Hey All
Does anyone know why, when I change pam_password to exop in /etc/ldap.conf, my password history and the check_password module that I built into ppolicy stop working? This is OpenLDAP 2.4.21 built from source running on CentOS 5.5. It worked fine when I had pam_password md5.
Thanks
John Allgood
Senior Systems Administrator
OHL Transportation Services
2251 Jesse Jewell Pky. NE
Gainesville, GA 30507
tel: (678) 989-3051
fax: (770) 531-7878
jallgood@ohl.com
www.ohl.com
______________________________________________________
This e-mail transmission may contain information that is proprietary, privileged and/or confidential and is intended exclusively for the person(s) to whom it is addressed. Any use, copying, retention or disclosure by any person other than the intended recipient or the intended recipient's designees is strictly prohibited. If you are not the intended recipient or their designee, please notify the sender immediately by return e-mail and delete all copies.
On Monday, 28 June 2010 16:43:34 Allgood, John wrote:
> Hey All
> Does anyone know why, when I change pam_password to exop in /etc/ldap.conf, my password history and the check_password module that I built into ppolicy stop working?
Define "stop working". Is it not updating password history attributes? Or, is it not preventing you from using passwords from when they were being hashed on the client side?
Was this working (as you claimed) correctly, with these two features, when you changed your password with ldappasswd?
It could be that your default server hash (please check the hash on passwords changed via pam_ldap with 'pam_password exop', or by ldappasswd) may not be md5, in which case, your new password hashes will be different to the old ones, even if the passwords are the same .....
Either correct your 'password-hash' in slapd.conf, restart, test etc., or stick with your current config, and ensure you're not testing against any old (md5) password hashes (in password histories).
> This is OpenLDAP 2.4.21 built from source running on CentOS 5.5. It worked fine when I had pam_password md5.
Well, note that in this case, the server would never see the clear-text, so a check_password module would not be able to do very much ...
Regards, Buchan
Hey Mike
Thanks for the response. When pam_password was set to md5, the only issue I had was with changing the password; it was suggested that I switch to exop so I could use passwd to change the password instead of ldappasswd. With the password history and strength testing, I had tested this thoroughly with md5, and when I switched to exop I could see the attributes getting updated, but it did not seem to matter. I think it is definitely something to do with the hashes. Here are the ppolicy lines in my slapd.conf file. Any other information I can provide, just let me know.

    overlay ppolicy
    ppolicy_default cn=default,ou=policies,dc=turbocorp,dc=com
    ppolicy_hash_cleartext
    ppolicy_use_lockout
-----Original Message-----
From: Buchan Milne [mailto:bgmilne@staff.telkomsa.net]
Sent: Monday, June 28, 2010 5:15 PM
To: openldap-technical@openldap.org
Cc: Allgood, John
Subject: Re: OpenLDAP Issues
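An added example (not from the thread and not OpenLDAP's own code) of the comparison a server has to perform when it checks a cleartext password against pwdHistory values stored under different schemes, and of why a value the client has already hashed (pam_password md5) leaves a server-side check nothing to inspect. Scheme formats follow RFC 2307; the sample history, passwords and fixed salt are constructed.

```python
import base64
import hashlib
import os
import re

SCHEME_RE = re.compile(r"^\{([A-Za-z0-9]+)\}(.+)$")

def hash_password(cleartext, scheme="SSHA", salt=None):
    """Build an RFC 2307 userPassword value: unsalted {MD5} or salted {SSHA}."""
    data = cleartext.encode("utf-8")
    scheme = scheme.upper()
    if scheme == "MD5":
        return "{MD5}" + base64.b64encode(hashlib.md5(data).digest()).decode()
    if scheme == "SSHA":
        salt = os.urandom(4) if salt is None else salt  # fresh salt per hash
        digest = hashlib.sha1(data + salt).digest()
        return "{SSHA}" + base64.b64encode(digest + salt).decode()
    raise ValueError("unsupported scheme: " + scheme)

def verify_password(cleartext, stored):
    """Check a cleartext candidate against one stored value under its own scheme."""
    m = SCHEME_RE.match(stored)
    if not m:
        return stored == cleartext  # no prefix: value was stored in cleartext
    scheme, payload = m.group(1).upper(), base64.b64decode(m.group(2))
    data = cleartext.encode("utf-8")
    if scheme == "MD5":
        return hashlib.md5(data).digest() == payload
    if scheme == "SSHA":
        digest, salt = payload[:20], payload[20:]  # SHA-1 digest is 20 bytes, rest is salt
        return hashlib.sha1(data + salt).digest() == digest
    return False  # unknown scheme: cannot verify

def in_history(cleartext, history):
    """Server-side check (exop case): does the cleartext match any history value?"""
    return any(verify_password(cleartext, h) for h in history)

def naive_in_history(hashed_value, history):
    """All a string comparison can do when the client already hashed the password."""
    return hashed_value in history

# Constructed sample history: two entries written while the client hashed with
# pam_password md5, one written by the server (exop) with password-hash {SSHA}.
HISTORY = [
    hash_password("Winter2010", "MD5"),
    hash_password("Spring2010", "MD5"),
    hash_password("Summer2010", "SSHA", salt=b"\x01\x02\x03\x04"),
]
```

Because {SSHA} carries a random salt, two hashes of the same password differ as strings, so a reused password is only caught when the server sees the cleartext and re-hashes it under each stored entry's scheme.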