7:14 a.m.
Hello all,
I have an LDAP server, that I use for system authentication, emails,
etc, in a domain (homebox.space)
I have the password policies defined in the LDAP database, but they
don't seem to apply to the users when changing a password.
Both "olcPPolicyDefault" and "olcPPolicyHashCleartext" are set up,
but
only the last is working, i.e. passwords sent in clear text by an LDAP
client are automatically encrypted.
There is an overlay entry for the domain, example:
olcPPolicyDefault: cn=default,ou=pwpolicies,dc=homebox,dc=space
and a correct entry "pwdPolicySubentry" for each user.
However, when I try change the password with pam_ldap or using the
roundcube password plugin, even the minimal length rule is ignored.
The module configuration:
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_mdb
olcModuleLoad: {1}ppolicy.la
olcModuleLoad: {2}deref.la
structuralObjectClass: olcModuleList
entryUUID: acbfbc52-7c3a-1037-9cc1-d74dec6fc011
creatorsName: cn=admin,cn=config
createTimestamp: 20171223143824Z
entryCSN: 20171223143828.930245Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20171223143828Z
The overlay configuration
dn: olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcPPolicyConfig
objectClass: olcOverlayConfig
olcOverlay: {0}ppolicy
olcPPolicyDefault: cn=default,ou=pwpolicies,dc=homebox,dc=space
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: FALSE
olcPPolicyForwardUpdates: FALSE
structuralObjectClass: olcPPolicyConfig
entryUUID: affa09e0-7c3a-1037-956b-0f107d4f36ac
creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
createTimestamp: 20171223143829Z
entryCSN: 20171223143829.643274Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20171223143829Z
The policy:
dn: cn=default,ou=pwpolicies,dc=homebox,dc=space
pwdExpireWarning: 259200
pwdMaxFailure: 5
cn: default
objectClass: pwdPolicy
objectClass: person
objectClass: top
pwdMinLength: 8
pwdCheckQuality: 0
pwdAttribute: userPassword
pwdLockoutDuration: 0
pwdInHistory: 0
sn: default
pwdMaxAge: 31536000
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 300
structuralObjectClass: person
entryUUID: b083c4d2-7c3a-1037-956d-0f107d4f36ac
creatorsName: cn=admin,dc=homebox,dc=space
createTimestamp: 20171223143830Z
entryCSN: 20171223143830.545905Z#000000#000#000000
modifiersName: cn=admin,dc=homebox,dc=space
modifyTimestamp: 20171223143830Z
Example of one user:
dn:: Y249QW5kcsOpIFJvZGllcixvdT11c2VycyxkYz1ob21lYm94LGRjPXNwYWNl
pwdPolicySubentry: cn=default,ou=pwpolicies,dc=homebox,dc=space
shadowMin: 0
uid: andre
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
loginShell: /bin/bash
shadowFlag: 0
uidNumber: 1001
shadowMax: 999999
gidNumber: 1001
homeDirectory: /home/users/andre
sn: Rodier
shadowInactive: -1
mail: andre(a)homebox.space
givenName:: QW5kcsOp
shadowWarning: 7
structuralObjectClass: inetOrgPerson
cn:: QW5kcsOpIFJvZGllcg==
entryUUID: b12c4db4-7c3a-1037-9572-0f107d4f36ac
creatorsName: cn=admin,dc=homebox,dc=space
createTimestamp: 20171223143831Z
userPassword:: e1NTSEF9SHllVitOazkyekNHYlIwbVRUdkZJZWFpVUo2WElSVWM=
pwdChangedTime: 20171223150211Z
entryCSN: 20171223150211.599058Z#000000#000#000000
modifiersName: cn=admin,dc=homebox,dc=space
modifyTimestamp: 20171223150211Z
I have the whole source code here: https://github.com/progmaticltd/homebox/
The Ansible tasks I am using to configure the LDAP server are here:
https://github.com/progmaticltd/homebox/blob/master/install/playbooks/rol...
Any help welcome.
Kind regards,
André Rodier.
PS: Merry Christmas / Happy new year / for those concerned.
1:29 p.m.
I suggest to check the pam-ldap config. IIRC it should be using the exop
method to change password.
On Dec 23, 2017 1:17 PM, "André Rodier" <andre(a)rodier.me> wrote:
Hello all,
I have an LDAP server, that I use for system authentication, emails,
etc, in a domain (homebox.space)
I have the password policies defined in the LDAP database, but they
don't seem to apply to the users when changing a password.
Both "olcPPolicyDefault" and "olcPPolicyHashCleartext" are set up,
but
only the last is working, i.e. passwords sent in clear text by an LDAP
client are automatically encrypted.
There is an overlay entry for the domain, example:
olcPPolicyDefault: cn=default,ou=pwpolicies,dc=homebox,dc=space
and a correct entry "pwdPolicySubentry" for each user.
However, when I try change the password with pam_ldap or using the
roundcube password plugin, even the minimal length rule is ignored.
