Hi,
I'm currently doing some testing on userPassword management with OpenLDAP 2.5.9.
I noticed that I could MOD a userPassword without quality being checked if my admin role was "manage".
However, if I try to ADD a user with its userPassword attribute set, then quality is checked despite the "manage" role.
ppolicy in both cases is the default one (policy subentry not set).
Is this normal behavior?
Regards,
As far as I understand, everybody with write access to the userPassword attribute can set this to any value.
In order to involve the ppolicy module you need to use extended ldapmodify functionality (ldappasswd, ldapmodify -E ppolicy or a properly configured passwd/PAM stack).
On 24.06.22 at 16:59, tempo@net-c.com wrote:
Hi,
I'm currently doing some testing on userPassword management with OpenLDAP 2.5.9.
I noticed that I could MOD a userPassword without quality being checked if my admin role was "manage".
However, if I try to ADD a user with its userPassword attribute set, then quality is checked despite the "manage" role.
ppolicy in both cases is the default one (policy subentry not set).
Is this normal behavior?
Regards,
--On Friday, June 24, 2022 7:20 PM +0200 Uwe Sauter uwe.sauter.de@gmail.com wrote:
As far as I understand, everybody with write access to the userPassword attribute can set this to any value.
In order to involve the ppolicy module you need to use extended ldapmodify functionality (ldappasswd, ldapmodify -E ppolicy or a properly configured passwd/PAM stack).
It is possible to configure ppolicy to intercept MOD ops of userPassword to fix that issue. I don't think you can intercept ADD operations in this regard, however. Generally one has to create the entry and then set the userPassword afterwards with the extended op.
--Quanah
Hi,
Not sure I understand, but maybe my question is unclear.
My question is just to know whether, with an admin having the "manage" role, it is possible to bypass the ppolicy check when adding a user.
Because this is how it works when modifying the userPassword of an already existing user.
ADD and MOD seem to work differently in their treatment of the userPassword attribute.
:)
From: Uwe Sauter uwe.sauter.de@gmail.com To: openldap-technical@openldap.org Subject: Re: role manage can bypass pwdCheckQuality with MOD but not with ADD op Date: 24/06/2022 18:20:20 Europe/Paris
As far as I understand, everybody with write access to the userPassword attribute can set this to any value.
In order to involve the ppolicy module you need to use extended ldapmodify functionality (ldappasswd, ldapmodify -E ppolicy or a properly configured passwd/PAM stack).
On 24.06.22 at 16:59, tempo@net-c.com wrote:
Hi,
I'm currently doing some testing on userPassword management with OpenLDAP 2.5.9.
I noticed that I could MOD a userPassword without quality being checked if my admin role was "manage".
However, if I try to ADD a user with its userPassword attribute set, then quality is checked despite the "manage" role.
ppolicy in both cases is the default one (policy subentry not set).
Is this normal behavior?
Regards,
--On Friday, June 24, 2022 8:32 PM +0200 tempo@net-c.com wrote:
Hi,
Not sure I understand, but maybe my question is unclear.
My question is just to know whether, with an admin having the "manage" role, it is possible to bypass the ppolicy check when adding a user.
Because this is how it works when modifying the userPassword of an already existing user.
ADD and MOD seem to work differently in their treatment of the userPassword attribute.
a) You should not be using MOD ops on userPassword
b) You probably want to be using the RELAX control when you do the ADD op (mark it critical)
c) I suggest updating to a current OpenLDAP 2.5 release, as there were fixes for ppolicy in 2.5.12 that may be relevant. (ITS#9794)
Regards, Quanah
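The two approaches recommended above (create the entry first and set the password afterwards through the extended operation, or send the RELAX control marked critical on the ADD) as an added shell example; this is not code from the thread or from the OpenLDAP project. The server URI, admin DN, password file, base DN, the DRY_RUN switch and the sample user are assumed placeholders. ldappasswd uses the Password Modify extended operation, which slapo-ppolicy evaluates like any other user password change; `-e '!relax'` is the OpenLDAP client syntax for the RELAX control with the criticality flag set.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenLDAP project.
#   1. ADD the entry without userPassword, then set the password with the
#      Password Modify extended operation (ldappasswd) so pwdCheckQuality
#      applies regardless of the bind identity's privileges.
#   2. If the ADD must carry userPassword (e.g. migrating existing values),
#      send the RELAX control marked critical ("!relax").
# All values below are assumed placeholders.
LDAP_URI="${LDAP_URI:-ldap://localhost}"
ADMIN_DN="${ADMIN_DN:-cn=admin,dc=example,dc=com}"
ADMIN_PW_FILE="${ADMIN_PW_FILE:-/etc/ldap/admin.pw}"
BASE_DN="${BASE_DN:-ou=people,dc=example,dc=com}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the command line instead of executing it

run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# LDIF for a new inetOrgPerson; deliberately carries no userPassword.
user_ldif() {
  uid=$1; cn=$2; sn=$3
  printf 'dn: uid=%s,%s\n' "$uid" "$BASE_DN"
  printf 'objectClass: inetOrgPerson\n'
  printf 'uid: %s\ncn: %s\nsn: %s\n' "$uid" "$cn" "$sn"
}

# Step 1: create the entry (ldapadd reads the LDIF from stdin).
add_user() {
  user_ldif "$1" "$2" "$3" |
    run ldapadd -x -H "$LDAP_URI" -D "$ADMIN_DN" -y "$ADMIN_PW_FILE"
}

# Step 2: set the password through the Password Modify extended operation.
# The new password is read from a file (-T) so it never appears in `ps`.
set_password() {
  run ldappasswd -x -H "$LDAP_URI" -D "$ADMIN_DN" -y "$ADMIN_PW_FILE" \
    -T "$2" "uid=$1,$BASE_DN"
}

# Alternative: ADD with userPassword present and the RELAX control critical,
# for the case where the administrator intentionally sets the value on ADD.
add_user_relax() {
  { user_ldif "$1" "$2" "$3"; printf 'userPassword: %s\n' "$4"; } |
    run ldapadd -x -H "$LDAP_URI" -D "$ADMIN_DN" -y "$ADMIN_PW_FILE" -e '!relax'
}

# Usage (dry run by default; set DRY_RUN=0 to execute against a real server):
#   add_user jdoe "John Doe" Doe && set_password jdoe /path/to/newpw.txt
```

With DRY_RUN=0 each function executes the real client command; the dry-run default makes the exact command lines visible before touching a directory.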
Hi,
Updating to 2.5.12 solved the differences between operation types.
Thanks.
From: Quanah Gibson-Mount quanah@fast-mail.org To: tempo@net-c.com; uwe.sauter.de@gmail.com; openldap-technical@openldap.org Subject: Re: role manage can bypass pwdCheckQuality with MOD but not with ADD op Date: 24/06/2022 19:59:21 Europe/Paris
--On Friday, June 24, 2022 8:32 PM +0200 tempo@net-c.com wrote:
Hi,
Not sure I understand, but maybe my question is unclear.
My question is just to know whether, with an admin having the "manage" role, it is possible to bypass the ppolicy check when adding a user.
Because this is how it works when modifying the userPassword of an already existing user.
ADD and MOD seem to work differently in their treatment of the userPassword attribute.
a) You should not be using MOD ops on userPassword
b) You probably want to be using the RELAX control when you do the ADD op (mark it critical)
c) I suggest updating to a current OpenLDAP 2.5 release, as there were fixes for ppolicy in 2.5.12 that may be relevant. (ITS#9794)
Regards, Quanah