Hello Michael, thanks for the explanations.

Michael Ströder <[email protected]> writes:

> On 2/22/22 19:00, Felix Natter wrote:
>>> 1. The LDAP client should support setting new password via LDAP
>>> Modify Password extended operation
>
>> I tried with passwd(1), which currently ignores the ppolicy. Does
>> this mean it does not support an LDAP Modify Password *extended*
>> operation? If not, can I enable it?
>
> passwd(1) is not even an LDAP client.
>
> ldappasswd(1) is the right tool for the command-line but takes a DN to
> specify the user's entry.

I tried this (which would be fine as a solution):

ldappasswd -H ldap://<ip> -x -D \
    cn=ldaptestuser1,ou=users,dc=company,dc=com -W -A -S

but it does not enforce the pwdMinLength:3 restriction of the PP.

> But for various reasons I usually disallow changing passwords from an
> arbitrary system. I'd recommend forcing users to use a decent central
> password self-service web app.

I will look at whether it can be done with LAMPro.

>> Now I added olcPPolicyHashCleartext: TRUE to the ppolicy overlay:
>> [..]
>> But still, the password policy is not enforced with passwd(1).
>
> passwd(1) should not even cause an LDAP modify operation to reach your
> OpenLDAP server. Just in case you've added shadow: ldap in your
> nsswitch.conf then remove that immediately because it's an ancient insecure
> concept.
>
>>> Processing simple bind requests is not affected by these
>>> settings.
>> Bind request means login request, as opposed to password change request?
>
> Sorry for the nitpicking but the term "login request" is blurry:
>
> "Simple bind request" means literally a simple bind request as described in
> RFC 4511:
>
> https://datatracker.ietf.org/doc/html/rfc4511#section-4.2
>
> This simple bind operation is used by NSS/PAM integration components like
> nss-pam-ldapd or sssd (or my own aehostd for Æ-DIR) to let the PAM stack
> check the user's password. Maybe this is what you call a "login request".
>
>> Could you please advise how to enforce the PP?
>
> I already did.
> You have to use the right software.

Agreed.

Thanks and Best Regards,
--
Felix Natter
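Added example, not part of the thread above and not Michael's or Felix's configuration: a slapd-config LDIF that wires up the ppolicy overlay and a default policy entry so that a password set through the Password Modify extended operation (what ldappasswd sends) is actually checked. The weak and corrected settings sit side by side in the policy entry. Assumed, and not stated in the thread: the user database is olcDatabase={1}mdb,cn=config with suffix dc=company,dc=com (the suffix from the thread), the policy entry lives at cn=default,ou=policies,dc=company,dc=com, and the ppolicy module (plus, on OpenLDAP 2.4, the ppolicy schema) is already loaded.

```ldif
# Added example (not from the thread). Assumptions: database {1}mdb, suffix
# dc=company,dc=com, policy DN cn=default,ou=policies,dc=company,dc=com,
# ppolicy module already loaded.

# 1. Overlay on the user database. Apply to cn=config as the config rootdn,
#    e.g. ldapadd -Y EXTERNAL -H ldapi:/// -f this-part.ldif
dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
# Without olcPPolicyDefault (or a pwdPolicySubentry attribute on the user
# entry) no policy applies to that user at all, whatever the policy says.
olcPPolicyDefault: cn=default,ou=policies,dc=company,dc=com
# Hash cleartext userPassword values that arrive in plain Modify/Add
# operations. The Password Modify extended operation is hashed by slapd
# itself according to olcPasswordHash, independent of this setting.
olcPPolicyHashCleartext: TRUE

# 2. Policy entry in the user database. Apply as the directory admin,
#    e.g. ldapadd -x -H ldap://<ip> -D cn=admin,dc=company,dc=com -W
dn: ou=policies,dc=company,dc=com
objectClass: organizationalUnit
ou: policies

dn: cn=default,ou=policies,dc=company,dc=com
objectClass: organizationalRole
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
# WEAK (the situation in the thread): a minimum length is set but
# pwdCheckQuality is left at its default of 0, which disables quality
# checking entirely, so pwdMinLength is never consulted:
#   pwdCheckQuality: 0
#   pwdMinLength: 3
# CORRECTED: 2 rejects the password whenever the server cannot check it
# (e.g. a client sent it pre-hashed); 1 would silently accept in that case.
pwdCheckQuality: 2
pwdMinLength: 12
# Let the user change their own password (ldappasswd -D <user DN>).
pwdAllowUserChange: TRUE
# Require the current password alongside the new one (ldappasswd -A).
pwdSafeModify: TRUE
pwdInHistory: 5
pwdMaxFailure: 5
pwdLockout: TRUE
pwdLockoutDuration: 600
```

With both parts loaded, the ldappasswd command from the thread (binding as the user's own DN with -W -A -S) should be refused for a new password shorter than pwdMinLength with a constraint violation result, and a password sent already hashed in a plain Modify is refused too because of pwdCheckQuality: 2. Check which policy an entry is under with an ldapsearch for the operational attribute pwdPolicySubentry on that entry; if it is absent and olcPPolicyDefault is unset, no policy is in effect.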
