[Date Prev][Date Next] [Chronological] [Thread] [Top]

Antw: Questions on ppolicy (SLES11)



>>> I wrote:
> Hello!
> 
> I started to configure ppolicy in SLES11 SP3, and I think I succeeded with 
> the LDAP part. However I did not understand how to integrate ppolicy to the 
> OS, specifically:
> 
> I created one test user with a ppolicy, and expectation is that on first 
> login the passowrd should be canged (minus grace logins). According to the 
> syslog ppolicy triggers an expired password:
> 
> slapd[3990]: ppolicy_bind: Setting warning for password expiry for 
> uid=windl2,ou=domain,dc=org = 0 seconds
> 
> However the user when logging in gets no type of message at all. It also 
> seems that nothing is changed in the LDAP database when this message occurs. 

The answer to this part is: If nscd is stil using the same connection, it won't detect ppolicy. After restarting nscd, things work as expected on that client.

> So what is actually "set" there?
> 
> When the user actually changes the password, I see the following attributes 
> changed in LDAP:
> userPassword, pwdHistory, shadowLastChange
> 
> What's not quite clear is when using SSHA-hashed passwords, what changes can 
> be done regarding pwdCheckQuality. I can imagine that some checks will work 
> if the client uses the extended operation to change the password, but not if 
> the password is changed by an ordinary LDAP modify request. Is that correct?

It seems password history and minimum length can still be checked. Unsure about the rest.

I also discovered that the attempt to change the password (after being logged in) may consume another grace login. This may be of interest if the actual password change failed or was aborted.

> 
> Finally, maybe a stupid question: How does authentication against LDAP work? 
> In the classical UNIX mechanism, the authenticating process would query the 
> user name, then fetch the hashed password for that user, get the password 
> from the user, hash it using the same salt, and then compare the results for 
> a match. To my understanding you cannot get the hashed password from LDAP 
> until authenticated, so that looks like a egg-hen paradoxon to me.
> 
> If anybody could enlighten me, I'd be glad.
> 
> Regards,
> Ulrich
> 
>