lists.arthurdejong.org
Re: [nssldap] Questions about start_tls

On Tuesday 09 December 2008 23:32:27 maillists0@gmail.com wrote:
> I'm trying to setup nss_ldap on CentOS 5.2 to authenticate against openldap
> 2.3.27, using ppolicy and a password quality checker. I have two questions.
>
> First, I am using start_tls and everything seems to be working. However, I
> can see in debug mode that the password

Which password? The old one, or the new one? I would expect the old password 
to be sent in the clear ... as a simple bind is being done.

> is being sent clear text when I
> change the password, in spite of the fact that I have "pam_password crypt"
> in ldap.conf --
>
> 0010:  6a 65 66 66 2c 6f 75 3d  50 65 6f 70 6c 65 2c 64   jeff,ou=People,d
> 0020:  63 3d 73 68 75 74 74 65  72 73 74 6f 63 6b 2c 64   c=mydomain,d
> 0030:  63 3d 63 6f 6d 80 08 71  77 65 61 73 64 31 40 a0   c=com..mypassword@.
>
> 0040:  1d 30 1b 04 19 31 2e 33  2e 36 2e 31 2e 34 2e 31   .0...1.3.6.1.4.1
> 0050:  2e 34 32 2e 32 2e 32 37  2e 38 2e 35 2e 31         .42.2.27.8.5.1
>
> Is there something else I need to do to encrypt everything, have I
> misconfigured something, or am I misunderstanding start_tls?

Well, where are you seeing this (where does the output above come from)? If it 
comes from the debug output, this is normal AFAIK.

> There are no
> complaints in the debug output about tls.
>
> Second, and probably related, the password quality checking isn't working.

You don't provide your password policy, so it's difficult to comment here. 
However, if you have tested the policy with another tool (say ldappasswd) 
which does LDAP password change extended operations, then ... you should 
probably change pam_password to 'exop'. OpenLDAP can't enforce anything if it 
receives the encrypted password.

> Although I can successfully change the password and I do get prompted to
> change the password when time runs out on it, it does not check it against
> its history -- I can enter the same password every other time without
> complaint.

AFAIK, password history can be enforced even with pam_password crypt (or 
similar), but again, you haven't provided anything regarding your OpenLDAP 
configuration.

You should first test that your policy works as expected by using OpenLDAP 
utilities only. Once you are sure your policy works, then I would look at the 
pam_ldap side. Of course, the OpenLDAP lists may be better for assistance in 
ensuring your password policy is working correctly.

> It might be another clue that, when I do change the password, the first
> prompt says "Enter login(LDAP) password:", and the next prompt says "New
> password". I was under the impression that the second prompt should also
> contain "LDAP". Is that correct?
>
> Any help or guidance will be greatly appreciated. I'm about at wit's end
> with this one.
>
> Here's my ldap.conf ...

/etc/ldap.conf ? (just to be sure).

>
> base dc=mydomain,dc=com
> ssl start_tls
> tls_checkpeer no
> use_sasl off
> timelimit 120
> bind_timelimit 120
> bind_timelimit 30
> bind_policy soft
> idle_timelimit 3600
> pam_filter objectclass=posixAccount
> pam_lookup_policy yes
> pam_password crypt
> uri ldap://10.0.1.20/ ldap://10.0.1.21/
> debug 2
>
> Here's /etc/pam.d/system-auth
>
> auth        required      pam_env.so
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 500 quiet
> auth        sufficient    pam_ldap.so use_first_pass
> auth        required      pam_deny.so
>
> account     required      pam_unix.so broken_shadow
> account     sufficient    pam_succeed_if.so uid < 500 quiet
> account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
> account     required      pam_permit.so
>
> password    sufficient    pam_ldap.so
> password    required      pam_deny.so
>
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session     optional      pam_ldap.so
> session     required      pam_mkhomedir.so skel=/etc/skel/
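The point made in the reply above (the debug output shows the simple bind as the client library encodes it, so the password is visible there even with "ssl start_tls") can be checked by decoding the PDU layout yourself. The following is an added example, not code from the thread or from nss_ldap; it builds a BindRequest with the same shape as the dump (simple-auth tag 0x80 followed by the ppolicy request control) using constructed DN and password values, then walks the BER structure to show where the credential sits.

```python
# Added example (not from the thread): build a BindRequest shaped like the
# one in the debug dump and decode it, to show where the clear-text password
# sits in the PDU that nss_ldap prints before TLS encrypts it on the wire.
PPOLICY_REQUEST_OID = "1.3.6.1.4.1.42.2.27.8.5.1"  # control OID seen in the dump

def tlv(tag: int, body: bytes) -> bytes:
    """BER tag + short-form length + value (the PDUs here are < 128 bytes)."""
    if len(body) > 127:
        raise ValueError("short-form length only in this example")
    return bytes([tag, len(body)]) + body

def build_simple_bind(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0], controls [0] }."""
    bind = tlv(0x02, bytes([3])) + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    controls = tlv(0xA0, tlv(0x30, tlv(0x04, PPOLICY_REQUEST_OID.encode())))
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, bind) + controls)

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV at pos."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form length not handled")
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def decode_bind(pdu: bytes) -> dict:
    """Extract the DN, the simple-auth credential and the control OIDs."""
    tag, msg, _ = read_tlv(pdu, 0)
    _, msg_id, pos = read_tlv(msg, 0)
    op_tag, op, pos = read_tlv(msg, pos)
    if tag != 0x30 or op_tag != 0x60:
        raise ValueError("not an LDAP BindRequest")
    _, version, p = read_tlv(op, 0)
    _, name, p = read_tlv(op, p)
    auth_tag, cred, _ = read_tlv(op, p)
    info = {"message_id": msg_id[0], "version": version[0], "name": name.decode(),
            # tag 0x80 = simple authentication: the credential is the password as typed
            "simple_password": cred.decode() if auth_tag == 0x80 else None,
            "controls": []}
    if pos < len(msg):  # optional controls [0], as in the dump (a0 1d 30 1b 04 19 ...)
        _, ctls, _ = read_tlv(msg, pos)
        q = 0
        while q < len(ctls):
            _, ctl, q = read_tlv(ctls, q)  # Control ::= SEQUENCE { controlType, ... }
            info["controls"].append(read_tlv(ctl, 0)[1].decode())
    return info

if __name__ == "__main__":
    # constructed DN and password; the dump in the mail starts at offset 0x10
    pdu = build_simple_bind(1, "uid=jeff,ou=People,dc=mydomain,dc=com", "s3cret!")
    print(pdu.hex(" "))
    print(decode_bind(pdu))
```

Compare the tail of the printed bytes with the 0x0030 line of the dump: the `80 08 ...` field is the simple-auth credential and the `a0 1d 30 1b 04 19 ...` that follows is the ppolicy request control, which is why the debug trace should be treated as sensitive output.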