(This email has been sitting in my drafts folder for a week ... if it seems incomplete, it was because I didn't want to wait till next week Tuesday when I am finally back in the office).
I'm trying to complete a system which allows authentication by a number of means, for example:
- Wifi authentication with WPA2 with MSCHAPv2 to FreeRADIUS against sambaNTPassword attribute in OpenLDAP
- Samba domain
- Kerberos with keys stored in OpenLDAP
- Some hardware devices which read userPassword and compare the hash
At the same time, I would like password policies applied, including:
- Password expiry by default (but exempt some accounts from password expiry)
- Password history checking
- Password strength rules (at minimum length, preferably enforce variation of character types)
It seems that Heimdal currently doesn't have password history support, and the password expiry available is quite limited (e.g. global via [kadmin]password_lifetime). However, Heimdal respects the sambaPwdMustChange attribute.
MIT has password history support, and support for multiple password expiry policies, but password history is not available with the LDAP backend (and I don't see mention of whether the password policies can be stored in LDAP either).
Password changes via Heimdal will:
- Change the password in the krb5key attributes
- Change the password in sambaNTPassword
- update krb5PasswordEnd
- update sambaPwdMustChange (but not sambaPwdLastSet)
- not change the password in userPassword
- not update pwdChangedTime
- not update passwords in pwdHistory
Password changes via OpenLDAP (exop) with ppolicy and smbk5pwd overlays will:
- Change the password in the krb5Key attributes
- Change the password in the userPassword attribute
- Change the password in the sambaNTPassword and sambaLMPassword attributes
- update pwdChangedTime
- update sambaPwdLastSet (but not sambaPwdMustChange)
- update passwords in pwdHistory
- Not update krb5PasswordEnd
I would prefer not to rely on password changing via samba, since most users don't really know anything about samba (so, I'll probably have samba setup for 'ldap passwd sync = only').
So, are there any solutions to this problem? Or, will one of ppolicy or smbk5pwd need to be updated to take the other into account?
Regards, Buchan
Buchan,
You may want to investigate pwdutils:
http://www.thkukuk.de/pam/pwdutils/
The website is a little dated, but the software appears to be more actively maintained at:
ftp://ftp.us.kernel.org/pub/linux/utils/net/NIS
- Dan White
On Thursday 11 October 2007 20:55:51 Dan White wrote:
> Buchan,
> You may want to investigate pwdutils:
> http://www.thkukuk.de/pam/pwdutils/
> The website is a little dated, but the software appears to be more actively maintained at:
> ftp://ftp.us.kernel.org/pub/linux/utils/net/NIS
I don't see anything in the current version that would alleviate my problems.
Maybe I was not clear enough. I am not looking for a tool to just change an LDAP password (I use ldappasswd for that currently, and it changes Samba passwords too via the smbk5passwd overlay) or provision accounts to LDAP etc. I am looking for a solution to ensure that, whichever mechanisms I decide to allow for password changes (e.g. LDAP password change exop), all aspects related to the use of that password are updated consistently, for use via simple binds, authentication via Samba/NTLM/MSCHAPv2, and Kerberos. At present I see no means to accomplish this (at most you can get 2/3).
pwdutils seems mostly to be similar in function to what I am currently using smbldap-tools for (but this function will probably be moved to some in-house software).
Regards, Buchan
On Oct 11, 2007, at 1:05 PM, Buchan Milne wrote:
> Maybe I was not clear enough. I am not looking for a tool to just change an LDAP password (I use ldappasswd for that currently, and it changes Samba passwords too via the smbk5passwd overlay) or provision accounts to LDAP etc. I am looking for a solution to ensure that, whichever mechanisms I decide to allow for password changes (e.g. LDAP password change exop), all aspects related to the use of that password are updated consistently, for use via simple binds, authentication via Samba/NTLM/MSCHAPv2, and Kerberos. At present I see no means to accomplish this (at most you can get 2/3).
The OpenLDAP-specific solution would be to write modules that, after update of a directory password, update whatever other systems you want updated.
Given this is the OpenLDAP Software list, I'll stop there.
-- Kurt
On Thursday 11 October 2007 22:34:33 Kurt Zeilenga wrote:
> On Oct 11, 2007, at 1:05 PM, Buchan Milne wrote:
> The OpenLDAP-specific solution would be to write modules that, after update of a directory password, update whatever other systems you want updated.
As discussed in the first email in this thread, the combination of modules (ppolicy, smbk5passwd) is not more than the sum of the two parts. Thus, password expiry times aren't updated in the samba-specific attributes (only the password, and time of last password change) or heimdal-specific attributes.
So, the OpenLDAP-specific solution I had in mind was one of:
- ppolicy, on seeing smbk5passwd has also changed sambaNTPassword and krb5Key, updates sambaPwdMustChange and krb5PasswordEnd according to the same policy
or
- smbk5passwd, on seeing pwdChangedTime being updated, assumes the times for sambaPwdMustChange and krb5PasswordEnd should be the same, and sets them.
or
- a third module, which applies the time in pwdChangedTime to sambaPwdMustChange and krb5PasswordEnd if sambaNTPassword or krb5Key have changed.
I'm happy to try and assist in implementing whichever of the 3 options is preferable ...
Regards, Buchan
Buchan,
pwdutils should perform the exop for you, in addition to the following:
- Make use of the chage command to maintain shadowMin, shadowMax, shadowWarning and shadowExpire attributes, assuming your users have shadowAccount.
- Update shadow expiry information when the passwd command is executed (the passwd command from pwdutils).
That should help handle shell/PAM authentications.
That doesn't solve your situation with samba/kerberos expirations, but you may be able to wrap passwd with a script and update the appropriate attributes based on the existing shadow attrs.
- Dan White
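The following is an added example, not code from this thread, from OpenLDAP or from pwdutils. It sketches the "third module" Buchan describes in his reply to Kurt (apply the time in pwdChangedTime to sambaPwdMustChange and krb5PasswordEnd when sambaNTPassword or krb5Key changed) and also Dan's fallback of deriving the same values from the shadowAccount attributes that the pwdutils passwd/chage commands maintain. All function names are assumptions; the entry is a constructed sample; the Samba "never expires" sentinel value is an assumption borrowed from the smbldap-tools convention, not something the thread states. The function only plans the modification, so it can be wrapped around ldappasswd/passwd or reused inside an overlay.

```python
# Added example: plan the expiry-attribute updates that the ppolicy+smbk5pwd
# path leaves stale, from whichever attribute recorded the password change.
# Names and sample data are assumptions, not from the thread or OpenLDAP.
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
SAMBA_NEVER_EXPIRES = 2147483647  # assumed sentinel (smbldap-tools convention for "never")
SHADOW_NO_MAX = 99999             # shadowMax at/above this is treated as "no expiry"


def parse_generalized_time(value: str) -> datetime:
    """ppolicy stores pwdChangedTime as LDAP GeneralizedTime, e.g. 20071011205551Z."""
    return datetime.strptime(value[:14], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def to_generalized_time(dt: datetime) -> str:
    """krb5PasswordEnd uses the same GeneralizedTime syntax."""
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def password_changed_at(entry: dict):
    """Time of the last change: prefer ppolicy's pwdChangedTime, otherwise
    shadowLastChange (days since the epoch, as written by pwdutils' passwd)."""
    if entry.get("pwdChangedTime"):
        return parse_generalized_time(entry["pwdChangedTime"][0])
    if entry.get("shadowLastChange"):
        return EPOCH + timedelta(days=int(entry["shadowLastChange"][0]))
    return None


def max_age_seconds(entry: dict, policy_max_age: int):
    """Per-account lifetime in seconds, or None for accounts exempt from expiry.
    A shadowMax on the entry overrides the global policy lifetime (in seconds)."""
    if entry.get("shadowMax"):
        days = int(entry["shadowMax"][0])
        return None if days < 0 or days >= SHADOW_NO_MAX else days * 86400
    return policy_max_age if policy_max_age > 0 else None


def plan_expiry_sync(entry: dict, changed_attrs: set, policy_max_age: int = 0) -> dict:
    """Return a modlist {attribute: [values]} covering the attributes neither
    overlay keeps in step. An empty value list means 'delete the attribute'
    (an absent krb5PasswordEnd is how Heimdal sees 'no expiry')."""
    mods = {}
    changed_at = password_changed_at(entry)
    touched_samba = "sambaNTPassword" in changed_attrs
    touched_krb = "krb5Key" in changed_attrs
    if changed_at is None or not (touched_samba or touched_krb):
        return mods  # nothing password-related changed, or no timestamp to apply
    lifetime = max_age_seconds(entry, policy_max_age)
    changed_epoch = int(changed_at.timestamp())
    if touched_samba:
        mods["sambaPwdLastSet"] = [str(changed_epoch)]
        must_change = SAMBA_NEVER_EXPIRES if lifetime is None else changed_epoch + lifetime
        mods["sambaPwdMustChange"] = [str(must_change)]
    if touched_krb:
        mods["krb5PasswordEnd"] = (
            [] if lifetime is None
            else [to_generalized_time(changed_at + timedelta(seconds=lifetime))]
        )
    return mods


# Constructed sample entry, as a password exop with ppolicy+smbk5pwd would leave it
SAMPLE_ENTRY = {
    "uid": ["example-user"],
    "pwdChangedTime": ["20071011205551Z"],
    "sambaNTPassword": ["<constructed NT hash placeholder>"],
    "krb5Key": ["<constructed key blob placeholder>"],
}

if __name__ == "__main__":
    ninety_days = 90 * 86400
    plan = plan_expiry_sync(SAMPLE_ENTRY, {"sambaNTPassword", "krb5Key"}, ninety_days)
    for attr, values in plan.items():
        print(attr, values)
```

The `changed_attrs` set stands in for what an overlay learns from the modify operation itself; a wrapper script that runs after ldappasswd or the pwdutils passwd command would simply pass both attribute names. Exemption from expiry is expressed per account through a negative shadowMax, which maps to the Samba sentinel and to removing krb5PasswordEnd, so the exempt accounts Buchan mentions stay consistent across all three consumers.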
Buchan Milne wrote:
> So, are there any solutions to this problem? Or, will one of ppolicy or smbk5pwd need to be updated to take the other into account?
It's a simple matter to update smbk5pwd. Nobody has asked until now, and you could easily do it yourself. I don't think ppolicy has any business doing that other stuff.