On 2/20/22 18:14, Felix Natter wrote:
> my password policies (openldap 2.5.11) are not enforced and Roland
> Gruber (author of LAM (Pro)) kindly advised me that passwords must be
> stored in plaintext (Hash=PLAIN) in order to be able to enforce password
> minimal length, password quality etc (i.e. when using passwd(1) on Linux
> or an LDAP client on Windows).
Nope. That sounds like misleading advice, or it's a misunderstanding on
your side.
1. The LDAP client should support setting a new password via the LDAP
Modify Password extended operation
or
2. as you already found out yourself you can use
olcPPolicyHashCleartext: TRUE
if the LDAP client sends a MODIFY operation with a clear-text
userPassword value.
Both options will let slapd hash the password according to the setting
of password-hash (slapd.conf) / olcPasswordHash (cn=config).
Processing of simple bind requests is not affected by these settings.
Existing password hashes will not be altered.
> [3] The manual states "Unfortunately, as dictionary and brute force
> attacks are generally quite easy for attackers to successfully mount,
> this advantage is marginal at best (this is why all modern Unix systems
> use shadow password files)."
Well, this all is debatable.
1. Implement decent ACLs which forbid any read access to all LDAP
clients (except replicas).
2. Choose a decent hash algorithm, especially understand the parameters.
Recent OpenLDAP supports {ARGON2} out of the box. Note that choosing the
right parameters is trading performance with security. ARGON2 is called
"memory-hard" and you should take this literally.
For inspiration read the comments and examples here:
https://code.stroeder.com/AE-DIR/ansible-ae-dir-server/src/branch/main/defaults/main.yml#L712
Ciao, Michael.
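The two options Michael describes (server-side hashing via the extended operation or via olcPPolicyHashCleartext) plus the ACL and hash-choice advice, written out as a cn=config LDIF. This is an added example, not from the thread or the OpenLDAP project; it assumes the data backend is olcDatabase={1}mdb, that the ppolicy overlay is already instantiated there as olcOverlay={0}ppolicy, and that the module section is cn=module{0}.

```ldif
# Added example: make slapd hash passwords itself and keep hashes unreadable.
# Assumed layout: olcDatabase={1}mdb, ppolicy overlay at olcOverlay={0}ppolicy,
# module entry cn=module{0}. Apply with:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f hash-policy.ldif

# 1. Load the Argon2 password module (OpenLDAP 2.5+, see slapd-pw-argon2(5)).
#    Depending on the build the name may need to be "argon2.la" (assumption).
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: argon2

# 2. Hash scheme slapd applies to passwords it stores itself, i.e. values
#    received via the Password Modify extended operation (ldappasswd,
#    clients implementing RFC 3062). Existing hashes are left untouched.
#    Cost parameters are documented in slapd-pw-argon2(5); memory-hard
#    means every concurrent bind costs that much RAM, so size accordingly.
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
replace: olcPasswordHash
olcPasswordHash: {ARGON2}

# 3. Also hash clear-text userPassword values that arrive in an ordinary
#    MODIFY operation from clients that do not use the extended operation.
dn: olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcPPolicyHashCleartext
olcPPolicyHashCleartext: TRUE

# 4. Nobody reads userPassword: the owner may change it, anonymous may only
#    bind against it, everyone else gets nothing. Replication consumers
#    would need their own "by dn.exact=... read" clause above "by * none".
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
```

After applying, a user-driven change such as `ldappasswd -x -D "uid=alice,ou=people,dc=example,dc=com" -W -S` (uid and suffix are placeholders) travels as a Password Modify extended operation and is stored as an {ARGON2} hash; an `ldapsearch` as any other bound user returns no userPassword attribute at all.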