Hi community,
We want to implement password policies in our DIT, and are testing ppolicy,
and found issues using olcPasswordHash, the Password Modify extension and
so on. Here are my tests:
1) My cn=config with olcPasswordHash and olcSuffix values
$ ldapsearch -D "cn=admin,dc=ktu,dc=lt" -W -x -b "cn=config"
olcPasswordHash olcSuffix
dn: cn=config
olcPasswordHash: {SSHA}
...
# {-1}frontend, config
dn: olcDatabase={-1}frontend,cn=config
olcPasswordHash: {SSHA}
olcPasswordHash: {SHA}
olcPasswordHash: {SMD5}
olcPasswordHash: {MD5}
olcPasswordHash: {CRYPT}
...
# {2}hdb, config
dn: olcDatabase={2}hdb,cn=config
olcSuffix: dc=ktu,dc=lt
$
2) My test user exists without a userPassword attribute
$ ldapsearch -D "cn=admin,dc=ktu,dc=lt" -W -x -b
"[email protected],ou=People,ou=Users,dc=ktu,dc=lt"
userPassword
Enter LDAP Password:
dn: [email protected],ou=People,ou=Users,dc=ktu,dc=lt
$
3) Setting a password for the test user. As the documentation says, "ldappasswd
uses the LDAPv3 Password Modify (RFC 3062) extended operation."
$ ldappasswd -h localhost -D "cn=admin,dc=ktu,dc=lt" -x -W -S
"[email protected],ou=People,ou=Users,dc=ktu,dc=lt"
New password:
Re-enter new password:
Enter LDAP Password:
$
4) userPassword somehow becomes multivalued
$ ldapsearch -D "cn=admin,dc=ktu,dc=lt" -W -x -b
"[email protected],ou=People,ou=Users,dc=ktu,dc=lt"
userPassword
Enter LDAP Password:
# [email protected], People, Users, ktu.lt
dn: [email protected],ou=People,ou=Users,dc=ktu,dc=lt
userPassword:: e1NTSEF9RlE3VjRYa003RVJ6eGFTNjR4ZkFRSzRGZEk4cFk0UDQ=
--> {SSHA}FQ7V4XkM7ERzxaS64xfAQK4FdI8pY4P4
userPassword:: e1NTSEF9K1JtbWl3M0RxTTV3aEl0U3g5TjVrZWRETlpES3NROUg=
--> {SSHA}+Rmmiw3DqM5whItSx9N5kedDNZDKsQ9H
userPassword:: e1NIQX1maVFONTAreDdRajZDTk9BWS9hbXFSUmlxQlU9
--> {SHA}fiQN50+x7Qj6CNOAY/amqRRiqBU=
userPassword:: e1NNRDV9VUdaa3ZDSWI5Qld4a1VNcUhyZEl3ZElTbnJ3PQ==
--> {SMD5}UGZkvCIb9BWxkUMqHrdIwdISnrw=
userPassword:: e01ENX1SN3pseDA5WW4waG4yOVYrbktuNENBPT0=
--> {MD5}R7zlx09Yn0hn29V+nKn4CA==
userPassword:: e0NSWVBUfTFNZVAud1ZxenEvdWM=
--> {CRYPT}1MeP.wVqzq/uc
$
I guess the "frontend" database has the so-called global olcPasswordHash
directive in effect over all databases. I also guess that one SSHA form
comes from cn=config, and the other 5 forms come from "frontend". Does
anyone know if this is true?
5) If the above is true, overriding the globals in the local database config
seems like a solution to me, but ...
$ ldapmodify -D "cn=admin,dc=ktu,dc=lt" -W -x <<EOF
> dn: olcDatabase={2}hdb,cn=config
> changetype: modify
> add: olcPasswordHash
> olcPasswordHash: {SSHA}
> EOF
Enter LDAP Password:
modifying entry "olcDatabase={2}hdb,cn=config"
ldap_modify: Object class violation (65)
additional info: attribute 'olcPasswordHash' not allowed
$
Is it possible to get rid of the insecure password scheme forms? I
always believed that password-hash (olcPasswordHash) should help to do
that. Maybe I am missing something? I also think that it could be
related to ITS#7625
<http://www.openldap.org/its/index.cgi/Incoming?id=7625;expression=ppolicy;page=2>,
which is why ppolicy shows the "Additional info: Password policy only allows one
password value" error message. Please help to clear things up.
System: Debian 7.0 (wheezy)
OpenLDAP: 2.4.31 (from package)
Thank you.
--
Regards,
Nerijus Kislauskas
KTU ITD, Litnet valdymo centras
Studentu g. 48a - 101, Kaunas
tel.: (8~37) 30 06 45
mob. tel.: 8-614-93889
e-mail: [email protected]
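Two things the output in step 4 makes visible are worth pinning down offline: how each {SCHEME} userPassword value the server produced is laid out, and why {SHA} and {MD5} are the forms a policy should drop. The script below is an editor's added example, not code from the post or from OpenLDAP. It parses RFC 2307-style "{SCHEME}base64" values, verifies {SSHA}/{SHA}/{SMD5}/{MD5} against a cleartext, and reports which values carry a salt. The input list is the six values from the post; the password it checks at the end is a constructed one, since the real password is not on the page. {CRYPT} is only classified, not verified, because that needs the platform crypt(3).

```python
import base64
import hashlib
import hmac
import os
import re

# "{SCHEME}payload": the userPassword layout slapd uses for hashed values
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9]+)\}(.*)$")

# scheme -> (hashlib algorithm, does the scheme append a salt to the hashed input?)
# Salted schemes store digest || salt; unsalted ones store the bare digest.
SCHEMES = {
    "SSHA": ("sha1", True),
    "SHA":  ("sha1", False),
    "SMD5": ("md5", True),
    "MD5":  ("md5", False),
}


def parse_userpassword(value: str):
    """Split '{SCHEME}payload' into (SCHEME, payload bytes); base64-decodes all but CRYPT."""
    m = SCHEME_RE.match(value)
    if not m:
        raise ValueError("value has no {SCHEME} prefix (cleartext?)")
    scheme, payload = m.group(1).upper(), m.group(2)
    if scheme == "CRYPT":
        return scheme, payload.encode("ascii")   # crypt(3) output is not base64
    return scheme, base64.b64decode(payload)


def _digest(password: str, scheme: str, salt: bytes) -> bytes:
    """Raw stored bytes for a scheme: hash(password || salt) || salt, or hash(password)."""
    algo, salted = SCHEMES[scheme]
    h = hashlib.new(algo)
    h.update(password.encode("utf-8"))
    if salted:
        h.update(salt)
        return h.digest() + salt
    return h.digest()


def hash_password(password: str, scheme: str, salt: bytes = None) -> str:
    """Produce a {SCHEME} value; salted schemes get 4 random salt bytes unless one is given."""
    if SCHEMES[scheme][1] and salt is None:
        salt = os.urandom(4)
    raw = _digest(password, scheme, salt or b"")
    return "{%s}%s" % (scheme, base64.b64encode(raw).decode("ascii"))


def check_password(password: str, value: str) -> bool:
    """Verify a cleartext against one stored value, recovering the salt from the value."""
    scheme, raw = parse_userpassword(value)
    if scheme not in SCHEMES:
        raise NotImplementedError("scheme %s is not verified here" % scheme)
    algo, salted = SCHEMES[scheme]
    dlen = hashlib.new(algo).digest_size
    salt = raw[dlen:] if salted else b""
    return hmac.compare_digest(_digest(password, scheme, salt), raw)


def audit_entry(values):
    """Classify each userPassword value: scheme, whether it is salted, salt length in bytes."""
    report = []
    for v in values:
        scheme, raw = parse_userpassword(v)
        if scheme in SCHEMES:
            algo, salted = SCHEMES[scheme]
            salt_len = len(raw) - hashlib.new(algo).digest_size if salted else 0
        elif scheme == "CRYPT":
            salted, salt_len = True, None    # salt is embedded in the crypt(3) string
        else:
            salted, salt_len = None, None    # unknown scheme
        report.append({"scheme": scheme, "salted": salted, "salt_len": salt_len})
    return report


def unsalted_schemes(values):
    """Schemes present in the entry where equal passwords give equal stored values."""
    return sorted({r["scheme"] for r in audit_entry(values) if r["salted"] is False})


# The six values slapd stored for the single ldappasswd call in the post above.
POST_VALUES = [
    "{SSHA}FQ7V4XkM7ERzxaS64xfAQK4FdI8pY4P4",
    "{SSHA}+Rmmiw3DqM5whItSx9N5kedDNZDKsQ9H",
    "{SHA}fiQN50+x7Qj6CNOAY/amqRRiqBU=",
    "{SMD5}UGZkvCIb9BWxkUMqHrdIwdISnrw=",
    "{MD5}R7zlx09Yn0hn29V+nKn4CA==",
    "{CRYPT}1MeP.wVqzq/uc",
]

if __name__ == "__main__":
    for r in audit_entry(POST_VALUES):
        print(r)
    print("unsalted schemes in entry:", unsalted_schemes(POST_VALUES))
    pw = "correct horse"   # constructed; the post's real password is unknown
    print("SHA repeats:", hash_password(pw, "SHA") == hash_password(pw, "SHA"))
    print("SSHA repeats:", hash_password(pw, "SSHA") == hash_password(pw, "SSHA"))
```

Run against the post's values, the audit reports {SHA} and {MD5} as the unsalted entries: two users with the same password get byte-identical {SHA} or {MD5} values, so one precomputed table cracks all of them, whereas each {SSHA}/{SMD5} value carries its own 4-byte salt. That is the concrete reason to trim the hash list to a salted scheme. Note also that the ldapmodify in step 5 failed because the error says olcPasswordHash is not allowed on the olcDatabase={2}hdb entry; the entries where the poster's own ldapsearch in step 1 shows the attribute are cn=config and olcDatabase={-1}frontend.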