Here are my results. Any thoughts as to why this is not working? As for my ldap version, I'm using the version provided in CentOS 6. I would prefer to use these prepacked builds whenever possible. If there is an issue where this will not work on that version, then I'll go ahead and upgrade.
TESTS: RESULT:
pwdSafeModify: FALSE - PASS: Message: LDAP password information update failed: Insufficient access. Must supply old password to be changed as well as new one
pwdAllowUserChange: FALSE - PASS: Message: LDAP password information update failed: Insufficient access. User alteration of password is not allowed
pwdMaxAge: 300 - FAIL: Login still allowed after 300 seconds.
pwdExpireWarning: 10 - FAIL: No warning message
pwdInHistory: 3 - FAIL: I can still flip between 2 passwords
pwdMinLength: 12 - FAIL: I can still set a 6 char password
pwdMustChange: - FAIL: I am not forced to change passwd.
pwdMaxFailure: 2 - FAIL: Still allowed in after 6 failures
Other Info:
pwdLockout: TRUE
pwdLockoutDuration: 600
Thanks, Dan
On Wed, Apr 10, 2013 at 10:41 AM, Quanah Gibson-Mount quanah@zimbra.com wrote:
--On Wednesday, April 10, 2013 9:30 AM -0400 D C dc12078@gmail.com wrote:
Server is openldap 2.4.23
Seriously? You're using a version of OpenLDAP that is nearly 3 years old? Why would you do that to yourself?
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
Zimbra :: the leader in open source messaging and collaboration
--On Wednesday, April 10, 2013 11:37 AM -0400 D C dc12078@gmail.com wrote:
The default centos packages are very problematic, being compiled against NSS. I would also advise reading over https://www.openldap.org/software/release/changes.html. I would recommend the pre-compiled packages from http://ltb-project.org/wiki/download#openldap if you don't want to build it yourself. They are sanely linked to OpenSSL.
--Quanah
2013/4/10 D C dc12078@gmail.com
As Quanah said, your version is quite old with a lot of bugs on ppolicy. Upgrade to the latest version.
Clément.
Fair enough. Now I'm updated:
$ rpm -qa |grep openldap
openldap-ltb-2.4.35-1.el6.x86_64
openldap-ltb-check-password-1.1-8.el6.x86_64
I dumped and reimported my database, and tried again. I don't see any difference.
TESTS: RESULT:
pwdSafeModify: FALSE - PASS: Message: LDAP password information update failed: Insufficient access. Must supply old password to be changed as well as new one
pwdAllowUserChange: FALSE - PASS: Message: LDAP password information update failed: Insufficient access. User alteration of password is not allowed
pwdMaxAge: 300 - Not Tested.
pwdExpireWarning: 10 - Not Tested.
pwdInHistory: 3 - FAIL: I can still flip between 2 passwords
pwdMinLength: 12 - FAIL: I can still set a 6 char password
pwdMustChange: - FAIL: I am not forced to change passwd.
pwdMaxFailure: 2 - FAIL: Still allowed in after 3 failures
Thanks, Dan
On Wed, Apr 10, 2013 at 11:57 AM, Clément OUDOT clem.oudot@gmail.com wrote:
2013/4/10 D C dc12078@gmail.com
Several points:
* Do not use the rootdn account to test ppolicy (the rootdn bypasses ppolicy)
* Do not hash the password before modifying it (a password in SSHA cannot be verified against the min size, for example)
* What client do you use to test?
Clément.
* Do not use the rootdn account to test ppolicy (the rootdn bypasses ppolicy) - I have a service account set up in /etc/pam_ldap.conf. What should the proper ACL be for this?
* Do not hash the password before modifying it (a password in SSHA cannot be verified against the min size, for example) - Ah. I'll change that to send it in clear and try again. However, shouldn't this just make the check fail, given that the hash will be longer than 12 chars?
* What client do you use to test? - pam_ldap, and Apache Directory Studio (bind as regular user)
Thanks, Dan
On Wed, Apr 10, 2013 at 12:34 PM, Clément OUDOT clem.oudot@gmail.com wrote:
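As an added example (not from this thread, the LTB packages or OpenLDAP's own docs), here is a cn=config LDIF that sets up a ppolicy test the way Clément's three points require and shows one workable ACL for the pam_ldap service account Dan asks about: the policy values are the ones Dan tested, while the database index {1}hdb, the suffix dc=example,dc=com, the policy DN and the service DN cn=pamservice,ou=services,dc=example,dc=com are assumptions, and the ppolicy schema and module are assumed to be loaded already.

```ldif
# Overlay on the assumed database {1}hdb; the policy DN below is the default
# policy applied to every entry that carries no pwdPolicySubentry of its own.
dn: olcOverlay=ppolicy,olcDatabase={1}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=com
# The server hashes cleartext passwords itself, so clients send them in clear
# and the overlay can still check length and history before the hash is stored.
olcPPolicyHashCleartext: TRUE

# The policy entry (pwdPolicy is auxiliary, hence the structural class person).
# Values are the ones under test in the thread; pwdCheckQuality 2 rejects any
# password whose quality cannot be checked, e.g. one the client pre-hashed.
dn: cn=default,ou=policies,dc=example,dc=com
changetype: add
objectClass: person
objectClass: pwdPolicy
cn: default
sn: default
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdMinLength: 12
pwdInHistory: 3
pwdMaxAge: 300
pwdExpireWarning: 10
pwdMustChange: TRUE
# TRUE so that self-changes exercise the policy (FALSE blocks them outright).
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
pwdMaxFailure: 2
pwdLockout: TRUE
pwdLockoutDuration: 600

# ACLs: users may change their own password (the policy applies to them, never
# to the rootdn); the pam_ldap service account can only find users, and the
# password attribute is otherwise neither readable nor writable.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by dn.exact="cn=pamservice,ou=services,dc=example,dc=com" auth
  by * none
olcAccess: {1}to *
  by dn.exact="cn=pamservice,ou=services,dc=example,dc=com" read
  by self read
  by * none
```

Run the checks bound as the test user rather than the rootdn, e.g. ldappasswd -x -D "uid=test,ou=people,dc=example,dc=com" -W -S (the user DN is an assumption), sending the new password in clear. pwdMustChange only takes effect after the password has been set by another, non-rootdn account, which makes the overlay mark the entry with pwdReset.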
openldap-technical@openldap.org