hi Ulrich,
"Ulrich Windl" <Ulrich.Windl(a)rz.uni-regensburg.de> writes:
>>> Felix Natter <fnatter(a)gmx.net> wrote on 23.02.2022 at 21:45 in message
<87wnhl9uru.fsf(a)bitburger.home.felix>:
> hello Ulrich,
>
> thanks for your reply! My replies are inline:
>
> "Ulrich Windl" <Ulrich.Windl(a)rz.uni-regensburg.de> writes:
>>>>> Felix Natter <fnatter(a)gmx.net> wrote on 22.02.2022 at 19:00 in message
>> <87h78qlr1i.fsf(a)bitburger.home.felix>:
>>> hello Michael,
>>>
>>> many thanks for your reply!
>>>
>>> Michael Ströder <michael(a)stroeder.com> writes:
>>>> On 2/20/22 18:14, Felix Natter wrote:
>>>>> my password policies (openldap 2.5.11) are not enforced and Roland
>>>>> Gruber (author of LAM (Pro)) kindly advised me that passwords must be
>>>>> stored in plaintext (Hash=PLAIN) in order to be able to enforce password
>>>>> minimal length, password quality etc (i.e. when using passwd(1) on Linux
>>>>> or an LDAP client on Windows).
>>>>
>>>> Nope. That sounds like misleading advice, or it's a misunderstanding on
>>>> your side.
>>>>
>>>> 1. The LDAP client should support setting new password via LDAP Modify
>>>> Password extended operation
>>>
>>> I tried with passwd(1), which currently ignores the ppolicy. Does this
>>> mean it does not support an LDAP Modify Password *extended* operation?
>>> If not, can I enable it?
>>
>> I have these lines in /etc/ldap.conf (and it works):
>> # Search the root DSE for the password policy (works
>> # with Netscape Directory Server). Make use of
>> # Password Policy LDAP Control (as in OpenLDAP)
>> pam_lookup_policy yes
>> ...
>> # Use the OpenLDAP password change
>> # extended operation to update the password.
>> pam_password exop
>> ...
>
> This is on the client, right?
Yes!
>
> I tried putting the two above options in /etc/openldap/ldap.conf,
> rebooted, but no change. Also man ldap.conf does not mention them.
As the "pam_" prefix might indicate, try "man pam_ldap" instead.
...
Features of the PADL pam_ldap module include support for transport
layer security, SASL authentication, directory server-enforced password
policy, and host- and group- based logon authorization.
...
pam_lookup_policy <yes|no>
Specifies whether to search the root DSE for password policy.
The default is "no".
...
pam_ldap does not exist in RH7 (actually Scientific Linux 7), I think
your SLES12 is also a bit older. See Michael's reply, which has an
explanation for this.
>
> Which OS do you use?
SLES 12 SP5
I also have:
# grep ldap /etc/nsswitch.conf
group: files ldap
services: files ldap
netgroup: files ldap
aliases: files ldap
passwd_compat: ldap
and
/etc/pam.d # cat login
#%PAM-1.0
auth requisite pam_nologin.so
auth [user_unknown=ignore success=ok ignore=ignore auth_err=die default=bad] pam_securetty.so
auth include common-auth
account include common-account
password include common-password
session required pam_loginuid.so
session include common-session
session optional pam_lastlog.so nowtmp
session optional pam_mail.so standard
Maybe this helps.
Thank you. As I wrote in the other reply today, pwdCheckQuality:0 was
set, and I'm pretty sure I did not need any client changes to make PPs
work on SL7 (with pwdCheckQuality:2 on the server).
Many Thanks and Best Regards,
Felix
--
Felix Natter
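The fix Felix describes (pwdCheckQuality set to 0 on the server, raised to 2) is the server-side half of the picture; the client-side half is that the password has to reach slapd through the Password Modify extended operation so the server can check it before hashing it itself. The LDIF below is an added, constructed example and not taken from anyone in this thread; the policy DN, admin DN and user DN are placeholders, and pwdMinLength is included only to show where the "minimal length" rule from the original question lives.

```ldif
# Constructed example: raise pwdCheckQuality on an existing ppolicy entry.
# The DN is a placeholder; use the entry that olcPPolicyDefault (or a user's
# pwdPolicySubentry attribute) points to in your own directory.
#
# pwdCheckQuality values (OpenLDAP ppolicy overlay):
#   0 = never check quality (the value found in the thread: nothing enforced)
#   1 = check when possible; accept the password if the server cannot check it
#   2 = check, and reject the change if the server cannot check it
#
# Apply with an admin bind over StartTLS, e.g.:
#   ldapmodify -H ldap://ldap.example.com -ZZ \
#       -D "cn=admin,dc=example,dc=com" -W -f ppolicy-quality.ldif
dn: cn=default,ou=policies,dc=example,dc=com
changetype: modify
replace: pwdCheckQuality
pwdCheckQuality: 2
-
replace: pwdMinLength
pwdMinLength: 12
```

To verify from a client without touching PAM at all, change a test user's password with ldappasswd, which sends the Password Modify extended operation (the same thing pam_ldap's `pam_password exop` does): `ldappasswd -H ldap://ldap.example.com -ZZ -D "uid=testuser,ou=people,dc=example,dc=com" -W -S`. Because the extended operation carries the new password in clear (inside TLS), slapd can evaluate it against the policy and then store it hashed according to its own configuration, which is why storing Hash=PLAIN is never required. A client that instead writes a pre-hashed userPassword with an ordinary Modify gives the server nothing to check: with pwdCheckQuality 2 that change is rejected, and with 1 it is silently accepted unchecked, so 2 is the setting that surfaces misconfigured clients.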