On 28/01/2016 04:17, Louis Abel wrote:
Hello.
I’m having a bit of trouble understanding how the password policy
works with regard to the check_password.so module. This is my issue,
using the openldap RPMs.
Below is the configuration for the check_password.conf.
[root@phdevl09 ~]# cat /etc/openldap/check_password.conf
# OpenLDAP pwdChecker library configuration
useCracklib 1
minPoints 2
minUpper 1
minLower 1
minDigit 1
minPunct 1
Below are the logs from a password change attempt. I’m
attempting to use a password that contains upper, lower and digit
characters, but no punctuation.
#### Logs
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: conn=19337 op=1
PASSMOD new
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password: Got
line |useCracklib 1#012|
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password:
Validating parameter [useCracklib]
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password:
Parameter accepted.
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password: Word
= useCracklib, value = 1
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password: Got
line |minPoints 2#012|
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password:
Validating parameter [minPoints]
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password:
Parameter accepted.
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password: Word
= minPoints, value = 2
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password: Got
line |minUpper 1#012|
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password:
Validating parameter [minUpper]
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password:
Parameter accepted.
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password: Word
= minUpper, value = 1
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password: Got
line |minLower 1#012|
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password:
Validating parameter [minLower]
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password:
Parameter accepted.
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password: Word
= minLower, value = 1
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password: Got
line |minDigit 1#012|
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password:
Validating parameter [minDigit]
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password:
Parameter accepted.
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password: Word
= minDigit, value = 1
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password: Got
line |minPunct 1#012|
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password:
Validating parameter [minPunct]
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password:
Parameter accepted.
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password: Word
= minPunct, value = 1
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password: Got
line |#012|
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password: Found
digit character - quality raise 1
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password: Found
lower character - quality raise 2
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password: Found
upper character - quality raise 3
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]: check_password:
Reallocating szErrStr from 64 to 211
Jan 28 01:59:11 phdevl09.chotel.com slapd[1189]:
check_password_quality: module error: (check_password.so) Password for
dn="uid=tester_nalika,ou=People,o=POG,dc=example,dc=com" does not pass
required number of strength checks for the required character sets (3
of 2).[1]
Clearly this fails. 3 of 2? If I attempt to use punctuation, then the
password is accepted.
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: conn=19339 op=1
PASSMOD new
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password: Got
line |useCracklib 1#012|
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password:
Validating parameter [useCracklib]
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password:
Parameter accepted.
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password: Word
= useCracklib, value = 1
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password: Got
line |minPoints 2#012|
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password:
Validating parameter [minPoints]
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password:
Parameter accepted.
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password: Word
= minPoints, value = 2
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password: Got
line |minUpper 1#012|
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password:
Validating parameter [minUpper]
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password:
Parameter accepted.
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password: Word
= minUpper, value = 1
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password: Got
line |minLower 1#012|
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password:
Validating parameter [minLower]
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password:
Parameter accepted.
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password: Word
= minLower, value = 1
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password: Got
line |minDigit 1#012|
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password:
Validating parameter [minDigit]
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password:
Parameter accepted.
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password: Word
= minDigit, value = 1
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password: Got
line |minPunct 1#012|
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password:
Validating parameter [minPunct]
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password:
Parameter accepted.
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password: Word
= minPunct, value = 1
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password: Got
line |#012|
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password: Found
lower character - quality raise 1
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password: Found
digit character - quality raise 2
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password: Found
upper character - quality raise 3
Jan 28 02:00:09 phdevl09.chotel.com slapd[1189]: check_password: Found
punctuation character - quality raise 4
Why is this? Am I misunderstanding how minPoints works? I didn’t want
to submit a Bugzilla because I don’t think this is really a “bug”, but
a misconfiguration on my part somewhere.
Hello Louis,
first, you need to register to be able to post to the list and receive
answers, see: http://lists.ltb-project.org/listinfo/ltb-users
Regarding your question, you set minPoints but also minUpper, minLower,
..., so a password can only be valid with at least one upper, one lower,
one digit and one punct. The log message is not clear, but the behavior
is normal.
If you use minPoints, you should maybe not use the other configuration
parameters, or configure them with care.
--
Clément OUDOT
Consultant en logiciels libres, Expert infrastructure et sécurité
Savoir-faire Linux
_______________________________________________
ltb-users mailing list
[email protected]
http://lists.ltb-project.org/listinfo/ltb-users
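The following is an added example, not code from the LTB project or from either poster, that models the two rules Clément describes so the "3 of 2" rejection in Louis's log can be reproduced offline: each minUpper/minLower/minDigit/minPunct value is a hard per-class requirement, and minPoints is a separate, independent threshold on the number of distinct character classes present. The configuration text is copied from the thread; the sample passwords, the points-only variant of the policy and the rejection wording are constructed here. The cracklib dictionary check behind useCracklib is not modelled, and character classes are counted in ASCII terms, which is an assumption of this model rather than a statement about how the real module classifies non-ASCII input.

```python
"""Model of the check_password.so quality rules discussed in the thread.

Added example, not the LTB project's code. It reimplements the character
class counting and the two independent thresholds (per-class minimums and
minPoints) so the rejection seen in the slapd log can be reproduced.
The cracklib check (useCracklib) is not modelled.
"""
import string

# Constructed copy of /etc/openldap/check_password.conf from the thread.
CONF_TEXT = """\
# OpenLDAP pwdChecker library configuration
useCracklib 1
minPoints 2
minUpper 1
minLower 1
minDigit 1
minPunct 1
"""

# The same policy with the per-class minimums dropped, which is what the
# reply suggests when minPoints alone is the intended rule (constructed).
CONF_POINTS_ONLY = """\
useCracklib 1
minPoints 2
"""

DEFAULTS = {"useCracklib": 0, "minPoints": 0, "minUpper": 0,
            "minLower": 0, "minDigit": 0, "minPunct": 0}

# ASCII character classes (assumption of this model; the real module's
# classification of non-ASCII characters is not covered by the thread).
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "punct": set(string.punctuation),
}


def parse_conf(text):
    """Parse 'key value' lines, skipping blanks and '#' comments.

    Unknown keys are rejected, mirroring the 'Validating parameter' step
    visible in the slapd log.
    """
    conf = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0] not in DEFAULTS:
            raise ValueError("bad configuration line %r" % raw)
        conf[parts[0]] = int(parts[1])
    return conf


def count_classes(password):
    """Return {class: number of characters of that class} for the password."""
    counts = {name: 0 for name in CLASSES}
    for ch in password:
        for name, members in CLASSES.items():
            if ch in members:
                counts[name] += 1
                break
    return counts


def check_password(password, conf):
    """Apply the policy; return (accepted, quality_points, reason).

    Both rules must hold:
      1. every minUpper/minLower/minDigit/minPunct threshold is met;
      2. the number of distinct classes present (quality points) is at
         least minPoints.
    Rule 1 is what rejects an upper+lower+digit password under the
    thread's config even though it scores 3 points against minPoints 2.
    """
    counts = count_classes(password)
    quality = sum(1 for n in counts.values() if n > 0)
    for name, n in counts.items():
        required = conf["min" + name.capitalize()]
        if n < required:
            # Name the missing class, which the module's message does not.
            return (False, quality,
                    "needs at least %d %s character(s), found %d "
                    "(quality %d of minPoints %d)"
                    % (required, name, n, quality, conf["minPoints"]))
    if quality < conf["minPoints"]:
        return (False, quality,
                "only %d character class(es) present, minPoints is %d"
                % (quality, conf["minPoints"]))
    return (True, quality, "ok")


if __name__ == "__main__":
    strict = parse_conf(CONF_TEXT)
    relaxed = parse_conf(CONF_POINTS_ONLY)
    for pw in ("Tester123", "Tester123!", "tester"):   # constructed samples
        for label, conf in (("strict", strict), ("points-only", relaxed)):
            ok, q, why = check_password(pw, conf)
            print("%-11s %-11s accepted=%-5s %s" % (pw, label, ok, why))
```

Running it shows the asymmetry in the thread: under the strict policy "Tester123" reaches 3 quality points, comfortably above minPoints 2, and is still rejected because minPunct 1 is not met, while under the points-only policy the same password is accepted and only a single-class password such as "tester" fails. When the intent is "any two classes", leave the per-class minimums at 0 or out of the file; setting them all to 1 makes minPoints redundant, since any password satisfying four per-class minimums already has four points.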