8:37 a.m.
Here are my results.. Any thoughts as to why this is not working?
As for my ldap version, I'm using the version provided in CentOS 6. I
would prefer to use these prepacked builds whenever possible. If there is
an issue where this will not work on that version, then I'll go ahead and
upgrade.
TESTS: RESULT:
pwdSafeModify: FALSE PASS: Message: LDAP password information
update failed: Insufficient access. Must supply old password to be
changed as well as new one
pwdAllowUserChange: FALSE PASS: Message: LDAP password information
update failed: Insufficient access. User alteration of password is not
allowed
pwdMaxAge: 300 FAIL: Login still allowed after 300 seconds.
pwdExpireWarning: 10 FAIL: No warning message
pwdInHistory: 3 FAIL: I can still flip between 2 passwords
pwdMinLength: 12 FAIL: I can still set a 6 char password
pwdMustChange: FAIL: I am not forced to change passwd.
pwdMaxFailure: 2 FAIL: Still allowed in after 6 failures
Other Info:
pwdLockout: TRUE
pwdLockoutDuration: 600
Thanks,
Dan
On Wed, Apr 10, 2013 at 10:41 AM, Quanah Gibson-Mount <quanah(a)zimbra.com>wrote:
--On Wednesday, April 10, 2013 9:30 AM -0400 D C
<dc12078(a)gmail.com>
wrote:
> Server is openldap 2.4.23
>
Seriously? You're using a version of OpenLDAP that is nearly 3 years old?
Why would you do that to yourself?
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
8:50 a.m.
New subject: What can I use for pwdCheckModule?
--On Wednesday, April 10, 2013 11:37 AM -0400 D C <dc12078(a)gmail.com> wrote:
Here are my results.. Any thoughts as to why this is not working?
As for my ldap version, I'm using the version provided in CentOS 6. I
would prefer to use these prepacked builds whenever possible. If there
is an issue where this will not work on that version, then I'll go ahead
and upgrade.
The default centos packages are very problematic, being compiled against
NSS. I would also advise reading over
<https://www.openldap.org/software/release/changes.html>;. I would
recommend the pre-compiled packages from
<http://ltb-project.org/wiki/download#openldap> if you don't want to build
it yourself. They are sanely linked to OpenSSL.
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
8:57 a.m.
New subject: What can I use for pwdCheckModule?
2013/4/10 D C <dc12078(a)gmail.com>
Here are my results.. Any thoughts as to why this is not working?
As for my ldap version, I'm using the version provided in CentOS 6. I
would prefer to use these prepacked builds whenever possible. If there is
an issue where this will not work on that version, then I'll go ahead and
upgrade.
TESTS: RESULT:
pwdSafeModify: FALSE PASS: Message: LDAP password information
update failed: Insufficient access. Must supply old password to be
changed as well as new one
pwdAllowUserChange: FALSE PASS: Message: LDAP password information
update failed: Insufficient access. User alteration of password is not
allowed
pwdMaxAge: 300 FAIL: Login still allowed after 300 seconds.
pwdExpireWarning: 10 FAIL: No warning message
pwdInHistory: 3 FAIL: I can still flip between 2 passwords
pwdMinLength: 12 FAIL: I can still set a 6 char password
pwdMustChange: FAIL: I am not forced to change passwd.
pwdMaxFailure: 2 FAIL: Still allowed in after 6 failures
Other Info:
pwdLockout: TRUE
pwdLockoutDuration: 600
As Quanah said, your version is quite old with a lot of bugs on ppolicy.
Upgrade to the latest version.
Clément.
9:29 a.m.
New subject: What can I use for pwdCheckModule?
Fair enough. now I'm updated
$ rpm -qa |grep openldap
openldap-ltb-2.4.35-1.el6.x86_64
openldap-ltb-check-password-1.1-8.el6.x86_64
I dumped and reimported my database, and tried agian. I dont see any
difference.
TESTS: RESULT:
pwdSafeModify: FALSE PASS: Message: LDAP password information
update failed: Insufficient access. Must supply old password to be
changed as well as new one
pwdAllowUserChange: FALSE PASS: Message: LDAP password information
update failed: Insufficient access. User alteration of password is not
allowed
pwdMaxAge: 300 Not Tested.
pwdExpireWarning: 10 Not Tested.
pwdInHistory: 3 FAIL: I can still flip between 2 passwords
pwdMinLength: 12 FAIL: I can still set a 6 char password
pwdMustChange: FAIL: I am not forced to change passwd.
pwdMaxFailure: 2 FAIL: Still allowed in after 3 failures
Thanks,
Dan
On Wed, Apr 10, 2013 at 11:57 AM, Clément OUDOT <clem.oudot(a)gmail.com>wrote:
2013/4/10 D C <dc12078(a)gmail.com>
> Here are my results.. Any thoughts as to why this is not working?
