In case anyone is interested in how I implemented this:

- I turned off all ppolicy in Samba4 (from my testing, Clement is right, Samba4 doesn't respect the password policy draft).
- I used a GPO to prevent users from changing their password in Windows (info: https://support.microsoft.com/en-us/help/324744/how-to-prevent-users-from-changing-a-password-except-when-required-in ).
- Created a folder /usr/share/self-service-password/user-pw-last-reset/
- chown /usr/share/self-service-password/user-pw-last-reset/ to www-data:www-data
- Implemented a posthook script with the following in it:

    #!/bin/sh
    LOGIN="$1"   # SSP passes the login as the first argument (assumed; the original relied on $LOGIN already being set)
    USERPWLASTRESET="/usr/share/self-service-password/user-pw-last-reset/$LOGIN"
    echo "$(date +"%Y%m%d")" > "$USERPWLASTRESET"

- Added the following code to the /usr/share/self-service-password/pages/change.php file after the check_username_validity and before the check for newpassword matching confirmpassword, right around line 60:

    # Check the USER-PW-LAST-RESET date, throw an error if it is not older than the number set in $pwd_min_age
    if (isset($_REQUEST["login"]) and ($pwd_min_age > 0)) {
        $userpwlastresetfile = "/usr/share/self-service-password/user-pw-last-reset/" . $login;
        if (file_exists($userpwlastresetfile)) {
            $userpwlastresetdate = trim(fgets(fopen($userpwlastresetfile, 'r')));
            $DT1 = strtotime($userpwlastresetdate);
            $DT2 = strtotime(date('Ymd'));
            $secs = $DT2 - $DT1;
            $days = $secs / 86400;
            if ($days <= $pwd_min_age) {
                $result = "tosoon";
            }
        }
    }

- Added these lines to /usr/share/self-service-password/conf/config.inc.php:

    # Minimum age of passwords, in days, set to 0 to disable
    $pwd_min_age = 60;

- Added the following line to the pwd_policy_config array in /usr/share/self-service-password/index.php:

    "pwd_min_age" => $pwd_min_age

- Added "tosoon" to the "get_criticity" function under the warning section of /usr/share/self-service-password/lib/function.inc.php
- Added the following line to the function "show_policy" in /usr/share/self-service-password/lib/function.inc.php:

    if ( $pwd_min_age ) { echo "<li>".$messages["policyminage"] ." $pwd_min_age</li>\n"; }

- Added the following lines to /usr/share/self-service-password/lang/en.inc.php:

    $messages['tosoon'] = "You are attempting to change your password before the minimum password age has been met.<br /> Minimum password age is ".$pwd_min_age." days.";
    $messages['policyminage'] = "Minimum age (days):";

This seems to work pretty well so far in my testing.
It isn't the most elegant solution, but it works :D

Taylor

On Thu, Aug 31, 2017 at 11:37 AM, Clément OUDOT <clement.ou...@savoirfairelinux.com> wrote:

> On 31/08/2017 at 14:19, Taylor Hammerling wrote:
>
>> Clement - I sincerely appreciate your help on this! Unfortunately if SSP
>> gives a generic "Password was refused by the LDAP directory" if any of the
>> LDAP restrictions are triggered I'm not going to be able to use LDAP
>> password restrictions. My end users absolutely need specific error
>> messages, or they get REALLY ornery :D I'm guessing that LDAP doesn't
>> provide SSP with any more information other than "REFUSED!".
>
> SSP is coded in PHP, and the PHP LDAP library still does not have support for the LDAP
> policy control. Anyway, I'm not sure Samba4 respects the password policy
> draft either.
>
> For the moment you can configure some restrictions in the SSP configuration so
> that if SSP accepts the password, then it is strong enough to be accepted by
> the LDAP directory.
>
>> What I'm going to do is set up a GPO to prevent users from changing their
>> passwords through Windows. Then I'm going to turn off the LDAP password
>> restrictions entirely. Then I'm going to add a bit into the SSP code that
>> will track how frequently each user has changed their password and throw an
>> error if they have changed their password within the last X days.
>>
>> This way the end user knows exactly why their password change failed, and
>> I could even provide them with the date they can change their password
>> again in the error msg.
>
> You will need to patch the SSP code to do that, and see how to get that
> information from the Samba 4 directory.
>
> Note that 1.1 will be released soon with a lot of fixes and enhancements:
> https://github.com/ltb-project/self-service-password/milestone/3?closed=1
>
> --
> Clément OUDOT
> Free software consultant, infrastructure and security expert
> Savoir-faire Linux
> 137 boulevard de Magenta - 75010 PARIS
> Blog: http://sflx.ca/coudot
>
> _______________________________________________
> ltb-users mailing list
> ltb-users@lists.ltb-project.org
> https://lists.ltb-project.org/cgi-bin/mailman/listinfo/ltb-users

--
Taylor Hammerling | IT Manager
2800 Laura Lane | Middleton, WI 53562
O (608) 669-9070 | C (608) 512-7849
tcsbasys.com | ubiquistat.com
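The minimum-age check from the message above, as an added example that is neither SSP project code nor Taylor's patch: the last-reset lookup factored into functions that also return the date on which the user may change again (the date Taylor mentions wanting in the error message). It assumes the tracking directory and Ymd record format described in the thread; the function names, the basename() guard and the fail-open handling of an unreadable record are my choices.

```php
<?php
// Added example (not SSP project code nor Taylor's patch): the minimum-age
// check factored into functions, returning the next allowed change date too.
// Assumes Ymd records written by the posthook and a login that already
// passed check_username_validity(); $pwd_min_age is in days (0 disables).

function last_reset_path(string $dir, string $login): string
{
    // basename() keeps the record inside $dir whatever the login contains.
    return rtrim($dir, '/') . '/' . basename($login);
}

// Posthook side: record the day of the reset. Returns false if it could not write.
function record_password_reset(string $dir, string $login, DateTimeImmutable $now): bool
{
    return file_put_contents(last_reset_path($dir, $login), $now->format('Ymd') . "\n") !== false;
}

// change.php side: 'result' is '' when allowed, 'tosoon' when blocked until 'next_change'.
function check_password_min_age(string $dir, string $login, int $pwd_min_age, DateTimeImmutable $now): array
{
    $ok = ['result' => '', 'next_change' => null];
    if ($pwd_min_age <= 0) {
        return $ok;                               // policy disabled
    }
    $file = last_reset_path($dir, $login);
    if (!is_file($file)) {
        return $ok;                               // no reset through SSP recorded yet
    }
    $last = DateTimeImmutable::createFromFormat('!Ymd', trim((string) file_get_contents($file)));
    if ($last === false) {
        error_log("unreadable last-reset record for $login: $file");
        return $ok;                               // fail open, as the original check does
    }
    $today = $now->setTime(0, 0, 0);
    $days  = $today < $last ? 0 : $last->diff($today)->days;   // whole calendar days
    if ($days < $pwd_min_age) {                   // allowed once $pwd_min_age full days have passed
        return ['result' => 'tosoon', 'next_change' => $last->modify("+$pwd_min_age days")];
    }
    return $ok;
}

// Constructed demo: a reset 10 days ago checked against a 60-day minimum age.
$dir = sys_get_temp_dir() . '/ssp-demo-' . getmypid();
mkdir($dir, 0700);
$now = new DateTimeImmutable('2017-09-01');
record_password_reset($dir, 'taylor', $now->modify('-10 days'));
$r = check_password_min_age($dir, 'taylor', 60, $now);
printf("%s, next change %s\n", $r['result'] ?: 'allowed', $r['next_change'] ? $r['next_change']->format('Y-m-d') : '-');
```

In change.php the call would be `$r = check_password_min_age(...); if ($r['result']) { $result = $r['result']; }`, with `$r['next_change']` available for the 'tosoon' message.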