10:58 p.m.
Hi
Is there a feature that OpenLDAP password policy can forbidden user password reuse of the
last 5 password?
Thanks.
11:19 p.m.
Tian Zhiying writes:
Hi
Is there a feature that OpenLDAP password policy can forbidden user password reuse of the
last 5 password?
Better use kerberos for advanced password policy requirements. You can
use SASL to bridge LDAP's userPassword checking to a kerberos backend so
everything still work and much safer.
Derek
11:18 a.m.
On 2/14/19 8:19 AM, Derek Zhou wrote:
Tian Zhiying writes:
> Is there a feature that OpenLDAP password policy can forbidden user
> password reuse of the last 5 password?>
Better use kerberos for advanced password policy requirements. You can
use SASL to bridge LDAP's userPassword checking to a kerberos backend so
everything still work and much safer.
By which definition of "safe" is adding more complexity safer?
Especially you don't know how the original poster does password changes.
Maybe he wants to use ppolicy response controls etc.
Ciao, Michael.
5:57 p.m.
Michael Ströder writes:
On 2/14/19 8:19 AM, Derek Zhou wrote:
> Better use kerberos for advanced password policy requirements. You can
> use SASL to bridge LDAP's userPassword checking to a kerberos backend so
> everything still work and much safer.
By which definition of "safe" is adding more complexity safer?
Especially you don't know how the original poster does password changes.
Maybe he wants to use ppolicy response controls etc.
Yeah, adding kerberos is a complexity and you cannot change password
via ldap anymore; has to go through the kerberos route. My notion of
"safe" is only referring to the fact that the password text is not
stored anywhere and the rogue admin cannot read user's passwords.
I haven't found a good and up to date howto with step to step instrutctions
on ppolicy with cn=config. I'd appreciate if someone here give my a
pointer.
Derek
6:50 a.m.
Derek Zhou wrote:
Michael Ströder writes:
> On 2/14/19 8:19 AM, Derek Zhou wrote:
>> Better use kerberos for advanced password policy requirements. You can
>> use SASL to bridge LDAP's userPassword checking to a kerberos backend so
>> everything still work and much safer.
>
> By which definition of "safe" is adding more complexity safer?
>
> Especially you don't know how the original poster does password changes.
> Maybe he wants to use ppolicy response controls etc.
>
Yeah, adding kerberos is a complexity and you cannot change password
via ldap anymore; has to go through the kerberos route. My notion of
"safe" is only referring to the fact that the password text is not
stored anywhere and the rogue admin cannot read user's passwords.
slapd does not store plaintext passwords either.
As for kerberos, you can always run the KDC with OpenLDAP as its backing store,
and use e.g. the smbk5pwd overlay to update the kerberos keys when changing a
user's LDAP password. IMO this is a superior solution since a single LDAP-based
admin tool can take care of standard LDAP as well as Kerberos administration.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
4:33 a.m.
On February 15, 2019 10:50:36 PM GMT+08:00, Howard Chu <hyc(a)symas.com> wrote:
slapd does not store plaintext passwords either.
sorry for spreading mis infomation based on my imagination. With ppolicy, can a
user change his password after his password expired? I'd think no, because you have to
bind before you modify the userpassword field, and if the password expired I'd think
bind will fail. OTOH, kerberos does allow user to change password after expiration. this
save me a lot of work, because my users always forgot to change pw in time.
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
9:34 a.m.
On 2/16/19 1:33 PM, Derek Zhou wrote:
With ppolicy, can a user change his password after his password
expired?
Yes. This feature is called grace logins and the possibe LDAP operations
are very limited (e.g. no search). See description for attribute
'pwdGraceAuthnLimit' in man-page slapo-ppolicy(5).
Ciao, Michael.
5:51 a.m.
Il 15/02/19 15:50, Howard Chu ha scritto:
As for kerberos, you can always run the KDC with OpenLDAP as its
backing store,
and use e.g. the smbk5pwd overlay to update the kerberos keys when changing a
user's LDAP password. IMO this is a superior solution since a single LDAP-based
admin tool can take care of standard LDAP as well as Kerberos administration.
