Re: (ITS#4276) Password policy history and complexity ignored with exop pwd change
On Tue, 2005-12-20 at 23:38 +0000, jboden508@yahoo.com wrote:
> Full_Name: Jim Boden
> Version: 2.3.13
> OS: Solaris
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (198.241.217.15)
>
>
> I tested this using PADL on Solaris 10 x86. The PADL pam_ldap was linked against
> the openldap 2.3.13 libldap.so. Only some of the ppolicy works fine when using
> exop. I got this back from Howard when asking about it:
>
>
> No, the exop only accepts passwords in plaintext and then generates the hash
> later. As such, quality checking can always be performed when using the exop.
but the password is stored in the DSA using the hashing indicated by the
password-hash option (slapd.conf(5), defaulting to "{SSHA}").
>
>
> So I'm assuming this to mean that exop should fully follow the default ppolicy.
> It does not in the following areas:
>
> pwdHistory - I configured for 6, yet my user entry grows forever and lets me
> re-use passwords. I tested with password-hash of {MD5}.
>
> complexity - Min length seems to work, but the complexity (letters/numbers) is
> not followed.
>
>
> I then changed the PADL to NOT use exop, but rather send pwds in the clear. The
> first time I changed a password with this new config, the pwdHistory for my test
> user went back to saving only 6 (like it should) and the complexity started
> being followed.
>
> I suppose this could be blamed on PADL pam_ldap but I did link it with OpenLDAP
> libldap.so for 2.3.13 so I figured it might be an OpenLDAP issue.
>
> I'm using a work-around of passwords in the clear, over SSL, and using the
> password-hash entry in slapd.conf.
You need to set
password-hash "{CLEARTEXT}"
to have the password stored in cleartext for the purpose of saving the
history. I couldn't observe any excessive growth of history beyond the
enforced limit. Also, note that when writing the password as the
rootdn, no checking occurs, so I suspect you configured your PAM LDAP
tools to use the rootdn as admin identity. This might need to be
clarified in the slapo-ppolicy(5) man page.
p.
Ing. Pierangelo Masarati
Responsabile Open Solution
OpenLDAP Core Team
SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office: +39.02.23998309
Mobile: +39.333.4963172
Email: pierangelo.masarati@sys-net.it
------------------------------------------
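For readers reproducing the setup discussed above, here is the shape of the slapd.conf fragment involved. This is an added example, not configuration from the thread, from the OpenLDAP project, or from PADL; the schema path, suffix, rootdn, policy DN and the ou=policies container are assumptions chosen for illustration. It puts the two directives the reply turns on (password-hash and the ppolicy overlay's default policy) next to each other, with the default {SSHA} setting kept active and the {CLEARTEXT} setting Masarati refers to left commented out with its trade-off spelled out.

```conf
# slapd.conf fragment (OpenLDAP 2.3.x style) - illustrative, not from the thread.
# Paths, suffix and DNs below are assumptions.

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
# In 2.3 the pwdPolicy object class and pwd* attributes come from this file.
include         /etc/openldap/schema/ppolicy.schema

# If overlays are built as dynamic modules, load ppolicy here;
# statically linked builds do not need these two lines.
# modulepath    /usr/lib/openldap
# moduleload    ppolicy.la

database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
rootpw          {SSHA}replace-with-slappasswd-output
directory       /var/lib/ldap

# Hash applied to a password that reaches slapd in plaintext, i.e. via the
# Password Modify extended operation (ldappasswd, pam_ldap with exop enabled)
# or a plain modify of userPassword. {SSHA} is the slapd default.
password-hash   {SSHA}

# Masarati's reply above says pwdHistory is only retained as expected with
# {CLEARTEXT}. That stores every userPassword unhashed in the database, so
# anyone who can read the DB files, backups or replicas reads the passwords.
# Enable only with that trade-off understood.
# password-hash {CLEARTEXT}

overlay         ppolicy
# Entry of objectClass pwdPolicy that applies to users with no pwdPolicySubentry.
ppolicy_default "cn=default,ou=policies,dc=example,dc=com"
```

The referenced policy entry is an ordinary object of class pwdPolicy (pwdAttribute: userPassword) carrying attributes such as pwdInHistory: 6, pwdMinLength and pwdCheckQuality: 2; it has to exist in the DIT before the overlay can enforce it. When testing whether history and quality checks fire, bind as the user being changed, for example `ldappasswd -x -ZZ -H ldap://ldap.example.com -D "uid=jboden,ou=people,dc=example,dc=com" -W -S`, which uses the Password Modify exop. As the reply notes, a change written while bound as the rootdn is not checked at all, so a PAM or admin tool that binds as the rootdn will appear to ignore the policy regardless of the password-hash setting.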