
Re: Password history configuration for ldap users.



On Wednesday, 1 September 2010 08:44:33 Meghanand Acharekar wrote:
> Hello,
> 
> I have configured openldap server on RHEL 5.4
> I also want to enforce strong password policies for my ldap users.

Have you enabled and configured the ppolicy overlay for OpenLDAP? If you are 
only enforcing LDAP passwords via PAM, changing passwords via another 
mechanism will bypass these controls. So, you should consider using ppolicy 
instead ...

Have you tested password changes with the ldappasswd tool?

> for which i configured pam module on each ldap client in following way.
> 
> (/etc/pam.d/system-auth)
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      pam_tally.so onerr=fail deny=5 unlock_time=300
> auth        required      pam_env.so
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 500 quiet
> auth        sufficient    pam_ldap.so use_first_pass
> auth        required      pam_deny.so
> 
> account     required      pam_unix.so broken_shadow
> account     sufficient    pam_succeed_if.so uid < 500 quiet
> account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
> account     required      pam_permit.so
> 
> password    requisite     pam_cracklib.so try_first_pass retry=3 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8 reject_username
> password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok remember=5
> password    sufficient    pam_ldap.so use_authtok
> password    required      pam_deny.so
> 
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session     required      pam_unix.so
> session     optional      pam_ldap.so
> session     optional      pam_mkhomedir.so skel=/etc/skel umask=0066
> 
> I am having following problems with my configuration.
> 
> 1. The configured password history (pam_unix.so remember=5) is not
> working for ldap users, while the other password policies
> (pam_cracklib, pam_tally) are working fine.
> 2. I also observed that I can't change/set any users password as root user
> (using passwd username).

You probably don't want this configuration ... root on an individual "generic" 
server should not be able to change passwords of all users in LDAP.

Use ldappasswd (please see the man page regarding options you need to provide 
to make it work) or another LDAP-based tool (smbldap-passwd etc. or a web-
based interface) to change/reset user's passwords.

> Following is my ldap client configuration file (ldap.conf).
> 
> base dc=mycomp,dc=com
> bind_timelimit 120
> idle_timelimit 3600
> nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
> pam_check_host_attr
> pam_password md5

If you want to implement any password quality checks on the LDAP side, you 
need to use:
pam_password exop
instead. If you use 'pam_password md5', the LDAP server will only ever see the 
hash, so will not be able to test password length etc. If you only want 
password quality checks on the clients, your configuration will work, but users 
may be able to bypass your quality checks by using ldappasswd (or any LDAP 
client).

> ssl no
> timelimit 120
> tls_cacertdir /etc/openldap/cacerts
> uri ldap://10.0.119.36
> 
> For further troubleshooting I observed my /var/log/secure file while
> changing an ldap user's password.
> 
> passwd: pam_unix(passwd:chauthtok): user "username" does not exist in
> /etc/passwd
> 
> but #getent passwd shows me the username.

Fine, but pam_unix should fail, and after that 'passwd' should be trying via 
LDAP.

What do the logs on the LDAP server show? Can you show the prompts you get 
from running 'passwd'? You should be prompted for the LDAP password before 
being prompted for the new password:


[bgmilne@xymon ~]$ passwd
Changing password for user bgmilne.
Enter login(LDAP) password: 
New UNIX password: 
Retype new UNIX password:
LDAP password information changed for bgmilne
passwd: all authentication tokens updated successfully.
[bgmilne@xymon ~]$


Regards,
Buchan
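The two points in the reply above, that 'pam_password md5' hands the server a hash it cannot quality-check, and that pam_unix's remember=5 (which keeps its history in /etc/security/opasswd and never runs to completion for users absent from /etc/passwd) cannot give LDAP users a password history, are illustrated here with an added example that is not part of the thread and not OpenLDAP's own code. It mirrors the decision logic of the ppolicy overlay (pwdMinLength, pwdInHistory, pwdCheckQuality) in plain Python over constructed data: the policy entry, the user's password history and the two kinds of value a client sends (a {MD5} hash as with 'pam_password md5', or cleartext as with 'pam_password exop') are all made up for the illustration; the attribute names and the {SSHA}/{MD5} value formats are the real ones slapd and pam_ldap use.

```python
"""Simulation (added example, not slapd code) of the server-side checks the
OpenLDAP ppolicy overlay applies to a new userPassword value, showing why a
pre-hashed value from 'pam_password md5' defeats them and why history must
be kept on the server for LDAP users."""
import base64
import hashlib
import os
import re

# Constructed pwdPolicy entry. Attribute names are ppolicy's; values are
# chosen for this example (pwdCheckQuality 2 = reject when the server
# cannot check quality, e.g. because the password arrived hashed).
POLICY_LDIF = """\
dn: cn=default,ou=policies,dc=mycomp,dc=com
objectClass: pwdPolicy
objectClass: device
cn: default
pwdAttribute: userPassword
pwdMinLength: 8
pwdInHistory: 5
pwdCheckQuality: 2
"""


def parse_ldif_entry(text):
    """Parse one simple LDIF entry (no base64 values, no folded lines) into {attr: [values]}."""
    entry = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def ssha(password, salt=None):
    """Build a {SSHA} value in the form slapd stores: base64(sha1(pw + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(password, stored):
    """Check a cleartext password against a stored {SSHA} value."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode() + salt).digest() == digest


def md5_client_value(password):
    """What a client using 'pam_password md5' sends: {MD5}base64(md5(pw))."""
    return "{MD5}" + base64.b64encode(hashlib.md5(password.encode()).digest()).decode()


_SCHEME = re.compile(r"^\{[A-Za-z0-9-]+\}")


def check_new_password(value, policy, pwd_history):
    """Return (accepted, reason) for a userPassword value as the server received it.

    pwd_history holds {SSHA} hashes of earlier passwords, as ppolicy keeps
    them in pwdHistory (the timestamp#syntax#length# prefix slapd adds is
    omitted here)."""
    min_length = int(policy["pwdMinLength"][0])
    in_history = int(policy["pwdInHistory"][0])
    check_quality = int(policy["pwdCheckQuality"][0])
    if _SCHEME.match(value):
        # Pre-hashed by the client: the cleartext is gone, so neither the
        # length rule nor the history comparison can be evaluated.
        if check_quality == 2:
            return False, "pre-hashed password: quality checks cannot be performed"
        return True, "pre-hashed password accepted without checks"
    if len(value) < min_length:
        return False, "password shorter than pwdMinLength"
    for old in pwd_history[:in_history]:
        if ssha_verify(value, old):
            return False, "password found in pwdHistory"
    return True, "accepted"


def demo():
    """Run the four cases: md5-hashed value, then cleartext (exop) values."""
    policy = parse_ldif_entry(POLICY_LDIF)
    # Constructed history of the user's previous passwords, stored as slapd would.
    history = [ssha("OldPass1!"), ssha("Summer2010$")]
    return {
        "md5": check_new_password(md5_client_value("Winter2010%"), policy, history),
        "exop_short": check_new_password("ab", policy, history),
        "exop_reused": check_new_password("Summer2010$", policy, history),
        "exop_ok": check_new_password("Winter2010%", policy, history),
    }


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:12s} {'accepted' if ok else 'rejected'}: {reason}")
```

The first case is the one the poster's clients produce: even a good password is rejected, because under pwdCheckQuality 2 the server refuses anything it cannot inspect. Switching the clients to 'pam_password exop' makes pam_ldap send the cleartext in a PasswordModify extended operation, so the remaining three cases show the server itself enforcing minimum length and history, which then also covers changes made with ldappasswd or any other LDAP client.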