hello Michael, many thanks for your reply!
Michael Ströder <[email protected]> writes:

> On 2/20/22 18:14, Felix Natter wrote:
>> my password policies (openldap 2.5.11) are not enforced and Roland
>> Gruber (author of LAM (Pro)) kindly advised me that passwords must be
>> stored in plaintext (Hash=PLAIN) in order to be able to enforce password
>> minimal length, password quality etc (i.e. when using passwd(1) on Linux
>> or an LDAP client on Windows).
>
> Nope. That sounds like misleading advice, or it's a misunderstanding on
> your side.
>
> 1. The LDAP client should support setting new password via LDAP Modify
> Password extended operation

I tried with passwd(1), which currently ignores the ppolicy. Does this
mean it does not support an LDAP Modify Password *extended* operation?
If not, can I enable it?

> or
>
> 2. as you already found out yourself you can use
>
> olcPPolicyHashCleartext: TRUE
>
> if the LDAP client sends a MODIFY operation with a clear-text userPassword
> value.
>
> Both options will let slapd hash the password according to the setting of
> password-hash (slapd.conf) / olcPasswordHash (cn=config).

Now I added olcPPolicyHashCleartext: TRUE to the ppolicy overlay:

dn: olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config
changetype: modify
add: olcPPolicyHashCleartext
olcPPolicyHashCleartext: TRUE

sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f ppolicyoverlay2.ldif
modifying entry "olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config"

It now looks like this:

dn: olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: {0}ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=sidact,dc=com
structuralObjectClass: olcPPolicyConfig
entryUUID: <uuid>
creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
createTimestamp: 20220215121841Z
olcPPolicyHashCleartext: TRUE
entryCSN: 20220222113122.616521Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20220222113122Z

But still, the password policy is not enforced with passwd(1).

> Processing simple bind requests is not affected by these
> settings.

Bind request means login request, as opposed to password change request?

> Existing password hashes will not be altered.

Yes, I read that ppolicies only work if the password is changed or
expires.

Could you please advise how to enforce the PP?

>> [3] The manual states "Unfortunately, as dictionary and brute force
>> attacks are generally quite easy for attackers to successfully mount,
>> this advantage is marginal at best (this is why all modern Unix systems
>> use shadow password files)."
>
> Well, this all is debatable.
>
> 1. Implement decent ACLs which forbid any read access to all LDAP clients
> (except replicas).
>
> 2. Choose a decent hash algorithm, especially understand the
> parameters. Recent OpenLDAP support {ARGON2} out-of-the-box. Note that
> choosing the right parameters is trading performance with security. ARGON2
> is called "memory-hard" and you should take this literally.
>
> For inspiration read the comments and examples here:
>
> https://code.stroeder.com/AE-DIR/ansible-ae-dir-server/src/branch/main/defaults/main.yml#L712

Ok, thanks.

Many Thanks and Best Regards,
Felix

-- 
Felix Natter
