
Re: libpam-ldap and password policies


On 03/04/18 02:08, Trent W. Buck wrote:
> André Rodier wrote:
>> I am struggling … with password policies.
>>
>> Is there any way to configure libpam-ldap to [enforce] the password
>> policies specified in the directory?
>>
>>     dn: cn=default,ou=pwpolicies,dc=homebox,dc=space
>>     objectClass: pwdPolicy
>>     objectClass: top
>>     objectClass: person
>>     pwdExpireWarning: 259200
>>     pwdMaxFailure: 5
>>     pwdMinLength: 8
>>     pwdCheckQuality: 0
>>     pwdAttribute: userPassword
>>     pwdLockoutDuration: 0
>>     pwdInHistory: 0
>>     pwdMaxAge: 31536000
>>     pwdGraceAuthNLimit: 0
>>     pwdFailureCountInterval: 300
>>     sn: default
>>     …
>>
>> However, if I log on to the system as "andre", I can change my password,
>> type a three-letter new password, and libpam-ldap will not complain at all.
> 
> This is enforced by the server (i.e. slapd), not by libpam_ldapd.
> The client issues an EXOP password change request, and the server just goes 
> "nope".
> The client should not even need read access to the pwdPolicy object.
> 
> IIRC slapd IGNORES pwdMinLength UNLESS you enable password expiry (or 
> lockout?).
> The following policy is working for me (but I haven't checked pwdMinLength 
> recently; I might misremember that working).
> Hrm, I thought I kept notes about this issue, but I can't find them.
> I can't see anything obviously missing in your object, either.
> 
> More things to try:
> 
>  • Read slapo-ppolicy(5) manpage if you haven't already.
>  • Double-check that the ppolicy overlay is actually enabled.
>  • If you can't get this working, and you trust root on the client side,
>    you can use other libpam_* modules to enforce length constraints.
> 
> PS: pwdCheckQuality has NO EFFECT unless you write your own quality check as 
> a C function and load it into slapd.
> 
> PPS: AFAIK the attributes we're talking about are specific to OpenLDAP 
> (slapd).
> If you're using some other server (e.g. 389ds), say so.
> 
> PPPS: it's silly (but harmless) for your policy object to be 
> objectclass=person.
> 
> 
>         cat <<EOF
>         dn: cn=policy,o=REDACTED
>         objectClass: pwdPolicy
>         objectClass: device
>         pwdAttribute: userPassword
>         # Password must change at least once every ten years.
>         pwdMaxAge:      $((365 * 24 * 60 * 60*10))
>         # Start warning the user one week before that.
>         pwdExpireWarning: $((7 * 24 * 60 * 60))
>         # Remember the last two passwords.
>         pwdInHistory: 2
>         # pwdCheckQuality MUST be set or pwdMinLength is ignored.
>         pwdCheckQuality: 2
>         pwdMinLength: 8
>         # Without this, expired passwords can't be reset from xdm.
>         # NB: nss-pam-ldapd v0.9.3 does TWO binds,
>         # so this should be set to double what you actually want.
>         pwdGraceAuthnLimit: 16
>         # This is to mitigate brute-force password guessing.
>         pwdMaxFailure: 4
>         pwdLockout: TRUE
>         pwdLockoutDuration: $((30 * 60))
>         pwdFailureCountInterval: $((5 * 60))
>         pwdMustChange: TRUE
>         # FIXME: turn off pwdAllowUserChange?
>         pwdAllowUserChange: TRUE
>         pwdSafeModify: FALSE
>         EOF
> 

Thanks a lot, Trent.

I am going to check all of this.

Kind regards,
André

-- 
https://github.com/progmaticltd/homebox
-- 
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
https://lists.arthurdejong.org/nss-pam-ldapd-users/
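The interactions Trent points out (pwdMinLength only being enforced when pwdCheckQuality is non-zero, pwdMaxFailure only locking anything with pwdLockout: TRUE, and a pwdLockoutDuration of 0 meaning the lock holds until an administrator resets it, per slapo-ppolicy(5)) can be checked before a policy entry is loaded into slapd. The lint below is an added example, not code from this thread or from nss-pam-ldapd; the LDIF sample is constructed from the policy quoted in the question, abridged to the attributes the checks use.

```python
# Constructed sample: the policy from the original question, abridged to the
# attributes the checks below look at.
SAMPLE_LDIF = """\
dn: cn=default,ou=pwpolicies,dc=homebox,dc=space
objectClass: pwdPolicy
objectClass: top
objectClass: person
pwdAttribute: userPassword
pwdMaxFailure: 5
pwdMinLength: 8
pwdCheckQuality: 0
pwdLockoutDuration: 0
"""

def parse_ldif_entry(text: str) -> dict[str, list[str]]:
    """Parse one LDIF entry into {attribute (lower-cased): [values]}; LDAP attribute
    names are case-insensitive, '#' comments are skipped, leading-space lines fold
    into the previous value. Base64 ('::') values are not handled."""
    attrs: dict[str, list[str]] = {}
    last = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw.startswith(" ") and last is not None:  # continuation of previous value
            attrs[last][-1] += raw[1:]
            continue
        name, _, value = raw.partition(":")
        last = name.strip().lower()
        attrs.setdefault(last, []).append(value.strip())
    return attrs

def lint_pwpolicy(attrs: dict[str, list[str]]) -> list[str]:
    """Report pwdPolicy settings that slapo-ppolicy will silently not enforce."""
    def first(name: str, default: str) -> str:
        return attrs.get(name.lower(), [default])[0]

    findings = []
    # slapo-ppolicy only checks pwdMinLength when quality checking is enabled.
    if "pwdminlength" in attrs and first("pwdCheckQuality", "0") == "0":
        findings.append("pwdMinLength ignored: pwdCheckQuality is 0 or absent")
    # Failures are counted, but an account is locked only with pwdLockout: TRUE.
    locked = first("pwdLockout", "FALSE").upper() == "TRUE"
    if "pwdmaxfailure" in attrs and not locked:
        findings.append("pwdMaxFailure has no lockout effect: pwdLockout is not TRUE")
    # pwdLockoutDuration 0 means the lock stays until an administrator resets it.
    if locked and first("pwdLockoutDuration", "0") == "0":
        findings.append("pwdLockoutDuration 0: lockout is permanent until admin reset")
    if "person" in (v.lower() for v in attrs.get("objectclass", [])):
        findings.append("objectClass person on a policy entry is unnecessary (harmless)")
    return findings
```

Run `lint_pwpolicy(parse_ldif_entry(SAMPLE_LDIF))` to see the three findings for the quoted policy; Trent's policy (pwdCheckQuality 2, pwdLockout TRUE, 30-minute duration) produces none.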