Hello Andreas,
Thank you very much. I'll try that, probably next year.
Kind regards,
André.
On 23 December 2017 21:29:45 GMT+00:00, Andreas Hasenack <andreas(a)canonical.com> wrote:
I suggest checking the pam-ldap config. IIRC it should be using the exop method to change the password.
On Dec 23, 2017 1:17 PM, "André Rodier" <andre(a)rodier.me> wrote:
> Hello all,
>
> I have an LDAP server, that I use for system authentication, emails,
> etc, in a domain (homebox.space)
>
> I have the password policies defined in the LDAP database, but they
> don't seem to apply to the users when changing a password.
>
> Both "olcPPolicyDefault" and "olcPPolicyHashCleartext" are set up, but
> only the last is working, i.e. passwords sent in clear text by an LDAP
> client are automatically encrypted.
>
> There is an overlay entry for the domain, example:
>
> olcPPolicyDefault: cn=default,ou=pwpolicies,dc=homebox,dc=space
>
> and a correct entry "pwdPolicySubentry" for each user.
>
> However, when I try to change the password with pam_ldap or using the
> roundcube password plugin, even the minimal length rule is ignored.
>
> The module configuration:
> > dn: cn=module{0},cn=config
> > objectClass: olcModuleList
> > cn: module{0}
> > olcModulePath: /usr/lib/ldap
> > olcModuleLoad: {0}back_mdb
> > olcModuleLoad: {1}ppolicy.la
> > olcModuleLoad: {2}deref.la
> > structuralObjectClass: olcModuleList
> > entryUUID: acbfbc52-7c3a-1037-9cc1-d74dec6fc011
> > creatorsName: cn=admin,cn=config
> > createTimestamp: 20171223143824Z
> > entryCSN: 20171223143828.930245Z#000000#000#000000
> > modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> > modifyTimestamp: 20171223143828Z
>
> The overlay configuration
> > dn: olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config
> > objectClass: olcPPolicyConfig
> > objectClass: olcOverlayConfig
> > olcOverlay: {0}ppolicy
> > olcPPolicyDefault: cn=default,ou=pwpolicies,dc=homebox,dc=space
> > olcPPolicyHashCleartext: TRUE
> > olcPPolicyUseLockout: FALSE
> > olcPPolicyForwardUpdates: FALSE
> > structuralObjectClass: olcPPolicyConfig
> > entryUUID: affa09e0-7c3a-1037-956b-0f107d4f36ac
> > creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> > createTimestamp: 20171223143829Z
> > entryCSN: 20171223143829.643274Z#000000#000#000000
> > modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> > modifyTimestamp: 20171223143829Z
>
> The policy:
> > dn: cn=default,ou=pwpolicies,dc=homebox,dc=space
> > pwdExpireWarning: 259200
> > pwdMaxFailure: 5
> > cn: default
> > objectClass: pwdPolicy
> > objectClass: person
> > objectClass: top
> > pwdMinLength: 8
> > pwdCheckQuality: 0
> > pwdAttribute: userPassword
> > pwdLockoutDuration: 0
> > pwdInHistory: 0
> > sn: default
> > pwdMaxAge: 31536000
> > pwdGraceAuthNLimit: 0
> > pwdFailureCountInterval: 300
> > structuralObjectClass: person
> > entryUUID: b083c4d2-7c3a-1037-956d-0f107d4f36ac
> > creatorsName: cn=admin,dc=homebox,dc=space
> > createTimestamp: 20171223143830Z
> > entryCSN: 20171223143830.545905Z#000000#000#000000
> > modifiersName: cn=admin,dc=homebox,dc=space
> > modifyTimestamp: 20171223143830Z
>
> Example of one user:
>
> > dn:: Y249QW5kcsOpIFJvZGllcixvdT11c2VycyxkYz1ob21lYm94LGRjPXNwYWNl
> > pwdPolicySubentry: cn=default,ou=pwpolicies,dc=homebox,dc=space
> > shadowMin: 0
> > uid: andre
> > objectClass: top
> > objectClass: person
> > objectClass: posixAccount
> > objectClass: shadowAccount
> > objectClass: inetOrgPerson
> > loginShell: /bin/bash
> > shadowFlag: 0
> > uidNumber: 1001
> > shadowMax: 999999
> > gidNumber: 1001
> > homeDirectory: /home/users/andre
> > sn: Rodier
> > shadowInactive: -1
> > mail: andre(a)homebox.space
> > givenName:: QW5kcsOp
> > shadowWarning: 7
> > structuralObjectClass: inetOrgPerson
> > cn:: QW5kcsOpIFJvZGllcg==
> > entryUUID: b12c4db4-7c3a-1037-9572-0f107d4f36ac
> > creatorsName: cn=admin,dc=homebox,dc=space
> > createTimestamp: 20171223143831Z
> > userPassword:: e1NTSEF9SHllVitOazkyekNHYlIwbVRUdkZJZWFpVUo2WElSVWM=
> > pwdChangedTime: 20171223150211Z
> > entryCSN: 20171223150211.599058Z#000000#000#000000
> > modifiersName: cn=admin,dc=homebox,dc=space
> > modifyTimestamp: 20171223150211Z
> >
>
>
> I have the whole source code here: https://github.com/progmaticltd/homebox/
>
> The Ansible tasks I am using to configure the LDAP server are here:
>
> https://github.com/progmaticltd/homebox/blob/master/install/playbooks/roles/accounts/tasks/main.yml
>
> Any help welcome.
>
> Kind regards,
> André Rodier.
>
> PS: Merry Christmas / Happy new year / for those concerned.
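An added example (not from the thread or the homebox project) that models, in Python, how slapo-ppolicy(5) applies pwdCheckQuality and pwdMinLength to a new userPassword value, using the policy entry quoted above; the server can only measure a password it receives in cleartext, which is what the exop (Password Modify) method gives it, whereas a client that hashes the value itself leaves nothing to check. The LDIF text and the {SSHA} placeholder are constructed for the example.

```python
"""Model of the slapo-ppolicy(5) quality rules for a new userPassword value.
Added example only; it is not OpenLDAP code and simplifies the real overlay."""
import re

# Constructed from the pwpolicy entry quoted in the thread (abridged LDIF).
POLICY_LDIF = """\
dn: cn=default,ou=pwpolicies,dc=homebox,dc=space
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdMinLength: 8
pwdCheckQuality: 0
"""


def parse_policy(ldif: str) -> dict:
    """Parse a single LDIF entry into a dict; numeric values become ints."""
    policy = {}
    for line in ldif.splitlines():
        if not line or line.startswith("dn:"):
            continue
        key, _, value = line.partition(": ")
        value = value.strip()
        policy[key] = int(value) if value.lstrip("-").isdigit() else value
    return policy


def check_new_password(policy: dict, new_value: str) -> tuple[bool, str]:
    """Decide whether ppolicy would accept new_value under this policy.

    pwdCheckQuality 0: no quality checks, so pwdMinLength is never enforced.
    pwdCheckQuality 1: check when possible; a pre-hashed value ("{SSHA}...")
                       cannot be inspected and is accepted.
    pwdCheckQuality 2: as 1, but an uncheckable value is rejected.
    """
    quality = int(policy.get("pwdCheckQuality", 0))
    min_len = int(policy.get("pwdMinLength", 0))
    if quality == 0:
        return True, "pwdCheckQuality=0: quality checking disabled, length not enforced"
    if re.match(r"^\{[A-Za-z0-9-]+\}", new_value):
        # Client hashed the password itself; the server cannot measure it.
        if quality == 1:
            return True, "pre-hashed value accepted (pwdCheckQuality=1)"
        return False, "pre-hashed value rejected (pwdCheckQuality=2)"
    if len(new_value) < min_len:
        return False, f"too short: {len(new_value)} < pwdMinLength {min_len}"
    return True, "cleartext value passed quality checks"


if __name__ == "__main__":
    as_posted = parse_policy(POLICY_LDIF)
    for name, pol in (("as posted", as_posted), ("quality=2", dict(as_posted, pwdCheckQuality=2))):
        for value in ("abc", "{SSHA}placeholder", "longenough1"):
            print(name, repr(value), check_new_password(pol, value))
```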