[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
LDAP password policies don't seems to work
- To: openldap-technical@openldap.org
- Subject: LDAP password policies don't seems to work
- From: André Rodier <andre@rodier.me>
- Date: Sat, 23 Dec 2017 15:14:50 +0000
- Authentication-results: smtpfr.rodier.me; dmarc=fail (p=reject dis=none) header.from=rodier.me
- Content-language: en-GB
- Dkim-filter: OpenDKIM Filter v2.9.2 smtpfr.rodier.me D35A724019
- Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rodier.me; s=smtpuk; t=1514042090; bh=68NM0l0pA52sC4g8dgQsx7AVlGqgQkCcnNQevWPFVgg=; h=To:From:Subject:Date:From; b=MhHPT/eOsI+pJ0VjqCwNAfZyCCkCRf03Hnv+aI2vzG2g9QIfvoAMD2tAUTc+fy03A RvrwLfZNfxih+4yPvXYuU6Uw5EUbcBXJYlJCn+rK5mvmtxrwYm3AGn9cW97zBvRH6a 0CHZyvCjp7WRge03hA7YEr48d2+tk1Bdo2a6iJbU=
- User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.5.0
Hello all,
I have an LDAP server, that I use for system authentication, emails,
etc, in a domain (homebox.space)
I have the password policies defined in the LDAP database, but they
don't seem to apply to the users when changing a password.
Both "olcPPolicyDefault" and "olcPPolicyHashCleartext" are set up, but
only the last is working, i.e. passwords sent in clear text by an LDAP
client are automatically encrypted.
There is an overlay entry for the domain, example:
olcPPolicyDefault: cn=default,ou=pwpolicies,dc=homebox,dc=space
and a correct entry "pwdPolicySubentry" for each user.
However, when I try change the password with pam_ldap or using the
roundcube password plugin, even the minimal length rule is ignored.
The module configuration:
> dn: cn=module{0},cn=config
> objectClass: olcModuleList
> cn: module{0}
> olcModulePath: /usr/lib/ldap
> olcModuleLoad: {0}back_mdb
> olcModuleLoad: {1}ppolicy.la
> olcModuleLoad: {2}deref.la
> structuralObjectClass: olcModuleList
> entryUUID: acbfbc52-7c3a-1037-9cc1-d74dec6fc011
> creatorsName: cn=admin,cn=config
> createTimestamp: 20171223143824Z
> entryCSN: 20171223143828.930245Z#000000#000#000000
> modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> modifyTimestamp: 20171223143828Z
The overlay configuration
> dn: olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config
> objectClass: olcPPolicyConfig
> objectClass: olcOverlayConfig
> olcOverlay: {0}ppolicy
> olcPPolicyDefault: cn=default,ou=pwpolicies,dc=homebox,dc=space
> olcPPolicyHashCleartext: TRUE
> olcPPolicyUseLockout: FALSE
> olcPPolicyForwardUpdates: FALSE
> structuralObjectClass: olcPPolicyConfig
> entryUUID: affa09e0-7c3a-1037-956b-0f107d4f36ac
> creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> createTimestamp: 20171223143829Z
> entryCSN: 20171223143829.643274Z#000000#000#000000
> modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> modifyTimestamp: 20171223143829Z
The policy:
> dn: cn=default,ou=pwpolicies,dc=homebox,dc=space
> pwdExpireWarning: 259200
> pwdMaxFailure: 5
> cn: default
> objectClass: pwdPolicy
> objectClass: person
> objectClass: top
> pwdMinLength: 8
> pwdCheckQuality: 0
> pwdAttribute: userPassword
> pwdLockoutDuration: 0
> pwdInHistory: 0
> sn: default
> pwdMaxAge: 31536000
> pwdGraceAuthNLimit: 0
> pwdFailureCountInterval: 300
> structuralObjectClass: person
> entryUUID: b083c4d2-7c3a-1037-956d-0f107d4f36ac
> creatorsName: cn=admin,dc=homebox,dc=space
> createTimestamp: 20171223143830Z
> entryCSN: 20171223143830.545905Z#000000#000#000000
> modifiersName: cn=admin,dc=homebox,dc=space
> modifyTimestamp: 20171223143830Z
Example of one user:
> dn:: Y249QW5kcsOpIFJvZGllcixvdT11c2VycyxkYz1ob21lYm94LGRjPXNwYWNl
> pwdPolicySubentry: cn=default,ou=pwpolicies,dc=homebox,dc=space
> shadowMin: 0
> uid: andre
> objectClass: top
> objectClass: person
> objectClass: posixAccount
> objectClass: shadowAccount
> objectClass: inetOrgPerson
> loginShell: /bin/bash
> shadowFlag: 0
> uidNumber: 1001
> shadowMax: 999999
> gidNumber: 1001
> homeDirectory: /home/users/andre
> sn: Rodier
> shadowInactive: -1
> mail: andre@homebox.space
> givenName:: QW5kcsOp
> shadowWarning: 7
> structuralObjectClass: inetOrgPerson
> cn:: QW5kcsOpIFJvZGllcg==
> entryUUID: b12c4db4-7c3a-1037-9572-0f107d4f36ac
> creatorsName: cn=admin,dc=homebox,dc=space
> createTimestamp: 20171223143831Z
> userPassword:: e1NTSEF9SHllVitOazkyekNHYlIwbVRUdkZJZWFpVUo2WElSVWM=
> pwdChangedTime: 20171223150211Z
> entryCSN: 20171223150211.599058Z#000000#000#000000
> modifiersName: cn=admin,dc=homebox,dc=space
> modifyTimestamp: 20171223150211Z
>
I have the whole source code here: https://github.com/progmaticltd/homebox/
The Ansible tasks I am using to configure the LDAP server are here:
https://github.com/progmaticltd/homebox/blob/master/install/playbooks/roles/accounts/tasks/main.yml
Any help welcome.
Kind regards,
André Rodier.
PS: Merry Christmas / Happy new year / for those concerned.