>>> Felix Natter <[email protected]> wrote on 22.02.2022 at 19:00 in message
<[email protected]>:
> hello Michael,
>
> many thanks for your reply!
>
> Michael Ströder <[email protected]> writes:
>> On 2/20/22 18:14, Felix Natter wrote:
>>> my password policies (openldap 2.5.11) are not enforced and Roland
>>> Gruber (author of LAM (Pro)) kindly advised me that passwords must be
>>> stored in plaintext (Hash=PLAIN) in order to be able to enforce password
>>> minimal length, password quality etc. (i.e. when using passwd(1) on Linux
>>> or an LDAP client on Windows).
>>
>> Nope. That sounds like misleading advice, or it's a misunderstanding on
>> your side.
>>
>> 1. The LDAP client should support setting a new password via the LDAP Modify
>> Password extended operation
>
> I tried with passwd(1), which currently ignores the ppolicy. Does this
> mean it does not support an LDAP Modify Password *extended* operation?
> If not, can I enable it?
I have these lines in /etc/ldap.conf (and it works):
# Search the root DSE for the password policy (works
# with Netscape Directory Server). Make use of
# Password Policy LDAP Control (as in OpenLDAP)
pam_lookup_policy yes
...
# Use the OpenLDAP password change
# extended operation to update the password.
pam_password exop
...
>
>> or
>>
>> 2. as you already found out yourself you can use
>>
>> olcPPolicyHashCleartext: TRUE
>>
>> if the LDAP client sends a MODIFY operation with a clear-text userPassword
>> value.
>>
>> Both options will let slapd hash the password according to the setting of
>> password-hash (slapd.conf) / olcPasswordHash (cn=config).
>
> Now I added olcPPolicyHashCleartext: TRUE to the ppolicy overlay:
>
> dn: olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config
> changetype: modify
> add: olcPPolicyHashCleartext
> olcPPolicyHashCleartext: TRUE
>
> sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f ppolicyoverlay2.ldif
> modifying entry "olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config"
>
> It now looks like this:
> dn: olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config
> objectClass: olcOverlayConfig
> objectClass: olcPPolicyConfig
> olcOverlay: {0}ppolicy
> olcPPolicyDefault: cn=default,ou=policies,dc=sidact,dc=com
> structuralObjectClass: olcPPolicyConfig
> entryUUID: <uuid>
> creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> createTimestamp: 20220215121841Z
> olcPPolicyHashCleartext: TRUE
> entryCSN: 20220222113122.616521Z#000000#000#000000
> modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> modifyTimestamp: 20220222113122Z
>
> But still, the password policy is not enforced with passwd(1).
>
>> Processing of simple bind requests is not affected by these
>> settings.
>
> Bind request means login request, as opposed to password change request?
>
>> Existing password hashes will not be altered.
>
> Yes, I read that ppolicies only work if the password is changed or
> expires.
>
> Could you please advise how to enforce the PP?
>
>>> [3] The manual states "Unfortunately, as dictionary and brute force
>>> attacks are generally quite easy for attackers to successfully mount,
>>> this advantage is marginal at best (this is why all modern Unix systems
>>> use shadow password files)."
>>
>> Well, this all is debatable.
>>
>> 1. Implement decent ACLs which forbid any read access to all LDAP clients
>> (except replicas).
>>
>> 2. Choose a decent hash algorithm, especially understand the
>> parameters. Recent OpenLDAP supports {ARGON2} out-of-the-box. Note that
>> choosing the right parameters is trading performance with security. ARGON2
>> is called "memory-hard" and you should take this literally.
>>
>> For inspiration read the comments and examples here:
>>
>> https://code.stroeder.com/AE-DIR/ansible-ae-dir-server/src/branch/main/defaults/main.yml#L712
>
> Ok, thanks.
>
> Many Thanks and Best Regards,
> Felix
> --
> Felix Natter
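The Password Modify extended operation that `pam_password exop` and ldappasswd send, encoded by hand as an added example (not code from the thread or from OpenLDAP; the DN and passwords in the test are constructed). It builds the RFC 3062 request value and the surrounding LDAPMessage and parses the value back, which shows why the server receives the new password in the clear inside this request and can therefore hash it per olcPasswordHash and have ppolicy check it, unlike a MODIFY that already carries a pre-hashed userPassword.

```python
# Added example, not code from the thread: hand-encode the LDAP Password
# Modify extended operation (RFC 3062). The new password is a cleartext
# field of the request, so slapd can hash it and ppolicy can check it.
PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"  # RFC 3062 requestName

def ber_len(n: int) -> bytes:
    """BER length: short form below 128, else 0x80|count then the length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    """One tag-length-value element."""
    return bytes([tag]) + ber_len(len(value)) + value

def passwd_modify_value(user_dn=None, old_pw=None, new_pw=None) -> bytes:
    """PasswdModifyRequestValue ::= SEQUENCE { [0] userIdentity, [1] oldPasswd,
    [2] newPasswd }, every field OPTIONAL (context tags 0x80/0x81/0x82)."""
    fields = b""
    for tag, field in ((0x80, user_dn), (0x81, old_pw), (0x82, new_pw)):
        if field is not None:
            fields += tlv(tag, field.encode("utf-8"))
    return tlv(0x30, fields)  # SEQUENCE

def extended_request(message_id: int, oid: str, value: bytes) -> bytes:
    """LDAPMessage { messageID INTEGER, [APPLICATION 23] ExtendedRequest
    { [0] requestName LDAPOID, [1] requestValue OCTET STRING } }."""
    msg_id = tlv(0x02, message_id.to_bytes((message_id.bit_length() + 8) // 8, "big"))
    req = tlv(0x77, tlv(0x80, oid.encode("ascii")) + tlv(0x81, value))
    return tlv(0x30, msg_id + req)

def read_tlv(data: bytes, pos: int = 0):
    """Decode one TLV at pos; returns (tag, value, position after it)."""
    tag, first, pos = data[pos], data[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:  # long form: low 7 bits give how many length bytes follow
        nbytes = first & 0x7F
        length, pos = int.from_bytes(data[pos:pos + nbytes], "big"), pos + nbytes
    return tag, data[pos:pos + length], pos + length

def parse_passwd_modify_value(data: bytes) -> dict:
    """Inverse of passwd_modify_value, i.e. what slapd sees in the request."""
    names = {0x80: "userIdentity", 0x81: "oldPasswd", 0x82: "newPasswd"}
    tag, body, _ = read_tlv(data)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    out, pos = {}, 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out[names[tag]] = val.decode("utf-8")
    return out
```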