hello Michael,
thanks for the explanations.
Michael Ströder michael@stroeder.com writes:
On 2/22/22 19:00, Felix Natter wrote:
- The LDAP client should support setting new password via LDAP Modify Password extended operation
I tried with passwd(1), which currently ignores the ppolicy. Does this mean it does not support an LDAP Modify Password *extended* operation? If not, can I enable it?
passwd(1) is not even an LDAP client.
ldappasswd(1) is the right tool for the command-line but takes a DN to specify the user's entry.
I tried this (which would be fine as a solution):
ldappasswd -H ldap://<ip> -x -D cn=ldaptestuser1,ou=users,dc=company,dc=com -W -A -S
but it does not enforce the pwdMinLength:3 restriction of the PP.
But for various reasons I usually disallow changing passwords from an arbitrary system. I'd recommend forcing users to use a decent central password self-service web app.
I will look at whether it can be done with LAMPro.
Now I added olcPPolicyHashCleartext: TRUE to the ppolicy overlay: [..] But still, the password policy is not enforced with passwd(1).
passwd(1) should not even cause an LDAP modify operation to reach your OpenLDAP server. Just in case you've added shadow: ldap in your nsswitch.conf then remove that immediately because it's an ancient insecure concept.
Processing of simple bind requests is not affected by these settings.
Bind request means login request, as opposed to password change request?
Sorry for the nitpicking but the term "login request" is blurry:
"Simple bind request" means literally a simple bind request as described in RFC 4511:
https://datatracker.ietf.org/doc/html/rfc4511#section-4.2
This simple bind operation is used by NSS/PAM integration components like nss-pam-ldapd or sssd (or my own aehostd for Æ-DIR) to let the PAM stack check the user's password. Maybe this is what you call a "login request".
Could you please advise how to enforce the PP?
I already did. You have to use the right software.
Agreed.
Thanks and Best Regards,
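For reference, an added configuration example that is not part of the thread: a cn=config ppolicy setup in which pwdMinLength is actually evaluated. slapo-ppolicy only runs its password quality checks (including pwdMinLength) when pwdCheckQuality is 1 or 2; with the default of 0 no check is performed, whichever client sends the new password. The database index ({1}mdb), the policy DN and the use of the device class as structural class for the policy entry are assumptions.

```ldif
# Added example, not from the thread; DNs and the {1}mdb index are assumptions.
# 1) Attach the ppolicy overlay to the user database. OpenLDAP 2.5+ has the
#    ppolicy schema built in; on 2.4 load the ppolicy module and schema first.
dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=company,dc=com
# Hash cleartext userPassword values that arrive via a normal modify
# (the Password Modify extended operation hashes them anyway).
olcPPolicyHashCleartext: TRUE

# 2) The default policy entry referenced above. pwdMinLength is only consulted
#    when pwdCheckQuality is 1 or 2: 1 accepts a password it cannot check
#    (already hashed by the client), 2 rejects it.
dn: cn=default,ou=policies,dc=company,dc=com
changetype: add
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdMinLength: 3
pwdCheckQuality: 2
```

Load the first entry over ldapi:/// with -Y EXTERNAL as the config admin and the second with the directory manager's credentials; afterwards both ldappasswd (Password Modify extended operation) and a plain modify of userPassword return constraintViolation for a two-character password, while simple binds remain unaffected.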