Hi community,
We want to implement password policies in our DIT, and while testing
ppolicy we found issues with olcPasswordHash, the Password Modify
extension and so on. Here are my tests:
1) My cn=config with olcPasswordHash and olcSuffix values
$ ldapsearch -D "cn=admin,dc=ktu,dc=lt" -W -x -b "cn=config" olcPasswordHash olcSuffix
dn: cn=config
olcPasswordHash: {SSHA}
...
# {-1}frontend, config
dn: olcDatabase={-1}frontend,cn=config
olcPasswordHash: {SSHA}
olcPasswordHash: {SHA}
olcPasswordHash: {SMD5}
olcPasswordHash: {MD5}
olcPasswordHash: {CRYPT}
...
# {2}hdb, config
dn: olcDatabase={2}hdb,cn=config
olcSuffix: dc=ktu,dc=lt
$
2) My test user exists without a userPassword attribute
$ ldapsearch -D "cn=admin,dc=ktu,dc=lt" -W -x -b "eduPersonPrincipalName=testuser9@ktu.lt,ou=People,ou=Users,dc=ktu,dc=lt" userPassword
Enter LDAP Password:
dn: eduPersonPrincipalName=testuser9@ktu.lt,ou=People,ou=Users,dc=ktu,dc=lt
$
3) Setting a password for the test user. As the documentation says,
"ldappasswd uses the LDAPv3 Password Modify (RFC 3062) extended
operation."
$ ldappasswd -h localhost -D "cn=admin,dc=ktu,dc=lt" -x -W -S "eduPersonPrincipalName=testuser9@ktu.lt,ou=People,ou=Users,dc=ktu,dc=lt"
New password:
Re-enter new password:
Enter LDAP Password:
$
4) userPassword somehow becomes multivalued
$ ldapsearch -D "cn=admin,dc=ktu,dc=lt" -W -x -b "eduPersonPrincipalName=testuser9@ktu.lt,ou=People,ou=Users,dc=ktu,dc=lt" userPassword
Enter LDAP Password:
# testuser9@ktu.lt, People, Users, ktu.lt
dn: eduPersonPrincipalName=testuser9@ktu.lt,ou=People,ou=Users,dc=ktu,dc=lt
userPassword:: e1NTSEF9RlE3VjRYa003RVJ6eGFTNjR4ZkFRSzRGZEk4cFk0UDQ= --> {SSHA}FQ7V4XkM7ERzxaS64xfAQK4FdI8pY4P4
userPassword:: e1NTSEF9K1JtbWl3M0RxTTV3aEl0U3g5TjVrZWRETlpES3NROUg= --> {SSHA}+Rmmiw3DqM5whItSx9N5kedDNZDKsQ9H
userPassword:: e1NIQX1maVFONTAreDdRajZDTk9BWS9hbXFSUmlxQlU9 --> {SHA}fiQN50+x7Qj6CNOAY/amqRRiqBU=
userPassword:: e1NNRDV9VUdaa3ZDSWI5Qld4a1VNcUhyZEl3ZElTbnJ3PQ== --> {SMD5}UGZkvCIb9BWxkUMqHrdIwdISnrw=
userPassword:: e01ENX1SN3pseDA5WW4waG4yOVYrbktuNENBPT0= --> {MD5}R7zlx09Yn0hn29V+nKn4CA==
userPassword:: e0NSWVBUfTFNZVAud1ZxenEvdWM= --> {CRYPT}1MeP.wVqzq/uc
$
I guess the "frontend" database has a so-called global olcPasswordHash
directive in effect over all databases. I also guess that 1 SSHA
form comes from cn=config, and the other 5 forms come from "frontend".
Does anyone know if this is true?
5) If the above is true, overwriting the globals in the local database config
seems like a solution to me, but ...
$ ldapmodify -D "cn=admin,dc=ktu,dc=lt" -W -x <<EOF
> dn: olcDatabase={2}hdb,cn=config
> changetype: modify
> add: olcPasswordHash
> olcPasswordHash: {SSHA}
> EOF
Enter LDAP Password:
modifying entry "olcDatabase={2}hdb,cn=config"
ldap_modify: Object class violation (65)
additional info: attribute 'olcPasswordHash' not allowed
$
Is it possible to get rid of the insecure forms of password schemes? I
always believed that password-hash (olcPasswordHash) should help to
do that. Maybe there is something I don't know? I also think that it could
be related to ITS#7625, which is why ppolicy shows the
"Additional info: Password policy only allows one password value"
error message. Please help to clear things out.
System: Debian 7.0 (wheezy)
OpenLDAP: 2.4.31 (from package)
Thank you.
--
Pagarbiai,
Nerijus Kislauskas
KTU ITD, Litnet valdymo centras
Studentu g. 48a - 101, Kaunas
tel.: (8~37) 30 06 45
mob. tel.: 8-614-93889
e-mail.: nerijus.kislauskas@ktu.lt
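As an added example (not part of the post above), a small audit script that decodes the six base64 userPassword values shown in step 4, names each storage scheme, flags the forms a directory owner would want to phase out, and shows how the salt in an {SSHA} value is laid out (OpenLDAP stores base64(sha1(password+salt)+salt)). Which schemes count as "weak" here is my own classification, not anything from the post.

```python
import base64
import hashlib
import os

# Constructed LDIF fragment; the six userPassword values are the ones from the post.
LDIF = """\
dn: eduPersonPrincipalName=testuser9@ktu.lt,ou=People,ou=Users,dc=ktu,dc=lt
userPassword:: e1NTSEF9RlE3VjRYa003RVJ6eGFTNjR4ZkFRSzRGZEk4cFk0UDQ=
userPassword:: e1NTSEF9K1JtbWl3M0RxTTV3aEl0U3g5TjVrZWRETlpES3NROUg=
userPassword:: e1NIQX1maVFONTAreDdRajZDTk9BWS9hbXFSUmlxQlU9
userPassword:: e1NNRDV9VUdaa3ZDSWI5Qld4a1VNcUhyZEl3ZElTbnJ3PQ==
userPassword:: e01ENX1SN3pseDA5WW4waG4yOVYrbktuNENBPT0=
userPassword:: e0NSWVBUfTFNZVAud1ZxenEvdWM=
"""

# Schemes to phase out (my classification): unsalted digests and anything MD5-based.
WEAK = {"{SHA}": "unsalted SHA-1", "{MD5}": "unsalted MD5", "{SMD5}": "salted MD5"}

def parse_user_passwords(ldif):
    """Return decoded userPassword values; '::' marks a base64 value in LDIF."""
    return [base64.b64decode(line.split(":: ", 1)[1]).decode()
            for line in ldif.splitlines() if line.startswith("userPassword:: ")]

def audit(ldif):
    """List (scheme, finding) per stored value; an empty finding is acceptable."""
    report = []
    for v in parse_user_passwords(ldif):
        scheme = v[:v.find("}") + 1] if v.startswith("{") and "}" in v else ""
        if scheme in WEAK:
            finding = WEAK[scheme]
        elif scheme == "{CRYPT}" and len(v) - len(scheme) == 13:
            finding = "traditional DES crypt (8-char password limit)"
        elif not scheme:
            finding = "cleartext"
        else:
            finding = ""
        report.append((scheme, finding))
    return report

def ssha_hash(password, salt=None):
    """{SSHA} as slapd stores it: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_verify(password, stored):
    """Check a password against {SSHA}: the salt is whatever follows the 20-byte digest."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    return hashlib.sha1(password.encode() + raw[20:]).digest() == raw[:20]
```

Running audit(LDIF) reports the two {SSHA} values as acceptable and the other four as candidates for removal, which is the split the post is asking olcPasswordHash to enforce.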