hello Michael,
many thanks for your reply!
Michael Ströder <michael(a)stroeder.com> writes:
> On 2/20/22 18:14, Felix Natter wrote:
>> my password policies (openldap 2.5.11) are not enforced and Roland
>> Gruber (author of LAM (Pro)) kindly advised me that passwords must be
>> stored in plaintext (Hash=PLAIN) in order to be able to enforce password
>> minimal length, password quality etc. (i.e. when using passwd(1) on Linux
>> or an LDAP client on Windows).
> Nope. That sounds like misleading advice, or it's a misunderstanding on
> your side.
> 1. The LDAP client should support setting a new password via the LDAP
> Modify Password extended operation
I tried with passwd(1), which currently ignores the ppolicy. Does this
mean it does not support an LDAP Modify Password *extended* operation?
If not, can I enable it?
> or
> 2. as you already found out yourself you can use
> olcPPolicyHashCleartext: TRUE
> if the LDAP client sends a MODIFY operation with a clear-text userPassword
> value.
> Both options will let slapd hash the password according to the setting of
> password-hash (slapd.conf) / olcPasswordHash (cn=config).
Now I added olcPPolicyHashCleartext: TRUE to the ppolicy overlay:
dn: olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config
changetype: modify
add: olcPPolicyHashCleartext
olcPPolicyHashCleartext: TRUE
sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f ppolicyoverlay2.ldif
modifying entry "olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config"
It now looks like this:
dn: olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: {0}ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=sidact,dc=com
structuralObjectClass: olcPPolicyConfig
entryUUID: <uuid>
creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
createTimestamp: 20220215121841Z
olcPPolicyHashCleartext: TRUE
entryCSN: 20220222113122.616521Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20220222113122Z
But still, the password policy is not enforced with passwd(1).
> Processing of simple bind requests is not affected by these
> settings.
Bind request means login request, as opposed to password change request?
> Existing password hashes will not be altered.
Yes, I read that ppolicies only work if the password is changed or
expires.
Could you please advise how to enforce the PP?
>> [3] The manual states "Unfortunately, as dictionary and brute force
>> attacks are generally quite easy for attackers to successfully mount,
>> this advantage is marginal at best (this is why all modern Unix systems
>> use shadow password files)."
> Well, this all is debatable.
> 1. Implement decent ACLs which forbid any read access to all LDAP clients
> (except replicas).
> 2. Choose a decent hash algorithm, especially understand the
> parameters. Recent OpenLDAP supports {ARGON2} out-of-the-box. Note that
> choosing the right parameters is trading performance for security. ARGON2
> is called "memory-hard" and you should take this literally.
> For inspiration read the comments and examples here:
> https://code.stroeder.com/AE-DIR/ansible-ae-dir-server/src/branch/main/de...
Ok, thanks.
Many Thanks and Best Regards,
Felix
--
Felix Natter
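To make the points in the thread concrete, here is an added cn=config LDIF (not from the thread, nor from OpenLDAP's own documentation) that replaces the Hash=PLAIN advice with server-side hashing plus a policy that actually inspects new passwords. The ppolicy overlay DN and the default policy DN are the ones shown above; the argon2 module name and path, the pwdCheckQuality/pwdMinLength values and the ACL rule are my assumptions and must be adapted to the real deployment.

```ldif
# Load the Argon2 password hashing module (assumption: module is named
# "argon2" and lives in the configured olcModulePath)
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: argon2

# Hash every clear-text password slapd stores with Argon2 instead of
# keeping it as Hash=PLAIN; this covers the Modify Password extended op
dn: cn=config
changetype: modify
replace: olcPasswordHash
olcPasswordHash: {ARGON2}

# Also hash a clear-text userPassword that arrives via a plain MODIFY
# (overlay DN taken from the thread)
dn: olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcPPolicyHashCleartext
olcPPolicyHashCleartext: TRUE

# Default policy (DN from the thread, values assumed): pwdCheckQuality 2
# REJECTS a password slapd cannot inspect (e.g. one the client pre-hashed),
# whereas 1 silently accepts it; that unchecked acceptance is what makes
# "passwords must be plaintext" look true. Length is checked on the
# clear-text value before hashing.
dn: cn=default,ou=policies,dc=sidact,dc=com
changetype: modify
replace: pwdCheckQuality
pwdCheckQuality: 2
-
replace: pwdMinLength
pwdMinLength: 12

# ACL (assumed rule, inserted first so it wins): nobody reads the hashes,
# users may authenticate with and change their own, anonymous may only
# bind. A replication identity, if any, needs an explicit "by dn... read".
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword
  by self =xw
  by anonymous auth
  by * none
```

Apply with the same ldapmodify -Q -Y EXTERNAL -H ldapi:/// invocation used above, then change a test user's password and confirm the stored value starts with {ARGON2} and that a too-short password is refused.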