[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: replication breaks ppolicy



On Tuesday, 23 August 2011 16:12:52 rocke.robertson@pch.gc.ca wrote:
> From:	Buchan Milne <bgmilne@staff.telkomsa.net>
> To:	openldap-technical@openldap.org
> Cc:	rocke.robertson@pch.gc.ca
> Date:	23/08/2011 09:45 AM
> Subject:	Re: replication breaks ppolicy
> 
> On Tuesday, 23 August 2011 15:12:41 rocke.robertson@pch.gc.ca wrote:
> > Good morning all
> > 
> > After quite a bit of work, I got replication working (thank you all).
> > 
> > So I forged ahead and deployed the server in our RHEL 5.5 environment.
> >
> >RHEL5's openldap packages finally became somewhat usable at RHEL5.4, for
> >openldap *2.3*. You may find you want newer (e.g. for
> >ppolicy_forward_updates).
> 
> Will look into getting a newer version.

You may want to look here:

http://staff.telkomsa.net/packages/

(has 2.4.25, will soon have 2.4.26).

> > But
> > now I just realized that none of my ppolicy rules work. Also, the Redhat
> > clients are configured to use MD5 hash.
> >
> >You don't want clients to hash passwords, you can't enforce any password
> >quality checks on hashes. Use 'pam_password exop' if you want to enforce
> >password quality (or otherwise be able to control password hashing on the
> >server-side).
> 
> Have tried exop and clear as the documentation suggests is needed. No
> aging / history though...
> 
> > When I look at the accounts in
> > webmin, it shows it being crypt????? I know openldap likes salted SHA,
> 
> but
> 
> > I thought I'd do what Redhat wanted, which was MD5.
> >
> >Why?
> 
> Because... I guess cause I blindly follow vendor documentation? I do see
> folks complaining about this though.
> 
> > Password history, aging etc... A search used to show me all of my ppolicy
> > objects.
> > 
> > ldapsearch -v -x -b 'dc=chin,dc=ca' cn=default
> 
> ?
> 
> > But now returns nothing. Users can reuse passwords, so no history or
> 
> aging
> 
> > is working. No locking. I had to change ACL's on the provider and
> 
> consumer
> 
> > to get the replication working. Would that cause the problem?
> > 
> > No.
> 
> THen this is good.
> 
> > Here is my policy LDIF file I added to the server:
> > 
> > # policies, chin.com
> > dn: ou=policies,dc=chin,dc=ca
> > objectClass: organizationalUnit
> > objectClass: top
> > ou: policies
> > 
> > # default, policies, chin.com
> > dn: cn=default,ou=policies,dc=chin,dc=ca
> > objectClass: top
> > objectClass: device
> > objectClass: pwdPolicy
> > cn: default
> > pwdAttribute: userPassword
> > pwdInHistory: 6
> > pwdCheckQuality: 1
> > pwdMinLength: 8
> > pwdMaxFailure: 4
> > pwdLockout: TRUE
> > pwdLockoutDuration: 1920
> > pwdGraceAuthNLimit: 0
> > pwdFailureCountInterval: 0
> > pwdMustChange: TRUE
> > pwdAllowUserChange: TRUE
> > pwdSafeModify: FALSE
> > pwdMaxAge: 10368000
> > pwdExpireWarning: 1209600
> > pwdMinAge: 86400
> >
> >Show some example accounts, requesting the operational attributes ('+'),
> 
> and
> 
> >show authentication attempts (see ldapwhoami(1)) and password change
> 
> attempts
> 
> >(see ldappasswd(1)) with the ppolicy control enabled (-e ppolicy).
> 
> -bash-3.2$ ldapwhoami -x -D "uid=bigbob,ou=People,dc=chin,dc=ca" -W -e
> ppolicy
> Enter LDAP Password:
> dn:uid=bigbob,ou=People,dc=chin,dc=ca
> Result: Success (0)
> 
> Not a whole hell of a lot of information is produced. I don't know this
> command well so I'm not sure, but I think this is a little shy on output?
> 

An example with a password that is about to expire (coincidentally):

