Hi community,

We want to implement password policies in our DIT, and are testing ppolicy and found issues using olcPasswordHash, the Password Modify Extension and so on. Here are my tests:

1) My cn=config with olcPasswordHash and olcSuffix values

$ ldapsearch -D "cn=admin,dc=ktu,dc=lt" -W -x -b "cn=config" olcPasswordHash olcSuffix
dn: cn=config
olcPasswordHash: {SSHA}
...
# {-1}frontend, config
dn: olcDatabase={-1}frontend,cn=config
olcPasswordHash: {SSHA}
olcPasswordHash: {SHA}
olcPasswordHash: {SMD5}
olcPasswordHash: {MD5}
olcPasswordHash: {CRYPT}
...
# {2}hdb, config
dn: olcDatabase={2}hdb,cn=config
olcSuffix: dc=ktu,dc=lt
$

2) My test user exists without a userPassword attribute

$ ldapsearch -D "cn=admin,dc=ktu,dc=lt" -W -x -b "eduPersonPrincipalName=testuser9@ktu.lt,ou=People,ou=Users,dc=ktu,dc=lt" userPassword
Enter LDAP Password:
dn: eduPersonPrincipalName=testuser9@ktu.lt,ou=People,ou=Users,dc=ktu,dc=lt
$

3) Making a password for the test user. As the documentation says, "ldappasswd uses the LDAPv3 Password Modify (RFC 3062) extended operation."

$ ldappasswd -h localhost -D "cn=admin,dc=ktu,dc=lt" -x -W -S "eduPersonPrincipalName=testuser9@ktu.lt,ou=People,ou=Users,dc=ktu,dc=lt"
New password:
Re-enter new password:
Enter LDAP Password:
$

4) userPassword somehow gets multivalued

$ ldapsearch -D "cn=admin,dc=ktu,dc=lt" -W -x -b "eduPersonPrincipalName=testuser9@ktu.lt,ou=People,ou=Users,dc=ktu,dc=lt" userPassword
Enter LDAP Password:
# testuser9@ktu.lt, People, Users, ktu.lt
dn: eduPersonPrincipalName=testuser9@ktu.lt,ou=People,ou=Users,dc=ktu,dc=lt
userPassword:: e1NTSEF9RlE3VjRYa003RVJ6eGFTNjR4ZkFRSzRGZEk4cFk0UDQ=            --> {SSHA}FQ7V4XkM7ERzxaS64xfAQK4FdI8pY4P4
userPassword:: e1NTSEF9K1JtbWl3M0RxTTV3aEl0U3g5TjVrZWRETlpES3NROUg=            --> {SSHA}+Rmmiw3DqM5whItSx9N5kedDNZDKsQ9H
userPassword:: e1NIQX1maVFONTAreDdRajZDTk9BWS9hbXFSUmlxQlU9                    --> {SHA}fiQN50+x7Qj6CNOAY/amqRRiqBU=
userPassword:: e1NNRDV9VUdaa3ZDSWI5Qld4a1VNcUhyZEl3ZElTbnJ3PQ==                --> {SMD5}UGZkvCIb9BWxkUMqHrdIwdISnrw=
userPassword:: e01ENX1SN3pseDA5WW4waG4yOVYrbktuNENBPT0=                        --> {MD5}R7zlx09Yn0hn29V+nKn4CA==
userPassword:: e0NSWVBUfTFNZVAud1ZxenEvdWM=                                    --> {CRYPT}1MeP.wVqzq/uc
$

I guess the "frontend" database has the so-called global olcPasswordHash directive in effect over all databases. I also guess that the 1 SSHA form comes from cn=config, and the other 5 forms come from "frontend". Does anyone know if this is true?

5) If the above is true, overriding the globals in the local database config seems like a solution to me, but ...

$ ldapmodify -D "cn=admin,dc=ktu,dc=lt" -W -x <<EOF
> dn: olcDatabase={2}hdb,cn=config
> changetype: modify
> add: olcPasswordHash
> olcPasswordHash: {SSHA}
> EOF
Enter LDAP Password:
modifying entry "olcDatabase={2}hdb,cn=config"
ldap_modify: Object class violation (65)
        additional info: attribute 'olcPasswordHash' not allowed
$

Is it possible to get rid of the insecure forms of password schemes? I always believed that password-hash (olcPasswordHash) should help to do that. Maybe I don't know something?

I also think that it could be related to ITS#7625, which is why ppolicy shows the "Additional info: Password policy only allows one password value" error message.

Please help to clear things out.

System: Debian 7.0 (wheezy)
OpenLDAP: 2.4.31 (from package)

Thank you.

--
Regards,
Nerijus Kislauskas
KTU ITD, Litnet valdymo centras
Studentu g. 48a - 101, Kaunas
tel.: (8~37) 30 06 45
mob. tel.: 8-614-93889
e-mail.: nerijus.kislauskas@ktu.lt
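An added example, not part of the post or of OpenLDAP: a small Python auditor that does what the post does by hand in step 4, decoding the base64 userPassword values in ldapsearch output and reporting, per entry, which hash schemes are stored, which of them are weak, and whether the attribute is multi-valued (the condition ppolicy rejects). The first sample entry reuses three values from the post; the second entry and its base64 value are constructed placeholders.

```python
import base64
import re

# Constructed sample: the first entry reuses three userPassword values from the post
# above; the second is an invented clean entry whose base64 is a placeholder, not a hash.
SAMPLE_LDIF = """\
# testuser9@ktu.lt, People, Users, ktu.lt
dn: eduPersonPrincipalName=testuser9@ktu.lt,ou=People,ou=Users,dc=ktu,dc=lt
userPassword:: e1NTSEF9RlE3VjRYa003RVJ6eGFTNjR4ZkFRSzRGZEk4cFk0UDQ=
userPassword:: e1NIQX1maVFONTAreDdRajZDTk9BWS9hbXFSUmlxQlU9
userPassword:: e01ENX1SN3pseDA5WW4waG4yOVYrbktuNENBPT0=

dn: cn=constructed-clean-user,dc=example,dc=com
userPassword:: e1NTSEF9c2FtcGxlLW5vdC1hLXJlYWwtaGFzaA==
"""

# Unsalted digests, DES crypt and cleartext: forms a password policy should not keep.
WEAK_SCHEMES = {"SHA", "MD5", "SMD5", "CRYPT", "CLEARTEXT"}
SCHEME_RE = re.compile(r"^\{([^}]+)\}")

def parse_ldif(text):
    """[(dn, [(attr, value), ...])]; '::' values base64-decoded; folded lines not handled."""
    entries = []
    for line in text.splitlines():
        if line.startswith("dn: "):
            entries.append((line[4:], []))
        elif line.strip() and not line.startswith("#") and entries:   # skip comments
            attr, _, value = line.partition(":")
            if value.startswith(":"):                    # base64-encoded value (RFC 2849)
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entries[-1][1].append((attr, value.strip()))
    return entries

def scheme_of(value):
    """'{SSHA}...' -> 'SSHA'; a value without a scheme prefix is stored in the clear."""
    m = SCHEME_RE.match(value)
    return m.group(1).upper() if m else "CLEARTEXT"

def audit_userpassword(text):
    """Per dn: hash schemes found, the weak ones, and whether userPassword is
    multi-valued (ppolicy refuses entries with more than one userPassword value)."""
    report = {}
    for dn, attrs in parse_ldif(text):
        schemes = [scheme_of(v) for a, v in attrs if a == "userPassword"]
        report[dn] = {"schemes": schemes,
                      "weak": [s for s in schemes if s in WEAK_SCHEMES],
                      "multivalued": len(schemes) > 1}
    return report
```

Run it over the output of the step 4 ldapsearch (with -LLL, or as shown) to get a per-entry list of schemes to clean up before enabling ppolicy.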