Hello all,
I have an LDAP server that I use for system authentication, emails, etc., in a domain (homebox.space).
I have the password policies defined in the LDAP database, but they don't seem to apply to the users when changing a password.
Both "olcPPolicyDefault" and "olcPPolicyHashCleartext" are set up, but only the last is working, i.e. passwords sent in clear text by an LDAP client are automatically encrypted.
There is an overlay entry for the domain, example:
olcPPolicyDefault: cn=default,ou=pwpolicies,dc=homebox,dc=space
and a correct entry "pwdPolicySubentry" for each user.
However, when I try to change the password with pam_ldap or using the roundcube password plugin, even the minimal length rule is ignored.
The module configuration:
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_mdb
olcModuleLoad: {1}ppolicy.la
olcModuleLoad: {2}deref.la
structuralObjectClass: olcModuleList
entryUUID: acbfbc52-7c3a-1037-9cc1-d74dec6fc011
creatorsName: cn=admin,cn=config
createTimestamp: 20171223143824Z
entryCSN: 20171223143828.930245Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20171223143828Z
The overlay configuration:
dn: olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcPPolicyConfig
objectClass: olcOverlayConfig
olcOverlay: {0}ppolicy
olcPPolicyDefault: cn=default,ou=pwpolicies,dc=homebox,dc=space
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: FALSE
olcPPolicyForwardUpdates: FALSE
structuralObjectClass: olcPPolicyConfig
entryUUID: affa09e0-7c3a-1037-956b-0f107d4f36ac
creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
createTimestamp: 20171223143829Z
entryCSN: 20171223143829.643274Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20171223143829Z
The policy:
dn: cn=default,ou=pwpolicies,dc=homebox,dc=space
pwdExpireWarning: 259200
pwdMaxFailure: 5
cn: default
objectClass: pwdPolicy
objectClass: person
objectClass: top
pwdMinLength: 8
pwdCheckQuality: 0
pwdAttribute: userPassword
pwdLockoutDuration: 0
pwdInHistory: 0
sn: default
pwdMaxAge: 31536000
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 300
structuralObjectClass: person
entryUUID: b083c4d2-7c3a-1037-956d-0f107d4f36ac
creatorsName: cn=admin,dc=homebox,dc=space
createTimestamp: 20171223143830Z
entryCSN: 20171223143830.545905Z#000000#000#000000
modifiersName: cn=admin,dc=homebox,dc=space
modifyTimestamp: 20171223143830Z
Example of one user:
dn:: Y249QW5kcsOpIFJvZGllcixvdT11c2VycyxkYz1ob21lYm94LGRjPXNwYWNl
pwdPolicySubentry: cn=default,ou=pwpolicies,dc=homebox,dc=space
shadowMin: 0
uid: andre
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
loginShell: /bin/bash
shadowFlag: 0
uidNumber: 1001
shadowMax: 999999
gidNumber: 1001
homeDirectory: /home/users/andre
sn: Rodier
shadowInactive: -1
mail: andre@homebox.space
givenName:: QW5kcsOp
shadowWarning: 7
structuralObjectClass: inetOrgPerson
cn:: QW5kcsOpIFJvZGllcg==
entryUUID: b12c4db4-7c3a-1037-9572-0f107d4f36ac
creatorsName: cn=admin,dc=homebox,dc=space
createTimestamp: 20171223143831Z
userPassword:: e1NTSEF9SHllVitOazkyekNHYlIwbVRUdkZJZWFpVUo2WElSVWM=
pwdChangedTime: 20171223150211Z
entryCSN: 20171223150211.599058Z#000000#000#000000
modifiersName: cn=admin,dc=homebox,dc=space
modifyTimestamp: 20171223150211Z
I have the whole source code here: https://github.com/progmaticltd/homebox/
The Ansible tasks I am using to configure the LDAP server are here:
https://github.com/progmaticltd/homebox/blob/master/install/playbooks/roles/...
Any help welcome.
Kind regards, André Rodier.
PS: Merry Christmas / Happy new year / for those concerned.
I suggest to check the pam-ldap config. IIRC it should be using the exop method to change password.
On Dec 23, 2017 1:17 PM, "André Rodier" andre@rodier.me wrote:
Hello all,
I have an LDAP server that I use for system authentication, emails, etc., in a domain (homebox.space).
I have the password policies defined in the LDAP database, but they don't seem to apply to the users when changing a password.
Both "olcPPolicyDefault" and "olcPPolicyHashCleartext" are set up, but only the last is working, i.e. passwords sent in clear text by an LDAP client are automatically encrypted.
There is an overlay entry for the domain, example:
olcPPolicyDefault: cn=default,ou=pwpolicies,dc=homebox,dc=space
and a correct entry "pwdPolicySubentry" for each user.
However, when I try to change the password with pam_ldap or using the roundcube password plugin, even the minimal length rule is ignored.
The module configuration:
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_mdb
olcModuleLoad: {1}ppolicy.la
olcModuleLoad: {2}deref.la
structuralObjectClass: olcModuleList
entryUUID: acbfbc52-7c3a-1037-9cc1-d74dec6fc011
creatorsName: cn=admin,cn=config
createTimestamp: 20171223143824Z
entryCSN: 20171223143828.930245Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20171223143828Z
The overlay configuration:
dn: olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcPPolicyConfig
objectClass: olcOverlayConfig
olcOverlay: {0}ppolicy
olcPPolicyDefault: cn=default,ou=pwpolicies,dc=homebox,dc=space
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: FALSE
olcPPolicyForwardUpdates: FALSE
structuralObjectClass: olcPPolicyConfig
entryUUID: affa09e0-7c3a-1037-956b-0f107d4f36ac
creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
createTimestamp: 20171223143829Z
entryCSN: 20171223143829.643274Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20171223143829Z
The policy:
dn: cn=default,ou=pwpolicies,dc=homebox,dc=space
pwdExpireWarning: 259200
pwdMaxFailure: 5
cn: default
objectClass: pwdPolicy
objectClass: person
objectClass: top
pwdMinLength: 8
pwdCheckQuality: 0
pwdAttribute: userPassword
pwdLockoutDuration: 0
pwdInHistory: 0
sn: default
pwdMaxAge: 31536000
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 300
structuralObjectClass: person
entryUUID: b083c4d2-7c3a-1037-956d-0f107d4f36ac
creatorsName: cn=admin,dc=homebox,dc=space
createTimestamp: 20171223143830Z
entryCSN: 20171223143830.545905Z#000000#000#000000
modifiersName: cn=admin,dc=homebox,dc=space
modifyTimestamp: 20171223143830Z
Example of one user:
dn:: Y249QW5kcsOpIFJvZGllcixvdT11c2VycyxkYz1ob21lYm94LGRjPXNwYWNl
pwdPolicySubentry: cn=default,ou=pwpolicies,dc=homebox,dc=space
shadowMin: 0
uid: andre
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
loginShell: /bin/bash
shadowFlag: 0
uidNumber: 1001
shadowMax: 999999
gidNumber: 1001
homeDirectory: /home/users/andre
sn: Rodier
shadowInactive: -1
mail: andre@homebox.space
givenName:: QW5kcsOp
shadowWarning: 7
structuralObjectClass: inetOrgPerson
cn:: QW5kcsOpIFJvZGllcg==
entryUUID: b12c4db4-7c3a-1037-9572-0f107d4f36ac
creatorsName: cn=admin,dc=homebox,dc=space
createTimestamp: 20171223143831Z
userPassword:: e1NTSEF9SHllVitOazkyekNHYlIwbVRUdkZJZWFpVUo2WElSVWM=
pwdChangedTime: 20171223150211Z
entryCSN: 20171223150211.599058Z#000000#000#000000
modifiersName: cn=admin,dc=homebox,dc=space
modifyTimestamp: 20171223150211Z
I have the whole source code here: https://github.com/progmaticltd/homebox/
The Ansible tasks I am using to configure the LDAP server are here:
https://github.com/progmaticltd/homebox/blob/master/install/playbooks/roles/accounts/tasks/main.yml
Any help welcome.
Kind regards, André Rodier.
PS: Merry Christmas / Happy new year / for those concerned.
Hello Andreas,
Thank you very much. I will try that, probably next year.
Kind regards, André.
On 23 December 2017 21:29:45 GMT+00:00, Andreas Hasenack andreas@canonical.com wrote:
I suggest to check the pam-ldap config. IIRC it should be using the exop method to change password.
openldap-technical@openldap.org
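Added example (not part of the thread or of the homebox project): a small audit of the posted policy and user entries against the behaviour documented in slapo-ppolicy(5), listing conditions under which pwdMinLength is not applied to a password change. The LDIF strings are trimmed copies of the posted entries; ASSUMED_ROOTDN is an assumption, since the thread does not show the database's olcRootDN.

```python
import base64

# Trimmed copies of the policy and user entries posted in the thread.
POLICY_LDIF = """\
dn: cn=default,ou=pwpolicies,dc=homebox,dc=space
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdMinLength: 8
pwdCheckQuality: 0
"""
USER_LDIF = """\
dn:: Y249QW5kcsOpIFJvZGllcixvdT11c2VycyxkYz1ob21lYm94LGRjPXNwYWNl
pwdPolicySubentry: cn=default,ou=pwpolicies,dc=homebox,dc=space
pwdChangedTime: 20171223150211Z
modifiersName: cn=admin,dc=homebox,dc=space
"""
# Assumption: this DN is the olcRootDN of the mdb database (not shown in the thread).
ASSUMED_ROOTDN = "cn=admin,dc=homebox,dc=space"

def parse_entry(ldif):
    """Parse one unfolded LDIF entry into {lowercased attribute: [values]}."""
    entry = {}
    for line in ldif.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: <base64>" carries a UTF-8 value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        entry.setdefault(attr.lower(), []).append(value.strip())
    return entry

def audit(policy, user, rootdn):
    """Return the reasons a password change on `user` would escape `policy`."""
    findings = []
    if user.get("pwdpolicysubentry", [None])[0] != policy["dn"][0]:
        findings.append("user is not bound to this policy entry")
    quality = int(policy.get("pwdcheckquality", ["0"])[0])
    if quality == 0:  # syntax checking disabled, so the length rule never runs
        findings.append("pwdCheckQuality is 0: pwdMinLength is not checked")
    elif quality == 1:  # values the server cannot inspect are let through
        findings.append("pwdCheckQuality is 1: pre-hashed passwords are accepted")
    if user.get("modifiersname", [""])[0].lower() == rootdn.lower():
        findings.append("last modifier is the rootdn, which is exempt from checks")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_entry(POLICY_LDIF), parse_entry(USER_LDIF), ASSUMED_ROOTDN):
        print("-", finding)
```

With pwdCheckQuality set to 2, a change that arrives already hashed is refused instead of accepted, so the length rule holds only for changes that reach the server in clear text under a non-rootdn identity.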