Re: Forbidden account password reuse of the last 5 password
On 16/02/19 15:27, Howard Chu wrote:
> The module was written for Heimdal. Feel free to submit a patch to make it compatible with MIT Kerberos.

Sorry, I don't think I'm capable of doing something like this, I'm not a programmer. I was just asking if it was compatible; I assume your answer means it is not.

Regards
Simone
Re: Forbidden account password reuse of the last 5 password
On 2/16/19 1:33 PM, Derek Zhou wrote:
> With ppolicy, can a user change his password after his password expired?

Yes. This feature is called grace logins and the possible LDAP operations are very limited (e.g. no search). See the description of attribute 'pwdGraceAuthnLimit' in the man page slapo-ppolicy(5).

Ciao, Michael.
Re: Forbidden account password reuse of the last 5 password
On 2/15/19 2:57 AM, Derek Zhou wrote:
> Yeah, adding kerberos is a complexity and you cannot change password
> via ldap anymore; has to go through the kerberos route. My notion of
> "safe" is only referring to the fact that the password text is not
> stored anywhere and the rogue admin cannot read users' passwords.

If you set the password-hash directive in slapd.conf and use the Password Modify extended operation (e.g. via the CLI tool ldappasswd) then no clear-text password is stored. Choose a salted hash scheme.

In contrast to that, a KDC must store a reversibly encrypted shared secret derived from the user's password, which can be directly abused in the Kerberos protocol if the KDC system gets hacked.

> I haven't found a good and up to date howto with step by step
> instructions on ppolicy with cn=config. I'd appreciate if someone
> here gave me a pointer.

I have no docs at hand which are better than OpenLDAP's admin guide.

Ciao, Michael.
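A worked cn=config setup for what Michael describes, added here as an example (it is not from the thread or from the OpenLDAP documentation): a salted olcPasswordHash, the ppolicy overlay, and a default policy that keeps the last 5 password hashes (the subject of this thread) and allows grace logins after expiry. Assumed: an mdb database at olcDatabase={1}mdb, suffix dc=example,dc=com, ppolicy built as a module, and the ppolicy schema already loaded into cn=schema,cn=config.

```ldif
# Added example, not from the thread. Assumptions: olcDatabase={1}mdb,
# suffix dc=example,dc=com, ppolicy schema already loaded
# (e.g. ldapadd -Y EXTERNAL -H ldapi:/// -f ppolicy.ldif).

# Part 1: cn=config (apply with ldapmodify -Y EXTERNAL -H ldapi:/// -f FILE)
# Hash passwords set via the Password Modify exop (ldappasswd) with a
# salted scheme, so userPassword never holds clear text.
dn: cn=config
changetype: modify
replace: olcPasswordHash
olcPasswordHash: {SSHA}

dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy

# Attach the overlay and name the default policy. HashCleartext also
# hashes clear-text userPassword values that arrive via a plain Modify.
dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=com
olcPPolicyHashCleartext: TRUE

# Part 2: data DIT (apply as the directory admin, e.g.
# ldapadd -x -D cn=admin,dc=example,dc=com -W -f FILE)
dn: ou=policies,dc=example,dc=com
changetype: add
objectClass: organizationalUnit
ou: policies

dn: cn=default,ou=policies,dc=example,dc=com
changetype: add
objectClass: person
objectClass: pwdPolicy
cn: default
sn: default
pwdAttribute: userPassword
# keep the 5 previous hashes in pwdHistory; reuse of any of them is rejected
pwdInHistory: 5
# expire after 90 days (seconds)
pwdMaxAge: 7776000
# after expiry, allow 3 more binds so the user can still change the password
pwdGraceAuthnLimit: 3
pwdMinLength: 12
pwdCheckQuality: 1
```

Password changes must go through slapd (ldappasswd, or a Modify of userPassword) for pwdHistory to be maintained; the history holds the hashed values, which is how reuse is detected even though no clear text is stored.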
Re: Forbidden account password reuse of the last 5 password
On February 15, 2019 10:50:36 PM GMT+08:00, Howard Chu wrote:
> slapd does not store plaintext passwords either.

Sorry for spreading misinformation based on my imagination.

With ppolicy, can a user change his password after his password expired? I'd think no, because you have to bind before you modify the userPassword field, and if the password expired I'd think the bind will fail. OTOH, Kerberos does allow the user to change password after expiration. This saves me a lot of work, because my users always forget to change their password in time.

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
Re: Forbidden account password reuse of the last 5 password
Simone Piccardi wrote:
> On 15/02/19 15:50, Howard Chu wrote:
>> As for kerberos, you can always run the KDC with OpenLDAP as its backing store,
>> and use e.g. the smbk5pwd overlay to update the kerberos keys when changing a
>> user's LDAP password. IMO this is a superior solution since a single LDAP-based
>> admin tool can take care of standard LDAP as well as Kerberos administration.
>>
> But does it still work only on Heimdal, or can it also be used with MIT Kerberos?

The module was written for Heimdal. Feel free to submit a patch to make it compatible with MIT Kerberos.

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
Re: Forbidden account password reuse of the last 5 password
On 15/02/19 15:50, Howard Chu wrote:
> As for kerberos, you can always run the KDC with OpenLDAP as its backing store,
> and use e.g. the smbk5pwd overlay to update the kerberos keys when changing a
> user's LDAP password. IMO this is a superior solution since a single LDAP-based
> admin tool can take care of standard LDAP as well as Kerberos administration.

But does it still work only on Heimdal, or can it also be used with MIT Kerberos?

Regards
Simone

-- 
Simone Piccardi
Truelite Srl
picca...@truelite.it (email/jabber)
Via Monferrato, 6          Tel. +39-347-1032433
50142 Firenze              Tel. +39-055-7879597
http://www.truelite.it