> As for my ldap version, I'm using the version provided in CentOS 6. I
> would prefer to use these prepacked builds whenever possible. If there is
> an issue where this will not work on that version, then I'll go ahead and
> upgrade.
>
>
> TESTS: RESULT:
> pwdSafeModify: FALSE PASS: Message: LDAP password information
> update failed: Insufficient access. Must supply old password to be
> changed as well as new one
> pwdAllowUserChange: FALSE PASS: Message: LDAP password information
> update failed: Insufficient access. User alteration of password is not
> allowed
> pwdMaxAge: 300 FAIL: Login still allowed after 300 seconds.
> pwdExpireWarning: 10 FAIL: No warning message
> pwdInHistory: 3 FAIL: I can still flip between 2 passwords
> pwdMinLength: 12 FAIL: I can still set a 6 char password
> pwdMustChange: FAIL: I am not forced to change passwd.
> pwdMaxFailure: 2 FAIL: Still allowed in after 6 failures
>
> Other Info:
> pwdLockout: TRUE
> pwdLockoutDuration: 600
>
>
>
>
As Quanah said, your version is quite old with a lot of bugs on ppolicy.
Upgrade to the latest version.
Clément.
9:34 a.m.
New subject: What can I use for pwdCheckModule?
2013/4/10 D C <dc12078(a)gmail.com>
Fair enough. now I'm updated
$ rpm -qa |grep openldap
openldap-ltb-2.4.35-1.el6.x86_64
openldap-ltb-check-password-1.1-8.el6.x86_64
I dumped and reimported my database, and tried agian. I dont see any
difference.
TESTS: RESULT:
pwdSafeModify: FALSE PASS: Message: LDAP password information
update failed: Insufficient access. Must supply old password to be
changed as well as new one
pwdAllowUserChange: FALSE PASS: Message: LDAP password information
update failed: Insufficient access. User alteration of password is not
allowed
pwdMaxAge: 300 Not Tested.
pwdExpireWarning: 10 Not Tested.
pwdInHistory: 3 FAIL: I can still flip between 2 passwords
pwdMinLength: 12 FAIL: I can still set a 6 char password
pwdMustChange: FAIL: I am not forced to change passwd.
pwdMaxFailure: 2 FAIL: Still allowed in after 3 failures
Several points:
* Do not use rootdn account to test ppolicy (rootdn bypass ppolicy)
* Do not hash password before modifying it (password in SSHA cannot be
verified against min size for example)
* What client do you use to test?
Clément.
10:09 a.m.
New subject: What can I use for pwdCheckModule?
* Do not use rootdn account to test ppolicy (rootdn bypass ppolicy)
- i have a service account setup in /etc/pam_ldap.conf.
What should the proper acl be for this?
* Do not hash password before modifying it (password in SSHA cannot be
verified against min size for example)
- Ah. i'll change that to send in clear and try again. However shouldn't
this just make the check fail being that the hash will be longer then 12
chars?
* What client do you use to test?
pam_ldap, and apache directory studio (bind as regular user)
Thanks,
Dan
On Wed, Apr 10, 2013 at 12:34 PM, Clément OUDOT <clem.oudot(a)gmail.com>wrote:
2013/4/10 D C <dc12078(a)gmail.com>
> Fair enough. now I'm updated
> $ rpm -qa |grep openldap
> openldap-ltb-2.4.35-1.el6.x86_64
> openldap-ltb-check-password-1.1-8.el6.x86_64
>
> I dumped and reimported my database, and tried agian. I dont see any
> difference.
>
> TESTS: RESULT:
>
> pwdSafeModify: FALSE PASS: Message: LDAP password information
> update failed: Insufficient access. Must supply old password to be
> changed as well as new one
> pwdAllowUserChange: FALSE PASS: Message: LDAP password information
> update failed: Insufficient access. User alteration of password is not
> allowed
> pwdMaxAge: 300 Not Tested.
> pwdExpireWarning: 10 Not Tested.
> pwdInHistory: 3 FAIL: I can still flip between 2 passwords
> pwdMinLength: 12 FAIL: I can still set a 6 char password
> pwdMustChange: FAIL: I am not forced to change passwd.
> pwdMaxFailure: 2 FAIL: Still allowed in after 3 failures
>
>
>
>
Several points:
* Do not use rootdn account to test ppolicy (rootdn bypass ppolicy)
* Do not hash password before modifying it (password in SSHA cannot be
verified against min size for example)
* What client do you use to test?
Clément.
3591
days inactive
3591
days old
openldap-technical@openldap.org
5 comments
3 participants
participants (3)
-
Clément OUDOT -
D C -
Quanah Gibson-Mount