1:36 a.m.
2012/6/20 Francesco Belli <Francesco.Belli(a)vegaspace.com>:
Hi Clement,
I already used pam_password directive, I set it to cleartext, but this parameter is used
for password change and not for authentication. As man pam_ldap says "Specifies the
password change protocol to use", so not the authentication method. Now my situation
is that I have some users in the LDAP server that they have a SHA hash in the userPassword
field, and they are correctly authenticated, others that have a clear text password and
cannot be authenticated via PAM.
Password scheme used in LDAP directory do not prevent any application
to authenticate to LDAP. Dig into logs to see what is the real reason
of your problem.
Clément.
6:17 a.m.
New subject: PAM authentication and PPolicy issues
Sent: Wed Jun 20 2012 04:36:03 GMT-0400 (EDT)
From: Clément OUDOT <clem.oudot(a)gmail.com>
To: Francesco Belli <Francesco.Belli(a)vegaspace.com>
openldap-technical(a)openldap.org
Subject: Re: PAM authentication and PPolicy issues
2012/6/20 Francesco Belli<Francesco.Belli(a)vegaspace.com>:
> Hi Clement,
> I already used pam_password directive, I set it to cleartext, but this parameter is
used for password change and not for authentication. As man pam_ldap says "Specifies
the password change protocol to use", so not the authentication method. Now my
situation is that I have some users in the LDAP server that they have a SHA hash in the
userPassword field, and they are correctly authenticated, others that have a clear text
password and cannot be authenticated via PAM.
Password scheme used in LDAP directory do not prevent any application
to authenticate to LDAP. Dig into logs to see what is the real reason
of your problem.
Clément.
In addition, it is not true that the password must be stored in
cleartext for pwdCheckQuality and pwdInHistory to work. Storing
passwords in cleartext is bad.
-Patrick
6:32 a.m.
New subject: PAM authentication and PPolicy issues
2012/6/20 Patrick Hemmer <openldap(a)stormcloud9.net>:
Sent: Wed Jun 20 2012 04:36:03 GMT-0400 (EDT)
From: Clément OUDOT <clem.oudot(a)gmail.com>
To: Francesco Belli <Francesco.Belli(a)vegaspace.com>
openldap-technical(a)openldap.org
Subject: Re: PAM authentication and PPolicy issues
2012/6/20 Francesco Belli <Francesco.Belli(a)vegaspace.com>:
Hi Clement,
I already used pam_password directive, I set it to cleartext, but this
parameter is used for password change and not for authentication. As man
pam_ldap says "Specifies the password change protocol to use", so not the
authentication method. Now my situation is that I have some users in the
LDAP server that they have a SHA hash in the userPassword field, and they
are correctly authenticated, others that have a clear text password and
cannot be authenticated via PAM.
Password scheme used in LDAP directory do not prevent any application
to authenticate to LDAP. Dig into logs to see what is the real reason
of your problem.
Clément.
In addition, it is not true that the password must be stored in cleartext
for pwdCheckQuality and pwdInHistory to work. Storing passwords in cleartext
is bad.
They can be stored hashed, but they must be sent as clear text in the
modification operation so that OpenLDAP can check the quality (min
size for example). The ppolicy overlay is then able to hash them when
storing accepted password in database.
Clément.
6:44 a.m.
New subject: PAM authentication and PPolicy issues
Sorry Patric,
Maybe the reference that I have is wrong, I'm using the book "Mastering
OpenLDAP" by Matt Butcher that in chapter 6 at pag 323 says "if you store
password in plain text in the directory then the policy overlay can be configured to
maintain a password history". Now I'm using
http://www.openldap.org/software/man.cgi?query=slapo-ppolicy&apropos=...
as reference for ppolicy. My authentication error was a trivial problem on an objectClass:
posixAccount. Now I'm testing with SHA stored passwords the pwdInHistory directive.
Thanks for the suggestions,
Regards
Francesco
From: openldap-technical-bounces(a)OpenLDAP.org
[mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Patrick Hemmer
Sent: 20 June 2012 14:17
To: openldap-technical(a)openldap.org
Subject: Re: PAM authentication and PPolicy issues
Sent: Wed Jun 20 2012 04:36:03 GMT-0400 (EDT)
From: Clément OUDOT <clem.oudot@gmail.com><mailto:clem.oudot@gmail.com>
To: Francesco Belli
<Francesco.Belli@vegaspace.com><mailto:Francesco.Belli@vegaspace.com>
openldap-technical@openldap.org<mailto:openldap-technical@openldap.org>
Subject: Re: PAM authentication and PPolicy issues
2012/6/20 Francesco Belli
<Francesco.Belli@vegaspace.com><mailto:Francesco.Belli@vegaspace.com>:
Hi Clement,
I already used pam_password directive, I set it to cleartext, but this parameter is used
for password change and not for authentication. As man pam_ldap says "Specifies the
password change protocol to use", so not the authentication method. Now my situation
is that I have some users in the LDAP server that they have a SHA hash in the userPassword
field, and they are correctly authenticated, others that have a clear text password and
cannot be authenticated via PAM.
Password scheme used in LDAP directory do not prevent any application
to authenticate to LDAP. Dig into logs to see what is the real reason
of your problem.
Clément.
In addition, it is not true that the password must be stored in cleartext for
pwdCheckQuality and pwdInHistory to work. Storing passwords in cleartext is bad.
-Patrick
1:03 p.m.
New subject: PAM authentication and PPolicy issues
On Wed, Jun 20, 2012 at 01:44:05PM +0000, Francesco Belli wrote:
Now I’m using http://
www.openldap.org/software/man.cgi?query=slapo-ppolicy&apropos=0&s...
manpath=OpenLDAP+2.3-Release&format=html as reference for ppolicy. My
The 2.3 release series is very old now. You should be using 2.4 and
the 2.4 manuals:
http://www.openldap.org/software/man.cgi
I’m testing with SHA stored passwords the pwdInHistory directive.
SHA is much better than plaintext, but best practice is to use a
salted hash - SSHA in this case. The use of salt frustrates attempts
to build a dictionary to invert stolen password records. If LinkedIn
had used salt in their password hashes they would now be in less
trouble as a result of the recent disclosure...
https://community.qualys.com/blogs/securitylabs/2012/06/08/lessons-learne...
Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
-----------------------------------------------------------------------
4181
days inactive
4181
days old
openldap-technical@openldap.org
4 comments
4 participants
participants (4)
-
Andrew Findlay -
Clément OUDOT -
Francesco Belli -
Patrick Hemmer