Re: LDAP password policies don't seems to work
- To: openldap-technical@openldap.org,Andreas Hasenack <andreas@canonical.com>
- Subject: Re: LDAP password policies don't seems to work
- From: André Rodier <andre@rodier.me>
- Date: Sun, 24 Dec 2017 09:22:12 +0000
- In-reply-to: <CANYNYEG0s=UvASAwNwr+eFz8x-4d9HaSVVLXQM9V-NXa4283Kw@mail.gmail.com>
- References: <dfe2941e-d041-1486-db38-c3ac768ee3ab@rodier.me> <CANYNYEG0s=UvASAwNwr+eFz8x-4d9HaSVVLXQM9V-NXa4283Kw@mail.gmail.com>
- User-agent: K-9 Mail for Android
Hello Andreas,
Thank you very much. I will try that, probably next year.
Kind regards,
André.
On 23 December 2017 21:29:45 GMT+00:00, Andreas Hasenack <andreas@canonical.com> wrote:
>I suggest checking the pam-ldap config. IIRC it should be using the exop
>method to change password.
>
>On Dec 23, 2017 1:17 PM, "André Rodier" <andre@rodier.me> wrote:
>
>> Hello all,
>>
>> I have an LDAP server, that I use for system authentication, emails,
>> etc, in a domain (homebox.space)
>>
>> I have the password policies defined in the LDAP database, but they
>> don't seem to apply to the users when changing a password.
>>
>> Both "olcPPolicyDefault" and "olcPPolicyHashCleartext" are set up, but
>> only the last is working, i.e. passwords sent in clear text by an LDAP
>> client are automatically encrypted.
>>
>> There is an overlay entry for the domain, example:
>>
>> olcPPolicyDefault: cn=default,ou=pwpolicies,dc=homebox,dc=space
>>
>> and a correct entry "pwdPolicySubentry" for each user.
>>
>> However, when I try to change the password with pam_ldap or using the
>> roundcube password plugin, even the minimal length rule is ignored.
>>
>> The module configuration:
>> > dn: cn=module{0},cn=config
>> > objectClass: olcModuleList
>> > cn: module{0}
>> > olcModulePath: /usr/lib/ldap
>> > olcModuleLoad: {0}back_mdb
>> > olcModuleLoad: {1}ppolicy.la
>> > olcModuleLoad: {2}deref.la
>> > structuralObjectClass: olcModuleList
>> > entryUUID: acbfbc52-7c3a-1037-9cc1-d74dec6fc011
>> > creatorsName: cn=admin,cn=config
>> > createTimestamp: 20171223143824Z
>> > entryCSN: 20171223143828.930245Z#000000#000#000000
>> > modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
>> > modifyTimestamp: 20171223143828Z
>>
>> The overlay configuration
>> > dn: olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config
>> > objectClass: olcPPolicyConfig
>> > objectClass: olcOverlayConfig
>> > olcOverlay: {0}ppolicy
>> > olcPPolicyDefault: cn=default,ou=pwpolicies,dc=homebox,dc=space
>> > olcPPolicyHashCleartext: TRUE
>> > olcPPolicyUseLockout: FALSE
>> > olcPPolicyForwardUpdates: FALSE
>> > structuralObjectClass: olcPPolicyConfig
>> > entryUUID: affa09e0-7c3a-1037-956b-0f107d4f36ac
>> > creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
>> > createTimestamp: 20171223143829Z
>> > entryCSN: 20171223143829.643274Z#000000#000#000000
>> > modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
>> > modifyTimestamp: 20171223143829Z
>>
>> The policy:
>> > dn: cn=default,ou=pwpolicies,dc=homebox,dc=space
>> > pwdExpireWarning: 259200
>> > pwdMaxFailure: 5
>> > cn: default
>> > objectClass: pwdPolicy
>> > objectClass: person
>> > objectClass: top
>> > pwdMinLength: 8
>> > pwdCheckQuality: 0
>> > pwdAttribute: userPassword
>> > pwdLockoutDuration: 0
>> > pwdInHistory: 0
>> > sn: default
>> > pwdMaxAge: 31536000
>> > pwdGraceAuthNLimit: 0
>> > pwdFailureCountInterval: 300
>> > structuralObjectClass: person
>> > entryUUID: b083c4d2-7c3a-1037-956d-0f107d4f36ac
>> > creatorsName: cn=admin,dc=homebox,dc=space
>> > createTimestamp: 20171223143830Z
>> > entryCSN: 20171223143830.545905Z#000000#000#000000
>> > modifiersName: cn=admin,dc=homebox,dc=space
>> > modifyTimestamp: 20171223143830Z
>>
>> Example of one user:
>>
>> > dn:: Y249QW5kcsOpIFJvZGllcixvdT11c2VycyxkYz1ob21lYm94LGRjPXNwYWNl
>> > pwdPolicySubentry: cn=default,ou=pwpolicies,dc=homebox,dc=space
>> > shadowMin: 0
>> > uid: andre
>> > objectClass: top
>> > objectClass: person
>> > objectClass: posixAccount
>> > objectClass: shadowAccount
>> > objectClass: inetOrgPerson
>> > loginShell: /bin/bash
>> > shadowFlag: 0
>> > uidNumber: 1001
>> > shadowMax: 999999
>> > gidNumber: 1001
>> > homeDirectory: /home/users/andre
>> > sn: Rodier
>> > shadowInactive: -1
>> > mail: andre@homebox.space
>> > givenName:: QW5kcsOp
>> > shadowWarning: 7
>> > structuralObjectClass: inetOrgPerson
>> > cn:: QW5kcsOpIFJvZGllcg==
>> > entryUUID: b12c4db4-7c3a-1037-9572-0f107d4f36ac
>> > creatorsName: cn=admin,dc=homebox,dc=space
>> > createTimestamp: 20171223143831Z
>> > userPassword:: e1NTSEF9SHllVitOazkyekNHYlIwbVRUdkZJZWFpVUo2WElSVWM=
>> > pwdChangedTime: 20171223150211Z
>> > entryCSN: 20171223150211.599058Z#000000#000#000000
>> > modifiersName: cn=admin,dc=homebox,dc=space
>> > modifyTimestamp: 20171223150211Z
>> >
>>
>>
>> I have the whole source code here: https://github.com/progmaticltd/homebox/
>>
>> The Ansible tasks I am using to configure the LDAP server are here:
>>
>> https://github.com/progmaticltd/homebox/blob/master/install/playbooks/roles/accounts/tasks/main.yml
>>
>> Any help welcome.
>>
>> Kind regards,
>> André Rodier.
>>
>> PS: Merry Christmas / Happy new year / for those concerned.
>>
>>
>>
--
André Rodier
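The decision Andreas's exop suggestion turns on, as an added model written for this page (not code from the thread or from OpenLDAP): it encodes what slapo-ppolicy(5) documents for pwdCheckQuality and pwdMinLength, namely that the RFC 3062 Password Modify extended operation always hands the server a cleartext value it can measure, that a pre-hashed value sent by a plain Modify can only be accepted or rejected, and that with pwdCheckQuality 0, as in the posted policy, no length check happens at all. The policy objects, the `{SSHA}` placeholder and the scenario names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Tuple

@dataclass
class PwPolicy:
    """The two pwdPolicy attributes that decide whether a length check happens."""
    pwdMinLength: int = 0
    pwdCheckQuality: int = 0  # 0: no checks, 1: check when possible, 2: reject if unverifiable

def is_prehashed(value: str) -> bool:
    """A client that hashes locally sends '{SSHA}...'; slapd cannot inspect such a value."""
    return value.startswith("{") and not value.upper().startswith("{CLEARTEXT}")

def evaluate(policy: PwPolicy, value: str, via_exop: bool) -> Tuple[bool, str]:
    """Model of whether slapo-ppolicy accepts a new userPassword value.

    via_exop=True models the RFC 3062 Password Modify extended operation, which
    always carries the new password in cleartext. via_exop=False models a plain
    Modify/replace of userPassword, where the client decides what it sends.
    """
    cleartext = value if via_exop or not is_prehashed(value) else None
    if policy.pwdCheckQuality == 0:
        # Documented behaviour: quality checking off, so pwdMinLength is not enforced either.
        return True, "pwdCheckQuality=0: nothing checked, pwdMinLength ignored"
    if cleartext is None:
        if policy.pwdCheckQuality == 2:
            return False, "pre-hashed value cannot be checked: rejected"
        return True, "pre-hashed value cannot be checked: accepted (pwdCheckQuality=1)"
    if len(cleartext) < policy.pwdMinLength:
        return False, f"length {len(cleartext)} < pwdMinLength {policy.pwdMinLength}"
    return True, "length check passed (server hashes it afterwards when HashCleartext is TRUE)"

# Constructed policies: the first mirrors the values posted in the thread.
THREAD_POLICY = PwPolicy(pwdMinLength=8, pwdCheckQuality=0)
STRICT_POLICY = PwPolicy(pwdMinLength=8, pwdCheckQuality=2)

def demo() -> dict:
    """Run the scenarios a practitioner would compare; the {SSHA} blob is a placeholder."""
    cases = [
        ("exop, 3 chars, thread policy", THREAD_POLICY, "abc", True),
        ("exop, 3 chars, strict policy", STRICT_POLICY, "abc", True),
        ("exop, 12 chars, strict policy", STRICT_POLICY, "tw3lve-chars", True),
        ("modify with client-side {SSHA}, strict", STRICT_POLICY, "{SSHA}PLACEHOLDER", False),
    ]
    return {name: evaluate(p, v, x) for name, p, v, x in cases}

if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{'accept' if ok else 'reject':6}  {name}: {why}")
```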