Felix Natter fnatter@gmx.net schrieb am 22.02.2022 um 19:00 in Nachricht
87h78qlr1i.fsf@bitburger.home.felix:
hello Michael,
many thanks for your reply!
Michael Ströder michael@stroeder.com writes:
On 2/20/22 18:14, Felix Natter wrote:
my password policies (openldap 2.5.11) are not enforced and Roland Gruber (author of LAM (Pro)) kindly advised me that passwords must be stored in plaintext (Hash=PLAIN) in order to be able to enforce password minimal length, password quality etc (i.e. when using passwd(1) on Linux or an LDAP client on Windows).
Nope. That sounds like misleading advice, or it's a misunderstanding on your side.
- The LDAP client should support setting new password via LDAP Modify
Password extended operation
I tried with passwd(1), which currently ignores the ppolicy. Does this mean it does not support an LDAP Modify Password *extended* operation? If not, can I enable it?
I have these lines in /etc/ldap.conf (and it works): # Search the root DSE for the password policy (works # with Netscape Directory Server). Make use of # Password Policy LDAP Control (as in OpenLDAP) pam_lookup_policy yes ... # Use the OpenLDAP password change # extended operation to update the password. pam_password exop ...
or
- as you already found out yourself you can use
olcPPolicyHashCleartext: TRUE
if the LDAP client sends a MODIFY operation with a clear-text userPassword value.
Both options will let slapd hash the password according to the setting of password-hash (slapd.conf) / olcPasswordHash (cn=config).
Now I added olcPPolicyHashCleartext: TRUE to the ppolicy overlay:
dn: olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config changetype: modify add: olcPPolicyHashCleartext olcPPolicyHashCleartext: TRUE
sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f ppolicyoverlay2.ldif modifying entry "olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config"
It now looks like this: dn: olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config objectClass: olcOverlayConfig objectClass: olcPPolicyConfig olcOverlay: {0}ppolicy olcPPolicyDefault: cn=default,ou=policies,dc=sidact,dc=com structuralObjectClass: olcPPolicyConfig entryUUID: <uuid> creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth createTimestamp: 20220215121841Z olcPPolicyHashCleartext: TRUE entryCSN: 20220222113122.616521Z#000000#000#000000 modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth modifyTimestamp: 20220222113122Z
But still, the password policy is not enforced with passwd(1).
Processing simple bind requests are not affected by these settings.
Bind request means login request, as opposed to password change request?
Existing password hashes will not be altered.
Yes, I read that ppolicies only work if the password is changed or expires.
Could you please advise how to enforce the PP?
[3] The manual states "Unfortunately, as dictionary and brute force attacks are generally quite easy for attackers to successfully mount, this advantage is marginal at best (this is why all modern Unix systems use shadow password files)."
Well, this all is debatable.
- Implement decent ACLs which forbids any read access to all LDAP clients
(except replicas).
- Choose a decent hash algorithm, especially understand the
parameters. Recent OpenLDAP support {ARGON2} out-of-the-box. Note that choosing the right parameters is trading performance with security. ARGON2 is called "memory-hard" and you should take this literally.
For inspiration read the comments and examples here:
https://code.stroeder.com/AE-DIR/ansible-ae-dir-server/src/branch/main/defau...
ts/main.yml#L712
Ok, thanks.
Many Thanks and Best Regards, Felix -- Felix Natter