But it still work only on heimdal or it can be used aslo with MIT kerberos?
Regards
Simone
--
Simone Piccardi Truelite Srl
piccardi(a)truelite.it (email/jabber) Via Monferrato, 6
Tel. +39-347-1032433 50142 Firenze
http://www.truelite.it Tel. +39-055-7879597
6:27 a.m.
Simone Piccardi wrote:
Il 15/02/19 15:50, Howard Chu ha scritto:
> As for kerberos, you can always run the KDC with OpenLDAP as its backing store,
> and use e.g. the smbk5pwd overlay to update the kerberos keys when changing a
> user's LDAP password. IMO this is a superior solution since a single LDAP-based
> admin tool can take care of standard LDAP as well as Kerberos administration.
>
But it still work only on heimdal or it can be used aslo with MIT kerberos?
The module was written for Heimdal. Feel free to submit a patch to make it
compatible with MIT Kerberos.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
12:42 p.m.
Il 16/02/19 15:27, Howard Chu ha scritto:
The module was written for Heimdal. Feel free to submit a patch to make it
compatible with MIT Kerberos.
Sorry I dont think I'm capable to do something like this, I'm not a
programmer. I was just asking if it was compatible, I assume your answer
means it is not.
Regards
Simone
9:35 a.m.
On 2/15/19 2:57 AM, Derek Zhou wrote:
Yeah, adding kerberos is a complexity and you cannot change password
via ldap anymore; has to go through the kerberos route. My notion of
"safe" is only referring to the fact that the password text is not
stored anywhere and the rogue admin cannot read user's passwords.
If you set the password-hash directive in slapd.conf and use the
Password Modify extended operation (e.g. via CLI tool ldappasswd) then
no clear-text password is stored. Choose a salted hash-scheme.
In opposite to that a KDC must store a reversibly encrypted shared
secret derived from user's password which can be directly abused in
Kerberos protocol if the KDC system gets hacked.
I haven't found a good and up to date howto with step to step
instrutctions on ppolicy with cn=config. I'd appreciate if someone
here give my a pointer.
I have no docs at hand which are better than OpenLDAP's admin guide.
Ciao, Michael.
12:06 a.m.
New subject: Antw: Forbidden account password reuse of the last 5 password
>> "Tian Zhiying" <tianzy1225(a)thundersoft.com>
schrieb am 14.02.2019 um 07:58 in
Nachricht
<012201d4c432$c27c4540$4774cfc0$(a)thundersoft.com>:
Hi
Is there a feature that OpenLDAP password policy can forbidden user password
reuse of the last 5 password?
Thanks.
"Password policy" is the name you are looking for.
1:35 a.m.
Yes, you might want to use the password policy (ppolicy) overlay:
https://kb.symas.com/v2.4.45.2/man5/slapo-ppolicy/
Le 14/02/2019 à 07:58, Tian Zhiying a écrit :
Hi
Is there a feature that OpenLDAP password policy can forbidden user password reuse of the
last 5 password?
Thanks.
--
Matthieu Cerda
Infrastructure, BU Means @ NBS System
1:38 a.m.
You may set the "pwdInHistory" attribute to 5 to store the last 5
passwords used, and forbid their reuse.
Le 14/02/2019 à 10:35, Matthieu Cerda a écrit :
Yes, you might want to use the password policy (ppolicy) overlay:
https://kb.symas.com/v2.4.45.2/man5/slapo-ppolicy/
Le 14/02/2019 à 07:58, Tian Zhiying a écrit :
> Hi
>
> Is there a feature that OpenLDAP password policy can forbidden user password reuse of
the last 5 password?
>
> Thanks.
>
>
>
>
--
Matthieu Cerda
Infrastructure, BU Means @ NBS System
3:17 a.m.
New subject: 答复: Forbidden account password reuse of the last 5 password
Hi Matthieu,
Thank you for your reply.
