
Re: libpam-ldap and password policies

André Rodier wrote:
> I am struggling … with password policies.
>
> Is there any way to configure libpam-ldap to [enforce] the password
> policies specified in the directory?
>
>     dn: cn=default,ou=pwpolicies,dc=homebox,dc=space
>     objectClass: pwdPolicy
>     objectClass: top
>     objectClass: person
>     pwdExpireWarning: 259200
>     pwdMaxFailure: 5
>     pwdMinLength: 8
>     pwdCheckQuality: 0
>     pwdAttribute: userPassword
>     pwdLockoutDuration: 0
>     pwdInHistory: 0
>     pwdMaxAge: 31536000
>     pwdGraceAuthNLimit: 0
>     pwdFailureCountInterval: 300
>     sn: default
>     …
>
> However, if I log on to the system as "andre", I can change my password,
> type a three-letter new password, and libpam-ldap will not complain at all.

This is enforced by the server (i.e. slapd), not by libpam_ldapd.
The client issues an EXOP password change request, and the server just goes 
"nope".
The client should not even need read access to the pwdPolicy object.

IIRC slapd IGNORES pwdMinLength UNLESS you enable password expiry (or lockout?).
The following policy is working for me (but I haven't checked pwdMinLength 
recently; I might misremember that working).
Hrm, I thought I kept notes about this issue, but I can't find them.
I can't see anything obviously missing in your object, either.

More things to try:

 • Read slapo-ppolicy(5) manpage if you haven't already.
 • Double-check that the ppolicy overlay is actually enabled.
 • If you can't get this working, and you trust root on the client side,
   you can use other libpam_* modules to enforce length constraints.

PS: pwdCheckQuality has NO EFFECT unless you write your own quality check as a 
C function and load it into slapd.

PPS: AFAIK the attributes we're talking about are specific to OpenLDAP (slapd).
If you're using some other server (e.g. 389ds), say so.

PPPS: it's silly (but harmless) for your policy object to be objectclass=person.

cat <<EOF
dn: cn=policy,o=REDACTED
objectClass: pwdPolicy
objectClass: device
pwdAttribute: userPassword
# Password must change at least once every ten years.
pwdMaxAge:      $((365 * 24 * 60 * 60*10))
# Start warning the user one week before that.
pwdExpireWarning: $((7 * 24 * 60 * 60))
# Remember the last two passwords.
pwdInHistory: 2
# pwdCheckQuality MUST be set or pwdMinLength is ignored.
pwdCheckQuality: 2
pwdMinLength: 8
# Without this, expired passwords can't be reset from xdm.
# NB: nss-pam-ldapd v0.9.3 does TWO binds,
# so this should be set to double what you actually want.
pwdGraceAuthnLimit: 16
# This is to mitigate brute-force password guessing.
pwdMaxFailure: 4
pwdLockout: TRUE
pwdLockoutDuration: $((30 * 60))
pwdFailureCountInterval: $((5 * 60))
pwdMustChange: TRUE
# FIXME: turn off pwdAllowUserChange?
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
EOF
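As an added example (not code from this thread or from OpenLDAP), a small Python lint that reads a pwdPolicy LDIF entry and flags the pitfalls discussed above: pwdMinLength combined with pwdCheckQuality 0, pwdMaxFailure without pwdLockout: TRUE, and the stray objectClass person. The parser, function names and severity labels are my own choices; the sample entry is the one quoted in the question.

```python
from collections import defaultdict

# Constructed sample: the policy object quoted in the question above.
SAMPLE_LDIF = """\
dn: cn=default,ou=pwpolicies,dc=homebox,dc=space
objectClass: pwdPolicy
objectClass: top
objectClass: person
pwdExpireWarning: 259200
pwdMaxFailure: 5
pwdMinLength: 8
pwdCheckQuality: 0
pwdAttribute: userPassword
pwdLockoutDuration: 0
pwdInHistory: 0
pwdMaxAge: 31536000
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 300
sn: default
"""

def parse_ldif(text):
    """Parse one plain LDIF entry into {lowercased attribute: [values]}.
    Blank lines and '#' comments are skipped; base64 (::) values are not handled."""
    attrs = defaultdict(list)
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        attrs[name.strip().lower()].append(value.strip())
    return attrs

def lint_policy(attrs):
    """Return (severity, message) findings for the pitfalls discussed in the thread."""
    findings = []
    classes = {c.lower() for c in attrs.get("objectclass", [])}
    if "pwdpolicy" not in classes:
        findings.append(("error", "no objectClass pwdPolicy: slapd will not treat this entry as a policy"))
    if "person" in classes:
        findings.append(("info", "objectClass person on a policy object is silly but harmless"))
    # slapd only runs its length check when pwdCheckQuality is 1 or 2.
    quality = int(attrs.get("pwdcheckquality", ["0"])[0])
    if "pwdminlength" in attrs and quality == 0:
        findings.append(("error", "pwdMinLength is ignored while pwdCheckQuality is 0; set it to 1 or 2"))
    # pwdLockout defaults to FALSE, so pwdMaxFailure alone only counts failures.
    locked = attrs.get("pwdlockout", ["FALSE"])[0].upper() == "TRUE"
    if "pwdmaxfailure" in attrs and not locked:
        findings.append(("warning", "pwdMaxFailure without pwdLockout: TRUE never locks the account"))
    return findings
```

Run it against your own policy object (ldapsearch output piped to a file works) before and after changing pwdCheckQuality; the error for pwdMinLength should disappear.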