[bgmilne@tiger ~]$ ldapwhoami -x -D 
uid=bgmilne,ou=People,dc=ranger,dc=dnsalias,dc=com -W -e ppolicy
Enter LDAP Password: 
ldap_bind: Success (0) (Password expires in 14811 seconds)


> -bash-3.2$ id
> uid=10014(bigbob) gid=100(users) groups=100(users)
> 
> -bash-3.2$ ldappasswd -h ldap -x -D cn=admin,dc=chin,dc=ca
> "uid=bigbob,ou=People,dc=chin,dc=ca" -W -S -e ppolicy
> New password:
> Re-enter new password:
> Enter LDAP Password:
> Result: Success (0)
> 
> -bash-3.2$
> 
> 
> I can change the password with ldappasswd, and here I am changing it to the
> existing password with no errors or complaints. That used to fail.

[bgmilne@tiger ~]$ ldappasswd -x -D 
uid=bgmilne,ou=People,dc=ranger,dc=dnsalias,dc=com -W -S -e ppolicy
New password: 
Re-enter new password: 
Enter LDAP Password: 
Result: Constraint violation (19)
Additional info: Password is not being changed from existing value
control: 1.3.6.1.4.1.42.2.27.8.5.1 false MAOBAQg=
ppolicy: error=8 (New password is in list of old passwords)

> 
> 
> I'm sorry but I'm not %100 sure what an operations attribute of ('+')is,
> but here is an account that was created with the pwdpolicy objectclass. I
> used to be able to get all the aging, last changed, lock and history
> information....
> 
> ldapsearch -v -x -b 'dc=chin,dc=ca' uid=bigbob -e ppolicy
> 
> # extended LDIF
> #
> # LDAPv3
> # base <dc=chin,dc=ca> with scope subtree
> # filter: uid=bigbob
> # requesting: ALL
> #
> 
> # bigbob, People, chin.ca
> dn: uid=bigbob,ou=People,dc=chin,dc=ca
> pwdAttribute: userPassword
> shadowMax: 99999
> uid: bigbob
> cn: Big Bob
> homeDirectory: /homes/bigbob
> uidNumber: 10014
> objectClass: account
> objectClass: posixAccount
> objectClass: top
> objectClass: shadowAccount
> objectClass: hostObject
> objectClass: pwdPolicy
> host: db1.rcip-chin.gc.ca
> host: db2.rcip-chin.gc.ca
> host: db-cl1.rcip-chin.gc.ca
> host: db-cl2.rcip-chin.gc.ca
> shadowWarning: 7
> gidNumber: 100
> gecos: Big Bob
> loginShell: /bin/bash
> 
> # search result
> search: 2
> result: 0 Success
> 
> # numResponses: 2
> # numEntries: 1


[bgmilne@tiger CatDap]$ ldapsearch -LLL -x -D 'uid=LDAP Admin,ou=System 
Accounts,dc=ranger,dc=dnsalias,dc=com' -W "(uid=bgmilne)" '+'
Enter LDAP Password: 
dn: uid=bgmilne,ou=People,dc=ranger,dc=dnsalias,dc=com
structuralObjectClass: inetOrgPerson
entryUUID: 8b74bea0-f20d-101e-8cdf-6105b6f2f478
creatorsName: uid=account admin,ou=system accounts,dc=ranger,dc=dnsailas,dc=co
 m
createTimestamp: 19960203002836Z
pwdPolicySubentry: cn=default,ou=Password Policies,dc=ranger,dc=dnsalias,dc=co
 m
pwdChangedTime: 20110824062606Z
pwdHistory: 20110824062606Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}Os/M84d/89D
 oNHCc1JutMnIHnyezjE47
entryCSN: 20110824062606.003012Z#000000#003#000000
modifiersName: uid=bgmilne,ou=People,dc=ranger,dc=dnsalias,dc=com
modifyTimestamp: 20110824062606Z
entryDN: uid=bgmilne,ou=People,dc=ranger,dc=dnsalias,dc=com
subschemaSubentry: cn=Subschema
hasSubordinates: FALSE


Of interest are pwdChangedTime, pwdHistory, and possibly pwdFailureTime, 
pwdAccountLockedTime etc.


But, yes, it looks like ppolicy is not active, even though your configuration 
looks ok.