2012. szeptember 9., vasárnap

OpenLDAP Password Policy on Ubuntu 12.04 - Part Four

Today let me think about some new darknesses of policy making. A quick recap and the phrasing of the problem follows.

  • Users are able to logon using LDAP auth.
  • We enabled them to change their passwords.
  • We deployed the ppolicy overlay.
  • We are using it for checking the minimal password length and for storing the hash of the last three passwords preventing to reuse them. After three failed logon attempts it locks the account and after another 300 seconds the account is automatically re-enabled. We can have the user reset her password. Password expirations are handled.
  • We arranged that the Ubuntu 12.04 warns us when a password change is due and tells us if the passowrd is to be changed immediately (only in the command line, LightDM is kinda bad fella).
  • Our LDAP server acts as a backend of a Samba server.
  • We set up smbkrb5pwd overlay to keep Linux and Windows passwords synced.
  • We set up MIT-Kerberos. The Linux clients use Kerberos fo authentication but passwords changes are done using LDAP since...
  • The smbkrb5pwd overlay synchronises not only Samba, but MIT-Kerberos passwords with LDAP.
Everything is shiny and lovely. No, they are not.

The problem follows. Let us see some password changes:
suser1@ubuclient:~$ passwd 
Enter login(LDAP) password: 
New password: 
Password too short
New password: 
Re-enter new password: 
LDAP password information update failed: Constraint violation
Password fails quality checking policy
passwd: Engedély megtagadva
passwd: password unchanged
In the red bold line we enter our current password. Right. In the orange we enter the new one which is in this case shoter than six characters. PAM by default does not alllow this. The password change request does not even reach LDAP. In the blue bold line we enter a six characters long password. PAM says it is okay and passes it to the LDAP where the overlay ppolicy has the minimal password length set to eight characters. LDAP tells us about the violated constratint and refuses the change. What is wrong then?

Let us see the syslog.You will find something like this there:
smbkrb5pwd conn=1040 op=9 : changed password for user suser1@ITTHON.CUCC
Well this is the problem. If we issue the commands
kinit suser1
as suser1 then the new six characters long password will be accepted by Kerberos. Reset the password using the
ldappasswd -D cn=admin,dc=itthon,dc=cucc -w secret -s newpassword uid=suser1,ou=People,dc=itthon,dc=cucc
command. Log on to a Windows machine and change the password there. As Samba uses an admin account to change the password (or someone able to update all the nessecary attributes) the password can be anything. By default Windows XP requires a five characters long password but if you satisfy this with a - let us say - seven characters long one then regardless of the LDAP policy the password is accepted. This is the other problem we have got.

Once more:
  1. The exop password changes made on a Linux client trigger both ppolicy and smbkrb5pwd overlays. The former may deny the change of the Linux password (userPassword LDAP attribute) but the latter completes and changes the other passwords.
  2. Password changes made on Windows clients are made using anoter user mentioned in smb.conf as far as I remember and not the user we are logged on with. And the ppolicy overlay works only if one wants to change her own password.
These are the nice issues we have to deal with.

1 megjegyzés:

tylerdurden írta...

Stupid question: I thought defining the order of overlays in slapd.conf influences their functionality. So if you define smbkrb5pwd BEFORE ppolicy it will only sync passwords if the userPassword passed the policy checks. See also: http://mandriva-management-console.readthedocs.org/en/MMC_CORE_3_0_5_1/mmc/plugins/ppolicy.html#using-password-policies-with-samba