[Date Prev][Date Next] [Chronological] [Thread] [Top]

ppolicy pwdCheckModule failure and still calling other overlays

To: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Subject: ppolicy pwdCheckModule failure and still calling other overlays
From: Tim Watts <tw@dionic.net>
Date: Thu, 21 Feb 2013 18:47:19 +0000
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130106 Thunderbird/17.0.2

I realise this is a long shot,

but if pwdCheckModule is enabled in ppolicy AND the module it callsFAILS a prospective password (for being too weak) - should slapdactually be calling the next overlay in the stack?? Common sense saysppolicy should bomb out?




Here are the overlay configs in slapd.conf:

<backend hdb database stuff>

overlay smbkrb5pwd
smbkrb5pwd-enable krb5
smbkrb5pwd-krb5realm DIGHUM.KCL.AC.UK
smbkrb5pwd-requiredclass posixAccount
#
#  Password Policy - this runs check_password.so compiled from
#  /vol/source/ldap_check_password/1.0/check_password.c
#
#
overlay ppolicy
ppolicy_default "cn=default,ou=pwpolicies,dc=dighum,dc=kcl,dc=ac,dc=uk"
ppolicy_use_lockout
ppolicy_hash_cleartext



The idea is:

ppolicy is configured to call my own password_check.so and that worksnicely - that exits with EXIT_FAILURE if it fails.

smbkrb5pwd is OpinSys.fi's modification to smbk5pwd to work with MITkerberos. That works too (after I fixed something). It will set theprinciple's password and create the principle is it doesn't exist.



The failure scenario is:

1) No principle for the UID in question;

2) The UID in question has a DN in slapd;

3) Set password for UID - choose one that will fail the ppolicy checks;

4) do an ldappasswd change for UID

Result: ldappasswd says it fails and the user password hash in slapd isnot changed. However, smbkrb5pwd was still called and managed to createa principle for UID with the weak password - bypassing the policy.



The best answer to my mind is:

Fix smbkrb5pwd to be able to add a default kerberos policy to anycreated principles. Such a policy can replace ppolicy for passwordstrength checking. I think I can do this.

However, it bothers me - is there no way to make the failure of oneoverlay bomb the stack out (rather like PAM)?


Or perhaps ppolicy is not actually "failing" as such??


Any ideas?

Cheers!

Tim

--
Tim Watts
Personal Blog:                          http://squiddy.blog.dionic.net/

http://www.sensorly.com/ Crowd mapping of 2G/3G/4G mobile signal coverage

Prev by Date: Re: Indices is missing?
Next by Date: Re: N-Way Multimaster with syncrepl and delta-repl -- slapd stops responding
Index(es):
- Chronological
- Thread