Buchan Milne wrote:
On Friday, 6 May 2011 00:11:32 Bidwell, Matt wrote:
I'm running OpenLDAP 2.5.24 on 2 servers. I'm trying to enforce some security rules on client machines through the ppolicy overlay. All the lockout stuff works fine. I understand that pwdMinLength will not work by design because the password is hashed.
This statement isn't true. If OpenLDAP receives the clear text password, length/content enforcements can be made. However, if your clients are sending the password hashed, it obviously can't.
You can either get your clients to use the Password Modify extended operation (e.g. with pam_ldap use 'pam_password exop'), or if your clients can send a modify with the userPassword unhashed, then you can use 'ppolicy_hash_cleartext yes' in slapd.conf.
I can't get pwdInHistory to work. If I set it to 5 I clearly see 5 pwdHistory entries, all hashed {crypt}, but I can go back and forth between two passwords without it rejecting them for being reused. My current theory is that it's not looking at the actual password to prevent reuse, but the hashed password, which is not going to be the same. Should it be working? Follow up question, shouldn't the password be stored {SSHA} and not {CRYPT} by default?
It will be hashed with whatever you have set with 'password-hash', which defaults to SSHA, *if* the server receives a password modify extended operation, or if the server receives the cleartext and has 'ppolicy_hash_cleartext'. If password-hash is not {CRYPT}, then most likely your clients are sending operations with pre-hashed passwords.
And if the clients are not completely broken, they're using a randomly generated salt each time, therefore the password history checking can never succeed.
Just to be clear, the password is being set on the client machine using passwd, not on the servers running OpenLDAP.
*Where* they are being set isn't that relevant; what software is doing it, and how it is configured, is more ...
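The point made above (salted hashes that differ on every change make history checking impossible unless the server sees the cleartext) can be shown with a small simulation. This is an added example, not code from the thread or from OpenLDAP; it implements the {SSHA} scheme (base64 of sha1(password + salt) followed by the salt) and two history checks: the one ppolicy can do when it receives the cleartext, and the only one possible when the client sends a pre-hashed value. The password strings and fixed salts are constructed for the demonstration.

```python
import base64
import hashlib
import os
from typing import List, Optional


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return an RFC 2307 style {SSHA} value: base64(sha1(password + salt) + salt).

    A fresh random 4-byte salt is drawn when none is supplied, which is what a
    well-behaved client or server does on every password change.
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a cleartext password against a stored {SSHA} value.

    The salt is recovered from the stored value (everything after the 20-byte
    SHA-1 digest) and the candidate is re-hashed with it.
    """
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def reuse_detected_by_cleartext(new_password: str, history: List[str]) -> bool:
    """What the server can do when it receives the cleartext (Password Modify
    exop, or a plain userPassword modify with ppolicy_hash_cleartext): verify
    the candidate against every pwdHistory entry, each with its own salt."""
    return any(ssha_verify(new_password, old) for old in history)


def reuse_detected_by_hash_equality(new_hash: str, history: List[str]) -> bool:
    """The only comparison possible when the client sends a pre-hashed value:
    string equality of hash values. With a random salt per change this never
    matches, even for an identical password."""
    return new_hash in history


def demo() -> dict:
    """Constructed scenario: two old passwords in pwdHistory, user tries to
    reuse the first one. Fixed salts keep the run deterministic."""
    history = [
        ssha_hash("Winter2011", salt=b"\x01\x02\x03\x04"),
        ssha_hash("Spring2011", salt=b"\x05\x06\x07\x08"),
    ]
    # Client that pre-hashes picks its own, different salt for the same password.
    client_prehashed = ssha_hash("Winter2011", salt=b"\x09\x0a\x0b\x0c")
    return {
        "server_sees_cleartext": reuse_detected_by_cleartext("Winter2011", history),
        "client_sends_hash": reuse_detected_by_hash_equality(client_prehashed, history),
    }


if __name__ == "__main__":
    print(demo())  # cleartext path catches reuse, pre-hashed path does not
```

The first check succeeds because the server can re-hash the cleartext with each stored salt; the second fails because the client's hash carries a salt the server has never seen, so the stored and submitted values are different strings for the same password. This is why the thread's advice is to make clients use the Password Modify extended operation (or send the cleartext and let slapd hash it) before expecting pwdInHistory to do anything.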