Hello to all
When I activate the otp-overlay I can login with my user password and the 6-digit token. But how can I change the password with otp active?
Without otp I do "passwd", then give the old password and then the new password twice, and the password is changed.
With otp I have to give the old password+6-digit. If I only give the password, the server complains immediately that the password is wrong. When I give the old password plus the 6 digits, the server accepts the password. Then I can give the new password twice, but then I get the message: Server-message: Old password not accepted.
So how can a user change his password via command line with otp active?
Thanks
Stefan
On Thu, Apr 24, 2025 at 07:46:12PM +0200, Stefan Kania wrote:
Hello to all
When I activate the otp-overlay I can login with my user password and the 6-digit token. But how can I change the password with otp active?
Without otp I do "passwd", then give the old password and then the new password twice, and the password is changed.
With otp I have to give the old password+6-digit. If I only give the password, the server complains immediately that the password is wrong. When I give the old password plus the 6 digits, the server accepts the password. Then I can give the new password twice, but then I get the message: Server-message: Old password not accepted.
So how can a user change his password via command line with otp active?
Hi Stefan, there are 2 steps when running ldappasswd:
- the bind (Old password+OTP) to authenticate the session (-w/-W)
- the password modify against someone (presumably self) with "old password" (-a/-t) and "new password" (-s/-T) provided
Similar when other applications use this.
AFAIK the old-password data shouldn't have the OTP appended to it; it should just be the user's current password, but I haven't checked this myself.
Regards,
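The two credentials Ondřej describes, shown as an added example (not OpenLDAP or slapo-otp code): the bind carries the password with the 6-digit token appended, while the oldPasswd field inside the RFC 3062 Password Modify extended operation carries the bare password. The token is computed as an RFC 6238 TOTP with its default parameters (HMAC-SHA1, 30-second step, 6 digits), which is an assumption about the overlay's configuration; the `simulate_server` function is a deliberately simplified model of the server's checks written for this example, not the overlay's logic, and the secret and passwords are constructed sample values.

```python
"""Added example: what an LDAP client sends in each of the two steps of a
password change behind slapo-otp.

Assumptions (not from the thread): the OTP is an RFC 6238 TOTP with default
parameters; the bind password is <password><otp>; the change is done with the
RFC 3062 Password Modify extended operation, whose oldPasswd field carries the
password without the token.
"""
import hashlib
import hmac
import struct
from typing import Dict, Iterator, Optional, Tuple

PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"  # RFC 3062 extended operation


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag: int, value: bytes) -> bytes:
    """One BER tag-length-value triple."""
    return bytes([tag]) + ber_len(len(value)) + value


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, dynamic truncation."""
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def passwd_modify_value(old_passwd: str, new_passwd: str,
                        user_identity: Optional[str] = None) -> bytes:
    """RFC 3062 PasswdModifyRequestValue ::= SEQUENCE {
         userIdentity [0] OCTET STRING OPTIONAL,
         oldPasswd    [1] OCTET STRING OPTIONAL,
         newPasswd    [2] OCTET STRING OPTIONAL }
    Context-specific primitive tags: [0]=0x80, [1]=0x81, [2]=0x82."""
    body = b""
    if user_identity is not None:
        body += ber_tlv(0x80, user_identity.encode())
    body += ber_tlv(0x81, old_passwd.encode())
    body += ber_tlv(0x82, new_passwd.encode())
    return ber_tlv(0x30, body)


def build_change(password: str, otp_secret: bytes, now: int, new_password: str) -> Dict[str, object]:
    """The bind gets password+OTP; the extended operation gets the bare old password."""
    return {
        "bind_password": password + totp(otp_secret, now),
        "extop_oid": PASSWD_MODIFY_OID,
        "extop_value": passwd_modify_value(password, new_password),
    }


def _walk(buf: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (tag, value) for consecutive short-form BER TLVs (values under 128 bytes)."""
    pos = 0
    while pos < len(buf):
        tag, length = buf[pos], buf[pos + 1]
        yield tag, buf[pos + 2:pos + 2 + length]
        pos += 2 + length


def simulate_server(stored_password: str, otp_secret: bytes, now: int,
                    bind_password: str, extop_value: bytes) -> str:
    """Simplified model written for this example (not slapo-otp's code):
    the bind must carry password+OTP, while oldPasswd inside the extop must
    equal the stored password alone. Returns which check fails, if any."""
    if bind_password != stored_password + totp(otp_secret, now):
        return "invalid credentials"
    if extop_value[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    fields = dict(_walk(extop_value[2:]))  # short-form outer length assumed
    if fields.get(0x81, b"").decode() != stored_password:
        return "Old password not accepted"
    return "ok"
```

Running `build_change` and feeding both halves to `simulate_server` reproduces the thread: a client that appends the token to the old password inside the extended operation passes the bind but fails the old-password check, which is the "Old password not accepted" response Stefan saw from passwd.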
Hi Ondřej,
changing the password with ldappasswd works as expected. I did a:
-------------
u1-verw@ldap02:~$ ldappasswd -x -D cn=u1-verw,ou=users,ou=verwaltung,dc=example,dc=net -S -W
New password:
Re-enter new password:
Enter LDAP Password:
-------------
When entering the "LDAP Password" I'm giving "password+token"; for the "New password" I'm only giving the new password without any token. After changing the password I can login with the new password+token. But with "passwd" I can't change the password if otp is used. Without otp, changing the password works with "passwd" only.
On 25.04.25 at 14:53, Ondřej Kuzník wrote:
On Thu, Apr 24, 2025 at 07:46:12PM +0200, Stefan Kania wrote:
Hello to all
When I activate the otp-overlay I can login with my user password and the 6-digit token. But how can I change the password with otp active?
Without otp I do "passwd", then give the old password and then the new password twice, and the password is changed.
With otp I have to give the old password+6-digit. If I only give the password, the server complains immediately that the password is wrong. When I give the old password plus the 6 digits, the server accepts the password. Then I can give the new password twice, but then I get the message: Server-message: Old password not accepted.
So how can a user change his password via command line with otp active?
Hi Stefan, there are 2 steps when running ldappasswd:
- the bind (Old password+OTP) to authenticate the session (-w/-W)
- the password modify against someone (presumably self) with "old password" (-a/-t) and "new password" (-s/-T) provided
Similar when other applications use this.
AFAIK the old-password data shouldn't have the OTP appended to it; it should just be the user's current password, but I haven't checked this myself.
Regards,
On Fri, Apr 25, 2025 at 07:49:42PM +0200, Stefan Kania wrote:
Hi Ondřej,
changing the password with ldappasswd works as expected. I did a:
u1-verw@ldap02:~$ ldappasswd -x -D cn=u1-verw,ou=users,ou=verwaltung,dc=example,dc=net -S -W
New password:
Re-enter new password:
Enter LDAP Password:
When entering the "LDAP Password" I'm giving "password+token"; for the "New password" I'm only giving the new password without any token. After changing the password I can login with the new password+token. But with "passwd" I can't change the password if otp is used. Without otp, changing the password works with "passwd" only.
Yes, that sounds like a limitation in how passwd deals with ldap, especially when otp changes the meaning of how a Bind is processed. If you want to set pwdSafeModify, not sure if there's a way to make that work with the password modify extop.
If you don't insist on pwdSafeModify, there might be a way for passwd not to send the old password in the op?
Regards,
Hi Ondřej,
Sorry, that it took me so long to answer, but here is a lot of work to do.
Now I set pwdSafeModify=FALSE and still passwd can't change the password if otp is active. So I think I must stay with ldappasswd.
Stefan
On 29.04.25 at 12:58, Ondřej Kuzník wrote:
On Fri, Apr 25, 2025 at 07:49:42PM +0200, Stefan Kania wrote:
Hi Ondřej,
changing the password with ldappasswd works as expected. I did a:
u1-verw@ldap02:~$ ldappasswd -x -D cn=u1-verw,ou=users,ou=verwaltung,dc=example,dc=net -S -W
New password:
Re-enter new password:
Enter LDAP Password:
When entering the "LDAP Password" I'm giving "password+token"; for the "New password" I'm only giving the new password without any token. After changing the password I can login with the new password+token. But with "passwd" I can't change the password if otp is used. Without otp, changing the password works with "passwd" only.
Yes, that sounds like a limitation in how passwd deals with ldap, especially when otp changes the meaning of how a Bind is processed. If you want to set pwdSafeModify, not sure if there's a way to make that work with the password modify extop.
If you don't insist on pwdSafeModify, there might be a way for passwd not to send the old password in the op?
Regards,
The issue I see with ldappasswd and shadow password attributes being used (in 2.4) is that after a password change the shadow attributes aren't updated (causing inconsistencies between password policy and shadow attributes regarding the time of password expiration). But most likely it does not affect you...
Kind regards, Ulrich Windl
-----Original Message-----
From: Stefan Kania stefan@kania-online.de
Sent: Monday, May 5, 2025 7:41 PM
To: Ondřej Kuzník ondra@mistotebe.net
Cc: openldap-technical@openldap.org
Subject: [EXT] Re: changing password with otp active
Hi Ondřej,
Sorry, that it took me so long to answer, but here is a lot of work to do.
Now I set pwdSafeModify=FALSE and still passwd can't change the password if otp is active. So I think I must stay with ldappasswd.
Stefan
On 29.04.25 at 12:58, Ondřej Kuzník wrote:
On Fri, Apr 25, 2025 at 07:49:42PM +0200, Stefan Kania wrote:
Hi Ondřej,
changing the password with ldappasswd works as expected. I did a:
u1-verw@ldap02:~$ ldappasswd -x -D cn=u1-verw,ou=users,ou=verwaltung,dc=example,dc=net -S -W
New password:
Re-enter new password:
Enter LDAP Password:
When entering the "LDAP Password" I'm giving "password+token"; for the "New password" I'm only giving the new password without any token. After changing the password I can login with the new password+token. But with "passwd" I can't change the password if otp is used. Without otp, changing the password works with "passwd" only.
Yes, that sounds like a limitation in how passwd deals with ldap, especially when otp changes the meaning of how a Bind is processed. If you want to set pwdSafeModify, not sure if there's a way to make that work with the password modify extop.
If you don't insist on pwdSafeModify, there might be a way for passwd not to send the old password in the op?
Regards,
-- Stefan Kania Landweg 13 25693 St. Michaelisdonn
There is no CLOUD, only other people's computers
On Tue, May 06, 2025 at 07:36:24AM +0000, Windl, Ulrich wrote:
The issue I see with ldappasswd and shadow password attributes being used (in 2.4) is that after a password change the shadow attributes aren't updated (causing inconsistencies between password policy and shadow attributes regarding the time of password expiration). But most likely it does not affect you...
Hi Ulrich, assuming you mean rfc2307(bis) attributes here:
With ppolicy in effect, you shouldn't need to manage the shadow attributes since all the ppolicy tracking can and should be done either in the server or by entities who understand how to process and enforce them.
This is why slapo-ppolicy doesn't deal with them in the first place.
Regards,
Ondřej,
that's correct for modern systems, but older systems may deal with the shadow attributes only.
Kind regards, Ulrich Windl
-----Original Message-----
From: Ondřej Kuzník ondra@mistotebe.net
Sent: Tuesday, May 6, 2025 11:37 AM
To: Windl, Ulrich u.windl@ukr.de
Cc: Stefan Kania stefan@kania-online.de; openldap-technical@openldap.org
Subject: [EXT] Re: Re: changing password with otp active
On Tue, May 06, 2025 at 07:36:24AM +0000, Windl, Ulrich wrote:
The issue I see with ldappasswd and shadow password attributes being used (in 2.4) is that after a password change the shadow attributes aren't updated (causing inconsistencies between password policy and shadow attributes regarding the time of password expiration). But most likely it does not affect you...
Hi Ulrich, assuming you mean rfc2307(bis) attributes here:
With ppolicy in effect, you shouldn't need to manage the shadow attributes since all the ppolicy tracking can and should be done either in the server or by entities who understand how to process and enforce them.
This is why slapo-ppolicy doesn't deal with them in the first place.
Regards,
-- Ondřej Kuzník Senior Software Engineer Symas Corporation http://www.symas.com Packaged, certified, and supported LDAP solutions powered by OpenLDAP
On Tue, May 06, 2025 at 12:11:34PM +0000, Windl, Ulrich wrote:
that's correct for modern systems, but older systems may deal with the shadow attributes only.
SSSD et al.[0] have existed for well over a decade. Are there supportable systems that you can connect to an LDAP directory but can't use one of these tools on?
[0]. And even nslcd can interact with ppolicy.
Hi!
The industry has an interest in providing short-lived product cycles, but in an enterprise environment five to 10 years are not uncommon. Also "new" products are usually full of new bugs, and it's not clear whether they are actually better than what has proved stable over many years. There are even rumors that people using vi are still alive 😉 SSSD has advantages when you are aiming towards MS-Windows IMHO, but (for example) the resource footprint is much larger than that of the old PAM or services method.
Currently we still need those for a few systems that aren't upgraded yet.
Kind regards, Ulrich Windl
-----Original Message-----
From: Ondřej Kuzník ondra@mistotebe.net
Sent: Tuesday, May 6, 2025 2:52 PM
To: Windl, Ulrich u.windl@ukr.de
Cc: Stefan Kania stefan@kania-online.de; openldap-technical@openldap.org
Subject: [EXT] Re: Re: Re: changing password with otp active
On Tue, May 06, 2025 at 12:11:34PM +0000, Windl, Ulrich wrote:
that's correct for modern systems, but older systems may deal with the shadow attributes only.
SSSD et al.[0] have existed for well over a decade. Are there supportable systems that you can connect to an LDAP directory but can't use one of these tools on?
[0]. And even nslcd can interact with ppolicy.
-- Ondřej Kuzník Senior Software Engineer Symas Corporation http://www.symas.com Packaged, certified, and supported LDAP solutions powered by OpenLDAP
On Thu, May 08, 2025 at 05:31:02AM +0000, Windl, Ulrich wrote:
Hi!
The industry has an interest in providing short-lived product cycles, but in an enterprise environment five to 10 years are not uncommon. Also "new" products are usually full of new bugs, and it's not clear whether they are actually better than what has proved stable over many years. There are even rumors that people using vi are still alive 😉 SSSD has advantages when you are aiming towards MS-Windows IMHO, but (for example) the resource footprint is much larger than that of the old PAM or services method.
Currently we still need those for a few systems that aren't upgraded yet.
Hi Ulrich, ppolicy draft 9 was issued 20 years ago in July 2005, draft 10 was issued 16 years ago in 2009. As I mentioned even nslcd (pam-ldap(d)) has supported these for well over a decade. So I'm not sure what sort of system you're trying to make work but either you give up on ppolicy and manage everything yourself or embrace the tools at your disposal. Anything else would require a "new" product usually full of new bugs.
Not even sure how you got it to work with OpenLDAP 2.4 because that's what I hear you implying and it's not like the interfaces have changed in this regard in 2.5/2.6. Perhaps you had some bespoke integration in-house you haven't mentioned that was doing what you suggest and now isn't?
We only know what you choose to share...
Regards,
Ondřej,
From what I remember, password expiry worked well, BUT users were not warned about the password expiring (they claimed) unless that information was provided via the shadow attribute. Maybe that's due to the fact that we typically use a mixture of local users and LDAP users. Obviously both need some common interface....
Kind regards, Ulrich Windl
-----Original Message-----
From: Ondřej Kuzník ondra@mistotebe.net
Sent: Thursday, May 8, 2025 10:12 AM
To: Windl, Ulrich u.windl@ukr.de
Cc: openldap-technical@openldap.org
Subject: [EXT] Re: Re: Re: Re: changing password with otp active
On Thu, May 08, 2025 at 05:31:02AM +0000, Windl, Ulrich wrote:
Hi!
The industry has an interest in providing short-lived product cycles, but in an enterprise environment five to 10 years are not uncommon. Also "new" products are usually full of new bugs, and it's not clear whether they are actually better than what has proved stable over many years. There are even rumors that people using vi are still alive 😉 SSSD has advantages when you are aiming towards MS-Windows IMHO, but (for example) the resource footprint is much larger than that of the old PAM or services method.
Currently we still need those for a few systems that aren't upgraded yet.
Hi Ulrich, ppolicy draft 9 was issued 20 years ago in July 2005, draft 10 was issued 16 years ago in 2009. As I mentioned even nslcd (pam-ldap(d)) has supported these for well over a decade. So I'm not sure what sort of system you're trying to make work but either you give up on ppolicy and manage everything yourself or embrace the tools at your disposal. Anything else would require a "new" product usually full of new bugs.
Not even sure how you got it to work with OpenLDAP 2.4 because that's what I hear you implying and it's not like the interfaces have changed in this regard in 2.5/2.6. Perhaps you had some bespoke integration in-house you haven't mentioned that was doing what you suggest and now isn't?
We only know what you choose to share...
Regards,
-- Ondřej Kuzník Senior Software Engineer Symas Corporation http://www.symas.com Packaged, certified, and supported LDAP solutions powered by OpenLDAP
On Fri, May 09, 2025 at 09:56:17AM +0000, Windl, Ulrich wrote:
Ondřej,
From what I remember, password expiry worked well, BUT users were not warned about the password expiring (they claimed) unless that information was provided via the shadow attribute. Maybe that's due to the fact that we typically use a mixture of local users and LDAP users. Obviously both need some common interface....
Hi Ulrich, policy objectclass allows the pwdExpireWarning attribute which will result in the client being notified if they understand ppolicy (i.e. they sent the ppolicy control with their request). Are you sure you have it set?
Regards,
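To show what "the client being notified if they understand ppolicy" means on the wire, here is an added example (not OpenLDAP or SSSD/nslcd code) that decodes the password policy response control a ppolicy-aware client receives after sending the request control. The control OID and ASN.1 layout are those of draft-behera-ldap-password-policy; the three control values at the bottom are constructed by hand for the example, not captured from a server, and `expiry_warning_message` is a hypothetical rendering of what a PAM module might print.

```python
"""Added example: decoding the ppolicy response control (draft-behera-ldap-
password-policy). Sample control values are constructed, not captured."""
from typing import Dict, Optional, Tuple

PPOLICY_CONTROL_OID = "1.3.6.1.4.1.42.2.27.8.5.1"  # same OID for request and response

# error ENUMERATED values from the draft
PPOLICY_ERRORS = {
    0: "passwordExpired",
    1: "accountLocked",
    2: "changeAfterReset",
    3: "passwordModNotAllowed",
    4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality",
    6: "passwordTooShort",
    7: "passwordTooYoung",
    8: "passwordInHistory",
}


def read_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Read one BER TLV at pos; returns (tag, value, next_pos).
    Handles short- and long-form lengths."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_ppolicy_response(value: bytes) -> Dict[str, object]:
    """PasswordPolicyResponseValue ::= SEQUENCE {
         warning [0] CHOICE { timeBeforeExpiration [0] INTEGER,
                              graceAuthNsRemaining [1] INTEGER } OPTIONAL,
         error   [1] ENUMERATED { ... } OPTIONAL }
    A tag on a CHOICE is always explicit, so the warning arrives as a
    constructed [0] (0xA0) wrapping a primitive [0] (0x80) or [1] (0x81)."""
    tag, body, _ = read_tlv(value)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    out: Dict[str, object] = {}
    pos = 0
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        if tag == 0xA0:
            itag, ival, _ = read_tlv(inner)
            n = int.from_bytes(ival, "big", signed=True)
            if itag == 0x80:
                out["timeBeforeExpiration"] = n
            elif itag == 0x81:
                out["graceAuthNsRemaining"] = n
        elif tag == 0x81:
            out["error"] = PPOLICY_ERRORS.get(inner[0], "unknown(%d)" % inner[0])
    return out


def expiry_warning_message(value: bytes) -> Optional[str]:
    """Hypothetical rendering of the control for the user, as a PAM module might do."""
    info = parse_ppolicy_response(value)
    if "error" in info:
        return "password policy error: %s" % info["error"]
    if "timeBeforeExpiration" in info:
        return "password expires in %d seconds" % info["timeBeforeExpiration"]
    if "graceAuthNsRemaining" in info:
        return "password expired, %d grace logins left" % info["graceAuthNsRemaining"]
    return None


# Constructed sample control values (hex), not captured from a server:
WARN_3600 = bytes.fromhex("3006a00480020e10")  # warning: timeBeforeExpiration = 3600
GRACE_2 = bytes.fromhex("3005a003810102")      # warning: graceAuthNsRemaining = 2
ERR_OLDPW = bytes.fromhex("3003810104")        # error: mustSupplyOldPassword
EMPTY = bytes.fromhex("3000")                  # nothing to report

if __name__ == "__main__":
    for sample in (WARN_3600, GRACE_2, ERR_OLDPW, EMPTY):
        print(sample.hex(), "->", expiry_warning_message(sample))
```

The `timeBeforeExpiration` warning is the one pwdExpireWarning produces once the remaining lifetime drops below that many seconds; a client that never sends the request control gets no response control and therefore no warning, which matches the behaviour Ulrich describes for clients that only look at shadow attributes. The `mustSupplyOldPassword` error is the one a pwdSafeModify policy returns when the old password is missing from the change.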
On Mon, May 05, 2025 at 07:41:16PM +0200, Stefan Kania wrote:
Hi Ondřej,
Sorry, that it took me so long to answer, but here is a lot of work to do.
Now I set pwdSafeModify=FALSE and still passwd can't change the password if otp is active. So I think I must stay with ldappasswd.
Hi Stefan, if old password is provided in the extended operation, it is still validated, what I was saying is that you also need to persuade passwd not to provide it.
That is where I have no ideas whether it's possible or how to make this happen. If you do find out, I assume it will be useful to others.
Regards,