Hey List,
I wanted to test the scenario where a user had forgotten his password, and needed to have it reset. I wanted to give this user the ability to change this temporary password if they wanted. To do this, I:
1. Executed ldappasswd, binding as the rootdn, to change the user's password
2. Used ldapvi to reset the sambaPwdCanChange and sambaPwdLastSet attributes
3. Logged in to the domain as the user
4. Hit Ctrl+Alt+Delete and selected "Change Password"
However, because my ppolicy pwdMinAge hadn't expired yet, the user was unable to change the password. So, it seems necessary to be able to change that value for the user so he/she can change their password. I couldn't find an attribute called pwdMinAge, but I'm assuming that's because it just looks at pwdChangedTime. I 'assume' because I couldn't find explicit documentation stating this, though the man page definition for pwdChangedTime says "[pwdChangedTime] is used by the password expiration policy to determine whether the password is too old to be allowed to be used for user authentication." Is this why I see a NT_STATUS_WRONG_PASSWORD returned from LDAP when a user tries to change a password that is being protected by pwdMinAge?
And, is executing an ldapmodify the proper thing to do in this situation to change the pwdChangedTime and allow the user to change his/her password? E.g.:
ldapmodify -D "cn=admin,dc=example,dc=com" -W
dn: uid=someuser,ou=Users,dc=example,dc=com
changetype: modify
replace: pwdChangedTime
# GeneralizedTime syntax, not a Unix epoch: 2008-04-08 21:29:48 UTC
pwdChangedTime: 20080408212948Z
Thanks as always, Ryan
My site uses ppolicy with great success.
Ryan Steele wrote, on 08-04-2008 23:35:
I wanted to test the scenario where a user had forgotten his password, and needed to have it reset. I wanted to give this user the ability to change this temporary password if they wanted. To do this, I:
- Executed ldappasswd, binding as the rootdn, to change the user's password
- Used ldapvi to reset the sambaPwdCanChange and sambaPwdLastSet attributes
Fie. That's part of what 'overlay smbk5pwd' is for. Does it automatically.
- Logged in to the domain as the user
- Hit Ctrl+Alt+Delete and selected "Change Password"
However, because my ppolicy pwdMinAge hadn't expired yet, the user was unable to change the password. So, it seems necessary to be able to change that value for the user so he/she can change their password. I couldn't find an attribute called pwdMinAge, but I'm assuming that's because it just looks at pwdChangedTime.
The pwdMinAge attribute exists. Perhaps a GUI such as gq could help here.
I 'assume' because I couldn't find explicit documentation stating this, though the man page definition for pwdChangedTime says "[pwdChangedTime] is used by the password expiration policy to determine whether the password is too old to be allowed to be used for user authentication." Is this why I see a NT_STATUS_WRONG_PASSWORD returned from LDAP when a user tries to change a password that is being protected by pwdMinAge?
No, pwdMinAge has nothing to do with Samba, Samba doesn't use it - see pdbedit -P.
And, is executing an ldapmodify the proper thing to do in this situation to change the pwdChangedTime and allow the user to change his/her password? E.g.:
ldapmodify -D "cn=admin,dc=example,dc=com" -W
dn: uid=someuser,ou=Users,dc=example,dc=com
changetype: modify
replace: pwdChangedTime
# GeneralizedTime syntax, not a Unix epoch: 2008-04-08 21:29:48 UTC
pwdChangedTime: 20080408212948Z
pwdChangedTime is an operational attribute and cannot be changed by *any* user, it is the directory that has to change it.
Best,
--Tonni
Tony Earnshaw wrote:
My site uses ppolicy with great success.
Ryan Steele wrote, on 08-04-2008 23:35:
I wanted to test the scenario where a user had forgotten his password, and needed to have it reset. I wanted to give this user the ability to change this temporary password if they wanted. To do this, I:
- Executed ldappasswd, binding as the rootdn, to change the user's password
- Used ldapvi to reset the sambaPwdCanChange and sambaPwdLastSet attributes
Fie. That's part of what 'overlay smbk5pwd' is for. Does it automatically.
I'm using smbk5pwd, but I think you're missing the point here. Users can change their passwords just fine thanks to the overlay, but not if I reset the password, because then the sambaPwdCanChange, sambaPwdLastSet, and pwdChangedTime (or pwdMinAge) gets updated. The first two I can fix easily, the third is where I run into trouble.
- Logged in to the domain as the user
- Hit Ctrl+Alt+Delete and selected "Change Password"
However, because my ppolicy pwdMinAge hadn't expired yet, the user was unable to change the password. So, it seems necessary to be able to change that value for the user so he/she can change their password. I couldn't find an attribute called pwdMinAge, but I'm assuming that's because it just looks at pwdChangedTime.
The pwdMinAge attribute exists. Perhaps a GUI such as gq could help here.
I shouldn't need a GUI to administer the directory, but nevertheless I installed phpldapadmin, and it doesn't see a pwdMinAge attribute in the user's entry. Neither slapcat nor ldapvi can find this attribute on the user either.
I 'assume' because I couldn't find explicit documentation stating this, though the man page definition for pwdChangedTime says "[pwdChangedTime] is used by the password expiration policy to determine whether the password is too old to be allowed to be used for user authentication." Is this why I see a NT_STATUS_WRONG_PASSWORD returned from LDAP when a user tries to change a password that is being protected by pwdMinAge?
No, pwdMinAge has nothing to do with Samba, Samba doesn't use it - see pdbedit -P.
It _does_ affect being able to change your password when logged into a Samba controlled domain. Adding a pwdMinAge attribute to my password policy prevents the user from being able to change his/her password after it's been reset by an administrator. I'm familiar with pdbedit, but I fail to see how that will help me solve this problem. I'm happy to be convinced otherwise, though.
And, is executing an ldapmodify the proper thing to do in this situation to change the pwdChangedTime and allow the user to change his/her password? E.g.:
ldapmodify -D "cn=admin,dc=example,dc=com" -W
dn: uid=someuser,ou=Users,dc=example,dc=com
changetype: modify
replace: pwdChangedTime
# GeneralizedTime syntax, not a Unix epoch: 2008-04-08 21:29:48 UTC
pwdChangedTime: 20080408212948Z
pwdChangedTime is an operational attribute and cannot be changed by *any* user, it is the directory that has to change it.
Well then, how does one accomplish what I'm trying to do? If a user forgets his/her password, and an admin resets it, I want the user to be able to change it to something they're comfortable with (which adheres to the restrictions), but short of removing the pwdMinAge attribute from my password policy, I can't seem to figure out how that is possible.
Thanks as always, Ryan
pwdMinAge is part of the password policy, not part of the user's record.
The schema defines pwdMinAge as being part of the objectClass pwdPolicy, so unless you have that in your user's record, it will not be there.
I believe you assume correctly that it uses math to determine when the password was last changed, and what the current time is. If that does not exceed the value of the password policy entry for pwdMinAge, then the change will fail.
You could change the user's passwordPolicy to be Zero Day password change, but you would have to change it back.
Min Age is used to avoid people from changing their password 10 times to avoid password rotation policies. Sometimes that gets in the way. The question I always ask is what is better, a password that a user can remember or the one that I forced them to have unique and they write down and stick on their monitor! :)
Sellers
On Apr 9, 2008, at 11:42 AM, Ryan Steele wrote:
______________________________________________
Chris G. Sellers | NITLE - Technology Team
734.661.2318 | chris.sellers@nitle.org
AIM: imthewherd | GoogleTalk: cgseller@gmail.com
Chris G. Sellers wrote:
pwdMinAge is part of the password policy, not part of the user's record.
The schema defines pwdMinAge as being part of the objectClass pwdPolicy, so unless you have that in your user's record, it will not be there.
I believe you assume correctly that it uses math to determine when the password was last changed, and what the current time is. If that does not exceed the value of the password policy entry for pwdMinAge, then the change will fail.
You could change the user's passwordPolicy to be Zero Day password change, but you would have to change it back.
RTFM already. slapo-ppolicy(5), pwdReset.
Howard Chu wrote:
RTFM already. slapo-ppolicy(5), pwdReset.
I set pwdReset to TRUE after setting a reasonable pwdMinAge, and reset the user's password with ldappasswd, binding as the rootdn to make the change. Then, I adjusted the sambaPwdCanChange and sambaPwdLastSet values to something earlier than the current time. Alas, I still get "Password is too young to change" from LDAP. My only recourse at this point is to only enforce the 'min password age' in Samba via pdbedit, but I'd really like to enforce this in LDAP as well as an extra precaution against shell users circumventing the policies laid forth in Samba. Any and all advice and/or clue-stick beatings welcome.
I look forward to the day when the interaction between the two is more seamless/native, which hopefully is in the not-too-distant future; I've been made aware of a new RFC proposal to make Samba play nice with ppolicy: http://www.ietf.org/internet-drafts/draft-zeilenga-ldap-passwords-00.txt
Ryan Steele wrote:
I set pwdReset to TRUE after setting a reasonable pwdMinAge, and reset the user's password with ldappasswd, binding as the rootdn to make the change.
Set pwdReset to TRUE *after* using ldappasswd. Normally any pwdModify operation will remove the pwdReset attribute.
Then, I adjusted the sambaPwdCanChange and sambaPwdLastSet values to something earlier than the current time. Alas, I still get "Password is too young to change" from LDAP. My only recourse at this point is to only enforce the 'min password age' in Samba via pdbedit, but I'd really like to enforce this in LDAP as well as an extra precaution against shell users circumventing the policies laid forth in Samba. Any and all advice and/or clue-stick beatings welcome.
I look forward to the day when the interaction between the two is more seamless/native, which hopefully is in the not-too-distant future; I've been made aware of a new RFC proposal to make Samba play nice with ppolicy: http://www.ietf.org/internet-drafts/draft-zeilenga-ldap-passwords-00.txt
Yes, one can hope...
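What the last two answers describe, as an added example (Python, not code from OpenLDAP, Samba or any of the posters): the minimum-age arithmetic from Chris Sellers' message and the pwdReset ordering from Howard Chu's. That a pwdReset-flagged entry is exempt from pwdMinAge, that the rootdn bypasses the age check, and that pwdMustChange TRUE in the policy sets pwdReset on an administrative reset are assumptions about the overlay, labelled in the code; the entry, policy and timestamps are constructed.

```python
"""Model of the slapo-ppolicy behaviour discussed in this thread.

Added example; not code from OpenLDAP, Samba or any poster. It reproduces the
arithmetic Chris Sellers describes (now minus pwdChangedTime compared with the
policy's pwdMinAge) and the ordering Howard Chu points out (a password modify
clears pwdReset, so pwdReset must be set afterwards). Assumptions to verify
against your slapd: a TRUE pwdReset exempts the user's own change from
pwdMinAge, the rootdn is not subject to the age check, and a policy with
pwdMustChange TRUE flags the entry on an administrative reset. All entries,
timestamps and policies below are constructed sample data.
"""
from datetime import datetime, timedelta, timezone

class PolicyError(Exception):
    """Where slapd would answer with an error and the ppolicy text."""

def is_generalized_time(value):
    # The plain YYYYmmddHHMMSSZ form ppolicy stores. A Unix epoch with 'Z'
    # appended, as in the thread's ldapmodify, is not GeneralizedTime.
    return len(value) == 15 and value.endswith("Z") and value[:14].isdigit()

def parse_generalized_time(value):
    if not is_generalized_time(value):
        raise ValueError("not GeneralizedTime: %r" % value)
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def to_generalized_time(when):
    return when.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")

# Maintained by the directory itself (NO-USER-MODIFICATION in the ppolicy schema).
NO_USER_MODIFICATION = {"pwdChangedTime"}

def modify_attribute(entry, attr, value):
    """An ordinary ldapmodify 'replace' of one attribute, as the server sees it."""
    if attr in NO_USER_MODIFICATION:
        raise PolicyError("%s: no user modification allowed" % attr)
    new = dict(entry)
    new[attr] = value
    return new

def modify_password(entry, policy, now, by_admin):
    """Password modify with the ppolicy overlay in front of it.

    by_admin=True models ldappasswd bound as the rootdn; by_admin=False the
    user's own change (Ctrl+Alt+Del via smbk5pwd, or ldappasswd as the user).
    """
    min_age = timedelta(seconds=int(policy.get("pwdMinAge", "0")))
    reset_pending = entry.get("pwdReset") == "TRUE"   # assumption: exempts from min age
    changed = entry.get("pwdChangedTime")
    if min_age and changed and not by_admin and not reset_pending:
        if now - parse_generalized_time(changed) < min_age:
            raise PolicyError("Password is too young to change")
    new = dict(entry)
    new["pwdChangedTime"] = to_generalized_time(now)  # the directory stamps it
    if by_admin and policy.get("pwdMustChange") == "TRUE":
        new["pwdReset"] = "TRUE"  # assumption: user must change it at next bind
    else:
        new.pop("pwdReset", None)  # any other password modify clears the flag
    return new

T0 = datetime(2008, 4, 8, 21, 29, 48, tzinfo=timezone.utc)  # constructed reset time
POLICY_MIN_AGE = {"pwdMinAge": "86400"}  # constructed pwdPolicy: one day

def fresh_entry():
    """Last changed a week before the reset, so only the reset itself is young."""
    return {"uid": "someuser",
            "pwdChangedTime": to_generalized_time(T0 - timedelta(days=7))}

def user_change_one_hour_later(entry, policy):
    try:
        modify_password(entry, policy, T0 + timedelta(hours=1), by_admin=False)
    except PolicyError as err:
        return str(err)
    return "changed"

def wrong_order():
    """pwdReset set, then ldappasswd: the reset wipes the flag, change refused."""
    entry = modify_attribute(fresh_entry(), "pwdReset", "TRUE")
    entry = modify_password(entry, POLICY_MIN_AGE, T0, by_admin=True)
    return user_change_one_hour_later(entry, POLICY_MIN_AGE)

def right_order():
    """ldappasswd first, then replace pwdReset with TRUE on the entry."""
    entry = modify_password(fresh_entry(), POLICY_MIN_AGE, T0, by_admin=True)
    entry = modify_attribute(entry, "pwdReset", "TRUE")
    return user_change_one_hour_later(entry, POLICY_MIN_AGE)

def with_pwdmustchange():
    """Let the policy do it: pwdMustChange TRUE flags the entry on the admin reset."""
    policy = dict(POLICY_MIN_AGE, pwdMustChange="TRUE")
    entry = modify_password(fresh_entry(), policy, T0, by_admin=True)
    return user_change_one_hour_later(entry, policy)

def backdate_pwdchangedtime():
    """The thread's ldapmodify of pwdChangedTime, which the server refuses."""
    try:
        modify_attribute(fresh_entry(), "pwdChangedTime", "20080408212948Z")
    except PolicyError as err:
        return str(err)
    return "accepted"
```

Against a real directory the sequence right_order() models is: ldappasswd bound as the rootdn against the user's DN first, then an ldapmodify that replaces pwdReset with TRUE on the same entry (or pwdMustChange: TRUE in the pwdPolicy entry, so the overlay flags it for you). Samba's own sambaPwdCanChange is a separate check done by Samba, not by ppolicy, and still has to be in the past or maintained by smbk5pwd.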
openldap-software@openldap.org