The module configuration:
> dn: cn=module{0},cn=config
> objectClass: olcModuleList
> cn: module{0}
> olcModulePath: /usr/lib/ldap
> olcModuleLoad: {0}back_mdb
> olcModuleLoad: {1}ppolicy.la
> olcModuleLoad: {2}deref.la
> structuralObjectClass: olcModuleList
> entryUUID: acbfbc52-7c3a-1037-9cc1-d74dec6fc011
> creatorsName: cn=admin,cn=config
> createTimestamp: 20171223143824Z
> entryCSN: 20171223143828.930245Z#000000#000#000000
> modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> modifyTimestamp: 20171223143828Z
The overlay configuration
> dn: olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config
> objectClass: olcPPolicyConfig
> objectClass: olcOverlayConfig
> olcOverlay: {0}ppolicy
> olcPPolicyDefault: cn=default,ou=pwpolicies,dc=homebox,dc=space
> olcPPolicyHashCleartext: TRUE
> olcPPolicyUseLockout: FALSE
> olcPPolicyForwardUpdates: FALSE
> structuralObjectClass: olcPPolicyConfig
> entryUUID: affa09e0-7c3a-1037-956b-0f107d4f36ac
> creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> createTimestamp: 20171223143829Z
> entryCSN: 20171223143829.643274Z#000000#000#000000
> modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> modifyTimestamp: 20171223143829Z
The policy:
> dn: cn=default,ou=pwpolicies,dc=homebox,dc=space
> pwdExpireWarning: 259200
> pwdMaxFailure: 5
> cn: default
> objectClass: pwdPolicy
> objectClass: person
> objectClass: top
> pwdMinLength: 8
> pwdCheckQuality: 0
> pwdAttribute: userPassword
> pwdLockoutDuration: 0
> pwdInHistory: 0
> sn: default
> pwdMaxAge: 31536000
> pwdGraceAuthNLimit: 0
> pwdFailureCountInterval: 300
> structuralObjectClass: person
> entryUUID: b083c4d2-7c3a-1037-956d-0f107d4f36ac
> creatorsName: cn=admin,dc=homebox,dc=space
> createTimestamp: 20171223143830Z
> entryCSN: 20171223143830.545905Z#000000#000#000000
> modifiersName: cn=admin,dc=homebox,dc=space
> modifyTimestamp: 20171223143830Z
Example of one user:
> dn:: Y249QW5kcsOpIFJvZGllcixvdT11c2VycyxkYz1ob21lYm94LGRjPXNwYWNl
> pwdPolicySubentry: cn=default,ou=pwpolicies,dc=homebox,dc=space
> shadowMin: 0
> uid: andre
> objectClass: top
> objectClass: person
> objectClass: posixAccount
> objectClass: shadowAccount
> objectClass: inetOrgPerson
> loginShell: /bin/bash
> shadowFlag: 0
> uidNumber: 1001
> shadowMax: 999999
> gidNumber: 1001
> homeDirectory: /home/users/andre
> sn: Rodier
> shadowInactive: -1
> mail: andre(a)homebox.space
> givenName:: QW5kcsOp
> shadowWarning: 7
> structuralObjectClass: inetOrgPerson
> cn:: QW5kcsOpIFJvZGllcg==
> entryUUID: b12c4db4-7c3a-1037-9572-0f107d4f36ac
> creatorsName: cn=admin,dc=homebox,dc=space
> createTimestamp: 20171223143831Z
> userPassword:: e1NTSEF9SHllVitOazkyekNHYlIwbVRUdkZJZWFpVUo2WElSVWM=
> pwdChangedTime: 20171223150211Z
> entryCSN: 20171223150211.599058Z#000000#000#000000
> modifiersName: cn=admin,dc=homebox,dc=space
> modifyTimestamp: 20171223150211Z
>
I have the whole source code here: https://github.com/
progmaticltd/homebox/
The Ansible tasks I am using to configure the LDAP server are here:
https://github.com/progmaticltd/homebox/blob/master/install/playbooks/
roles/accounts/tasks/main.yml
Any help welcome.
Kind regards,
André Rodier.
PS: Merry Christmas / Happy new year / for those concerned.
1:22 a.m.
Hello Andreas,
Thank you very much. I setup try that, probably next year.
Kind regards,
André.
On 23 December 2017 21:29:45 GMT+00:00, Andreas Hasenack <andreas(a)canonical.com>
wrote:
I suggest to check the pam-ldap config. IIRC it should be using the
exop
method to change password.
On Dec 23, 2017 1:17 PM, "André Rodier" <andre(a)rodier.me> wrote:
> Hello all,
>
> I have an LDAP server, that I use for system authentication, emails,
> etc, in a domain (homebox.space)
>
> I have the password policies defined in the LDAP database, but they
> don't seem to apply to the users when changing a password.
>
> Both "olcPPolicyDefault" and "olcPPolicyHashCleartext" are set
up,
but
> only the last is working, i.e. passwords sent in clear text by an
LDAP
> client are automatically encrypted.
