2012. szeptember 7., péntek

OpenLDAP Password Policy on Ubuntu 12.04 - Part Three

Last time we saw our shiny new ppolicy overlay working and we have a minimal password length and the accounts are locked if we fail to enter our password correctly. But hell we are not told whether our password is about to expire and even if we ask OpenLDAP to force a password chaneg we are still let in.

Basically we have to set two things in the client to get rid of these issues.
First in the file /etc/ldap.conf we uncomment the entry pam_lookup_policy yes.
Second is to change the order of the modules in the file /etc/pam.d/common-account.  Specifically I mean the modules pam_unix.so and pam_ldap.so:
account [success=2 new_authtok_reqd=done default=ignore]        pam_ldap.so
account [success=1 default=ignore]      pam_unix.so
account requisite                       pam_deny.so
account required                        pam_permit.so
And this way the password changes are enforced and we get a notice about password expirations.
If you use Kerberos auth like I do you have one more thing to do. The file /etc/pam.d/common-auth looks like this:
auth    [success=3 default=ignore]      pam_krb5.so minimum_uid=1000
auth    [success=2 default=ignore]      pam_unix.so nullok_secure try_first_pass
auth    [success=1 default=ignore]      pam_ldap.so use_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
The bold part means that upon succesful Kerberos auth the next 3 modules are ignored - i.e. you get right to module pam_permit.so and that lets you in. This way the pam_ldap.so is not activated and you will not be noticed about the expiring password.
If you replace the 3 with a 1 then the good Kerberos password will mean that only the Unix auth can be skipped but not the LDAP auth. As the Kerberos and LDAP passwords are in sync and the module pam_ldap.so does not request a new password because of the option use_first_pass. So the user only gives her password once but the clients authenticates her twice. And this way we get our warning.

If you use the overlay smbkrb5pwd for syncing the password you have one more issue regarding password policies. But I leave it for the next post.

Nincsenek megjegyzések: