Hi;
In my free time, I've been studying openldap and the ppolicy overlay. I started working on password complexity today. While searching for information on implementing complexity, I ran across the link immediately following which seems to indicate that openldap honors the settings in /etc/pam.d/password-auth.
http://ubuntuforums.org/showthread.php?t=2172393
I tried configuring that on a test kvm and can't even get it working with local accounts so obviously I borked something in the password-auth file - like maybe not even the right pam.d file; however, before I spend a whole lot of time troubleshooting this, is my understanding accurate? Will openldap honor the settings in pam.d?
It seems that'd be a whole lot cleaner and more supportable than compiling a specialized password checking module.
Any info greatly appreciated. Thanks for your time.
Doug O'Leary
------------
Senior UNIX/Security Admin
CISSP, CISA, RHCSA, CEH
O'Leary Computers Inc
dkoleary@olearycomputers.com
(w) 630-904-6098 (c) 630-248-2749
linkedin: http://www.linkedin.com/in/dkoleary
resume: http://www.olearycomputers.com/resume.html
Doug OLeary wrote:
> Hi;
> In my free time, I've been studying openldap and the ppolicy overlay. I started working on password complexity today. While searching for information on implementing complexity, I ran across the link immediately following which seems to indicate that openldap honors the settings in /etc/pam.d/password-auth.
No, that's not what that thread says at all.
> I tried configuring that on a test kvm and can't even get it working with local accounts so obviously I borked something in the password-auth file - like maybe not even the right pam.d file; however, before I spend a whole lot of time troubleshooting this, is my understanding accurate? Will openldap honor the settings in pam.d?
No, OpenLDAP doesn't know anything about PAM settings. All that that thread is saying is that you must configure PAM correctly if you want PAM to enforce password quality *when you change passwords using PAM*.
If you change LDAP passwords via LDAP, PAM is nowhere in the picture.
> It seems that'd be a whole lot cleaner and more supportable than compiling a specialized password checking module.
> Any info greatly appreciated. Thanks for your time.
Hey;
Apparently, in my efforts to be brief, I didn't adequately outline the scenario. Users need to be able to change their own passwords once their account is configured in ldap and assigned an initial password. That's where pam comes in. Obviously, if I (or the user) change a user's account via ldap commands, pam restrictions.
I just verified that a test user can change his password to anything he wants via ldappasswd (bad... but have to have access to the command).
I also verified that the pam configuration affects password selection when the user is trying to change the password via the passwd command. (got that working both locally and via ldap).
So, I got the answer to my question and raised a bunch more potential issues that I'll have to ponder.
Thanks for the reply.
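The gap Doug found (PAM only sees a password change that goes through passwd; ldappasswd talks to slapd directly) is closed on the server side by the ppolicy overlay the thread is about. The following cn=config LDIF is an added example, not configuration from the thread or from the OpenLDAP project; it assumes a suffix of dc=example,dc=com, a database entry named olcDatabase={1}mdb, an existing cn=module{0} entry, and the RHEL module/schema layout (/usr/lib64/openldap, /etc/openldap/schema) of an OpenLDAP 2.4-era install:

```ldif
# Added example (not from the thread): enforce a password policy in slapd
# itself, so ldappasswd, ldapmodify and passwd-via-PAM all hit the same check.
# Assumptions: suffix dc=example,dc=com, database olcDatabase={1}mdb,
# an existing cn=module{0} entry, RHEL paths, OpenLDAP 2.4-style cn=config.

# 1. Load the overlay module (omit if ppolicy was compiled in statically).
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy.la

# 2. On 2.4 the ppolicy schema must be loaded first (it is built in from 2.5):
#    ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/ppolicy.ldif

# 3. Attach the overlay to the database and point it at a default policy.
dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=com
# Hash cleartext values sent in a plain Modify after the quality check has
# seen them; the Password Modify extended operation (ldappasswd) is hashed
# by the server anyway.
olcPPolicyHashCleartext: TRUE

# 4. The policy entry lives in the data tree, not in cn=config.
dn: ou=policies,dc=example,dc=com
changetype: add
objectClass: organizationalUnit
ou: policies

dn: cn=default,ou=policies,dc=example,dc=com
changetype: add
objectClass: pwdPolicy
objectClass: device
cn: default
pwdAttribute: userPassword
# 2 = check quality and REJECT when slapd cannot check the value (e.g. a
# client sent it pre-hashed); 1 accepts uncheckable values; 0 disables it.
pwdCheckQuality: 2
pwdMinLength: 12
pwdInHistory: 5
# 90 days, in seconds
pwdMaxAge: 7776000
pwdMaxFailure: 5
pwdLockout: TRUE
pwdLockoutDuration: 900
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
# Complexity beyond minimum length still needs a check module (pwdCheckModule
# on the policy entry in 2.4, ppolicy_check_module in the overlay config from
# 2.5 onward); this example deliberately leaves that out.
```

Apply it with ldapmodify -Y EXTERNAL -H ldapi:/// -f ppolicy.ldif (this assumes the usual ldapi socket plus an ACL that lets root's SASL EXTERNAL identity write cn=config). After that, the ldappasswd test from the message above fails for an 8-character password with a constraint violation (result code 19) no matter which client sent the change, because the check now runs inside slapd rather than in PAM. Two caveats worth keeping in mind: pwdCheckQuality can only judge a password it receives in cleartext, which is why pwdCheckQuality: 2 rejects values a client pre-hashes, and pwdMinLength is the only built-in "quality" rule, so character-class requirements still mean loading a check module.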
On Sat, 15 Feb 2014 16:28:34 -0600 (CST), Doug OLeary dkoleary@olearycomputers.com wrote:
> Hey;
> Apparently, in my efforts to be brief, I didn't adequately outline the scenario. Users need to be able to change their own passwords once their account is configured in ldap and assigned an initial password. That's where pam comes in. Obviously, if I (or the user) change a user's account via ldap commands, pam restrictions.
> I just verified that a test user can change his password to anything he wants via ldappasswd (bad... but have to have access to the command).
> I also verified that the pam configuration affects password selection when the user is trying to change the password via the passwd command. (got that working both locally and via ldap).
> So, I got the answer to my question and raised a bunch more potential issues that I'll have to ponder.
It is not PAM but the name service switch (nss) which can be configured to use ldap as credentials storage.
-Dieter
openldap-technical@openldap.org