[Date Prev][Date Next] [Chronological] [Thread] [Top]

Best multi-password password changing setup



(This email has been sitting in my drafts folder for a week ... if it seems 
incomplete, it was because I didn't want to wait till next week Tuesday when 
I am finally back in the office).

I'm trying to complete a system which allows authentication by a number of 
means, for example:

-Wifi authentication with WPA2 with MSCHAPv2 to FreeRADIUS against 
sambaNTPassword attribute in OpenLDAP
-Samba domain
-Kerberos with keys stored in OpenLDAP
-Some hardware devices which read userPassword and compare the hash

At the same time, I would like password policies applied, including:
-Password expiry by default (but exempt some accounts from password expiry)
-Password history checking
-Password strength rules (at minimum length, preferably enforce variation of 
character types)

It seems that Heimdal currently doesn't have password history support, and the 
password expiry available is quite limited (e.g. global via 
[kadmin]password_lifetime). However, Heimdal respects the sambaPwdMustChange 
attribute

MIT has password history support, and support for multiple password expiry 
policies, but password history is not available with the LDAP backend (and I 
don't see mention of whether the password policies can be stored in LDAP 
either).

Password changes via Heimdal will:
-Change the password in the krb5key attributes
-Change the password in sambaNTPassword
-update krb5PasswordEnd
-update sambaPwdMustChange (but not sambaPwdLastSet)
-not change the password in userPassword
-not update pwdChangedTime
-not update passwords in pwdHistory

Password changes via OpenLDAP (exop) with ppolicy and smbk5pwd overlays will:
-Change the password in the krb5Key attributes
-Change the password in the userPassword attribute
-Change the password in the sambaNTPassword and sambaLMPassword attributes
-update pwdChangedTime
-update sambaPwdLastSet (but not sambaPwdMustChange)
-update passwords in pwdHistory
-Not update krb5PasswordEnd

I would prefer not to rely on password changing via samba, since most users 
don't really know anything about samba (so, I'll probably have samba setup 
for 'ldap passwd sync = only'

So, are there any solutions to this problem ? Or, will one of ppolicy or 
smbk5pwd need to be updated to take the other into account.

Regards,
Buchan