Re: Forbidden account password reuse of the last 5 password
On 16/02/19 15:27, Howard Chu wrote:
> The module was written for Heimdal. Feel free to submit a patch to make it compatible with MIT Kerberos.

Sorry, I don't think I'm capable of doing something like this, I'm not a programmer. I was just asking if it was compatible; I assume your answer means it is not.

Regards
Simone
Re: Forbidden account password reuse of the last 5 password
On 2/16/19 1:33 PM, Derek Zhou wrote:
> With ppolicy, can a user change his password after his password expired?

Yes. This feature is called grace logins and the possible LDAP operations are very limited (e.g. no search). See the description of attribute 'pwdGraceAuthnLimit' in the man page slapo-ppolicy(5).

Ciao, Michael.
Re: Forbidden account password reuse of the last 5 password
On 2/15/19 2:57 AM, Derek Zhou wrote:
> Yeah, adding kerberos is a complexity and you cannot change password
> via ldap anymore; has to go through the kerberos route. My notion of
> "safe" is only referring to the fact that the password text is not
> stored anywhere and the rogue admin cannot read user's passwords.

If you set the password-hash directive in slapd.conf and use the Password Modify extended operation (e.g. via the CLI tool ldappasswd) then no clear-text password is stored. Choose a salted hash scheme.

In contrast to that, a KDC must store a reversibly encrypted shared secret derived from the user's password which can be directly abused in the Kerberos protocol if the KDC system gets hacked.

> I haven't found a good and up to date howto with step by step
> instructions on ppolicy with cn=config. I'd appreciate it if someone
> here could give me a pointer.

I have no docs at hand which are better than OpenLDAP's admin guide.

Ciao, Michael.
Re: Forbidden account password reuse of the last 5 password
On February 15, 2019 10:50:36 PM GMT+08:00, Howard Chu wrote:
> slapd does not store plaintext passwords either.

Sorry for spreading misinformation based on my imagination.

With ppolicy, can a user change his password after his password expired? I'd think no, because you have to bind before you modify the userPassword field, and if the password expired I'd think bind will fail. OTOH, Kerberos does allow a user to change the password after expiration. This saves me a lot of work, because my users always forget to change their pw in time.

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
Re: Forbidden account password reuse of the last 5 password
Simone Piccardi wrote:
> On 15/02/19 15:50, Howard Chu wrote:
>> As for kerberos, you can always run the KDC with OpenLDAP as its backing store,
>> and use e.g. the smbk5pwd overlay to update the kerberos keys when changing a
>> user's LDAP password. IMO this is a superior solution since a single LDAP-based
>> admin tool can take care of standard LDAP as well as Kerberos administration.
>>
> But does it still work only on Heimdal, or can it also be used with MIT Kerberos?

The module was written for Heimdal. Feel free to submit a patch to make it compatible with MIT Kerberos.

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
Re: Forbidden account password reuse of the last 5 password
On 15/02/19 15:50, Howard Chu wrote:
> As for kerberos, you can always run the KDC with OpenLDAP as its backing store,
> and use e.g. the smbk5pwd overlay to update the kerberos keys when changing a
> user's LDAP password. IMO this is a superior solution since a single LDAP-based
> admin tool can take care of standard LDAP as well as Kerberos administration.

But does it still work only on Heimdal, or can it also be used with MIT Kerberos?

Regards
Simone
-- 
Simone Piccardi                                 Truelite Srl
picca...@truelite.it (email/jabber)             Via Monferrato, 6
Tel. +39-347-1032433                            50142 Firenze
http://www.truelite.it                          Tel. +39-055-7879597
Re: Forbidden account password reuse of the last 5 password
Derek Zhou wrote:
>
> Michael Ströder writes:
>
>> On 2/14/19 8:19 AM, Derek Zhou wrote:
>>> Better use kerberos for advanced password policy requirements. You can
>>> use SASL to bridge LDAP's userPassword checking to a kerberos backend so
>>> everything still works and is much safer.
>>
>> By which definition of "safe" is adding more complexity safer?
>>
>> Especially you don't know how the original poster does password changes.
>> Maybe he wants to use ppolicy response controls etc.
>>
> Yeah, adding kerberos is a complexity and you cannot change password
> via ldap anymore; it has to go through the kerberos route. My notion of
> "safe" is only referring to the fact that the password text is not
> stored anywhere and the rogue admin cannot read user's passwords.

slapd does not store plaintext passwords either.

As for kerberos, you can always run the KDC with OpenLDAP as its backing store, and use e.g. the smbk5pwd overlay to update the kerberos keys when changing a user's LDAP password. IMO this is a superior solution since a single LDAP-based admin tool can take care of standard LDAP as well as Kerberos administration.

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
Re: Forbidden account password reuse of the last 5 password
Michael Ströder writes:
> On 2/14/19 8:19 AM, Derek Zhou wrote:
>> Better use kerberos for advanced password policy requirements. You can
>> use SASL to bridge LDAP's userPassword checking to a kerberos backend so
>> everything still works and is much safer.
>
> By which definition of "safe" is adding more complexity safer?
>
> Especially you don't know how the original poster does password changes.
> Maybe he wants to use ppolicy response controls etc.
>

Yeah, adding kerberos is a complexity and you cannot change password via ldap anymore; it has to go through the kerberos route. My notion of "safe" is only referring to the fact that the password text is not stored anywhere and the rogue admin cannot read user's passwords.

I haven't found a good and up to date howto with step by step instructions on ppolicy with cn=config. I'd appreciate it if someone here could give me a pointer.

Derek
Re: Re: Re: Forbidden account password reuse of the last 5 password
On 15/02/2019 at 04:08, Tian Zhiying wrote:
>
> Clément Oudot,
>
> Thank you.
>
> I have changed the rootdn from root to another user, it's still not
> working. I can modify the user password the same as before.
>

First check that you are sending your password in cleartext, so that OpenLDAP can check the syntax and compare it to passwords in history.

You might need to set pwdCheckQuality to 1 or 2 in your ppolicy, but I am not sure it is required to check history. It is needed to check password length and other checks from the optional password checker module.

-- 
Clément Oudot | Identity Solutions Manager
clement.ou...@worteks.com
Worteks | https://www.worteks.com
Re: Re: Forbidden account password reuse of the last 5 password
Clément Oudot,

Thank you.

I have changed the rootdn from root to another user, it's still not working. I can modify the user password the same as before.

I have set the password policy and added the user to this password policy as below:

From: openldap-technical [mailto:openldap-technical-boun...@openldap.org] on behalf of Clément OUDOT
Sent: 14 February 2019 23:19
To: openldap-technical@openldap.org
Subject: Re: Re: Forbidden account password reuse of the last 5 password

On 14/02/2019 at 12:17, Tian Zhiying wrote:
> But it seems not working, my passwords are the following:
> First time password: AAbb1122
> Second time password: CCdd3344
> Third time password: AAbb1122, same as the first time password; it has been modified successfully.

Check that the password modification is not done by the rootdn, as the rootdn is bypassing password policy constraints.

-- 
Clément Oudot | Identity Solutions Manager
clement.ou...@worteks.com
Worteks | https://www.worteks.com
Re: Re: Re: Forbidden account password reuse of the last 5 password
Yes, I have set a default password policy and assigned the password policy to the user.

-----Original Message-----
From: openldap-technical [mailto:openldap-technical-boun...@openldap.org] on behalf of Ulrich Windl
Sent: 14 February 2019 22:18
To: matthieu.ce...@nbs-system.com; openldap-technical@openldap.org; tianzy1225
Subject: Re: Re: Forbidden account password reuse of the last 5 password

>>> "Tian Zhiying" wrote on 14.02.2019 at 12:17 in message <01d4c456$d6b4ed40$841ec7c0$@thundersoft.com>:
> Hi Matthieu,
>
> Thank you for your reply.
>
> I have set the "pwdInHistory" attribute to 5 in the password policy and
> set forbidding their reuse in config.inc.php of Self Service Password,
> as shown below:

Did you also assign the password policy to users, or did you set a default policy?

> But it seems not working, my passwords are the following:
> First time password: AAbb1122
> Second time password: CCdd3344
> Third time password: AAbb1122, same as the first time password; it
> has been modified successfully.
>
> Thanks
>
> -----Original Message-----
> From: openldap-technical [mailto:openldap-technical-boun...@openldap.org] on behalf of Matthieu Cerda
> Sent: 14 February 2019 17:38
> To: openldap-technical@openldap.org
> Subject: Re: Forbidden account password reuse of the last 5 password
>
> You may set the "pwdInHistory" attribute to 5 to store the last 5 passwords used, and forbid their reuse.
>
> On 14/02/2019 at 10:35, Matthieu Cerda wrote:
>> Yes, you might want to use the password policy (ppolicy) overlay:
>> https://kb.symas.com/v2.4.45.2/man5/slapo-ppolicy/
>>
>> On 14/02/2019 at 07:58, Tian Zhiying wrote:
>>> Hi
>>>
>>> Is there a feature that OpenLDAP password policy can forbid user password reuse of the last 5 passwords?
>>>
>>> Thanks.
>
> --
> Matthieu Cerda
> Infrastructure, BU Means @ NBS System
Re: Re: Forbidden account password reuse of the last 5 password
>>> "Tian Zhiying" wrote on 14.02.2019 at 12:17 in message <01d4c456$d6b4ed40$841ec7c0$@thundersoft.com>:
> Hi Matthieu,
>
> Thank you for your reply.
>
> I have set the "pwdInHistory" attribute to 5 in the password policy and
> set forbidding their reuse in config.inc.php of Self Service Password,
> as shown below:

Did you also assign the password policy to users, or did you set a default policy?

> But it seems not working, my passwords are the following:
> First time password: AAbb1122
> Second time password: CCdd3344
> Third time password: AAbb1122, same as the first time password; it
> has been modified successfully.
>
> Thanks
>
> -----Original Message-----
> From: openldap-technical [mailto:openldap-technical-boun...@openldap.org] on behalf of Matthieu Cerda
> Sent: 14 February 2019 17:38
> To: openldap-technical@openldap.org
> Subject: Re: Forbidden account password reuse of the last 5 password
>
> You may set the "pwdInHistory" attribute to 5 to store the last 5 passwords used, and forbid their reuse.
>
> On 14/02/2019 at 10:35, Matthieu Cerda wrote:
>> Yes, you might want to use the password policy (ppolicy) overlay:
>> https://kb.symas.com/v2.4.45.2/man5/slapo-ppolicy/
>>
>> On 14/02/2019 at 07:58, Tian Zhiying wrote:
>>> Hi
>>>
>>> Is there a feature that OpenLDAP password policy can forbid user password reuse of the last 5 passwords?
>>>
>>> Thanks.
>
> --
> Matthieu Cerda
> Infrastructure, BU Means @ NBS System
Re: Forbidden account password reuse of the last 5 password
>>> "Tian Zhiying" wrote on 14.02.2019 at 07:58 in message <012201d4c432$c27c4540$4774cfc0$@thundersoft.com>:
> Hi
>
> Is there a feature that OpenLDAP password policy can forbid user password
> reuse of the last 5 passwords?
>
> Thanks.

"Password policy" is the name you are looking for.
Re: Forbidden account password reuse of the last 5 password
On 2/14/19 8:19 AM, Derek Zhou wrote:
> Tian Zhiying writes:
>> Is there a feature that OpenLDAP password policy can forbid user
>> password reuse of the last 5 passwords?
>
> Better use kerberos for advanced password policy requirements. You can
> use SASL to bridge LDAP's userPassword checking to a kerberos backend so
> everything still works and is much safer.

By which definition of "safe" is adding more complexity safer?

Especially you don't know how the original poster does password changes. Maybe he wants to use ppolicy response controls etc.

Ciao, Michael.
Re: Re: Forbidden account password reuse of the last 5 password
On 14/02/2019 at 12:17, Tian Zhiying wrote:
>
> But it seems not working, my passwords are the following:
>
> First time password: AAbb1122
>
> Second time password: CCdd3344
>
> Third time password: AAbb1122, same as the first time password; it
> has been modified successfully.
>

Check that the password modification is not done by the rootdn, as the rootdn is bypassing password policy constraints.

-- 
Clément Oudot | Identity Solutions Manager
clement.ou...@worteks.com
Worteks | https://www.worteks.com
Re: Forbidden account password reuse of the last 5 password
Tian Zhiying writes:
> Hi
>
> Is there a feature that OpenLDAP password policy can forbid user password
> reuse of the last 5 passwords?
>

Better use kerberos for advanced password policy requirements. You can use SASL to bridge LDAP's userPassword checking to a kerberos backend so everything still works and is much safer.

Derek
Re: Forbidden account password reuse of the last 5 password
Hi Matthieu,

Thank you for your reply.

I have set the "pwdInHistory" attribute to 5 in the password policy and set forbidding their reuse in config.inc.php of Self Service Password, as shown below:

But it seems not working, my passwords are the following:

First time password: AAbb1122
Second time password: CCdd3344
Third time password: AAbb1122, same as the first time password; it has been modified successfully.

Thanks

-----Original Message-----
From: openldap-technical [mailto:openldap-technical-boun...@openldap.org] on behalf of Matthieu Cerda
Sent: 14 February 2019 17:38
To: openldap-technical@openldap.org
Subject: Re: Forbidden account password reuse of the last 5 password

You may set the "pwdInHistory" attribute to 5 to store the last 5 passwords used, and forbid their reuse.

On 14/02/2019 at 10:35, Matthieu Cerda wrote:
> Yes, you might want to use the password policy (ppolicy) overlay:
> https://kb.symas.com/v2.4.45.2/man5/slapo-ppolicy/
>
> On 14/02/2019 at 07:58, Tian Zhiying wrote:
>> Hi
>>
>> Is there a feature that OpenLDAP password policy can forbid user password
>> reuse of the last 5 passwords?
>>
>> Thanks.

-- 
Matthieu Cerda
Infrastructure, BU Means @ NBS System
Re: Forbidden account password reuse of the last 5 password
You may set the "pwdInHistory" attribute to 5 to store the last 5 passwords used, and forbid their reuse.

On 14/02/2019 at 10:35, Matthieu Cerda wrote:
> Yes, you might want to use the password policy (ppolicy) overlay:
> https://kb.symas.com/v2.4.45.2/man5/slapo-ppolicy/
>
> On 14/02/2019 at 07:58, Tian Zhiying wrote:
>> Hi
>>
>> Is there a feature that OpenLDAP password policy can forbid user password
>> reuse of the last 5 passwords?
>>
>> Thanks.

-- 
Matthieu Cerda
Infrastructure, BU Means @ NBS System
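An added worked example, not from this thread or from the OpenLDAP project, that ties the advice in the thread together: the cn=config LDIF for slapo-ppolicy with pwdInHistory set to 5 (Matthieu's answer), a salted password hash so nothing is stored in the clear (Michael's password-hash point), pwdGraceAuthnLimit so an expired user can still change the password (Michael's grace-login note), and a verification routine that binds as the end user rather than the rootdn, since the rootdn bypasses the policy (Clément's point). Everything not in the thread is an assumption to adapt for your own server: OpenLDAP 2.4 with the ppolicy schema shipped as a separate LDIF (Debian path), cn=config reachable over ldapi:/// with SASL EXTERNAL as root, the data database named olcDatabase={1}mdb under suffix dc=example,dc=com, a rootdn of cn=admin, and an ACL that lets users write their own userPassword.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenLDAP project): cn=config setup of
# slapo-ppolicy that forbids reuse of the last 5 passwords, plus a check that
# binds as the user. The rootdn bypasses ppolicy, so a test run as rootdn
# proves nothing.
# Assumptions, adjust for your server: OpenLDAP 2.4 with the ppolicy schema as
# a separate LDIF (Debian path below), config reachable over ldapi:/// with SASL
# EXTERNAL as root, data database olcDatabase={1}mdb, suffix dc=example,dc=com,
# rootdn cn=admin, and an ACL allowing users to write their own userPassword.

SUFFIX="${SUFFIX:-dc=example,dc=com}"
DB_DN="${DB_DN:-olcDatabase={1}mdb,cn=config}"
ROOTDN="${ROOTDN:-cn=admin,$SUFFIX}"
URI="${URI:-ldap://localhost}"          # ldappasswd sends the new password in
                                        # the clear: use ldaps:// or add -ZZ
PPOLICY_SCHEMA="${PPOLICY_SCHEMA:-/etc/ldap/schema/ppolicy.ldif}"
POLICY_DN="cn=default,ou=policies,$SUFFIX"

# cn=config changes: load the module, store userPassword as salted SHA-1 (this
# covers the Password Modify exop path), and attach the overlay with a default
# policy. olcPPolicyHashCleartext also hashes passwords sent via a plain
# Modify, so no cleartext is stored on either path.
config_ldif() {
  cat <<EOF
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy.la

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
replace: olcPasswordHash
olcPasswordHash: {SSHA}

dn: olcOverlay=ppolicy,$DB_DN
changetype: add
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: $POLICY_DN
olcPPolicyHashCleartext: TRUE
EOF
}

# The default policy entry in the data tree. pwdPolicy is an auxiliary class,
# hence the structural 'person'. pwdInHistory 5 is the depth asked for;
# pwdGraceAuthnLimit lets an expired user still bind to change the password.
policy_ldif() {
  cat <<EOF
dn: ou=policies,$SUFFIX
changetype: add
objectClass: organizationalUnit
ou: policies

dn: $POLICY_DN
changetype: add
objectClass: person
objectClass: pwdPolicy
cn: default
sn: default
pwdAttribute: userPassword
pwdInHistory: 5
pwdCheckQuality: 2
pwdMinLength: 8
pwdMaxAge: 7776000
pwdGraceAuthnLimit: 3
EOF
}

apply_policy() {
  ldapadd -Y EXTERNAL -H ldapi:/// -f "$PPOLICY_SCHEMA" &&
  config_ldif | ldapmodify -Y EXTERNAL -H ldapi:/// &&
  policy_ldif | ldapmodify -x -H "$URI" -D "$ROOTDN" -W
}

# Bound as the user: change p1 -> p2 (must succeed), then p2 -> p1 (must be
# refused: ppolicy answers constraintViolation(19), so ldappasswd exits non-zero).
verify_history() {
  user_dn=$1; p1=$2; p2=$3
  ldappasswd -x -H "$URI" -D "$user_dn" -w "$p1" -s "$p2" || return 1
  if ldappasswd -x -H "$URI" -D "$user_dn" -w "$p2" -s "$p1"; then
    echo "FAIL: reuse of the previous password was accepted" >&2
    return 1
  fi
  echo "OK: reuse of the previous password was refused"
}

case "${1:-print}" in
  print)  config_ldif; echo; policy_ldif ;;
  apply)  apply_policy ;;
  verify) verify_history "$2" "$3" "$4" ;;  # verify "uid=test,ou=people,$SUFFIX" AAbb1122 CCdd3344
esac
```

Run it with `print` to review the LDIF, `apply` (as root, so the ldapi:/// EXTERNAL bind maps to the config rootdn) to load it, and `verify <user DN> <current pw> <new pw>` to reproduce the three-password test from the thread as the user. If the second ldappasswd in `verify` succeeds, the usual causes are the ones raised above: the change went through the rootdn, the entry has no policy (no pwdPolicySubentry and no olcPPolicyDefault), or the client sent a pre-hashed value, which ppolicy cannot compare against the salted hashes in pwdHistory.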
Re: Forbidden account password reuse of the last 5 password
Yes, you might want to use the password policy (ppolicy) overlay:
https://kb.symas.com/v2.4.45.2/man5/slapo-ppolicy/

On 14/02/2019 at 07:58, Tian Zhiying wrote:
> Hi
>
> Is there a feature that OpenLDAP password policy can forbid user password
> reuse of the last 5 passwords?
>
> Thanks.

-- 
Matthieu Cerda
Infrastructure, BU Means @ NBS System
Forbidden account password reuse of the last 5 password
Hi

Is there a feature that OpenLDAP password policy can forbid user password reuse of the last 5 passwords?

Thanks.