https://bugs.openldap.org/show_bug.cgi?id=9740
Issue ID: 9740
Summary: olcPPolicyCheckModule not working in 2.6.0
Product: OpenLDAP
Version: 2.6.0
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: overlays
Assignee: bugs@openldap.org
Reporter: david.coutadeur@gmail.com
Target Milestone: ---
Following: https://bugs.openldap.org/show_bug.cgi?id=9666, we must now use the olcPPolicyCheckModule directive in the overlay configuration, instead of the pwdCheckModule in the password policy.
I have 3 remarks:
1/ it's a pity we can't define the chosen module in the corresponding ppolicy. It prevents having multiple extensions to password policies (one for each policy)
2/ it does not seem to work. (ie the extended module is not launched). See below for my config and data.
3/ the slapo-ppolicy is quite unclear about the configuration. For example, I can read:
( 1.3.6.1.4.1.4754.2.99.1 NAME 'pwdPolicyChecker' AUXILIARY SUP top MAY ( pwdCheckModule $ pwdCheckModuleArg $ pwdUseCheckModule ) )
Does pwdCheckModule and pwdUseCheckModule still have sense?
Here is my configuration:
dn: olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: {0}ppolicy
olcPPolicyDefault: cn=default,ou=ppolicies,dc=my-domain,dc=com
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: FALSE
olcPPolicyForwardUpdates: FALSE
olcPPolicyDisableWrite: FALSE
olcPPolicySendNetscapeControls: FALSE
olcPPolicyCheckModule: /usr/local/openldap/libexec/openldap/ppm.so
Here are my data:
dn: cn=default,ou=ppolicies,dc=my-domain,dc=com
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
objectClass: organizationalRole
cn: default
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdMaxAge: 7776000
pwdInHistory: 5
pwdLockout: TRUE
pwdMaxFailure: 5
pwdFailureCountInterval: 86400
pwdMinLength: 8
pwdMaxLength: 30
pwdExpireWarning: 432000
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdMaxIdle: 31536000
pwdCheckModuleArg: bWluUXVhbGl0eSAzCmNoZWNrUkROIDAKZm9yYmlkZGVuQ2hhcnMKbWF4Q29uc2VjdXRpdmVQZXJDbGFzcyAwCnVzZUNyYWNrbGliIDAKY3JhY2tsaWJEaWN0IC92YXIvY2FjaGUvY3JhY2tsaWIvY3JhY2tsaWJfZGljdApjbGFzcy11cHBlckNhc2UgQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVogMCAxCmNsYXNzLWxvd2VyQ2FzZSBhYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5eiAwIDEKY2xhc3MtZGlnaXQgMDEyMzQ1Njc4OSAwIDEKY2xhc3Mtc3BlY2lhbCA8Piw/Oy46LyHCp8O5JSrCtV7CqCTCo8KyJsOpfiIjJ3soWy18w6hgX1zDp17DoEApXcKwPX0rIDAgMQ==

dn: uid=jack.oneill,ou=people,dc=my-domain,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: Jack O Neill
givenName: Jack
mail: jack.oneill@my-example.com
sn: O Neill
uid: jack.oneill
userPassword: {ARGON2}$argon2id$v=19$m=65536,t=2,p=1$LiSaGIqce9o2C6T8d2BOfg$BpPpokTfKY9/X7/jkvG1SXBcsNnm95UbTGSstc2aHKk
--- Comment #1 from Ondřej Kuzník ondra@mistotebe.net ---
On Fri, Nov 05, 2021 at 11:51:51AM +0000, openldap-its@openldap.org wrote:
Following: https://bugs.openldap.org/show_bug.cgi?id=9666, we must now use the olcPPolicyCheckModule directive in the overlay configuration, instead of the pwdCheckModule in the password policy.
I have 3 remarks:
1/ it's a pity we can't define the chosen module in the corresponding ppolicy. It prevents having multiple extensions to password policies (one for each policy)
Hi David, the problem is you have to load/unload it every time you run a password change, that has been causing issues. You can use the same implementation and pass policy specific configuration in pwdCheckModuleArg.
What is your usecase where you'd need different modules in the same server?
2/ it does not seem to work. (ie the extended module is not launched). See below for my config and data.
Just checking you are actually building with --enable-modules?
3/ the slapo-ppolicy is quite unclear about the configuration. For example, I can read:
( 1.3.6.1.4.1.4754.2.99.1 NAME 'pwdPolicyChecker' AUXILIARY SUP top MAY ( pwdCheckModule $ pwdCheckModuleArg $ pwdUseCheckModule ) )
Does pwdCheckModule and pwdUseCheckModule still have sense?
pwdCheckModule is preserved for backwards compatibility and using it provokes a warning in the logs to let the admin know it is actually ignored.
pwdUseCheckModule is new and allows the policy admin decide whether the module is to be used in this particular policy or not.
Regards,
--- Comment #2 from David Coutadeur david.coutadeur@gmail.com ---
(In reply to Ondřej Kuzník from comment #1)
On Fri, Nov 05, 2021 at 11:51:51AM +0000, openldap-its@openldap.org wrote:
Following: https://bugs.openldap.org/show_bug.cgi?id=9666, we must now use the olcPPolicyCheckModule directive in the overlay configuration, instead of the pwdCheckModule in the password policy.
I have 3 remarks:
1/ it's a pity we can't define the chosen module in the corresponding ppolicy. It prevents having multiple extensions to password policies (one for each policy)
Hi David, the problem is you have to load/unload it every time you run a password change, that has been causing issues. You can use the same implementation and pass policy specific configuration in pwdCheckModuleArg.
What is your usecase where you'd need different modules in the same server?
No particular use case.
It's just that before ppm, the LTB project maintained another module named "check-password", and maybe it can help the transition to announce that OpenLDAP supports multiple modules at one time... But again there is no real use case.
2/ it does not seem to work. (ie the extended module is not launched). See below for my config and data.
Just checking you are actually building with --enable-modules?
Yes indeed.
If it can help:
./configure --prefix=${LDAPDIR} --libdir=${LDAPDIR}/${_LIB} --enable-modules=yes --enable-overlays=mod --enable-backends=mod --enable-dynamic=yes --with-tls=openssl --enable-debug --with-cyrus-sasl --enable-spasswd --enable-ppolicy=mod --enable-crypt --enable-slapi --enable-mdb=mod --enable-ldap=mod --enable-meta=mod --enable-sock=mod --enable-wrappers --enable-rlookups --enable-argon2=yes --enable-otp=mod --enable-balancer=mod --enable-sql=no --enable-ndb=no --enable-wt=no --enable-perl=no
3/ the slapo-ppolicy is quite unclear about the configuration. For example, I can read:
( 1.3.6.1.4.1.4754.2.99.1 NAME 'pwdPolicyChecker' AUXILIARY SUP top MAY ( pwdCheckModule $ pwdCheckModuleArg $ pwdUseCheckModule ) )
Does pwdCheckModule and pwdUseCheckModule still have sense?
pwdCheckModule is preserved for backwards compatibility and using it provokes a warning in the logs to let the admin know it is actually ignored.
Thanks for the clarification. Actually, I meant the documentation of slapo-ppolicy (man page); it could be nice to explain:
- what is deprecated
- what each attribute is made for
pwdUseCheckModule is new and allows the policy admin decide whether the module is to be used in this particular policy or not.
Regards,
--- Comment #3 from Ondřej Kuzník ondra@mistotebe.net ---
On Fri, Nov 05, 2021 at 01:09:06PM +0000, openldap-its@openldap.org wrote:
What is your usecase where you'd need different modules in the same server?
No particular use case.
It's just that before ppm, the LTB project maintained another module named "check-password", and maybe it can help the transition to announce that OpenLDAP supports multiple modules at one time... But again there is no real use case.
Then I would wait until a compelling use case comes up before we consider reverting that change.
2/ it does not seem to work. (ie the extended module is not launched). See below for my config and data.
Just checking you are actually building with --enable-modules?
Yes indeed.
If it can help:
./configure [...]
Yes, that's fine, checking your policy again:
- pwdCheckQuality is 2, great, but the password you're setting is hashed already so it will just fail before considering whether the module should be used
- you are not using pwdUseCheckModule - the module configured will not actually be used even if dealing with plaintext passwords
At least section 4.2.6 of the Behera draft[0] implicitly suggests that password administrators should be exempt from quality checking by being able to "set or reset the password to a well-known value." Is that the reason it wasn't being used for you or are you still having issues regardless of the above?
The manpage doesn't seem to document that the module is not used unless pwdCheckQuality is also enabled. I'll see about fixing that, thanks.
Thanks for the clarification. Actually, I meant the documentation of slapo-ppolicy (man page) it could be nice to explain:
- what is deprecated
- what is each attribute made for
That's already documented here: https://git.openldap.org/openldap/openldap/-/blob/master/doc/man/man5/slapo-...
Could you suggest any improvements to address whatever other confusion you think exists?
Thanks,
[0]. https://datatracker.ietf.org/doc/html/draft-behera-ldap-password-policy-10#s...
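The conditions Ondřej lists above (a module path on the overlay, a non-zero pwdCheckQuality, pwdUseCheckModule set to TRUE in the policy, and a cleartext rather than pre-hashed password) are easy to miss in a long configuration, so here is an added lint that checks them against LDIF entries. It is example code written for this page, not OpenLDAP's or ppm's own code. The sample overlay and policy entries are constructed from the reporter's configuration, shortened, and the pwdCheckModuleArg value is a constructed base64 of "minQuality 3"; the "{scheme}" prefix test for pre-hashed values and the one-attribute-per-line LDIF parser are simplifications assumed here.

```python
# Added example (not OpenLDAP code): a lint for the preconditions under which
# slapo-ppolicy will actually call the configured check module, as worked out
# in this thread. Sample entries are constructed from the reporter's own
# overlay and policy; the ppm argument is a constructed short value.
import base64


def parse_ldif_entry(text):
    """Parse one LDIF entry (one attribute per line) into {attr_lower: [values]}.
    'attr:: value' is the base64 form; blank lines, comments and '-' are skipped."""
    entry = {}
    for line in text.strip().splitlines():
        if not line.strip() or line.startswith("#") or line.strip() == "-":
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        entry.setdefault(attr.strip().lower(), []).append(value)
    return entry


def first(entry, attr):
    """First value of attr (attribute names are case-insensitive in LDAP)."""
    values = entry.get(attr.lower())
    return values[0] if values else None


def is_prehashed(password):
    """Simplification assumed here: a userPassword value starting with a
    '{scheme}' prefix is already hashed, so no quality check can run on it."""
    return password.startswith("{") and "}" in password


def check_module_preconditions(overlay, policy, new_password):
    """Return the reasons the check module would NOT be run for this password
    change under the given overlay and policy entries ([] = it will run)."""
    reasons = []
    if not first(overlay, "olcPPolicyCheckModule"):
        reasons.append("olcPPolicyCheckModule is not set on the ppolicy overlay")
    quality = first(policy, "pwdCheckQuality") or "0"
    if quality == "0":
        reasons.append("pwdCheckQuality is 0: no quality checking is done at all")
    elif is_prehashed(new_password):
        # quality 1 accepts an uncheckable value, quality 2 rejects it;
        # either way the module never sees the password
        reasons.append("password is pre-hashed, so it cannot be quality checked")
    if (first(policy, "pwdUseCheckModule") or "FALSE").upper() != "TRUE":
        reasons.append("pwdUseCheckModule is not TRUE in this policy")
    return reasons


def deprecated_attributes(policy):
    """Attributes still present that 2.6 ignores (slapd logs a warning for them)."""
    return [a for a in ("pwdCheckModule",) if first(policy, a)]


# Constructed from the overlay entry in the report (lockout/forwarding lines dropped).
OVERLAY_LDIF = """
dn: olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: {0}ppolicy
olcPPolicyDefault: cn=default,ou=ppolicies,dc=my-domain,dc=com
olcPPolicyHashCleartext: TRUE
olcPPolicyCheckModule: /usr/local/openldap/libexec/openldap/ppm.so
"""

# The policy as filed: pwdCheckQuality 2 but no pwdUseCheckModule.
# pwdCheckModuleArg here is a constructed value (base64 of "minQuality 3").
POLICY_AS_FILED_LDIF = """
dn: cn=default,ou=ppolicies,dc=my-domain,dc=com
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
cn: default
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdMinLength: 8
pwdCheckModuleArg:: bWluUXVhbGl0eSAz
"""

# The same policy with the attribute the thread identified as missing.
POLICY_FIXED_LDIF = POLICY_AS_FILED_LDIF + "pwdUseCheckModule: TRUE\n"

OVERLAY = parse_ldif_entry(OVERLAY_LDIF)
POLICY_AS_FILED = parse_ldif_entry(POLICY_AS_FILED_LDIF)
POLICY_FIXED = parse_ldif_entry(POLICY_FIXED_LDIF)

if __name__ == "__main__":
    for name, policy in (("as filed", POLICY_AS_FILED), ("fixed", POLICY_FIXED)):
        print(name, check_module_preconditions(OVERLAY, policy, "secretsecret"))
    print("pre-hashed:", check_module_preconditions(OVERLAY, POLICY_FIXED, "{ARGON2}$argon2id$v=19$x"))
    print("decoded pwdCheckModuleArg:", first(POLICY_FIXED, "pwdCheckModuleArg"))
```

Run stand-alone, the "as filed" policy reports only the missing pwdUseCheckModule, the fixed policy reports nothing for a cleartext change, and the fixed policy still reports the pre-hashed case, which is the other failure mode raised in the comment above.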
--- Comment #4 from David Coutadeur david.coutadeur@gmail.com ---
(In reply to Ondřej Kuzník from comment #3)
On Fri, Nov 05, 2021 at 01:09:06PM +0000, openldap-its@openldap.org wrote:
What is your usecase where you'd need different modules in the same server?
No particular use case.
It's just that before ppm, the LTB project maintained another module named "check-password", and maybe it can help the transition to announce that OpenLDAP supports multiple modules at one time... But again there is no real use case.
Then I would wait until a compelling use case comes up before we consider reverting that change.
2/ it does not seem to work. (ie the extended module is not launched). See below for my config and data.
Just checking you are actually building with --enable-modules?
Yes indeed.
If it can help:
./configure [...]
Yes, that's fine, checking your policy again:
- pwdCheckQuality is 2, great, but the password you're setting is hashed already so it will just fail before considering whether the module should be used
No it's not. Sorry I didn't send you the modification ldif:
dn: uid=jack.oneill,ou=people,dc=my-domain,dc=com
changetype: modify
replace: userPassword
userPassword: secretsecret
- you are not using pwdUseCheckModule - the module configured will not actually be used even if dealing with plaintext passwords
Yes, it seems working with this parameter set inside the default policy!
I didn't understand this parameter fully at first instance.
This parameter is quite new, isn't it? (specific to the 2.6 release?) IMO it is actually a big step in the migration process. Maybe you can add this to the migration steps from 2.5 to 2.6. (It does not seem to be documented here, for example: https://www.openldap.org/doc/admin26/guide.html#Migration)
At least section 4.2.6 of the Behera draft[0] implicitly suggests that password administrators should be exempt from quality checking by being able to "set or reset the password to a well-known value." Is that the reason it wasn't being used for you or are you still having issues regardless of the above?
I have used a non-admin account for password modification.
The manpage doesn't seem to document that the module is not used unless pwdCheckQuality is also enabled. I'll see about fixing that, thanks.
Thanks for the clarification. Actually, I meant the documentation of slapo-ppolicy (man page) it could be nice to explain:
- what is deprecated
- what is each attribute made for
That's already documented here: https://git.openldap.org/openldap/openldap/-/blob/master/doc/man/man5/slapo-ppolicy.5#L645
Could you suggest any improvements to address whatever other confusion you think exists?
The extended module is described at multiple places in the manual. Maybe quote each time the minimum essential parameters implicated in the process? ie:
- olcPPolicyCheckModule
- pwdUseCheckModule
- pwdCheckModuleArg
The first occurrence where it is missing is for example:
ppolicy_check_module <path> Specify the path of a loadable module containing a check_password() function for additional password quality checks. The use of this module is described further below in the description of the pwdPolicyChecker objectclass.
Note: The user-defined loadable module must be in slapd's standard executable search PATH, or an absolute path must be provided.
Note: Use of a ppolicy_check_module is a non-standard extension to the LDAP password policy proposal.
Anyway, many thanks for your help!
Thanks,
[0]. https://datatracker.ietf.org/doc/html/draft-behera-ldap-password-policy-10#section-4.2.6
--- Comment #5 from Ondřej Kuzník ondra@mistotebe.net ---
On Mon, Nov 08, 2021 at 02:51:43PM +0000, openldap-its@openldap.org wrote:
- you are not using pwdUseCheckModule - the module configured will not actually be used even if dealing with plaintext passwords
Yes, it seems working with this parameter set inside the default policy!
I didn't understand this parameter fully at first instance.
This parameter is quite new, isn't it? (specific to the 2.6 release?) IMO it is actually a big step in the migration process. Maybe you can add this to the migration steps from 2.5 to 2.6. (It does not seem to be documented here, for example: https://www.openldap.org/doc/admin26/guide.html#Migration)
Yes and it has been documented in the upgrading section. How about these changes to the admin guide: https://git.openldap.org/openldap/openldap/-/merge_requests/440
That's already documented here: https://git.openldap.org/openldap/openldap/-/blob/master/doc/man/man5/slapo-...
Could you suggest any improvements to address whatever other confusion you think exists?
The extended module is described at multiple places in the manual. Maybe quote each time the minimum essential parameters implicated in the process? ie:
- olcPPolicyCheckModule
- pwdUseCheckModule
- pwdCheckModuleArg
The manpage is long enough even before we start duplicating things unnecessarily. Trying to add in what you mention, I found everything was already in the places I thought it was relevant and the links were mostly there to link the concepts. The existence of this ITS suggests you disagree, please suggest a different approach.
Also note that it's up to the actual module whether pwdCheckModuleArg is needed or not. As such we can only suggest what to do with it.
The first occurrence where it is missing is for example:
ppolicy_check_module <path> Specify the path of a loadable module containing a
check_password() function for additional password quality checks. The use of this module is described further below in the description of the pwdPolicyChecker objectclass.
"The use of this module is described further below in the description of the pwdPolicyChecker objectclass."
Is there anything about this sentence that should be changed to make it clearer after taking into account the change proposed in MR!441[0]?
[0]. https://git.openldap.org/openldap/openldap/-/merge_requests/441
Thanks,
Quanah Gibson-Mount quanah@openldap.org changed:
What             | Removed           | Added
-----------------|-------------------|--------------------
Assignee         | bugs@openldap.org | ondra@mistotebe.net
Target Milestone | ---               | 2.6.1
Keywords         | needs_review      |
Quanah Gibson-Mount quanah@openldap.org changed:
What       | Removed     | Added
-----------|-------------|---------
Status     | UNCONFIRMED | RESOLVED
Resolution | ---         | FIXED
--- Comment #6 from Quanah Gibson-Mount quanah@openldap.org ---
• 45720734 by Ondřej Kuzník at 2021-11-08T16:15:33+00:00 ITS#9740 Be more explicit about where we document the options
--- Comment #7 from Quanah Gibson-Mount quanah@openldap.org --- RE26:
• 53e4ceca by Ondřej Kuzník at 2021-11-08T15:45:49+00:00 ITS#9740 Upgrade guide tweaks
• 9081ec97 by Ondřej Kuzník at 2021-11-08T15:46:59+00:00 ITS#9725 Note that lastbind overlay might need reconfiguring in 2.6
• 0cc10bc0 by Ondřej Kuzník at 2021-11-08T16:28:51+00:00 ITS#9740 Mention where to find config changes for upgrades
--- Comment #8 from David Coutadeur david.coutadeur@gmail.com ---
(In reply to Ondřej Kuzník from comment #5)
On Mon, Nov 08, 2021 at 02:51:43PM +0000, openldap-its@openldap.org wrote:
- you are not using pwdUseCheckModule - the module configured will not actually be used even if dealing with plaintext passwords
Yes, it seems working with this parameter set inside the default policy!
I didn't understand this parameter fully at first instance.
This parameter is quite new, isn't it? (specific to the 2.6 release?) IMO it is actually a big step in the migration process. Maybe you can add this to the migration steps from 2.5 to 2.6. (It does not seem to be documented here, for example: https://www.openldap.org/doc/admin26/guide.html#Migration)
Yes and it has been documented in the upgrading section. How about these changes to the admin guide: https://git.openldap.org/openldap/openldap/-/merge_requests/440
That's already documented here: https://git.openldap.org/openldap/openldap/-/blob/master/doc/man/man5/slapo-...
Could you suggest any improvements to address whatever other confusion you think exists?
The extended module is described at multiple places in the manual. Maybe quote each time the minimum essential parameters implicated in the process? ie:
- olcPPolicyCheckModule
- pwdUseCheckModule
- pwdCheckModuleArg
The manpage is long enough even before we start duplicating things unnecessarily. Trying to add in what you mention, I found everything was already in the places I thought it was relevant and the links were mostly there to link the concepts. The existence of this ITS suggests you disagree, please suggest a different approach.
Also note that it's up to the actual module whether pwdCheckModuleArg is needed or not. As such we can only suggest what to do with it.
The first occurrence where it is missing is for example:
ppolicy_check_module <path> Specify the path of a loadable module containing a
check_password() function for additional password quality checks. The use of this module is described further below in the description of the pwdPolicyChecker objectclass.
"The use of this module is described further below in the description of the pwdPolicyChecker objectclass."
Is there anything about this sentence that should be changed to make it clearer after taking into account the change proposed in MR!441[0]?
[0]. https://git.openldap.org/openldap/openldap/-/merge_requests/441
Thanks,
Hi,
Sorry for the late answer.
I have read again the last version of slapo-ppolicy man page.
Everything seems ok: each section is linked to the others.
The attributes section (pwdUseCheckModule/pwdCheckModuleArg) defines all attributes in the same place and shows how they work together.
Thanks for the fix about the upgrade notes.
Regards
Quanah Gibson-Mount quanah@openldap.org changed:
What   | Removed  | Added
-------|----------|---------
Status | RESOLVED | VERIFIED