>
> There is an overlay entry for the domain, example:
>
> olcPPolicyDefault: cn=default,ou=pwpolicies,dc=homebox,dc=space
>
> and a correct entry "pwdPolicySubentry" for each user.
>
> However, when I try change the password with pam_ldap or using the
> roundcube password plugin, even the minimal length rule is ignored.
>
> The module configuration:
> > dn: cn=module{0},cn=config
> > objectClass: olcModuleList
> > cn: module{0}
> > olcModulePath: /usr/lib/ldap
> > olcModuleLoad: {0}back_mdb
> > olcModuleLoad: {1}ppolicy.la
> > olcModuleLoad: {2}deref.la
> > structuralObjectClass: olcModuleList
> > entryUUID: acbfbc52-7c3a-1037-9cc1-d74dec6fc011
> > creatorsName: cn=admin,cn=config
> > createTimestamp: 20171223143824Z
> > entryCSN: 20171223143828.930245Z#000000#000#000000
> > modifiersName:
gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> > modifyTimestamp: 20171223143828Z
>
> The overlay configuration
> > dn: olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config
> > objectClass: olcPPolicyConfig
> > objectClass: olcOverlayConfig
> > olcOverlay: {0}ppolicy
> > olcPPolicyDefault: cn=default,ou=pwpolicies,dc=homebox,dc=space
> > olcPPolicyHashCleartext: TRUE
> > olcPPolicyUseLockout: FALSE
> > olcPPolicyForwardUpdates: FALSE
> > structuralObjectClass: olcPPolicyConfig
> > entryUUID: affa09e0-7c3a-1037-956b-0f107d4f36ac
> > creatorsName:
gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> > createTimestamp: 20171223143829Z
> > entryCSN: 20171223143829.643274Z#000000#000#000000
> > modifiersName:
gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> > modifyTimestamp: 20171223143829Z
>
> The policy:
> > dn: cn=default,ou=pwpolicies,dc=homebox,dc=space
> > pwdExpireWarning: 259200
> > pwdMaxFailure: 5
> > cn: default
> > objectClass: pwdPolicy
> > objectClass: person
> > objectClass: top
> > pwdMinLength: 8
> > pwdCheckQuality: 0
> > pwdAttribute: userPassword
> > pwdLockoutDuration: 0
> > pwdInHistory: 0
> > sn: default
> > pwdMaxAge: 31536000
> > pwdGraceAuthNLimit: 0
> > pwdFailureCountInterval: 300
> > structuralObjectClass: person
> > entryUUID: b083c4d2-7c3a-1037-956d-0f107d4f36ac
> > creatorsName: cn=admin,dc=homebox,dc=space
> > createTimestamp: 20171223143830Z
> > entryCSN: 20171223143830.545905Z#000000#000#000000
> > modifiersName: cn=admin,dc=homebox,dc=space
> > modifyTimestamp: 20171223143830Z
>
> Example of one user:
>
> > dn:: Y249QW5kcsOpIFJvZGllcixvdT11c2VycyxkYz1ob21lYm94LGRjPXNwYWNl
> > pwdPolicySubentry: cn=default,ou=pwpolicies,dc=homebox,dc=space
> > shadowMin: 0
> > uid: andre
> > objectClass: top
> > objectClass: person
> > objectClass: posixAccount
> > objectClass: shadowAccount
> > objectClass: inetOrgPerson
> > loginShell: /bin/bash
> > shadowFlag: 0
> > uidNumber: 1001
> > shadowMax: 999999
> > gidNumber: 1001
> > homeDirectory: /home/users/andre
> > sn: Rodier
> > shadowInactive: -1
> > mail: andre(a)homebox.space
> > givenName:: QW5kcsOp
> > shadowWarning: 7
> > structuralObjectClass: inetOrgPerson
> > cn:: QW5kcsOpIFJvZGllcg==
> > entryUUID: b12c4db4-7c3a-1037-9572-0f107d4f36ac
> > creatorsName: cn=admin,dc=homebox,dc=space
> > createTimestamp: 20171223143831Z
> > userPassword:: e1NTSEF9SHllVitOazkyekNHYlIwbVRUdkZJZWFpVUo2WElSVWM=
> > pwdChangedTime: 20171223150211Z
> > entryCSN: 20171223150211.599058Z#000000#000#000000
> > modifiersName: cn=admin,dc=homebox,dc=space
> > modifyTimestamp: 20171223150211Z
> >
>
>
> I have the whole source code here: https://github.com/
> progmaticltd/homebox/
>
> The Ansible tasks I am using to configure the LDAP server are here:
>
>
https://github.com/progmaticltd/homebox/blob/master/install/playbooks/
> roles/accounts/tasks/main.yml
>
> Any help welcome.
>
> Kind regards,
> André Rodier.
>
> PS: Merry Christmas / Happy new year / for those concerned.
>
>
>
--
André Rodier
2097
days inactive
2098
days old
openldap-technical@openldap.org
2 comments
2 participants
participants (2)
-
Andreas Hasenack -
André Rodier