Hi,
I am trying to make ppolicy work when chain overlay is also configured.
Password lockout works. But changing the password stopped working after adding ppolicy. Here is part of the log for changing a password on a client that binds to one consumer:
==============================================================================
Jun 11 17:20:18 ldap2 slapd[4090]: do_modify
Jun 11 17:20:18 ldap2 slapd[4090]: do_modify: dn (uid=user1,ou=people,dc=example,dc=com)
Jun 11 17:20:18 ldap2 slapd[4090]: >>> dnPrettyNormal: <uid=user1,ou=people,dc=example,dc=com>
Jun 11 17:20:18 ldap2 slapd[4090]: <<< dnPrettyNormal: <uid=user1,ou=people,dc=example,dc=com>, <uid=user1,ou=people,dc=example,dc=com>
Jun 11 17:20:18 ldap2 slapd[4090]: modifications:
Jun 11 17:20:18 ldap2 slapd[4090]: replace: userPassword
Jun 11 17:20:18 ldap2 slapd[4090]: one value, length 41
Jun 11 17:20:18 ldap2 slapd[4090]: conn=17 op=7 MOD dn="uid=user1,ou=people,dc=example,dc=com"
Jun 11 17:20:18 ldap2 slapd[4090]: conn=17 op=7 MOD attr=userPassword
Jun 11 17:20:18 ldap2 slapd[4090]: bdb_dn2entry("uid=user1,ou=people,dc=example,dc=com")
Jun 11 17:20:18 ldap2 slapd[4090]: send_ldap_result: conn=17 op=7 p=3
Jun 11 17:20:18 ldap2 slapd[4090]: send_ldap_result: err=10 matched="" text=""
Jun 11 17:20:18 ldap2 slapd[4090]: send_ldap_result: referral="ldaps://provider/uid=user1,ou=people,dc=example,dc=com"
Jun 11 17:20:18 ldap2 slapd[4090]: >>> dnPrettyNormal: <uid=user1,ou=people,dc=example,dc=com>
Jun 11 17:20:18 ldap2 slapd[4090]: <<< dnPrettyNormal: <uid=user1,ou=people,dc=example,dc=com>, <uid=user1,ou=people,dc=example,dc=com>
Jun 11 17:20:18 ldap2 slapd[4090]: send_ldap_result: conn=17 op=7 p=3
Jun 11 17:20:18 ldap2 slapd[4090]: send_ldap_result: err=50 matched="" text="Must supply old password to be changed as well as new one"
Jun 11 17:20:18 ldap2 slapd[4090]: send_ldap_result: conn=17 op=7 p=3
Jun 11 17:20:18 ldap2 slapd[4090]: send_ldap_result: err=10 matched="" text=""
Jun 11 17:20:18 ldap2 slapd[4090]: send_ldap_result: referral="ldaps://provider/uid=user1,ou=people,dc=example,dc=com"
Jun 11 17:20:18 ldap2 slapd[4090]: send_ldap_response: msgid=8 tag=103 err=10
Jun 11 17:20:18 ldap2 slapd[4090]: send_ldap_response: ref="ldaps://provider/uid=user1,ou=people,dc=example,dc=com"
Jun 11 17:20:18 ldap2 slapd[4090]: conn=17 op=7 RESULT tag=103 err=10 text=
===============================================================================
Even though both the old and the new password were given, they seem not to be passed over to the provider.
With the chain overlay, how should I set up ppolicy so that the real user's password is passed along to the provider properly?
My provider slapd.conf setup is:
.....
index nisMapName,nisMapEntry eq,pres,sub
index entryCSN,entryUUID eq
overlay ppolicy
ppolicy_default "cn=passwdpolicy,ou=policies,dc=example,dc=com"
ppolicy_use_lockout
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
Simon
Simon Gao wrote:
overlay ppolicy
ppolicy_default "cn=passwdpolicy,ou=policies,dc=example,dc=com"
ppolicy_use_lockout
I had to make two changes to make ppolicy work, but my questions are still not answered:
1. Change pwdCheckQuality from the default 2 to 1. Does this attribute require the check_password module to work? 2.3.35 does not seem to include this module. Where can I find it?
2. Change pwdSafeModify from TRUE to FALSE. How do I configure a consumer's chain overlay to send both the existing and the new password to the provider at the same time?
Ideally, I would like to set pwdCheckQuality and pwdSafeModify to their preferred values (2 and TRUE). Any help is appreciated.
Simon
To help troubleshoot the ppolicy issue, I set up a client binding to the provider directly. So far my tests show the following attributes work as expected:
pwdLockout
pwdLockoutDuration
pwdMinAge
pwdMaxAge
pwdGraceAuthnLimit
pwdAllowUserChange
pwdMaxFailure
The following do not work for some reason:
pwdInHistory: ppolicy does not check whether an old password exists in the history or not; or maybe the old password was not even being saved.
pwdCheckQuality can only be set to 1 or disabled. This leads me to believe the password syntax check does not work on the server. This is confirmed by pwdMinLength failing to block passwords shorter than the specified number of characters. Does it take an external module for pwdCheckQuality to work? Or is some built-in function of slapd supposed to take care of it?
pwdExpireWarning does not send out a warning message to the user about password expiration. What else is required to make this feature work?
pwdMinLength does not work.
pwdSafeModify does not work if set to TRUE. How should one configure a client to send both the existing and the new password to the provider?
Has anyone made the above attributes work? Can you share your experience if you have?
Simon
On Thursday, 14 June 2007, Simon Gao wrote:
To help troubleshoot the ppolicy issue, I set up a client binding to the provider directly. So far my tests show the following attributes work as expected:
pwdLockout
pwdLockoutDuration
pwdMinAge
pwdMaxAge
pwdGraceAuthnLimit
pwdAllowUserChange
pwdMaxFailure
The following do not work for some reason:
pwdInHistory: ppolicy does not check whether an old password exists in the history or not; or maybe the old password was not even being saved.
False:
$ ldapsearch -x -D $ROOTDN -w $ROOTPW "(uid=bgmilne)" pwdHistory|grep ^pwd
pwdHistory: 20051024195301Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}due/1GRmi+/
pwdHistory: 20051024195320Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}WoTiMN/HvKb
pwdHistory: 20051024200447Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}QcLPVL+c+Gg
pwdHistory: 20051024200859Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}uLaheCI+c8r
pwdHistory: 20051024200906Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}IA62ZoaOYL/
pwdHistory: 20051024201018Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}ZOo4R/MjzmT
pwdHistory: 20051026152114Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}Xy2GA6wJSW0
pwdHistory: 20051129080907Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}ltRPSEWys6V
pwdHistory: 20070615091512Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}7XFYw9QSbM/
pwdHistory: 20070615091738Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}jmJjm9PIMVL
pwdHistory: 20070615092245Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}sraq4BVS46n
(I intentionally truncated these to not expose my test passwords). Note that most attributes related to ppolicy are operational attributes; you either have to ask for them by name, or ask for all operational attributes (with '+').
Testing a password change with a password in my history:
$ ldappasswd -x -D uid=bgmilne,ou=People,$BASEDN -W -S
New password:
Re-enter new password:
Enter LDAP Password:
Result: Constraint violation (19)
Additional info: Password is in history of old passwords
pwdCheckQuality can only be set to 1 or disabled. This leads me to believe the password syntax check does not work on the server. This is confirmed by pwdMinLength failing to block passwords shorter than the specified number of characters. Does it take an external module for pwdCheckQuality to work?
If you want to do anything besides check min and max lengths, you need a module.
However, pwdMinLength works for me (see below).
Note that depending on how you are changing passwords, the server might not have the opportunity to check this (set pwdCheckQuality to 2 if you don't want to allow methods where the server cannot check them).
Or is some built-in function of slapd supposed to take care of it?
pwdExpireWarning does not send out a warning message to the user about password expiration. What else is required to make this feature work?
Maybe you had more grace logins configured than you tried:
$ ldapwhoami -x -D uid=bgmilne,ou=People,$BASEDN -W -e ppolicy
Enter LDAP Password:
ldap_bind: Success (0) (Password expired, 4 grace logins remain)
dn:uid=bgmilne,ou=People,ou=internal,dc=telkomsa,dc=net
Result: Success (0)
[...]
$ ldapwhoami -x -D uid=bgmilne,ou=People,$BASEDN -W -e ppolicy
Enter LDAP Password:
ldap_bind: Invalid credentials (49); Password expired
$ ldapwhoami -x -D uid=bgmilne,ou=People,$BASEDN -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
pwdMinLength does not work.
It does, if pwdCheckQuality is 1 or 2:
$ ldappasswd -x -D uid=bgmilne,ou=People,$BASEDN -W -s qwertyu
Enter LDAP Password:
Result: Constraint violation (19)
Additional info: Password fails quality checking policy
$ ldappasswd -x -D uid=bgmilne,ou=People,$BASEDN -W -s qwertyui
Enter LDAP Password:
Result: Success (0)
pwdSafeModify does not work if set to TRUE. How should one configure a client to send both the existing and the new password to the provider?
Depends on the client. pam_ldap can be configured to do this, and I think the -a/-A/-t options to ldappasswd pertain to this.
Has anyone made the above attributes work? Can you share your experience if you have?
I think the more applicable question is, "how are you testing?".
Regards, Buchan
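A small Python model of the ppolicy checks exercised in this exchange (the err=50 "Must supply old password" from Simon's consumer log, and Buchan's two "Constraint violation (19)" results for history and quality), added here as an illustration; it is not code from the thread or from OpenLDAP. The {SSHA} helper follows the standard salted-SHA1 layout, the pwdHistory values are constructed with a fixed salt, and the "old password does not match" text is an assumed message, not slapd's.

```python
import base64
import hashlib

def ssha(password, salt):
    """Return OpenLDAP's {SSHA} form: base64(sha1(password + salt) + salt)."""
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_verify(password, stored):
    """Check a password against an {SSHA} value; the salt follows the 20-byte digest."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[6:])
    return hashlib.sha1(password + raw[20:]).digest() == raw[:20]

def parse_pwd_history(value):
    """Split a pwdHistory value 'time#syntaxOID#length#hash' into its fields."""
    time, oid, length, hashed = value.split("#", 3)
    return {"time": time, "syntax": oid, "length": int(length), "hash": hashed}

def check_password_change(old, new, current_hash, history, policy):
    """Simplified model of the slapo-ppolicy checks seen in this thread.
    Returns (LDAP result code, diagnostic text) in the order the checks are applied."""
    if policy.get("pwdSafeModify") and old is None:
        return 50, "Must supply old password to be changed as well as new one"
    if old is not None and not ssha_verify(old, current_hash):
        return 49, "old password does not match"  # assumed text, not slapd's
    if policy.get("pwdCheckQuality", 0) in (1, 2) and len(new) < policy.get("pwdMinLength", 0):
        return 19, "Password fails quality checking policy"
    if policy.get("pwdInHistory", 0) > 0:
        recent = history[-policy["pwdInHistory"]:]
        hashes = [current_hash] + [parse_pwd_history(h)["hash"] for h in recent]
        if any(ssha_verify(new, h) for h in hashes):
            return 19, "Password is in history of old passwords"
    return 0, "Success"

# Constructed sample data (hashes generated here, not taken from the thread).
SALT = b"\x01\x02\x03\x04"
CURRENT = ssha(b"qwertyui", SALT)
HISTORY = [
    "20051024195301Z#1.3.6.1.4.1.1466.115.121.1.40#38#" + ssha(b"oldpass01", SALT),
    "20070615092245Z#1.3.6.1.4.1.1466.115.121.1.40#38#" + ssha(b"oldpass02", SALT),
]
POLICY = {"pwdSafeModify": True, "pwdCheckQuality": 2, "pwdMinLength": 8, "pwdInHistory": 5}

if __name__ == "__main__":
    for old, new in [(None, b"newpass99"), (b"qwertyui", b"qwertyu"),
                     (b"qwertyui", b"oldpass02"), (b"qwertyui", b"newpass99")]:
        print(old, new, "->", check_password_change(old, new, CURRENT, HISTORY, POLICY))
```

The first case is what the consumer in Simon's log hits: a plain replace of userPassword carries no old password, so with pwdSafeModify TRUE the server cannot proceed regardless of what the client knew.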
Simon Gao wrote:
I am trying to make ppolicy work when chain overlay is also configured.
Password lockout works. But changing the password stopped working after adding ppolicy. Here is part of the log for changing a password on a client that binds to one consumer:
There is a bug (related to ITS#4964, AFAIR) that prevents password changes from being propagated correctly. It was fixed but not released yet. I don't know if there's also something related to ppolicy, but password changes shouldn't plainly work with slapo-chain(5). You should check if the problem persists with current re23 code (i.e. code tagged as OPENLDAP_REL_ENG_2_3 in the CVS).
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati@sys-net.it
---------------------------------------