Re: [nssldap] Questions about start_tls

Please keep replies on-list: it helps others in the future.

On Wed, Dec 10, 2008 at 02:25:44PM -0500, maillists0@gmail.com wrote:

> Thanks to both of you for the responses. Changing pam_password from md5
> (which was inserted by Redhat's authconfig) to exop fixed the password
> policy issues.  Also, setting pwdCheckQuality=2 was helpful in
> troubleshooting this issue.
> 
> I still see in the debug output that the old password is being sent in
> cleartext when I change it. To be sure I understand correctly: this is
> normal and necessary for ppolicy to check against the history?

Not so much for the history check, but it is common to require the
client to include the old password in the change request to prevent
someone using a hijacked connection to change a password that they do
not know.

Also, if you are using simple bind on an un-encrypted connection then
the bind password will be sent in clear.

> Andrew, do you know of a handy example of an acl that enforces encryption on
> passwd changes?

Just add a Security Strength Factor to the access control
statement that permits the user to change their password.  Something
like this:

access to attrs=userPassword
        by ssf=64 self =w
        by * auth

That would require at least 64-bit encryption. Remember that it is up
to the *client* to request that encryption using TLS. I would suggest
always using encryption for NSS and PAM clients.

There are some examples using SSF in the Admin Guide:
http://www.openldap.org/doc/admin24/access-control.html#Access%20Control%20Examples

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------
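As an added example that is not part of the original message or of OpenLDAP itself: a small audit script that scans slapd.conf-style access directives and reports any clause that lets a user write userPassword without the kind of SSF requirement shown above. Names like audit, MIN_SSF and the sample configuration are constructed for this illustration.

```python
import re
# Added example (not from the original post): flag slapd.conf "access to"
# clauses that grant write on userPassword without requiring an SSF of at
# least MIN_SSF, the 64-bit floor from the reply.  Classic slapd.conf
# syntax is assumed: a line beginning with whitespace continues a directive.
MIN_SSF = 64
WRITE_LEVELS = {"write", "manage"}
SSF_RE = re.compile(r"(?:ssf|transport_ssf|tls_ssf|sasl_ssf)=(\d+)")

# Constructed sample: the first directive follows the reply, the second
# lets a client on a plaintext connection (ssf 0) rewrite its password.
SAMPLE_CONF = """\
access to attrs=userPassword
        by ssf=64 self =w
        by * auth
access to attrs=userPassword,shadowLastChange
        by self write
"""

def join_continuations(text):
    """Merge continuation lines and drop blank or comment lines."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def grants_write(tokens):
    """True if a 'by' clause grants write via write/manage or '=w...'."""
    return any(t in WRITE_LEVELS or (t.startswith("=") and "w" in t) for t in tokens)

def required_ssf(tokens):
    """Highest SSF floor demanded in the clause's <who> part, 0 if none."""
    return max((int(m.group(1)) for m in map(SSF_RE.fullmatch, tokens) if m), default=0)

def audit(conf):
    """Return (what, clause) pairs for userPassword writes lacking SSF."""
    findings = []
    for line in join_continuations(conf):
        m = re.match(r"access\s+to\s+(.*?)\s+by\s+(.*)$", line)
        if not m or "userpassword" not in m.group(1).lower():
            continue
        for clause in re.split(r"\s+by\s+", m.group(2)):
            tokens = clause.split()
            if grants_write(tokens) and required_ssf(tokens) < MIN_SSF:
                findings.append((m.group(1), "by " + clause))
    return findings
```

Only directives that name userPassword are inspected; because slapd applies the first directive whose target matches, a catch-all "access to *" placed earlier in the file would need to be reviewed separately.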