hi Ulrich,

"Ulrich Windl" <[email protected]> writes:

>>>> Felix Natter <[email protected]> wrote on 23.02.2022 at 21:45 in message
> <[email protected]>:
>> hello Ulrich,
>>
>> thanks for your reply! My replies are inline:
>>
>> "Ulrich Windl" <[email protected]> writes:
>>>>>> Felix Natter <[email protected]> wrote on 22.02.2022 at 19:00 in message
>>> <[email protected]>:
>>>> hello Michael,
>>>>
>>>> many thanks for your reply!
>>>>
>>>> Michael Ströder <[email protected]> writes:
>>>>> On 2/20/22 18:14, Felix Natter wrote:
>>>>>> my password policies (openldap 2.5.11) are not enforced and Roland
>>>>>> Gruber (author of LAM (Pro)) kindly advised me that passwords must be
>>>>>> stored in plaintext (Hash=PLAIN) in order to be able to enforce password
>>>>>> minimal length, password quality etc (i.e. when using passwd(1) on Linux
>>>>>> or an LDAP client on Windows).
>>>>>
>>>>> Nope. That sounds like misleading advice, or it's a misunderstanding on
>>>>> your side.
>>>>>
>>>>> 1. The LDAP client should support setting new password via LDAP Modify
>>>>> Password extended operation
>>>>
>>>> I tried with passwd(1), which currently ignores the ppolicy. Does this
>>>> mean it does not support an LDAP Modify Password *extended* operation?
>>>> If not, can I enable it?
>>>
>>> I have these lines in /etc/ldap.conf (and it works):
>>> # Search the root DSE for the password policy (works
>>> # with Netscape Directory Server). Make use of
>>> # Password Policy LDAP Control (as in OpenLDAP)
>>> pam_lookup_policy yes
>>> ...
>>> # Use the OpenLDAP password change
>>> # extended operation to update the password.
>>> pam_password exop
>>> ...
>>
>> This is on the client, right?
>
> Yes!
>
>>
>> I tried putting the two above options in /etc/openldap/ldap.conf,
>> rebooted, but no change. Also man ldap.conf does not mention them.
>
>
> As the "pam_" prefix might indicate, try "man pam_ldap" instead.
>
> ...
> Features of the PADL pam_ldap module include support for transport
> layer security, SASL authentication, directory server-enforced password
> policy, and host- and group- based logon authorization.
> ...
> pam_lookup_policy <yes|no>
> Specifies whether to search the root DSE for password policy.
> The default is "no".
> ...
pam_ldap does not exist in RH7 (actually Scientific Linux 7), I think your
SLES12 is also a bit older. See Michael's reply, which has an explanation
for this.

>>
>> Which OS do you use?
>
> SLES 12 SP5
>
> I also have:
> # grep ldap /etc/nsswitch.conf
> group: files ldap
> services: files ldap
> netgroup: files ldap
> aliases: files ldap
> passwd_compat: ldap
>
> and
>
> /etc/pam.d # cat login
> #%PAM-1.0
> auth requisite pam_nologin.so
> auth [user_unknown=ignore success=ok ignore=ignore auth_err=die
> default=bad]pam_securetty.so
> auth include common-auth
> account include common-account
> password include common-password
> session required pam_loginuid.so
> session include common-session
> session optional pam_lastlog.so nowtmp
> session optional pam_mail.so standard
>
> Maybe this helps.

Thank you. As I wrote in the other reply today, pwdCheckQuality:0 was set,
and I'm pretty sure I did not need any client changes to make PPs work on
SL7 (with pwdCheckQuality:2 on the server).

Many Thanks and Best Regards,
Felix
--
Felix Natter
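An added illustration (not code from this thread or from OpenLDAP) of why the server-side pwdCheckQuality value and the client's password-change method belong together: slapo-ppolicy can only measure a value it receives in a checkable form (as with `pam_password exop`), and pwdCheckQuality 0/1/2 decides whether an uncheckable, pre-hashed value is waved through or refused. The function below is a simplified model of those rules; the `{SCHEME}` prefix test and the sample values are assumptions for the demonstration.

```python
"""Simplified model of slapo-ppolicy pwdCheckQuality semantics (added
illustration, not OpenLDAP code).

  0  no quality checking at all (the setting Felix found on his server)
  1  check when the value is checkable, otherwise accept it unchecked
  2  check when the value is checkable, otherwise reject it

A client that hashes before sending (e.g. "{SSHA}...") hands the server a
value it cannot measure; a client using the Password Modify extended
operation sends cleartext, which the server can check and then hash itself.
"""
import re

# Assumption: an RFC 2307 style "{SCHEME}" prefix marks a pre-hashed value.
HASH_PREFIX = re.compile(r"^\{[A-Za-z0-9-]+\}")


def check_password(new_value: str, pwd_check_quality: int,
                   pwd_min_length: int) -> tuple[bool, str]:
    """Return (accepted, reason) for a proposed userPassword value."""
    if pwd_check_quality == 0:
        return True, "pwdCheckQuality=0: no checking performed"
    checkable = HASH_PREFIX.match(new_value) is None
    if not checkable:
        if pwd_check_quality == 1:
            return True, "pre-hashed value accepted unchecked (quality 1)"
        return False, "pre-hashed value rejected, cannot be checked (quality 2)"
    if len(new_value) < pwd_min_length:
        return False, f"cleartext shorter than pwdMinLength={pwd_min_length}"
    return True, "cleartext value satisfies pwdMinLength"


def scenarios() -> dict[str, bool]:
    """Constructed cases contrasting client behaviour and server setting."""
    hashed = "{SSHA}constructedBase64ValueNotARealHash=="   # pre-hashing client
    return {
        "quality0_short_cleartext": check_password("abc", 0, 8)[0],
        "quality1_hashed": check_password(hashed, 1, 8)[0],
        "quality2_hashed": check_password(hashed, 2, 8)[0],
        "quality2_short_exop": check_password("abc", 2, 8)[0],
        "quality2_long_exop": check_password("correct-horse-1", 2, 8)[0],
    }


if __name__ == "__main__":
    for name, accepted in scenarios().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

With pwdCheckQuality:0 nothing is ever refused, which matches the unenforced policy described at the start of the thread; only with 1 or 2 and a cleartext (exop) change does pwdMinLength take effect.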
