Hello.
I'm having a bit of trouble understanding how the password policy works in regards to the check_password.so module. This is my issue, using the openldap RPMs. Below is the configuration for the check_password.conf.

[root@phdevl09 ~]# cat /etc/openldap/check_password.conf
# OpenLDAP pwdChecker library configuration
useCracklib 1
minPoints 2
minUpper 1
minLower 1
minDigit 1
minPunct 1

Below are the logs when a password change attempt is happening. I'm attempting to use a password that uses upper, lower, digit. No punctuation.

#### Logs

Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: conn=19337 op=1 PASSMOD new
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password: Got line |useCracklib 1#012|
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password: Validating parameter [useCracklib]
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password: Parameter accepted.
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password: Word = useCracklib, value = 1
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password: Got line |minPoints 2#012|
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password: Validating parameter [minPoints]
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password: Parameter accepted.
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password: Word = minPoints, value = 2
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password: Got line |minUpper 1#012|
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password: Validating parameter [minUpper]
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password: Parameter accepted.
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password: Word = minUpper, value = 1
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password: Got line |minLower 1#012|
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password: Validating parameter [minLower]
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password: Parameter accepted.
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password: Word = minLower, value = 1
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password: Got line |minDigit 1#012|
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password: Validating parameter [minDigit]
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password: Parameter accepted.
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password: Word = minDigit, value = 1
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password: Got line |minPunct 1#012|
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password: Validating parameter [minPunct]
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password: Parameter accepted.
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password: Word = minPunct, value = 1
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password: Got line |#012|
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password: Found digit character - quality raise 1
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password: Found lower character - quality raise 2
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password: Found upper character - quality raise 3
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password: Reallocating szErrStr from 64 to 211
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password_quality: module error: (check_password.so) Password for dn="uid=tester_nalika,ou=People,o=POG,dc=example,dc=com" does not pass required number of strength checks for the required character sets (3 of 2).[1]

Clearly this fails. 3 of 2? If I attempt to use punctuation, then the password is accepted.

Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: conn=19339 op=1 PASSMOD new
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password: Got line |useCracklib 1#012|
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password: Validating parameter [useCracklib]
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password: Parameter accepted.
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password: Word = useCracklib, value = 1
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password: Got line |minPoints 2#012|
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password: Validating parameter [minPoints]
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password: Parameter accepted.
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password: Word = minPoints, value = 2
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password: Got line |minUpper 1#012|
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password: Validating parameter [minUpper]
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password: Parameter accepted.
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password: Word = minUpper, value = 1
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password: Got line |minLower 1#012|
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password: Validating parameter [minLower]
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password: Parameter accepted.
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password: Word = minLower, value = 1
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password: Got line |minDigit 1#012|
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password: Validating parameter [minDigit]
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password: Parameter accepted.
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password: Word = minDigit, value = 1
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password: Got line |minPunct 1#012|
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password: Validating parameter [minPunct]
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password: Parameter accepted.
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password: Word = minPunct, value = 1
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password: Got line |#012|
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password: Found lower character - quality raise 1
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password: Found digit character - quality raise 2
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password: Found upper character - quality raise 3
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password: Found punctuation character - quality raise 4

Why is this? Am I misunderstanding how minPoints works? I didn't want to submit a Bugzilla because I don't think this is really a "bug", but a misconfiguration on my part somewhere.

-L
_______________________________________________
ltb-users mailing list
ltb-users@lists.ltb-project.org
http://lists.ltb-project.org/listinfo/ltb-users
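Added example, not part of the original post and not the check_password.so source: a small model of a policy check that reproduces both logged outcomes. It assumes one point per character class present and that every min* value is also enforced as a hard per-class minimum alongside minPoints; the struct and function names are hypothetical, and cracklib is left out.

```c
#include <ctype.h>
#include <stdio.h>

/* Hypothetical policy struct; fields mirror the check_password.conf keys. */
struct policy { int minPoints, minUpper, minLower, minDigit, minPunct; };
struct result { int points; int missing_class; int ok; };

/* Model (assumption): one point per character class present, and each
 * min* value is additionally a hard minimum for its own class. */
static struct result evaluate(const char *pw, struct policy p)
{
    int upper = 0, lower = 0, digit = 0, punct = 0;
    for (const unsigned char *c = (const unsigned char *)pw; *c; c++) {
        if (isupper(*c)) upper++;
        else if (islower(*c)) lower++;
        else if (isdigit(*c)) digit++;
        else if (ispunct(*c)) punct++;
    }
    struct result r;
    r.points = (upper > 0) + (lower > 0) + (digit > 0) + (punct > 0);
    /* A class below its minimum fails the check even when the point
     * total already meets minPoints, which yields a "3 of 2" report. */
    r.missing_class = upper < p.minUpper || lower < p.minLower ||
                      digit < p.minDigit || punct < p.minPunct;
    r.ok = !r.missing_class && r.points >= p.minPoints;
    return r;
}

int main(void)
{
    /* Values from the check_password.conf shown in the post. */
    struct policy posted = { 2, 1, 1, 1, 1 };
    /* Constructed sample passwords, not the poster's. */
    const char *samples[] = { "Tester2024", "Tester2024!" };
    for (int i = 0; i < 2; i++) {
        struct result r = evaluate(samples[i], posted);
        printf("%-12s %d of %d points, %s\n", samples[i], r.points,
               posted.minPoints, r.ok ? "accepted" : "rejected");
    }
    return 0;
}
```

Under this model, setting minPunct to 0 while keeping minPoints 2 accepts the first sample as well.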