Hi
Is there a feature in OpenLDAP password policy that can forbid users from reusing any of their last 5 passwords?
Thanks.
Tian Zhiying writes:
Hi
Is there a feature in OpenLDAP password policy that can forbid users from reusing any of their last 5 passwords?
Better use Kerberos for advanced password policy requirements. You can use SASL to bridge LDAP's userPassword checking to a Kerberos backend so everything still works and is much safer.
Derek
On 2/14/19 8:19 AM, Derek Zhou wrote:
Tian Zhiying writes:
Is there a feature in OpenLDAP password policy that can forbid users from reusing any of their last 5 passwords?
Better use Kerberos for advanced password policy requirements. You can use SASL to bridge LDAP's userPassword checking to a Kerberos backend so everything still works and is much safer.
By which definition of "safe" is adding more complexity safer?
Especially since you don't know how the original poster does password changes. Maybe he wants to use ppolicy response controls etc.
Ciao, Michael.
Michael Ströder writes:
On 2/14/19 8:19 AM, Derek Zhou wrote:
Better use Kerberos for advanced password policy requirements. You can use SASL to bridge LDAP's userPassword checking to a Kerberos backend so everything still works and is much safer.
By which definition of "safe" is adding more complexity safer?
Especially since you don't know how the original poster does password changes. Maybe he wants to use ppolicy response controls etc.
Yeah, adding Kerberos adds complexity, and you cannot change the password via LDAP anymore; it has to go through the Kerberos route. My notion of "safe" only refers to the fact that the password text is not stored anywhere and a rogue admin cannot read users' passwords.
I haven't found a good and up-to-date howto with step-by-step instructions on ppolicy with cn=config. I'd appreciate it if someone here could give me a pointer.
Derek
Derek Zhou wrote:
Michael Ströder writes:
On 2/14/19 8:19 AM, Derek Zhou wrote:
Better use Kerberos for advanced password policy requirements. You can use SASL to bridge LDAP's userPassword checking to a Kerberos backend so everything still works and is much safer.
By which definition of "safe" is adding more complexity safer?
Especially since you don't know how the original poster does password changes. Maybe he wants to use ppolicy response controls etc.
Yeah, adding Kerberos adds complexity, and you cannot change the password via LDAP anymore; it has to go through the Kerberos route. My notion of "safe" only refers to the fact that the password text is not stored anywhere and a rogue admin cannot read users' passwords.
slapd does not store plaintext passwords either.
As for kerberos, you can always run the KDC with OpenLDAP as its backing store, and use e.g. the smbk5pwd overlay to update the kerberos keys when changing a user's LDAP password. IMO this is a superior solution since a single LDAP-based admin tool can take care of standard LDAP as well as Kerberos administration.
On February 15, 2019 10:50:36 PM GMT+08:00, Howard Chu hyc@symas.com wrote:
slapd does not store plaintext passwords either.
Sorry for spreading misinformation based on my imagination. With ppolicy, can a user change his password after his password has expired? I'd think not, because you have to bind before you modify the userPassword field, and if the password has expired I'd think the bind will fail. OTOH, Kerberos does allow users to change their password after expiration. This saves me a lot of work, because my users always forget to change their password in time.
On 2/16/19 1:33 PM, Derek Zhou wrote:
With ppolicy, can a user change his password after his password expired?
Yes. This feature is called grace logins and the possible LDAP operations are very limited (e.g. no search). See the description of the attribute 'pwdGraceAuthnLimit' in the man page slapo-ppolicy(5).
Ciao, Michael.
On 15/02/19 15:50, Howard Chu wrote:
As for kerberos, you can always run the KDC with OpenLDAP as its backing store, and use e.g. the smbk5pwd overlay to update the kerberos keys when changing a user's LDAP password. IMO this is a superior solution since a single LDAP-based admin tool can take care of standard LDAP as well as Kerberos administration.
But does it still work only on Heimdal, or can it also be used with MIT Kerberos?
Regards Simone
Simone Piccardi wrote:
On 15/02/19 15:50, Howard Chu wrote:
As for kerberos, you can always run the KDC with OpenLDAP as its backing store, and use e.g. the smbk5pwd overlay to update the kerberos keys when changing a user's LDAP password. IMO this is a superior solution since a single LDAP-based admin tool can take care of standard LDAP as well as Kerberos administration.
But does it still work only on Heimdal, or can it also be used with MIT Kerberos?
The module was written for Heimdal. Feel free to submit a patch to make it compatible with MIT Kerberos.
On 16/02/19 15:27, Howard Chu wrote:
The module was written for Heimdal. Feel free to submit a patch to make it compatible with MIT Kerberos.
Sorry, I don't think I'm capable of doing something like this; I'm not a programmer. I was just asking if it was compatible; I assume your answer means it is not.
Regards Simone
On 2/15/19 2:57 AM, Derek Zhou wrote:
Yeah, adding Kerberos adds complexity, and you cannot change the password via LDAP anymore; it has to go through the Kerberos route. My notion of "safe" only refers to the fact that the password text is not stored anywhere and a rogue admin cannot read users' passwords.
If you set the password-hash directive in slapd.conf and use the Password Modify extended operation (e.g. via the CLI tool ldappasswd), then no clear-text password is stored. Choose a salted hash scheme.
In contrast to that, a KDC must store a reversibly encrypted shared secret derived from the user's password, which can be directly abused in the Kerberos protocol if the KDC system gets hacked.
I haven't found a good and up-to-date howto with step-by-step instructions on ppolicy with cn=config. I'd appreciate it if someone here could give me a pointer.
I have no docs at hand which are better than OpenLDAP's admin guide.
Ciao, Michael.
"Tian Zhiying" tianzy1225@thundersoft.com wrote on 14.02.2019 at 07:58 in message 012201d4c432$c27c4540$4774cfc0$@thundersoft.com:
Hi
Is there a feature in OpenLDAP password policy that can forbid users from reusing any of their last 5 passwords?
Thanks.
"Password policy" is the name you are looking for.
Yes, you might want to use the password policy (ppolicy) overlay: https://kb.symas.com/v2.4.45.2/man5/slapo-ppolicy/
On 14/02/2019 at 07:58, Tian Zhiying wrote:
Hi
Is there a feature in OpenLDAP password policy that can forbid users from reusing any of their last 5 passwords?
Thanks.
You may set the "pwdInHistory" attribute to 5 to store the last 5 passwords used, and forbid their reuse.
On 14/02/2019 at 10:35, Matthieu Cerda wrote:
Yes, you might want to use the password policy (ppolicy) overlay: https://kb.symas.com/v2.4.45.2/man5/slapo-ppolicy/
On 14/02/2019 at 07:58, Tian Zhiying wrote:
Hi
Is there a feature in OpenLDAP password policy that can forbid users from reusing any of their last 5 passwords?
Thanks.
Hi Matthieu,
Thank you for your reply.
I have set the "pwdInHistory" attribute to 5 in the password policy and configured it to forbid their reuse in config.inc.php of Self Service Password, as shown below:
But it seems not to be working; my passwords are as follows:
First time password: AAbb1122
Second time password: CCdd3344
Third time password: AAbb1122, the same as the first time password, and it was modified successfully.
Thanks
-----Original Message----- From: openldap-technical [mailto:openldap-technical-bounces@openldap.org] On behalf of Matthieu Cerda Sent: 14 February 2019 17:38 To: openldap-technical@openldap.org Subject: Re: Forbidden account password reuse of the last 5 password
You may set the "pwdInHistory" attribute to 5 to store the last 5 passwords used, and forbid their reuse.
--
Matthieu Cerda
Infrastructure, BU Means @ NBS System
"Tian Zhiying" tianzy1225@thundersoft.com wrote on 14.02.2019 at 12:17 in message 000001d4c456$d6b4ed40$841ec7c0$@thundersoft.com:
Hi Matthieu,
Thank you for your reply.
I have set the "pwdInHistory" attribute to 5 in the password policy and configured it to forbid their reuse in config.inc.php of Self Service Password, as shown below:
Did you also assign the password policy to users, or did you set a default policy?
But it seems not to be working; my passwords are as follows:
First time password: AAbb1122
Second time password: CCdd3344
Third time password: AAbb1122, the same as the first time password, and it was modified successfully.
Thanks
Yes, I have set a default password policy and assigned the password policy to the user.
-----Original Message----- From: openldap-technical [mailto:openldap-technical-bounces@openldap.org] On behalf of Ulrich Windl Sent: 14 February 2019 22:18 To: matthieu.cerda@nbs-system.com; openldap-technical@openldap.org; tianzy1225 tianzy1225@thundersoft.com Subject: Re: Re: Forbidden account password reuse of the last 5 password
"Tian Zhiying" tianzy1225@thundersoft.com wrote on 14.02.2019 at 12:17 in message 000001d4c456$d6b4ed40$841ec7c0$@thundersoft.com:
Hi Matthieu,
Thank you for your reply.
I have set the "pwdInHistory" attribute to 5 in the password policy and configured it to forbid their reuse in config.inc.php of Self Service Password, as shown below:
Did you also assign the password policy to users, or did you set a default policy?
On 14/02/2019 at 12:17, Tian Zhiying wrote:
But it seems not to be working; my passwords are as follows:
First time password: AAbb1122
Second time password: CCdd3344
*Third time password: AAbb1122, the same as the first time password, and it was modified successfully.*
Check that the password modification is not done by the rootdn, as the rootdn bypasses password policy constraints.
Clément Oudot,
Thank you.
I have changed the rootdn from root to another user; it's still not working. I can modify the user password the same as before.
I have set the password policy and added the user to this password policy as below:
From: openldap-technical [mailto:openldap-technical-bounces@openldap.org] On behalf of Clément OUDOT Sent: 14 February 2019 23:19 To: openldap-technical@openldap.org Subject: Re: Re: Forbidden account password reuse of the last 5 password
On 14/02/2019 at 12:17, Tian Zhiying wrote:
But it seems not to be working; my passwords are as follows:
First time password: AAbb1122
Second time password: CCdd3344
Third time password: AAbb1122, the same as the first time password, and it was modified successfully.
Check that the password modification is not done by the rootdn, as the rootdn bypasses password policy constraints.
On 15/02/2019 at 04:08, Tian Zhiying wrote:
Clément Oudot,
Thank you.
I have changed the rootdn from root to another user; it's still not working. I can modify the user password the same as before.
First check that you are sending your password in cleartext, so that OpenLDAP can check the syntax and compare it to the passwords in history.
You might need to set pwdCheckQuality to 1 or 2 in your ppolicy, but I am not sure it is required to check history. It is needed to check password length and other checks from the optional password checker module.
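To make two points from this thread concrete, that pwdInHistory keeps only the last N retired passwords and that the reuse comparison can only work when slapd receives the new password in cleartext (plus the rootdn bypass Clément mentions), here is an added Python model of the check. It is example code, not part of the thread and not OpenLDAP's own ppolicy implementation; it follows the pwdHistory value layout time#syntaxOID#length#data from the password policy draft and uses {SSHA} hashes. The entry dict, the function names, the constructed timestamp and the as_rootdn flag are this example's own assumptions.

```python
import base64
import hashlib
import os
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# pwdHistory values are "time#syntaxOID#length#data"; userPassword uses the
# Octet String syntax, whose OID is below.
OCTET_STRING_OID = "1.3.6.1.4.1.1466.115.121.1.40"


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Produce an RFC 2307 style {SSHA} value: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(candidate: str, stored: str) -> bool:
    """Check a cleartext candidate against a stored {SSHA} value.

    The salt is recovered from the stored value, so this only works when the
    server gets the cleartext; a candidate that is already a hash string is
    treated as the literal characters "{SSHA}..." and never matches.
    """
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, rest is salt
    return hashlib.sha1(candidate.encode("utf-8") + salt).digest() == digest


def format_history_value(hashed: str, when: datetime) -> str:
    """Build one pwdHistory value for a password that is being retired."""
    return f"{when.strftime('%Y%m%d%H%M%SZ')}#{OCTET_STRING_OID}#{len(hashed)}#{hashed}"


def parse_history_value(value: str) -> Tuple[str, str, int, str]:
    """Split a pwdHistory value into (time, syntaxOID, length, data)."""
    when, oid, length, data = value.split("#", 3)
    if int(length) != len(data):
        raise ValueError("pwdHistory length field does not match data")
    return when, oid, int(length), data


def password_in_history(candidate: str, history: List[str]) -> bool:
    """True if the cleartext candidate matches any retired password in pwdHistory."""
    return any(ssha_verify(candidate, parse_history_value(v)[3]) for v in history)


def change_password(entry: Dict, new_password: str, pwd_in_history: int,
                    now: Optional[datetime] = None, as_rootdn: bool = False) -> bool:
    """Model of a userPassword change under a pwdInHistory policy.

    Returns True when the change is applied and False when the new password is
    rejected as a reuse of the current password or of one in pwdHistory.
    as_rootdn models the rootdn bypass from the thread: the reuse check is
    skipped (this model still records the old value in history).
    """
    now = now or datetime.now(timezone.utc)
    history = entry.setdefault("pwdHistory", [])
    current = entry.get("userPassword")
    if not as_rootdn:
        if current is not None and ssha_verify(new_password, current):
            return False
        if password_in_history(new_password, history):
            return False
    if current is not None:
        history.append(format_history_value(current, now))
        # pwdInHistory caps how many retired passwords are kept; drop the oldest.
        if len(history) > pwd_in_history:
            del history[: len(history) - pwd_in_history]
    # The server hashes the cleartext it received (cf. password-hash / ppolicy_hash_cleartext).
    entry["userPassword"] = ssha_hash(new_password)
    return True


def replay_thread_scenario() -> Tuple[List[bool], Dict]:
    """Replay the changes from the thread (AAbb1122 -> CCdd3344 -> AAbb1122) with pwdInHistory 5."""
    now = datetime(2019, 2, 14, 12, 17, tzinfo=timezone.utc)  # constructed timestamp
    entry = {"userPassword": ssha_hash("AAbb1122")}
    results = [
        change_password(entry, "CCdd3344", 5, now),   # True: genuinely new password
        change_password(entry, "AAbb1122", 5, now),   # False: found in pwdHistory
        # Client hashed before sending: the server cannot match it against history.
        change_password(entry, ssha_hash("AAbb1122"), 5, now),
        change_password(entry, "CCdd3344", 5, now, as_rootdn=True),  # rootdn bypass
    ]
    return results, entry


if __name__ == "__main__":
    print(replay_thread_scenario()[0])  # [True, False, True, True]
```

The third result is the failure mode behind this thread: a client that hashes the password itself (as a self-service tool may be configured to do) sends a value the server can only treat as an opaque string, so a password that should be rejected as reused is accepted. The fourth result shows the rootdn bypass. When testing a real server, bind as the user being changed rather than as the rootdn, and send the Password Modify operation with the cleartext password so the overlay can compare it.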