hi Ulrich,

"Ulrich Windl" Ulrich.Windl@rz.uni-regensburg.de writes:

> Felix Natter fnatter@gmx.net schrieb am 23.02.2022 um 21:45 in Nachricht
> 87wnhl9uru.fsf@bitburger.home.felix:
>
>> hello Ulrich,
>>
>> thanks for your reply! My replies are inline:
>>
>> "Ulrich Windl" Ulrich.Windl@rz.uni-regensburg.de writes:
>>
>>> Felix Natter fnatter@gmx.net schrieb am 22.02.2022 um 19:00 in Nachricht
>>> 87h78qlr1i.fsf@bitburger.home.felix:
>>>
>>>> hello Michael,
>>>>
>>>> many thanks for your reply!
>>>>
>>>> Michael Ströder michael@stroeder.com writes:
>>>>
>>>>> On 2/20/22 18:14, Felix Natter wrote:
>>>>>
>>>>>> my password policies (openldap 2.5.11) are not enforced and Roland Gruber
>>>>>> (author of LAM (Pro)) kindly advised me that passwords must be stored in
>>>>>> plaintext (Hash=PLAIN) in order to be able to enforce password minimal
>>>>>> length, password quality etc (i.e. when using passwd(1) on Linux or an
>>>>>> LDAP client on Windows).
>>>>>
>>>>> Nope. That sounds like misleading advice, or it's a misunderstanding on
>>>>> your side.
>>>>>
>>>>> - The LDAP client should support setting new password via LDAP Modify
>>>>>   Password extended operation
>>>>
>>>> I tried with passwd(1), which currently ignores the ppolicy. Does this
>>>> mean it does not support an LDAP Modify Password *extended* operation?
>>>> If not, can I enable it?
>>>
>>> I have these lines in /etc/ldap.conf (and it works):
>>>
>>> # Search the root DSE for the password policy (works
>>> # with Netscape Directory Server). Make use of
>>> # Password Policy LDAP Control (as in OpenLDAP)
>>> pam_lookup_policy yes
>>> ...
>>> # Use the OpenLDAP password change
>>> # extended operation to update the password.
>>> pam_password exop
>>> ...
>>
>> This is on the client, right?
>
> Yes!
>
>> I tried putting the two above options in /etc/openldap/ldap.conf,
>> rebooted, but no change. Also man ldap.conf does not mention them.
>
> As the "pam_" prefix might indicate, try "man pam_ldap" instead.
>
> ...
> Features of the PADL pam_ldap module include support for transport layer
> security, SASL authentication, directory server-enforced password policy,
> and host- and group- based logon authorization.
> ...
> pam_lookup_policy <yes|no>
>     Specifies whether to search the root DSE for password policy.
>     The default is "no".
> ...

pam_ldap does not exist in RH7 (actually Scientific Linux 7); I think your
SLES12 is also a bit older. See Michael's reply, which has an explanation
for this.

>> Which OS do you use?
>
> SLES 12 SP5
>
> I also have:
>
> # grep ldap /etc/nsswitch.conf
> group: files ldap
> services: files ldap
> netgroup: files ldap
> aliases: files ldap
> passwd_compat: ldap
>
> and
>
> /etc/pam.d # cat login
> #%PAM-1.0
> auth     requisite      pam_nologin.so
> auth     [user_unknown=ignore success=ok ignore=ignore auth_err=die default=bad] pam_securetty.so
> auth     include        common-auth
> account  include        common-account
> password include        common-password
> session  required       pam_loginuid.so
> session  include        common-session
> session  optional       pam_lastlog.so nowtmp
> session  optional       pam_mail.so standard
>
> Maybe this helps.

Thank you. As I wrote in the other reply today, pwdCheckQuality:0 was set,
and I'm pretty sure I did not need any client changes to make PPs work on
SL7 (with pwdCheckQuality:2 on the server).

Many Thanks and Best Regards,
Felix
--
Felix Natter
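An added illustration of the pwdCheckQuality behaviour the thread ends on, as documented in slapo-ppolicy(5); this is not code from the thread or from OpenLDAP, the policy objects, sample passwords and the hashed-scheme regex are constructed approximations of what the overlay does.

```python
"""Why the fix was server-side: slapo-ppolicy(5) can only measure a new
password it receives in the clear (as the Password Modify extended operation
used by 'pam_password exop' or ldappasswd delivers it).  A client writing an
already hashed userPassword gives it nothing to check, and pwdCheckQuality
decides whether that is tolerated.  All values below are constructed."""
import re
from dataclasses import dataclass

# Approximation of "is this value pre-hashed": {SSHA}..., {CRYPT}..., {MD5}...
HASHED_SCHEME = re.compile(r"^\{[A-Za-z0-9-]+\}")


@dataclass
class PasswordPolicy:
    # 0: never check, 1: check when possible, 2: check and reject if impossible
    pwdCheckQuality: int = 0
    pwdMinLength: int = 0  # 0 means no minimum


def check_new_password(policy: PasswordPolicy, value: str) -> tuple[bool, str]:
    """Decide whether ppolicy would accept `value` as the new userPassword."""
    if policy.pwdCheckQuality == 0:
        # The root cause in the thread: with 0 nothing is ever rejected.
        return True, "pwdCheckQuality 0: quality checking disabled"
    if HASHED_SCHEME.match(value):
        if policy.pwdCheckQuality == 2:
            return False, "pre-hashed value cannot be checked (pwdCheckQuality 2)"
        return True, "pre-hashed value accepted unchecked (pwdCheckQuality 1)"
    if policy.pwdMinLength and len(value) < policy.pwdMinLength:
        return False, f"shorter than pwdMinLength {policy.pwdMinLength}"
    return True, "quality checks passed"


def audit_policy(policy: PasswordPolicy) -> list[str]:
    """Flag settings that silently turn enforcement off."""
    findings = []
    if policy.pwdCheckQuality == 0:
        findings.append("pwdCheckQuality is 0: pwdMinLength and checkers never run")
    elif policy.pwdCheckQuality == 1:
        findings.append("pwdCheckQuality is 1: hashed values from clients bypass checks")
    if policy.pwdMinLength == 0:
        findings.append("pwdMinLength is 0: no length requirement")
    return findings


if __name__ == "__main__":
    for pol in (PasswordPolicy(0, 12), PasswordPolicy(2, 12)):
        print(pol, check_new_password(pol, "short"), audit_policy(pol))
```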