Re: PAM authentication and PPolicy issues

2012-06-20 Thread Clément OUDOT
2012/6/19 Francesco Belli francesco.be...@vegaspace.com:
> Hi Everybody,
>
> I have some RHEL6 machines that use an LDAP server to authenticate. I need
> to introduce in the server some checks on passwords using PPolicy. PPolicy
> works fine; the problem is that to use pwdCheckQuality and pwdInHistory I
> need to save passwords in clear text in the LDAP server. I did a search to
> find out if there is a way to let PAM use the clear text password to
> authenticate, but it seems that it sends SHA hashes, so authentication fails.
> Do you have any suggestions?

Run man pam_ldap and search for the pam_password parameter.

Clément.



Re: PAM authentication and PPolicy issues

2012-06-20 Thread Clément OUDOT
2012/6/20 Francesco Belli francesco.be...@vegaspace.com:
> Hi Clement,
> I already used the pam_password directive, I set it to cleartext, but this
> parameter is used for password change and not for authentication. As man
> pam_ldap says, "Specifies the password change protocol to use", so not the
> authentication method. Now my situation is that I have some users in the LDAP
> server that have a SHA hash in the userPassword field, and they are
> correctly authenticated, and others that have a clear text password and cannot be
> authenticated via PAM.

The password scheme used in the LDAP directory does not prevent any application
from authenticating to LDAP. Dig into the logs to see the real reason
for your problem.

Clément.



Re: PAM authentication and PPolicy issues

2012-06-20 Thread Patrick Hemmer



Clément OUDOT wrote on Wed Jun 20 2012 04:36:03 GMT-0400 (EDT):

> 2012/6/20 Francesco Belli francesco.be...@vegaspace.com:
>
>> Hi Clement,
>> I already used the pam_password directive, I set it to cleartext, but this
>> parameter is used for password change and not for authentication. As man
>> pam_ldap says, "Specifies the password change protocol to use", so not the
>> authentication method. Now my situation is that I have some users in the LDAP
>> server that have a SHA hash in the userPassword field, and they are
>> correctly authenticated, and others that have a clear text password and cannot be
>> authenticated via PAM.
>
> The password scheme used in the LDAP directory does not prevent any application
> from authenticating to LDAP. Dig into the logs to see the real reason
> for your problem.
>
> Clément.

In addition, it is not true that the password must be stored in 
cleartext for pwdCheckQuality and pwdInHistory to work. Storing 
passwords in cleartext is bad.


-Patrick


Re: PAM authentication and PPolicy issues

2012-06-20 Thread Clément OUDOT
2012/6/20 Patrick Hemmer openl...@stormcloud9.net:


> Clément OUDOT wrote on Wed Jun 20 2012 04:36:03 GMT-0400 (EDT):
>
>> 2012/6/20 Francesco Belli francesco.be...@vegaspace.com:
>>
>>> Hi Clement,
>>> I already used the pam_password directive, I set it to cleartext, but this
>>> parameter is used for password change and not for authentication. As man
>>> pam_ldap says, "Specifies the password change protocol to use", so not the
>>> authentication method. Now my situation is that I have some users in the
>>> LDAP server that have a SHA hash in the userPassword field, and they
>>> are correctly authenticated, and others that have a clear text password and
>>> cannot be authenticated via PAM.
>>
>> The password scheme used in the LDAP directory does not prevent any application
>> from authenticating to LDAP. Dig into the logs to see the real reason
>> for your problem.
>>
>> Clément.
>
> In addition, it is not true that the password must be stored in cleartext
> for pwdCheckQuality and pwdInHistory to work. Storing passwords in cleartext
> is bad.

They can be stored hashed, but they must be sent as clear text in the
modification operation so that OpenLDAP can check the quality (minimum
size, for example). The ppolicy overlay is then able to hash them when
storing the accepted password in the database.

Clément.



RE: PAM authentication and PPolicy issues

2012-06-20 Thread Francesco Belli
Sorry Patrick,
Maybe the reference that I have is wrong. I'm using the book Mastering
OpenLDAP by Matt Butcher, which in chapter 6 at page 323 says "if you store
passwords in plain text in the directory then the policy overlay can be
configured to maintain a password history". Now I'm using
http://www.openldap.org/software/man.cgi?query=slapo-ppolicy&apropos=0&sektion=5&manpath=OpenLDAP+2.3-Release&format=html
as a reference for ppolicy. My authentication error was a trivial problem on an
objectClass: posixAccount. Now I'm testing the pwdInHistory directive with
SHA-stored passwords. Thanks for the suggestions,
Regards
Francesco



Patrick Hemmer wrote on 20 June 2012 14:17:

> In addition, it is not true that the password must be stored in cleartext for
> pwdCheckQuality and pwdInHistory to work. Storing passwords in cleartext is bad.
>
> -Patrick


Re: PAM authentication and PPolicy issues

2012-06-20 Thread Andrew Findlay
On Wed, Jun 20, 2012 at 01:44:05PM +, Francesco Belli wrote:

> Now I’m using
> http://www.openldap.org/software/man.cgi?query=slapo-ppolicy&apropos=0&sektion=5&manpath=OpenLDAP+2.3-Release&format=html
> as reference for ppolicy. My

The 2.3 release series is very old now. You should be using 2.4 and
the 2.4 manuals:

http://www.openldap.org/software/man.cgi

> I’m testing with SHA stored passwords the pwdInHistory directive.

SHA is much better than plaintext, but best practice is to use a
salted hash - SSHA in this case. The use of salt frustrates attempts
to build a dictionary to invert stolen password records. If LinkedIn
had used salt in their password hashes they would now be in less
trouble as a result of the recent disclosure...


https://community.qualys.com/blogs/securitylabs/2012/06/08/lessons-learned-from-cracking-2-million-linkedin-passwords

Andrew
-- 
---
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/   +44 1628 782565 |
---
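The following is an added example by the editor, not code from this thread or from OpenLDAP. It models in Python the two points made above: Clément's, that a password-modify must carry the cleartext so the server can check quality and pwdInHistory even though the directory stores only hashes, and Andrew's, that unsalted {SHA} repeats for equal passwords while salted {SSHA} does not. The {SHA} and {SSHA} encodings are the RFC 2307 forms OpenLDAP writes; the 8-byte salt length, the plain-list pwdHistory (the real attribute carries a timestamp#syntax#length#value prefix), the policy numbers and the sample entry are assumptions constructed for the example.

```python
# Added example (editor's, not from the thread or OpenLDAP): what a ppolicy-style
# password change does with a cleartext new password when storage is hashed.
# {SHA}  = base64(sha1(pw));  {SSHA} = base64(sha1(pw + salt) + salt)   (RFC 2307)
# Assumptions: 8-byte salt, pwdHistory kept as a plain list of stored values,
# pwdMinLength 8 and pwdInHistory 3 as defaults.
import base64
import hashlib
import hmac
import os
from typing import Any, Dict, List, Optional, Tuple

SALT_LEN = 8    # assumption; OpenLDAP's own salt length is a build/config choice
SHA1_LEN = 20   # SHA-1 digest size; in {SSHA} the salt is whatever follows it


def sha_hash(password: str) -> str:
    """Unsalted {SHA}: the same password always yields the same stored value."""
    digest = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted {SSHA}: a fresh random salt per stored value."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify(password: str, stored: str) -> bool:
    """Compare a cleartext candidate with a stored value. Only the cleartext can
    be re-hashed with the stored salt, which is why the modify operation must
    carry it even though the directory keeps hashes."""
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
        return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)
    if stored.startswith("{SHA}"):
        raw = base64.b64decode(stored[len("{SHA}"):])
        return hmac.compare_digest(hashlib.sha1(password.encode()).digest(), raw)
    # No scheme prefix: the directory holds cleartext (the situation in the thread).
    return hmac.compare_digest(password.encode(), stored.encode())


class PolicyViolation(Exception):
    """Where slapd would refuse the modify with a ppolicy error code."""


def change_password(entry: Dict[str, Any], new_password: str,
                    pwd_min_length: int = 8, pwd_in_history: int = 3) -> Dict[str, Any]:
    """Accept or reject a cleartext new password for `entry`; on success return
    the attributes to store: userPassword as {SSHA} plus the rotated history."""
    if len(new_password) < pwd_min_length:          # pwdCheckQuality-style check
        raise PolicyViolation("passwordTooShort")
    current = str(entry["userPassword"])
    history: List[str] = list(entry.get("pwdHistory", []))
    if any(verify(new_password, old) for old in [current] + history):
        raise PolicyViolation("passwordInHistory")  # pwdInHistory check
    # The old hash (never the cleartext) joins the history, capped at pwdInHistory.
    return {
        "userPassword": ssha_hash(new_password),
        "pwdHistory": ([current] + history)[:pwd_in_history],
    }


def same_password_collides(password: str) -> Tuple[bool, bool]:
    """Two accounts with the same password: ({SHA} values equal?, {SSHA} values equal?)."""
    return (sha_hash(password) == sha_hash(password),
            ssha_hash(password) == ssha_hash(password))


if __name__ == "__main__":
    # Constructed sample entry: a {SHA} current password and one {SSHA} old one.
    entry = {"userPassword": sha_hash("OldPassw0rd"),
             "pwdHistory": [ssha_hash("EvenOlder1")]}
    for candidate in ("short", "OldPassw0rd", "EvenOlder1", "FreshPassw0rd"):
        try:
            stored = change_password(entry, candidate)
            print(candidate, "accepted ->", stored["userPassword"][:12] + "...")
        except PolicyViolation as exc:
            print(candidate, "rejected:", exc)
    print("{SHA} equal, {SSHA} equal:", same_password_collides("hunter22"))
```

The point of the split is that the cleartext exists only inside change_password for the duration of the check; what leaves it is an {SSHA} value and a history of hashes, so a dumped directory gives an attacker per-value salts to contend with rather than one dictionary that inverts every {SHA} record.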