I have set the "pwdInHistory" attribute to 5 in password policy and set
forbidden their reuse in config.inc.php of Self Service Password. As below shown:
But it seems not working, my password is following:
First time password: AAbb1122
Second time password: CCdd3344
Third time password: AAbb1122, same with the first time password, it has been modified
successfully.
Thanks
-----邮件原件-----
发件人: openldap-technical [mailto:openldap-technical-bounces@openldap.org] 代表 Matthieu
Cerda
发送时间: 2019年2月14日 17:38
收件人: openldap-technical(a)openldap.org
主题: Re: Forbidden account password reuse of the last 5 password
You may set the "pwdInHistory" attribute to 5 to store the last 5 passwords
used, and forbid their reuse.
Le 14/02/2019 à 10:35, Matthieu Cerda a écrit :
>
>
>
--
Matthieu Cerda
Infrastructure, BU Means @ NBS System
Yes, you might want to use the password policy (ppolicy) overlay:
<https://kb.symas.com/v2.4.45.2/man5/slapo-ppolicy/>
https://kb.symas.com/v2.4.45.2/man5/slapo-ppolicy/
Le 14/02/2019 à 07:58, Tian Zhiying a écrit :
> Hi
>> Is there a feature that OpenLDAP password policy can forbidden
user password reuse of the last 5 password?
>> Thanks.
>
6:18 a.m.
New subject: Antw: 答复: Forbidden account password reuse of the last 5 password
>> "Tian Zhiying" <tianzy1225(a)thundersoft.com>
schrieb am 14.02.2019 um 12:17
in
Nachricht <000001d4c456$d6b4ed40$841ec7c0$(a)thundersoft.com>:
Hi Matthieu,
Thank you for your reply.
I have set the "pwdInHistory" attribute to 5 in password policy and set
forbidden their reuse in config.inc.php of Self Service Password. As below
shown:
Did you also assign the password policy to users, or did you set a default
policy?
But it seems not working, my password is following:
First time password: AAbb1122
Second time password: CCdd3344
Third time password: AAbb1122, same with the first time password, it has
been modified successfully.
Thanks
-----邮件原件-----
发件人: openldap-technical [mailto:openldap-technical-bounces@openldap.org] 代表
Matthieu Cerda
发送时间: 2019年2月14日 17:38
收件人: openldap-technical(a)openldap.org
主题: Re: Forbidden account password reuse of the last 5 password
You may set the "pwdInHistory" attribute to 5 to store the last 5 passwords
used, and forbid their reuse.
Le 14/02/2019 à 10:35, Matthieu Cerda a écrit :
> Yes, you might want to use the password policy (ppolicy) overlay:
> <https://kb.symas.com/v2.4.45.2/man5/slapo-ppolicy/>
https://kb.symas.com/v2.4.45.2/man5/slapo-ppolicy/
>
> Le 14/02/2019 à 07:58, Tian Zhiying a écrit :
>> Hi
>>
>> Is there a feature that OpenLDAP password policy can forbidden user
password
reuse of the last 5 password?
>>
>> Thanks.
>>
>>
>>
>>
--
Matthieu Cerda
Infrastructure, BU Means @ NBS System
6:48 p.m.
New subject: 答复: Antw: 答复: Forbidden account password reuse of the last 5 password
Yes, I have set a default password policy and assigned the password policy to user.
-----邮件原件-----
发件人: openldap-technical [mailto:openldap-technical-bounces@openldap.org] 代表 Ulrich Windl
发送时间: 2019年2月14日 22:18
收件人: matthieu.cerda(a)nbs-system.com; openldap-technical(a)openldap.org; tianzy1225
<tianzy1225(a)thundersoft.com>
主题: Antw: 答复: Forbidden account password reuse of the last 5 password
>> "Tian Zhiying" <tianzy1225(a)thundersoft.com>
schrieb am 14.02.2019 um
>> 12:17
in
Nachricht <000001d4c456$d6b4ed40$841ec7c0$(a)thundersoft.com>:
Hi Matthieu,
Thank you for your reply.
