Re: [nssldap] Questions about start_tls
- From: Buchan Milne <bgmilne [at] mandriva.org>
- To: maillists0 [at] gmail.com
- Cc: nssldap [at] padl.com
- Subject: Re: [nssldap] Questions about start_tls
- Date: Wed, 10 Dec 2008 09:08:21 +0200
On Tuesday 09 December 2008 23:32:27 maillists0@gmail.com wrote:
> I'm trying to set up nss_ldap on CentOS 5.2 to authenticate against openldap
> 2.3.27, using ppolicy and a password quality checker. I have two questions.
>
> First, I am using start_tls and everything seems to be working. However, I
> can see in debug mode that the password
Which password? The old one, or the new one? I would expect the old password
to be sent in the clear ... as a simple bind is being done.
> is being sent clear text when I
> change the password, in spite of the fact that I have "pam_password crypt"
> in ldap.conf --
>
> 0010: 6a 65 66 66 2c 6f 75 3d 50 65 6f 70 6c 65 2c 64 jeff,ou=People,d
> 0020: 63 3d 73 68 75 74 74 65 72 73 74 6f 63 6b 2c 64 c=mydomain,d
> 0030: 63 3d 63 6f 6d 80 08 71 77 65 61 73 64 31 40 a0 c=com..mypassword@.
>
> 0040: 1d 30 1b 04 19 31 2e 33 2e 36 2e 31 2e 34 2e 31 .0...1.3.6.1.4.1
> 0050: 2e 34 32 2e 32 2e 32 37 2e 38 2e 35 2e 31 .42.2.27.8.5.1
>
> Is there something else I need to do to encrypt everything, have I
> misconfigured something, or am I misunderstanding start_tls?
Well, where are you seeing this (where does the output above come from)? If it
comes from the debug output, this is normal AFAIK.
> There are no
> complaints in the debug output about tls.
>
> Second, and probably related, the password quality checking isn't working.
You don't provide your password policy, so it's difficult to comment here.
However, if you have tested the policy with another tool (say ldappasswd)
which does LDAP password change extended operations, then ... you should
probably change pam_password to 'exop'. OpenLDAP can't enforce anything if it
receives the encrypted password.
> Although I can successfully change the password and I do get prompted to
> change the password when time runs out on it, it does not check it against
> its history -- I can enter the same password every other time without
> complaint.
AFAIK, password history can be enforced even with pam_password crypt (or
similar), but again, you haven't provided anything regarding your OpenLDAP
configuration.
You should first test that your policy works as expected by using OpenLDAP
utilities only. Once you are sure your policy works, then I would look at the
pam_ldap side. Of course, the OpenLDAP lists may be better for assistance in
ensuring your password policy is working correctly.
> It might be another clue that, when I do change the password, the first
> prompt says "Enter login(LDAP) password:", and the next prompt says "New
> password". I was under the impression that the second prompt should also
> contain "LDAP". Is that correct?
>
> Any help or guidance will be greatly appreciated. I'm about at wit's end
> with this one.
>
> Here's my ldap.conf ...
/etc/ldap.conf ? (just to be sure).
>
> base dc=mydomain,dc=com
> ssl start_tls
> tls_checkpeer no
> use_sasl off
> timelimit 120
> bind_timelimit 120
> bind_timelimit 30
> bind_policy soft
> idle_timelimit 3600
> pam_filter objectclass=posixAccount
> pam_lookup_policy yes
> pam_password crypt
> uri ldap://10.0.1.20/ ldap://10.0.1.21/
> debug 2
>
> Here's /etc/pam.d/system-auth
>
> auth required pam_env.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 500 quiet
> auth sufficient pam_ldap.so use_first_pass
> auth required pam_deny.so
>
> account required pam_unix.so broken_shadow
> account sufficient pam_succeed_if.so uid < 500 quiet
> account [default=bad success=ok user_unknown=ignore] pam_ldap.so
> account required pam_permit.so
>
> password sufficient pam_ldap.so
> password required pam_deny.so
>
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session optional pam_ldap.so
> session required pam_mkhomedir.so skel=/etc/skel/
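An added example, not code from this thread, from nss_ldap or from OpenLDAP: a small Python script that builds an LDAP BindRequest of the shape shown in the debug dump above (a simple bind plus the OpenLDAP password policy request control, OID 1.3.6.1.4.1.42.2.27.8.5.1) and decodes it again. The DN, message id and password are constructed values. It illustrates the point made in the reply: a simple bind carries the bind password as a plain OCTET STRING inside the PDU, so the BER debug hexdump shows it readable whether or not STARTTLS later encrypts those bytes on the socket. Seeing the password in the debug output is therefore not by itself evidence that the session is unencrypted; a packet capture on the wire is the check for that.

```python
"""Build and decode an LDAP BindRequest (RFC 4511) of the shape seen in
pam_ldap/nss_ldap BER debug output.

Added example for the nssldap thread; not code from nss_ldap or OpenLDAP.
DN, message id and password below are constructed values."""

# OpenLDAP password-policy request control, as in the dump in the thread.
PPOLICY_REQUEST_OID = "1.3.6.1.4.1.42.2.27.8.5.1"


def encode_tlv(tag, payload):
    """BER tag-length-value with definite short or long length form."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def build_bind_request(message_id, dn, password, control_oids=()):
    """LDAPMessage { messageID, BindRequest, [0] Controls OPTIONAL }.

    BindRequest is [APPLICATION 0] (tag 0x60); simple authentication is
    [0] OCTET STRING (tag 0x80), i.e. the password itself, unhashed.
    message_id must be below 128 for this single-byte INTEGER encoding.
    """
    bind = (encode_tlv(0x02, bytes([3]))             # version 3
            + encode_tlv(0x04, dn.encode())          # name (LDAPDN)
            + encode_tlv(0x80, password.encode()))   # simple credentials
    msg = encode_tlv(0x02, bytes([message_id])) + encode_tlv(0x60, bind)
    if control_oids:
        # Controls ::= SEQUENCE OF Control; Control's first field is the OID.
        ctrls = b"".join(encode_tlv(0x30, encode_tlv(0x04, oid.encode()))
                         for oid in control_oids)
        msg += encode_tlv(0xA0, ctrls)               # [0] Controls
    return encode_tlv(0x30, msg)


def decode_bind_request(pdu):
    """Parse an LDAPMessage holding a BindRequest into a plain dict."""
    tag, msg, _ = read_tlv(pdu, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(msg, 0)
    tag, op, pos = read_tlv(msg, pos)
    if tag != 0x60:
        raise ValueError("not a BindRequest (application tag 0)")
    _, ver, p = read_tlv(op, 0)
    _, name, p = read_tlv(op, p)
    atag, cred, _ = read_tlv(op, p)
    if atag == 0x80:
        auth = ("simple", cred.decode())      # password in the clear
    elif atag == 0xA3:
        auth = ("sasl", None)                 # [3] SaslCredentials, not parsed
    else:
        raise ValueError("unknown AuthenticationChoice tag 0x%02x" % atag)
    controls = []
    if pos < len(msg):
        ctag, ctrls, _ = read_tlv(msg, pos)
        if ctag == 0xA0:
            c = 0
            while c < len(ctrls):
                _, ctrl, c = read_tlv(ctrls, c)
                _, oid, _ = read_tlv(ctrl, 0)
                controls.append(oid.decode())
    return {"message_id": int.from_bytes(mid, "big"), "version": ver[0],
            "name": name.decode(), "auth": auth, "controls": controls}


def hexdump(data, width=16):
    """Lines in the same 'offset: hex  ascii' layout as the libldap BER dump."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join("%02x" % b for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append("%04x: %-*s %s" % (off, width * 3 - 1, hexpart, asc))
    return lines


def password_in_clear(pdu, password):
    """True when the raw PDU bytes contain the password verbatim."""
    return password.encode() in pdu


if __name__ == "__main__":
    pdu = build_bind_request(1, "uid=jeff,ou=People,dc=example,dc=com",
                             "s3cret-pw!", [PPOLICY_REQUEST_OID])
    print("\n".join(hexdump(pdu)))
    print(decode_bind_request(pdu))
    print("password visible in PDU:", password_in_clear(pdu, "s3cret-pw!"))
```

Run it and compare the hexdump lines with your own debug output: the `80 08 ...` element after the DN is the simple credential, and the `a0 1d 30 1b 04 19 31 2e 33 ...` tail is the ppolicy request control, exactly as in the dump quoted in the thread. The password-change operation itself is a separate request; the bind shown here is only the authentication step that precedes it.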