Hi John,
I didn't find a response to your query (pasted below). I'm about to try cooking up something similar. Did you ever get help or find the magic combination of ingredients to get pwdCheckModule working? If so, please share the recipe!
Thanks, Roger Metcalf
# # # # #
Hi all,
I don't know if this is the right list, but I'm hoping the author of the overlay or somebody equally knowledgeable is on this list and will be able to help me.
I'm attempting to use the password policy overlay with a custom password strength checker. The docs say the following on the subject:
"pwdCheckModule This attribute names a user-defined loadable module that must instantiate the check_password() function. This function will be called to further check a new password if pwdCheckQuality is set to one (1) or two (2), after all of the built-in password compliance checks have been passed. This function will be called according to this function prototype:
int check_password (char *pPasswd, char **ppErrStr, Entry *pEntry);
...
Note: The user-defined loadable module named by pwdCheckModule must be in slapd's standard executable search PATH. Note: pwdCheckModule is a non-standard extension to the LDAP password policy proposal
Now, I'm a little unclear on how exactly to compile such a module or where to place it so as to load it. "standard executable search PATH" seems to imply it should go where binaries go (for example /usr/local/bin), but I'm wondering if maybe it's the modulepath in the slapd.conf. I've tried both, so I'm assuming I'm not compiling it up correctly.
The following is my simple program using cracklib (untested, but I believe it should work). The file is called ldap_cracklib.c
#include <portable.h>
#include <slap.h>
#include <packer.h>      /* cracklib: FascistCheck() */
#include <string.h>      /* strdup() */

int check_password (char *pPasswd, char **ppErrStr, Entry *pEntry);

int check_password( char *pPasswd, char **ppErrStr, Entry *pEntry )
{
    const char *ret;

    /* the dictionary path is a string, so it needs double quotes,
       not the single quotes of a character constant */
    ret = FascistCheck( pPasswd, "/usr/local/libdata/cracklib/pw_dict" );
    if (ret == NULL) {
        return 0;        /* password accepted */
    }
    /* ppolicy frees the error string after logging it, so hand it a
       heap copy rather than cracklib's static buffer */
    *ppErrStr = strdup( ret );
    return 1;
}
I've compiled it to an object file with gcc -c (and a whole bunch of other arguments for includes, etc) and also to a library using libtool (i took the makefile for smbk5pwd and modified it). I've then tried modifying the pwdCheckModule to ldap_cracklib.o and ldap_cracklib.so respectively (after copying the relevant files to both /usr/local/bin and our module path, /usr/local/libexec/openldap).
I'm using the following command to try and change my password:
ldappasswd -x -W -A -H ldaps://ldapservername.fully.qualified.domain -D "uid=allmanj,ou=people,dc=fully,dc=qualified,dc=domain"
It prompts me for my old password twice, once for my new and then says:
ldap_bind: Invalid credentials (49)
I can confirm that my (old) password is correct by using ldapwhoami.
So should I be making a library? Should I be making a basic compiled object? Should I be making something else? Please bear in mind that I'm an administrator, not a programmer, so I am a little ignorant.
I've tried boosting the ldap log level and looking for errors, but I don't see anything.
Any help would be greatly appreciated.
Thanks,
John
Metcalf, Roger wrote:
Hi John,
I didn't find a response to your query (pasted below). I'm about to try cooking up something similar. Did you ever get help or find the magic combination of ingredients to get pwdCheckModule working? If so, please share the recipe!
Yes, it depends on the modulepath. And yes, a module is a DLL or shared library, just like a backend module or overlay module, and building it with libtool is probably the smartest approach.
Unlike other modules which are loaded once and then stay loaded, this module is loaded when referenced, then unloaded again after the call completes.
Hi!
A couple of days ago I finished the same thing. And it works ...
slapd.conf :
.....
include /usr/local/etc/openldap/schema/ppolicy.schema
modulepath /usr/sbin/openldap
moduleload ppolicy.la
overlay ppolicy
ppolicy_default "cn=std,ou=ppolicy,ou=users,ou=tm"
ppolicy_hash_cleartext
ppolicy_use_lockout
Ppolicy_example.ldif :

dn: ou=ppolicy, ou=users, ou=tm
ou: ppolicy
objectClass: organizationalUnit

dn: cn=std, ou=ppolicy, ou=users, ou=tm
pwdCheckModule: check_password.so
pwdMaxFailure: 6
pwdMustChange: TRUE
pwdAttribute: userPassword
pwdMinLength: 7
pwdSafeModify: FALSE
pwdInHistory: 4
pwdGraceAuthNLimit: 3
pwdCheckQuality: 1
objectClass: pwdPolicy
objectClass: top
objectClass: device
objectClass: pwdPolicyChecker
pwdLockoutDuration: 1800
cn: std
pwdAllowUserChange: TRUE
pwdExpireWarning: 2591900
pwdLockout: TRUE
pwdMaxAge: 2592000
And checking function :
......./openldap-2.3.32/servers/slapd/overlays/check_password.c :

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include "portable.h"
#include "slap.h"

int init_module()
{
    return 0;
}

int check_password(char *pPasswd, char **ppErrStr, Entry *pEntry)
{
    char pwqr=0;
    char retmsg[255];
    char *message;

    pwqr = 0;

    if (strstr( pPasswd, " ") != NULL) {
        pwqr = 1;
        strcpy(retmsg , "1:Password contains SPACE ...");
        goto paroles_rez;
    }
    //////////////////
    // .. other controls ..
    //////////////////

    return 0;

paroles_rez:
    /* Allocate */
    message = (char *)malloc(sizeof(char) * (strlen(retmsg)+1));
    /* Copy the contents of the string. */
    strcpy(message, retmsg);
    *ppErrStr=message;

    return pwqr;
}

......./openldap-2.3.32/servers/slapd/overlays/Makefile:
...
check_password:
	gcc -fPIC -c -I../../../include -I.. check_password.c
	gcc -shared -o check_password.so check_password.o
	cp -f check_password.so /usr/sbin/openldap
.....
Only, slapd shows my returned error message in the log file and doesn't forward it to the client.

Jan 30 09:05:39 KS-Test-1 slapd[11959]: check_password_quality: module error: (check_password.so) 1:Password contains SPACE ....[1]
Jan 30 09:05:39 KS-Test-1 slapd[11959]: send_ldap_result: conn=4 op=5 p=3
Jan 30 09:05:39 KS-Test-1 slapd[11959]: send_ldap_result: err=19 matched="" text="Password fails quality checking policy"
Jan 30 09:05:39 KS-Test-1 slapd[11959]: send_ldap_response: msgid=6 tag=103 err=19
Jan 30 09:05:39 KS-Test-1 slapd[11959]: conn=4 op=5 RESULT tag=103 err=19 text=Password fails quality checking policy
Andris Eiduks
-----Original Message-----
From: openldap-software-bounces+andris.eiduks=tietoenator.com@OpenLDAP.org [mailto:openldap-software-bounces+andris.eiduks=tietoenator.com@OpenLDAP.org] On Behalf Of Metcalf, Roger
Sent: Monday, January 29, 2007 5:51 PM
To: allmanj@cp.dias.ie
Cc: openldap-software@openldap.org
Subject: Ppolicy overlay password checking module
Andris.Eiduks@tietoenator.com wrote:
Hi!
A couple of days ago I finished the same thing. And it works ...
paroles_rez:
    /* Allocate */
    message = (char *)malloc(sizeof(char) * (strlen(retmsg)+1));
A comment on style: The C language spec defines sizeof(char) == 1. Explicitly multiplying by "sizeof(char)" in C code is redundant, distracting, and confusing.
It would have been better just to use strdup() here.
    /* Copy the contents of the string. */
    strcpy(message, retmsg);
    *ppErrStr=message;

    return pwqr;
}
Only, slapd shows my returned error message in the log file and doesn't forward it to the client.
That is by design. These errors are only meant for system administrators to view. Passing them back to the client would allow an attacker to discover the policy, and assist in password cracking attempts.
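As an added example, not code from any of the posters or from OpenLDAP itself, the following is a complete pwdCheckModule in the shape this thread converges on: it implements the check_password() prototype quoted from the docs, is built as a shared object and dropped into the slapd modulepath as in the Makefile fragment above, and hands back its reason in a heap-allocated string, because slapd free()s that string after logging it (the strdup() point raised in the last reply). The minimum length and character-class counts are assumed site policy, not OpenLDAP defaults; heap_msg() and count_classes() are helpers written for this example; and the SLAPD_MODULE macro and the opaque Entry typedef are a convenience so the checker also compiles and runs stand-alone without slapd's headers.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

#ifdef SLAPD_MODULE
#include "portable.h"    /* real build (-DSLAPD_MODULE): slapd's headers supply Entry */
#include "slap.h"
#else
typedef struct Entry Entry;   /* opaque stand-in so the checker runs stand-alone (assumption) */
#endif

/* Site policy values assumed for this example (not OpenLDAP defaults). */
#define PW_MIN_LENGTH  8
#define PW_MIN_CLASSES 3

int check_password(char *pPasswd, char **ppErrStr, Entry *pEntry);

/* Return a malloc()ed copy of s. slapd calls free() on *ppErrStr after
   logging it, so the module must never hand back a static or stack string. */
static char *heap_msg(const char *s)
{
    size_t n = strlen(s) + 1;
    char *m = malloc(n);
    if (m != NULL)
        memcpy(m, s, n);
    return m;
}

/* Count how many of the classes lower / upper / digit / other appear in pw. */
static int count_classes(const char *pw)
{
    int lower = 0, upper = 0, digit = 0, other = 0;
    for (; *pw != '\0'; pw++) {
        unsigned char c = (unsigned char)*pw;
        if (islower(c))      lower = 1;
        else if (isupper(c)) upper = 1;
        else if (isdigit(c)) digit = 1;
        else                 other = 1;
    }
    return lower + upper + digit + other;
}

/* Entry point looked up by the ppolicy overlay. Returns 0 when the password
   is acceptable; otherwise 1 with a heap-allocated reason in *ppErrStr,
   which slapd logs (not forwards to the client) and then frees. */
int check_password(char *pPasswd, char **ppErrStr, Entry *pEntry)
{
    char reason[128];

    (void)pEntry;   /* unused here; a real module could compare the password
                       against the entry's DN or uid attribute */

    if (pPasswd == NULL || strlen(pPasswd) < PW_MIN_LENGTH) {
        snprintf(reason, sizeof reason,
                 "Password is shorter than the %d-character minimum", PW_MIN_LENGTH);
    } else if (strchr(pPasswd, ' ') != NULL) {
        snprintf(reason, sizeof reason, "Password contains a space");
    } else if (count_classes(pPasswd) < PW_MIN_CLASSES) {
        snprintf(reason, sizeof reason,
                 "Password must use at least %d character classes "
                 "(lower, upper, digit, symbol)", PW_MIN_CLASSES);
    } else {
        *ppErrStr = NULL;
        return 0;
    }

    *ppErrStr = heap_msg(reason);
    return 1;
}

/* Stand-alone demonstration with constructed sample passwords; slapd never calls this. */
int main(void)
{
    const char *samples[] = { "abc", "Correct Horse1!", "alllowercase", "Tr0ub4dor&x" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char *err = NULL;
        int rc = check_password((char *)samples[i], &err, NULL);
        printf("%-18s -> %d %s\n", samples[i], rc, err ? err : "ok");
        free(err);   /* mirrors what ppolicy does with the message */
    }
    return 0;
}
```

Build it the way the Makefile fragment above does, adding -DSLAPD_MODULE and the server's include directories, then name the resulting .so in pwdCheckModule; as the first reply notes, slapd loads it from the modulepath on each use and unloads it afterwards, so a rebuilt module is picked up without restarting the server.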