
Re: Forbidden account password reuse of the last 5 passwords



Derek Zhou wrote:
> 
> Michael Ströder writes:
> 
>> On 2/14/19 8:19 AM, Derek Zhou wrote:
>>> Better use kerberos for advanced password policy requirements. You can
>>> use SASL to bridge LDAP's userPassword checking to a kerberos backend so
>>> everything still works and is much safer.
>>
>> By which definition of "safe" is adding more complexity safer?
>>
>> Especially since you don't know how the original poster does password changes.
>> Maybe he wants to use ppolicy response controls etc.
>>
> Yeah, adding kerberos adds complexity and you cannot change passwords
> via ldap anymore; it has to go through the kerberos route. My notion of
> "safe" only refers to the fact that the password text is not
> stored anywhere and a rogue admin cannot read users' passwords.

slapd does not store plaintext passwords either.

As for kerberos, you can always run the KDC with OpenLDAP as its backing store,
and use e.g. the smbk5pwd overlay to update the kerberos keys when changing a
user's LDAP password. IMO this is a superior solution since a single LDAP-based
admin tool can take care of standard LDAP as well as Kerberos administration.

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
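
The setup Howard describes (KDC backed by OpenLDAP, smbk5pwd keeping the Kerberos keys in step with userPassword), combined with the ppolicy history check the thread subject asks about, as an added slapd.conf example that is not from the thread or the OpenLDAP project. It assumes slapd built with dynamic modules, a Heimdal KDC using hdb-ldap against this directory, module and schema paths as shown, and the suffix dc=example,dc=com.

```conf
# Added example, not from the thread. Paths, suffix and rootdn are assumptions.
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/ppolicy.schema
# Heimdal's hdb.schema provides the krb5Principal/krb5KDCEntry attributes
# that smbk5pwd writes and the hdb-ldap KDC backend reads.
include         /etc/openldap/schema/hdb.schema

modulepath      /usr/lib/openldap
moduleload      back_mdb.la
moduleload      ppolicy.la
moduleload      smbk5pwd.la

database        mdb
suffix          "dc=example,dc=com"
rootdn          "cn=admin,dc=example,dc=com"
directory       /var/lib/ldap

# Password policy: hash any cleartext userPassword on the way in and apply
# the default policy entry. The policy entry lives in the data DIT and is
# added separately with ldapadd, e.g.:
#   dn: cn=default,ou=policies,dc=example,dc=com
#   objectClass: pwdPolicy
#   objectClass: organizationalRole
#   cn: default
#   pwdAttribute: userPassword
#   pwdInHistory: 5
# pwdInHistory: 5 makes slapd keep the last 5 hashes in pwdHistory and
# reject a Modify/Password Modify that reuses any of them.
overlay         ppolicy
ppolicy_default "cn=default,ou=policies,dc=example,dc=com"
ppolicy_hash_cleartext

# smbk5pwd is configured after ppolicy so it sits above it in the overlay
# stack and sees the cleartext password first; it re-derives the Kerberos
# keys stored in the entry before ppolicy_hash_cleartext replaces the
# cleartext userPassword with a hash. Only krb5 is enabled here; add
# "samba" if LanMan/NT hashes are also needed.
overlay         smbk5pwd
smbk5pwd-enable krb5
```

Because both the pwdHistory hashes and the derived krb5Key values are stored in the directory, the entry's ACLs still decide who can read them; the gain is that one LDAP password change updates both.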