Discussion:
[Ltb-users] policy never executing check_password
Jonathan Disher
2013-02-27 21:11:52 UTC
I have an Ubuntu box running OpenLDAP 2.4.28 and the ppolicy overlay configured, and I'm trying to use check_password to validate password complexity. For some reason, it doesn't look like it is even getting executed. When I try to change my password to something that should be valid, I get this (I'm running slapd by hand in -d any mode):

512e5428 send_ldap_result: conn=1008 op=2 p=3
512e5428 send_ldap_result: err=19 matched="" text="Password fails quality checking policy"
512e5428 send_ldap_response: msgid=3 tag=103 err=19

However, I get no logging from check_password.so anywhere, not in syslog, not to the console, even though I compiled it with -DDEBUG.

My config file is:

useCracklib 1
minPoints 3
minUpper 0
minLower 0
minDigit 0
minPunct 0

My password policy is:

dn: cn=default,ou=policies,dc=bluekai,dc=com
cn: default
objectClass: device
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
objectClass: top
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckModule: check_password.so
pwdCheckQuality: 2
pwdMustChange: TRUE
structuralObjectClass: device
pwdSafeModify: FALSE
pwdLockout: TRUE
pwdLockoutDuration: 3600
pwdMaxFailure: 5
pwdFailureCountInterval: 600
pwdMinLength: 8

One of the passwords I tried to use, fwiw, is 'Pa55w0rd', which should be valid. I also tried to use a bunch of other, longer, more complicated passwords.

Any ideas?

-j
Clément OUDOT
2013-02-27 21:14:57 UTC
You should check if check_password.so is executable by the OpenLDAP user,
and check the module_path (or olcModulePath) OpenLDAP configuration
parameter.

Clément.
Jonathan Disher
2013-02-27 22:10:39 UTC
So, a couple other things:

# module{1}, config
dn: cn=module{1},cn=config
objectClass: olcModuleList
cn: module{1}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}ppolicy

root at ldap1:~# ls -l /usr/lib/ldap/check_password.so
-rwxr-xr-x 1 openldap openldap 63970 Feb 27 18:43 /usr/lib/ldap/check_password.so

Don't think it's the config file, either:

root at ldap1:~# ls -l /etc/ldap/check_password.conf
-rw-r--r-- 1 openldap openldap 104 Feb 27 18:10 /etc/ldap/check_password.conf
root at ldap1:~# ls -ld /etc/ldap
drwxr-xr-x 5 root root 4096 Feb 27 18:07 /etc/ldap

I continue to be stumped :(
Jonathan Disher
2013-02-27 23:30:41 UTC
Never mind, I figured out my problem.

I am using LDAP Account Manager (www.ldap-account-manager.org), and trying
to use their self-service tool to let people change their own passwords.
The problem was that the tool was presenting a pre-SSHA crypted password
to the module, which obviously won't fly.

If I change the self-service tool to send PLAIN (but leave the default
password storage as SSHA), it goes through the check_password module, and
gets stored as an SSHA hash:

Feb 27 23:25:53 ldap1 slapd[29447]: check_password: Found punctuation character - quality raise 1
Feb 27 23:25:53 ldap1 slapd[29447]: check_password: Found upper character - quality raise 2
Feb 27 23:25:53 ldap1 slapd[29447]: check_password: Found digit character - quality raise 3
Feb 27 23:25:53 ldap1 slapd[29447]: check_password: Found lower character - quality raise 4
Feb 27 23:25:53 ldap1 slapd[29447]: check_password: Cracklib verification disabled by configuration

Sorry for the runaround (but maybe someone else will find it useful), and
thanks!
-j
Clément OUDOT
2013-02-28 07:38:12 UTC
You could also set pwdCheckQuality to 0 or 1, which will allow the
password to be changed with the SSHA scheme, but of course will disallow any
quality checks.

So your solution is the best, to force clients to use plain passwords
in the modify request.

Clément.

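To make the two failure modes in this thread concrete, here is an added, constructed Python model (not code from the thread, from LDAP Account Manager, or from the ppolicy overlay or check_password.so) of the decision path Clément describes: a userPassword value that arrives already hashed ({SSHA}...) cannot be inspected, so pwdCheckQuality 2 rejects it with err=19 while 0 or 1 let it through unchecked, and a plaintext value is scored one point per character class, as the "quality raise" log lines show. The point thresholds are the poster's check_password.conf values; the scheme regex, the helper names and the "too short" text are assumptions of this example.

```python
import re
import string

# Constructed simulation of the ppolicy + check_password decision discussed
# in the thread; not the overlay's or the module's real source.
HASHED_SCHEME = re.compile(r"^\{[A-Za-z0-9-]+\}")  # assumed: matches {SSHA}, {CRYPT}, ...

# Values from the poster's check_password.conf and ppolicy entry.
CONF = {"minPoints": 3, "minUpper": 0, "minLower": 0, "minDigit": 0, "minPunct": 0}
PWD_MIN_LENGTH = 8
ERR_CONSTRAINT_VIOLATION = 19  # the err=19 seen in the slapd trace
FAIL_TEXT = "Password fails quality checking policy"


def count_classes(password: str) -> dict:
    """Count the four character classes that each earn one quality point."""
    return {
        "upper": sum(c.isupper() for c in password),
        "lower": sum(c.islower() for c in password),
        "digit": sum(c.isdigit() for c in password),
        "punct": sum(c in string.punctuation for c in password),
    }


def check_password_quality(password: str, conf: dict = CONF) -> tuple:
    """Mirror the per-class 'quality raise' scoring: one point per class present."""
    classes = count_classes(password)
    for name in ("upper", "lower", "digit", "punct"):
        if classes[name] < conf["min" + name.capitalize()]:
            return (False, f"too few {name} characters")
    points = sum(1 for v in classes.values() if v > 0)
    if points < conf["minPoints"]:
        return (False, f"quality {points} below minPoints {conf['minPoints']}")
    return (True, f"quality {points}")


def ppolicy_modify(user_password: str, pwd_check_quality: int) -> tuple:
    """Return (ldap_err, text) for a userPassword modify under pwdCheckQuality 0/1/2."""
    if pwd_check_quality == 0:
        return (0, "no quality check")
    if HASHED_SCHEME.match(user_password):
        # Pre-hashed value (what LAM sent): 1 = accept unchecked, 2 = reject.
        if pwd_check_quality == 1:
            return (0, "hashed password accepted without check")
        return (ERR_CONSTRAINT_VIOLATION, FAIL_TEXT)
    if len(user_password) < PWD_MIN_LENGTH:
        return (ERR_CONSTRAINT_VIOLATION, "too short for pwdMinLength")  # constructed text
    ok, why = check_password_quality(user_password)
    return (0, why) if ok else (ERR_CONSTRAINT_VIOLATION, FAIL_TEXT)
```

Running `ppolicy_modify("{SSHA}...", 2)` reproduces the err=19 the poster saw, and `ppolicy_modify("Pa55w0rd", 2)` passes with three points, matching the expectation that the plaintext form of that password is valid under minPoints 3.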