I have set the "pwdInHistory" attribute to 5 in password policy and
set forbidden their reuse in config.inc.php of Self Service Password.
As below
shown:
Did you also assign the password policy to users, or did you set a default policy?
But it seems not working, my password is following:
First time password: AAbb1122
Second time password: CCdd3344
Third time password: AAbb1122, same with the first time password, it
has been modified successfully.
Thanks
-----邮件原件-----
发件人: openldap-technical
[mailto:openldap-technical-bounces@openldap.org] 代表
Matthieu Cerda
发送时间: 2019年2月14日 17:38
收件人: openldap-technical(a)openldap.org
主题: Re: Forbidden account password reuse of the last 5 password
You may set the "pwdInHistory" attribute to 5 to store the last 5
passwords
used, and forbid their reuse.
Le 14/02/2019 à 10:35, Matthieu Cerda a écrit :
> Yes, you might want to use the password policy (ppolicy) overlay:
> <https://kb.symas.com/v2.4.45.2/man5/slapo-ppolicy/>
https://kb.symas.com/v2.4.45.2/man5/slapo-ppolicy/
>
> Le 14/02/2019 à 07:58, Tian Zhiying a écrit :
>> Hi
>>
>> Is there a feature that OpenLDAP password policy can forbidden user
password
reuse of the last 5 password?
>>
>> Thanks.
>>
>>
>>
>>
--
Matthieu Cerda
Infrastructure, BU Means @ NBS System
7:18 a.m.
New subject: 答复: Forbidden account password reuse of the last 5 password
Le 14/02/2019 à 12:17, Tian Zhiying a écrit :
But it seems not working, my password is following:
First time password: AAbb1122
Second time password: CCdd3344
*Third time password: AAbb1122, same with the first time password, it
has been modified successfully.*
Check that the password modification is not done by the rootdn, as the
rootdn is bypassing password policy constraints.
--
Clément Oudot | Identity Solutions Manager
clement.oudot(a)worteks.com
Worteks | https://www.worteks.com
7:08 p.m.
New subject: 答复: 答复: Forbidden account password reuse of the last 5 password
Clément Oudot,
Thank you.
I have changed the rootdn from root to other user, it’s still not working. I can modified
the user password same with before.
I have set the password policy and added user in this password policy as below:
发件人: openldap-technical [mailto:openldap-technical-bounces@openldap.org] 代表 Clément OUDOT
发送时间: 2019年2月14日 23:19
收件人: openldap-technical(a)openldap.org
主题: Re: 答复: Forbidden account password reuse of the last 5 password
Le 14/02/2019 à 12:17, Tian Zhiying a écrit :
But it seems not working, my password is following:
First time password: AAbb1122
Second time password: CCdd3344
Third time password: AAbb1122, same with the first time password, it has been modified
successfully.
Check that the password modification is not done by the rootdn, as the rootdn is bypassing
password policy constraints.
--
Clément Oudot | Identity Solutions Manager
clement.oudot(a)worteks.com <mailto:clement.oudot@worteks.com>
Worteks | https://www.worteks.com
12:10 a.m.
New subject: 答复: 答复: Forbidden account password reuse of the last 5 password
Le 15/02/2019 à 04:08, Tian Zhiying a écrit :
Clément Oudot,
Thank you.
I have changed the rootdn from root to other user, it’s still not
working. I can modified the user password same with before.
First check that your are sending you password in cleartext, so that
OpenLDAP can check the syntax and compare it to passwords in history.
You might need to set pwdCheckQuality to 1 or 2 in your ppolicy, but I
am not sure it is required to check history. It is needed to check
password length and other checks from the optionnal password checker module.
--
Clément Oudot | Identity Solutions Manager
clement.oudot(a)worteks.com
Worteks | https://www.worteks.com
1757
days inactive
1759
days old
openldap-technical@openldap.org
19 comments
8 participants
participants (8)
-
Clément OUDOT -
Derek Zhou -
Howard Chu -
Matthieu Cerda -
Michael Ströder -
Simone Piccardi -
Tian Zhiying -
Ulrich Windl