Discussion:
Change User Password (passwd vs. ldappasswd)
w***@gmail.com
2010-08-02 20:34:41 UTC
Hi,

I have set up and configured the openldap 2.3 servers (master-slave) that come
with CentOS 5.4. I use openldap to centralize Linux/Unix user account
management. Everything works as expected. However, I am confused about
changing user passwords. Without LDAP, we use file-based authentication
(/etc/passwd and /etc/shadow), so users can change their password
via the "passwd" command. Now that I have migrated all my users to LDAP with the
default password policy, users can still use the passwd command to change their
password, but the LDAP password policy is not enforced. For example, my ldap
password policy has a minimum password length requirement of 12, and I am able to
change a user's password to something less than 12 characters. However, if
users use "ldappasswd -x -vv -S -W -D uid=user1,ou=People,dc=IT,dc=Company"
to change their password, the LDAP password policy will be enforced, i.e.
they will not be allowed to change to a password of less than 12 characters.

Are the users supposed to use the passwd OR the ldappasswd command to change their
password? It's very inconvenient for users to use the ldappasswd command to
change their password, as you can see they have to do much more typing, and some
novice users are not even aware of the ldappasswd command. I am confused here.
Any help would be greatly appreciated.

Thanks
Wei
Buchan Milne
2010-08-03 11:31:29 UTC
Post by w***@gmail.com
Hi,
I have set up and configured the openldap 2.3 servers (master-slave) that come
with CentOS 5.4. I use openldap to centralize Linux/Unix user account
management. Everything works as expected. However, I am confused about
changing user passwords. Without LDAP, we use file-based authentication
(/etc/passwd and /etc/shadow), so users can change their password
via the "passwd" command. Now that I have migrated all my users to LDAP with the
default password policy, users can still use the passwd command to change their
password, but the LDAP password policy is not enforced. For example, my ldap
password policy has a minimum password length requirement of 12, and I am able to
change a user's password to something less than 12 characters.
Consider how ldappasswd changes the password, and compare it to how your
pam_ldap is configured to change the password.

In this case, most likely, you have pam_ldap configured to hash the new value
for userPassword before sending it to the LDAP server as the new value. So,
the LDAP server doesn't see the clear text, only the hash, thus it can't
enforce any quality controls on the password, as it only gets the hash.
Post by w***@gmail.com
However, if
users use "ldappasswd -x -vv -S -W -D uid=user1,ou=People,dc=IT,dc=Company"
to change their password, the LDAP password policy will be enforced, i.e.
they will not be allowed to change to a password of less than 12 characters.
In this case, the LDAP client is providing the new password in clear text (so,
you should have transport encryption in place).
Post by w***@gmail.com
Are the users supposed to use the passwd OR the ldappasswd command to change their
password? It's very inconvenient for users to use the ldappasswd command to
change their password, as you can see they have to do much more typing, and some
novice users are not even aware of the ldappasswd command. I am confused here.
Any help would be greatly appreciated.
You need to configure your pam_ldap to do a password change via extended
operation, by setting:

pam_password exop

in /etc/ldap.conf

Regards,
Buchan
Chris Jacobs
2010-08-03 14:37:44 UTC
And make sure pam_ldap is ref'd in your 'password' pam file (CentOS 5.4: just do it in /etc/pam.d/system-auth).

- chris

Chris Jacobs, Systems Administrator
Apollo Group | Apollo Marketing | Aptimus
2001 6th Ave Ste 3200 | Seattle, WA 98121
phone: 206.441.9100 x1245 | mobile: 206.601.3256 | fax: 206.441.9661
email: ***@apollogrp.edu

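The two replies above come down to one question: does slapd ever see the new password in clear, or only a digest of it? The following is an added, self-contained demonstration written for this thread; it is not code from the thread, from pam_ldap, or from OpenLDAP. It models what pam_ldap submits under a local-hash setting ("pam_password md5", {MD5} and {SSHA} shown) against what it submits under "pam_password exop" (an RFC 3062 Password Modify request value, BER-encoded by hand here), and runs the thread's 12-character minimum over both. It also includes the two client-side checks suggested above: the pam_password value in /etc/ldap.conf and whether pam_ldap.so sits in the "password" stack of a PAM file such as /etc/pam.d/system-auth. The config texts, the DN and the fixed salt are constructed sample inputs; the "unchecked" outcome mirrors a ppolicy with pwdCheckQuality 1, which accepts a value it cannot inspect.

```python
# Added demonstration (not code from the thread, pam_ldap or OpenLDAP): what the
# ppolicy overlay can inspect when pam_ldap hashes locally versus when it uses the
# RFC 3062 Password Modify extended operation ("pam_password exop").
import base64
import hashlib
import re

PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"  # RFC 3062 requestName (for reference)
MIN_LENGTH = 12                                 # pwdMinLength used in the thread
LOCAL_HASH_MODES = {"crypt", "md5", "sha", "ssha"}  # pam_password values that hash client-side


def pam_password_mode(ldap_conf):
    """Return the pam_password value from an /etc/ldap.conf text, or None if it is unset."""
    for line in ldap_conf.splitlines():
        m = re.match(r"^\s*pam_password\s+(\S+)", line)
        if m:
            return m.group(1).lower()
    return None


def pam_ldap_in_password_stack(pam_file):
    """True if pam_ldap.so is listed on a 'password' line of a PAM config (e.g. system-auth)."""
    return any(re.match(r"^\s*password\s+\S+\s+\S*pam_ldap\.so", line)
               for line in pam_file.splitlines())


def client_side_hash(new_password, mode, salt=b"\x01\x02\x03\x04"):
    """userPassword value pam_ldap would store under a local-hash mode (fixed salt: constructed)."""
    raw = new_password.encode()
    if mode == "md5":
        return "{MD5}" + base64.b64encode(hashlib.md5(raw).digest()).decode()
    if mode == "ssha":
        return "{SSHA}" + base64.b64encode(hashlib.sha1(raw + salt).digest() + salt).decode()
    raise ValueError("mode not modelled here: %s" % mode)


def _ber_len(n):
    """BER definite-form length octets."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, value):
    return bytes([tag]) + _ber_len(len(value)) + value


def passwd_modify_value(user_dn=None, old=None, new=None):
    """Encode PasswdModifyRequestValue (RFC 3062): SEQUENCE of [0] userIdentity,
    [1] oldPasswd, [2] newPasswd, all optional, each a context-specific OCTET STRING."""
    parts = b""
    if user_dn is not None:
        parts += _tlv(0x80, user_dn.encode())
    if old is not None:
        parts += _tlv(0x81, old.encode())
    if new is not None:
        parts += _tlv(0x82, new.encode())
    return _tlv(0x30, parts)


def _read_tlv(buf, pos):
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def decode_passwd_modify(value):
    """What the server extracts from the extended request: the fields in clear."""
    tag, body, _ = _read_tlv(value, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    names = {0x80: "userIdentity", 0x81: "oldPasswd", 0x82: "newPasswd"}
    fields, pos = {}, 0
    while pos < len(body):
        tag, field, pos = _read_tlv(body, pos)
        fields[names[tag]] = field.decode()
    return fields


def server_quality_check(submitted, min_length=MIN_LENGTH):
    """Model of the ppolicy minimum-length check on what actually reached slapd:
    bytes = an exop request value; str = a userPassword value from a plain modify.
    Returns 'accepted', 'rejected', or 'unchecked' (pre-hashed: nothing to measure)."""
    if isinstance(submitted, bytes):
        new = decode_passwd_modify(submitted).get("newPasswd", "")
        return "accepted" if len(new) >= min_length else "rejected"
    if submitted.startswith("{"):
        return "unchecked"
    return "accepted" if len(submitted) >= min_length else "rejected"


if __name__ == "__main__":
    dn = "uid=user1,ou=People,dc=example,dc=company"   # constructed sample DN
    for conf in ("pam_password md5\n", "pam_password exop\n"):   # constructed ldap.conf texts
        mode = pam_password_mode(conf)
        sent = client_side_hash("short", mode) if mode in LOCAL_HASH_MODES \
            else passwd_modify_value(user_dn=dn, new="short")
        print("%-4s -> slapd sees %r -> %s" % (mode, sent, server_quality_check(sent)))
```

Running it shows the md5 mode handing slapd a {MD5} digest that the policy can only wave through, while the exop mode hands it the cleartext "short", which the same policy rejects. That cleartext crossing the wire is exactly why the reply insists on transport encryption once exop is in use.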
w***@gmail.com
2010-08-05 22:19:04 UTC
Thank you Buchan. After I added pam_password exop to the client /etc/ldap.conf,
the password quality check is now enforced when my users change their
passwords via the "passwd" command.

However, I ran into a couple of other issues. I have pwdMustChange set to true
in my default ppolicy. I changed a user's password as Manager on the LDAP
server, or via the following command on my LDAP server:

ldappasswd -x -D "cn=Manager,dc=example,dc=company" -W
-S "uid=user1,ou=People,dc=example,dc=company"

Since I have pwdMustChange set to true, the user is required to change his
password when he tries to log in next time. But the system doesn't prompt
the user to change his password. And when I ran slapcat -a '(uid=user1)', I
saw most operational attributes except pwdReset. All my settings seem to be
correct. I couldn't figure out what is wrong here.

The other issue I ran into was: in my default ppolicy, I have
pwdExpireWarning set to 1209600 (14 days). My password is going to expire
in 12 days; how come I don't see a warning message when I ssh to my system?

Did anybody else run into these two issues before? Thank you for your help.
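Both follow-up questions are about state that lives in the user's entry and in the pwdPolicy entry, so a quick way to reason about them is to read the entry exactly as slapcat prints it and compute what the overlay would report at the next bind. The following is an added example written for this thread, not code from the thread or from OpenLDAP. The LDIF entry is a constructed sample in the shape of `slapcat -a '(uid=user1)'` output; pwdExpireWarning 1209600 is the value from the post, while the pwdMaxAge of 30 days and the "now" of 2010-08-07 are assumptions chosen so the password expires in 12 days as described. Two facts the code encodes: a must-change prompt depends on pwdReset being present and TRUE on the entry (the post notes it is missing), and an expiry warning can only be computed when pwdMaxAge is non-zero; the overlay returns that warning in the password policy response control, so the bind client must also request the control for anything to show up at login.

```python
# Added example (not from the thread or OpenLDAP): read a slapcat-style entry and
# work out what slapo-ppolicy would report for it at the next bind.
from datetime import datetime, timedelta, timezone

GENERALIZED_TIME = "%Y%m%d%H%M%SZ"

# Constructed sample entry, in the shape of `slapcat -a '(uid=user1)'` output.
SAMPLE_LDIF = """dn: uid=user1,ou=People,dc=example,dc=company
objectClass: inetOrgPerson
objectClass: posixAccount
uid: user1
userPassword:: e1NTSEF9Y29uc3RydWN0ZWQ=
pwdChangedTime: 20100720000000Z
pwdReset: TRUE
entryCSN: 20100720000000.000000Z#000000#00#000000
"""

# pwdExpireWarning is the post's value; pwdMaxAge (30 days) is an assumption.
POLICY = {"pwdMaxAge": 30 * 86400, "pwdExpireWarning": 1209600, "pwdMustChange": True}

# Assumed "current time" for the walk-through, 18 days after pwdChangedTime.
NOW = datetime(2010, 8, 7, tzinfo=timezone.utc)


def parse_ldif_entry(ldif):
    """Minimal LDIF reader for one entry: unfolds continuation lines, keeps multi-valued
    attributes as lists, lowercases attribute names (LDAP names are case-insensitive),
    and keeps base64 ('::') values as the raw encoded text."""
    lines = []
    for line in ldif.splitlines():
        if line.startswith(" ") and lines:        # folded continuation
            lines[-1] += line[1:]
        elif line and not line.startswith("#"):
            lines.append(line)
    attrs = {}
    for line in lines:
        name, _, value = line.partition(":")
        if value.startswith(":"):                  # base64-encoded value
            value = value[1:]
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def ppolicy_state(entry, policy, now=NOW):
    """What the overlay would conclude for this entry under this policy.
    expires_in_seconds is None when pwdMaxAge is absent or 0: with no maximum
    age there is no expiry, and therefore no expiry warning to return."""
    reset = entry.get("pwdreset", [""])[0].upper() == "TRUE"
    state = {"must_change": reset, "expires_in_seconds": None, "warn": False}
    max_age = policy.get("pwdMaxAge", 0)
    changed = entry.get("pwdchangedtime")
    if changed and max_age > 0:
        changed_at = datetime.strptime(changed[0], GENERALIZED_TIME).replace(tzinfo=timezone.utc)
        remaining = changed_at + timedelta(seconds=max_age) - now
        state["expires_in_seconds"] = int(remaining.total_seconds())
        state["warn"] = remaining <= timedelta(seconds=policy.get("pwdExpireWarning", 0))
    return state


def explain(state):
    """Human-readable lines for an admin comparing this with what users actually see."""
    lines = []
    lines.append("must change at next bind: %s (pwdReset %s)"
                 % (state["must_change"], "present" if state["must_change"] else "absent"))
    if state["expires_in_seconds"] is None:
        lines.append("no expiry: pwdMaxAge is unset or 0, so no warning can be issued")
    else:
        days = state["expires_in_seconds"] // 86400
        lines.append("expires in %d days; warning window reached: %s" % (days, state["warn"]))
    return lines


if __name__ == "__main__":
    entry = parse_ldif_entry(SAMPLE_LDIF)
    for line in explain(ppolicy_state(entry, POLICY)):
        print(line)
    # Same entry under a policy that sets a warning window but no maximum age.
    for line in explain(ppolicy_state(entry, {"pwdExpireWarning": 1209600})):
        print(line)
```

The second run in the main block is the diagnostic worth doing first for the warning question: if the policy in effect has no pwdMaxAge, the 14-day window never applies no matter how the client is configured.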