Hi community,
We want to implement password policies in our DIT and are testing ppolicy, and we found issues using olcPasswordHash, the Password Modify extension and so on. Here are my tests:
1) My cn=config with olcPasswordHash and olcSuffix values
$ ldapsearch -D "cn=admin,dc=ktu,dc=lt" -W -x -b "cn=config" olcPasswordHash olcSuffix
dn: cn=config
olcPasswordHash: {SSHA}
...
# {-1}frontend, config
dn: olcDatabase={-1}frontend,cn=config
olcPasswordHash: {SSHA}
olcPasswordHash: {SHA}
olcPasswordHash: {SMD5}
olcPasswordHash: {MD5}
olcPasswordHash: {CRYPT}
...
# {2}hdb, config
dn: olcDatabase={2}hdb,cn=config
olcSuffix: dc=ktu,dc=lt
$
2) My test user exists without a userPassword attribute
$ ldapsearch -D "cn=admin,dc=ktu,dc=lt" -W -x -b "eduPersonPrincipalName=testuser9@ktu.lt,ou=People,ou=Users,dc=ktu,dc=lt" userPassword
Enter LDAP Password:
dn: eduPersonPrincipalName=testuser9@ktu.lt,ou=People,ou=Users,dc=ktu,dc=lt
$
3) Setting a password for the test user. As the documentation says, "ldappasswd uses the LDAPv3 Password Modify (RFC 3062) extended operation."
$ ldappasswd -h localhost -D "cn=admin,dc=ktu,dc=lt" -x -W -S "eduPersonPrincipalName=testuser9@ktu.lt,ou=People,ou=Users,dc=ktu,dc=lt"
New password:
Re-enter new password:
Enter LDAP Password:
$
4) userPassword somehow becomes multivalued
$ ldapsearch -D "cn=admin,dc=ktu,dc=lt" -W -x -b "eduPersonPrincipalName=testuser9@ktu.lt,ou=People,ou=Users,dc=ktu,dc=lt" userPassword
Enter LDAP Password:
# testuser9@ktu.lt, People, Users, ktu.lt
dn: eduPersonPrincipalName=testuser9@ktu.lt,ou=People,ou=Users,dc=ktu,dc=lt
userPassword:: e1NTSEF9RlE3VjRYa003RVJ6eGFTNjR4ZkFRSzRGZEk4cFk0UDQ=   --> {SSHA}FQ7V4XkM7ERzxaS64xfAQK4FdI8pY4P4
userPassword:: e1NTSEF9K1JtbWl3M0RxTTV3aEl0U3g5TjVrZWRETlpES3NROUg=   --> {SSHA}+Rmmiw3DqM5whItSx9N5kedDNZDKsQ9H
userPassword:: e1NIQX1maVFONTAreDdRajZDTk9BWS9hbXFSUmlxQlU9           --> {SHA}fiQN50+x7Qj6CNOAY/amqRRiqBU=
userPassword:: e1NNRDV9VUdaa3ZDSWI5Qld4a1VNcUhyZEl3ZElTbnJ3PQ==       --> {SMD5}UGZkvCIb9BWxkUMqHrdIwdISnrw=
userPassword:: e01ENX1SN3pseDA5WW4waG4yOVYrbktuNENBPT0=               --> {MD5}R7zlx09Yn0hn29V+nKn4CA==
userPassword:: e0NSWVBUfTFNZVAud1ZxenEvdWM=                           --> {CRYPT}1MeP.wVqzq/uc
$
I guess the "frontend" database has the so-called global olcPasswordHash directive in effect over all databases. I also guess that one SSHA form comes from cn=config and the other five forms come from "frontend". Does anyone know if this is true?
5) If the above is true, overriding the globals in the local database config seems like a solution to me, but ...
$ ldapmodify -D "cn=admin,dc=ktu,dc=lt" -W -x <<EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcPasswordHash
olcPasswordHash: {SSHA}
EOF
Enter LDAP Password:
modifying entry "olcDatabase={2}hdb,cn=config"
ldap_modify: Object class violation (65)
        additional info: attribute 'olcPasswordHash' not allowed
$
Is it possible to get rid of the insecure forms of password schemes? I always believed that password-hash (olcPasswordHash) should help do that. Maybe I am missing something? I also think that it could be related to ITS#7625 http://www.openldap.org/its/index.cgi/Incoming?id=7625;expression=ppolicy;page=2, and to why ppolicy shows the "Additional info: Password policy only allows one password value" error message. Please help clear things up.
System: Debian 7.0 (wheezy)
OpenLDAP: 2.4.31 (from package)
Thank you.
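Added example, not from the original post or from OpenLDAP: a small audit script for the situation shown above. slapd-config(5) documents olcPasswordHash as taking one or more schemes, and the post's output shows one userPassword value generated per configured scheme, which is exactly the multi-valued attribute ppolicy then rejects. The script parses ldapsearch-style LDIF (folded lines, `#` comments, base64 `attr::` values), lists the olcPasswordHash values found in cn=config, and for every entry reports the `{scheme}` of each stored userPassword value, flags unsalted or legacy ones, and flags entries holding more than one value. The sample LDIF is constructed: the cn=config entries and the six testuser9 values are copied from the post, while testuser10 (a single {SSHA} value) is invented as the "good" case. Everything else, including the weakness classification, is the example's own choice, not slapd's.

```python
"""Audit userPassword hash schemes in ldapsearch LDIF output (added example)."""
import base64
import re

LINE_RE = re.compile(r"^([A-Za-z][\w;.-]*)(::?)\s*(.*)$")
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.S)
# Of the schemes slapd's password-hash can generate, only {SSHA} is a salted
# SHA digest; {SHA}/{MD5} are unsalted, {SMD5} is MD5-based, {CRYPT} varies.
STRONG = {"SSHA"}


def parse_ldif(text):
    """Return [(dn, {attr: [values]})] from ldapsearch-style LDIF text."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#"):            # ldapsearch comment lines
            continue
        if raw.startswith(" ") and lines:  # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines + [""]:              # sentinel flushes the last entry
        if not line.strip():
            if current is not None:
                entries.append(current)
            current = None
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        attr, sep, value = m.groups()
        if sep == "::":                    # base64-encoded value
            value = base64.b64decode(value).decode("utf-8", "replace")
        if attr.lower() == "dn":
            current = (value, {})
        elif current is not None:          # drops trailer lines like "result: 0 Success"
            current[1].setdefault(attr, []).append(value)
    return entries


def classify(value):
    """Return (scheme, weakness-or-None) for one stored userPassword value."""
    m = SCHEME_RE.match(value)
    if not m:
        return "CLEARTEXT", "no {scheme} prefix, stored in the clear"
    scheme, body = m.group(1).upper(), m.group(2)
    if scheme == "CRYPT":
        # crypt(3): $5$/$6$ are SHA-crypt, $2*$ bcrypt; $1$ is MD5 and a bare
        # 13-character string (as in the post) is traditional DES.
        if body.startswith(("$5$", "$6$", "$2a$", "$2b$", "$2y$")):
            return scheme, None
        return scheme, "legacy crypt(3) format (DES or MD5)"
    if scheme in STRONG:
        return scheme, None
    return scheme, "unsalted or MD5-based digest"


def audit_passwords(entries, attr="userPassword"):
    """Per DN: schemes used, weakness notes, and whether more than one value is stored."""
    report = {}
    for dn, attrs in entries:
        values = attrs.get(attr, [])
        if not values:
            continue
        schemes, weak = [], []
        for v in values:
            scheme, reason = classify(v)
            schemes.append(scheme)
            if reason:
                weak.append("{%s}: %s" % (scheme, reason))
        report[dn] = {"schemes": schemes, "weak": weak,
                      "multivalued": len(values) > 1}
    return report


def password_hash_settings(entries):
    """Map each cn=config entry that carries olcPasswordHash to its values."""
    return {dn: a["olcPasswordHash"] for dn, a in entries if "olcPasswordHash" in a}


def _b64(s):
    return base64.b64encode(s.encode()).decode()


# Constructed sample: config entries and testuser9's values as in the post,
# testuser10 invented; the long dn is folded the way ldapsearch folds it.
_TESTUSER9 = ["{SSHA}FQ7V4XkM7ERzxaS64xfAQK4FdI8pY4P4",
              "{SSHA}+Rmmiw3DqM5whItSx9N5kedDNZDKsQ9H",
              "{SHA}fiQN50+x7Qj6CNOAY/amqRRiqBU=",
              "{SMD5}UGZkvCIb9BWxkUMqHrdIwdISnrw=",
              "{MD5}R7zlx09Yn0hn29V+nKn4CA==",
              "{CRYPT}1MeP.wVqzq/uc"]
SAMPLE_LDIF = """# extended LDIF
dn: cn=config
olcPasswordHash: {SSHA}

dn: olcDatabase={-1}frontend,cn=config
olcPasswordHash: {SSHA}
olcPasswordHash: {SHA}
olcPasswordHash: {SMD5}
olcPasswordHash: {MD5}
olcPasswordHash: {CRYPT}

dn: olcDatabase={2}hdb,cn=config
olcSuffix: dc=ktu,dc=lt

""" + "\n".join(
    ["dn: eduPersonPrincipalName=testuser9@ktu.lt,ou=People,ou=Users,dc=ktu,dc=", " lt"]
    + ["userPassword:: " + _b64(v) for v in _TESTUSER9]
    + ["", "dn: eduPersonPrincipalName=testuser10@ktu.lt,ou=People,ou=Users,dc=ktu,dc=lt",
       "userPassword:: " + _b64("{SSHA}FQ7V4XkM7ERzxaS64xfAQK4FdI8pY4P4"),
       "", "search: 2", "result: 0 Success"])

if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for dn, vals in password_hash_settings(entries).items():
        print(dn, "->", " ".join(vals))
    for dn, r in audit_passwords(entries).items():
        print(dn, r["schemes"], "MULTIVALUED" if r["multivalued"] else "", r["weak"])
```

To run it against a live directory, pipe `ldapsearch -x -D ... -W -b dc=ktu,dc=lt userPassword` (and a second search over `cn=config` for olcPasswordHash) into `parse_ldif` instead of SAMPLE_LDIF; the parser only needs the ldapsearch text, not a bind of its own.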