2012. szeptember 16., vasárnap

OpenLDAP Password Policy on Ubuntu 12.04-en - Part Six

Last time we managed to set up a policy handling almost every aspect of the passwords of the users stored in OpenLDAP. This means the minimal and maximal password length; the already used password which cannot be reused for a while and we arranged to get warned of the passwords about to expire.
This works more or less with Kerberos too with the exception of remembering the last passwords. The Kerberos man page says it does not work when using LDAP backend. And we happen to use one.
We do have a solution to have the user enter a different password when changing passwords and it is more or less as if we could store the last password.
The implementatiion of the Kerberos password policy was interesting because the OpenLDAP overlay we use for password sync - smbkrb5pwd - changes the passwords (Kerberos, Samba) even when the OpenLDAP ppolicy overlay does not allow the change of userPassword attribute (the Linux password). We were lucky because there are cases when the smbkrb5pwd (with admin rights) cannot override the Kerberos policy. And if we happen to have a funtionally identical LDAP and Kerberos policy then the bad passwords (the ones not conforming the policy) are neglected - in the case of userPassword attribute by the ppolicy and in the case of Kerberos and Samba passwords by the Kerberos policy. We are once again lucky because smbkrb5pwd first changes the Kerberos password and if that fails then the Samba password is left alone.

The only problem we have is when one changes password form the Samba side (i.e. from Windows) we still can get a "bad" password. The ppolicy overlay only works when one changes his/her own password and the policies are not forced when being an admin. Since Samba uses an "admin" account when digging holes in LDAP this password change will slip over the police line at least in the case of the userPassword attribute. So we need a separete Samba policy.
This policy is implemented using the pdbedit utility. From now on I try to follow the ppolicy policy created here which was later changed (due to Kerberos and smbkrb5pwd) here. To understand the commands I suggest that you read the Further reading section and the output of man pdbedit.
sudo pdbedit -P "min password length" -C 8
sudo pdbedit -P "bad lockout attempt" -C 3
sudo pdbedit -P "lockout duration" -C 5
sudo pdbedit -P "maximum password age" -C 3024000
sudo pdbedit -P "minimum password age" -C 3600
sudo pdbedit -P "password history" -C 1

If we try to change our password form Windows and we choose a short new password (rum for example) the the error message should reflect the chages made above. And if we change  sambaPwdLastSet attribute to be in the password change warning period ((DAY OF NEW PASSWORD - 1970.01.01)*24*60*60), the we will have a warning too. If the password has already expired then we are warned to change it now.
Hmmm. We did not allow this in the default OpenLDAP ppolicy (though we should) as there we have the pwdGraceAuthNLimit set to 0. And we are warned for example nine days before expiration. Where are these values taken from? See the second link in further reading.

So the only thing left is to make the Samba attributes reflect this expiration time when setting a password. This has to be solved in the settings of smbkrb5pwd. There you have the file smbkrb5pwd_pwdMustChange.ldif where we set up the usual five weeks' time:
dn: olcOverlay={1}smbkrb5pwd,olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcSmbKrb5PwdMustChange
olcSmbKrb5PwdMustChange: 3024000


Further reading:
http://www.linuxtopia.org/online_books/network_administration_guides/samba_reference_guide/18_passdb_15.html
http://www.lockergnome.com/windows/2005/05/09/change-when-users-receive-the-password-expiration-notification-2kxp-pro2003/

Nincsenek megjegyzések: