[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Password change problem after adding ppolicy



On Thursday, 14 June 2007, Simon Gao wrote:
> To help troubleshoot ppolicy issue, I set a client binding to provider
> directly. So far my tests show following attributes work as expected:
>
> pwdLockout
> pwdLockoutDuration
> pwdMinAge
> pwdMaxAge
> pwdGraceAuthnLimit
> pwdAllowUserChange
> pwdMaxFailure
>
>
> Following does not work for some reason:
>
> pwdInHistory                    ppolicy does not check whether an old
> password exist in history or not; or maybe old password was not even
> being saved

False:
$ ldapsearch -x -D $ROOTDN -w $ROOTPW "(uid=bgmilne)" pwdHistory|grep ^pwd
pwdHistory: 20051024195301Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}due/1GRmi+/
pwdHistory: 20051024195320Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}WoTiMN/HvKb
pwdHistory: 20051024200447Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}QcLPVL+c+Gg
pwdHistory: 20051024200859Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}uLaheCI+c8r
pwdHistory: 20051024200906Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}IA62ZoaOYL/
pwdHistory: 20051024201018Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}ZOo4R/MjzmT
pwdHistory: 20051026152114Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}Xy2GA6wJSW0
pwdHistory: 20051129080907Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}ltRPSEWys6V
pwdHistory: 20070615091512Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}7XFYw9QSbM/
pwdHistory: 20070615091738Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}jmJjm9PIMVL
pwdHistory: 20070615092245Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}sraq4BVS46n

(I intentionally truncated these to not expose my test passwords). Note that 
most attibutes related to ppolicy are operational attributes, you either have 
to ask for them by name, or ask for all operational attributes (with '+').

Testing a password change with a password in my history:

$ ldappasswd -x -D uid=bgmilne,ou=People,$BASEDN -W -S
New password:
Re-enter new password:
Enter LDAP Password:
Result: Constraint violation (19)
Additional info: Password is in history of old passwords

> pwdCheckQuality           can only be set to 1 or disable it. This leads
> me to believe password syntax check does not work on server. This is
> confirmed with pwdMinLength failing to block password less than
>                                              specified number of
> characters. Does it take an external module for pwdCheckQuality to work?

If you want to do anything besides check min and max lengths, you need a 
module.

However, pwdMinLength works for me (see below).

Note that depending on how you are changing passwords, the server might not 
have the opportunity to check this (set pwdCheckQuality to 2 if you don't 
want to allow methods where the server cannot check them).

> or some built-in function with slapd supposed to take care of it?
>
> pwdExpireWarning         does not send out warning message to user about
> password expiration. What else is required to make this feature working?

Maybe you had more grace logins configured than you tried:

$ ldapwhoami -x -D uid=bgmilne,ou=People,$BASEDN -W -e ppolicy
Enter LDAP Password:
ldap_bind: Success (0) (Password expired, 4 grace logins remain)
dn:uid=bgmilne,ou=People,ou=internal,dc=telkomsa,dc=net
Result: Success (0)

[...]

$ ldapwhoami -x -D uid=bgmilne,ou=People,$BASEDN -W -e ppolicy
Enter LDAP Password:
ldap_bind: Invalid credentials (49); Password expired

$ ldapwhoami -x -D uid=bgmilne,ou=People,$BASEDN -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)

> pwdMinLength                 does not work.

It does, if pwdCheckQuality is 1 or 2:

$ ldappasswd -x -D uid=bgmilne,ou=People,$BASEDN -W -s qwertyu
Enter LDAP Password:
Result: Constraint violation (19)
Additional info: Password fails quality checking policy

$ ldappasswd -x -D uid=bgmilne,ou=People,$BASEDN -W -s qwertyui
Enter LDAP Password:
Result: Success (0)

> pwdSafeModify               does not work if set to TRUE.  How should
> one configure an client to send both existing and new password to provider?

Depends on the client. pam_ldap can be configured to do this, and I think 
the -a/-A/-t options to ldappasswd pertain to this.

> Does anyone make above attributes working? Can you share your experience
> if you do?

I think the more applicable question is, "how are you testing?".

Regards,
Buchan

>
> Simon
>
> > 1. *Change pwdCheckQuality from default 2 to 1. Does this attribute
> > require check_password module to work? 2.3.35 does not seem including
> > this module. Where can I find it?
> >
> > 2. **Change pwdSafeModify from TRUE to FALSE. How to configure a
> > consumer's chain overlay to send both existing and new password to
> > provider at the same time?



-- 
Buchan Milne
ISP Systems Specialist - Monitoring/Authentication Team Leader
B.Eng,RHCE(803004789010797),LPIC-2(LPI000074592)
http://en.wikipedia.org/wiki/List_of_Internet_slang_phrases

Attachment: pgpKTQAky5Wvz.pgp
Description: PGP signature