[Ltb-users] policy never executing check_password

Jonathan Disher jdisher at bluekai.com
Thu Feb 28 00:30:41 CET 2013


Nevermind, I figured out my problem.

I am using LDAP Account Manager (www.ldap-account-manager.org), and trying
to use their self-service tool to let people change their own passwords.
The problem was that the tool was presenting a pre-SSHA crypted password
to the module, which obviously won't fly.

If I change the self-service tool to send PLAIN (but leave the default
password storage as SSHA), it goes through the check_password module, and
gets stored as an SSHA hash:

Feb 27 23:25:53 ldap1 slapd[29447]: check_password: Found punctuation character - quality raise 1
Feb 27 23:25:53 ldap1 slapd[29447]: check_password: Found upper character - quality raise 2
Feb 27 23:25:53 ldap1 slapd[29447]: check_password: Found digit character - quality raise 3
Feb 27 23:25:53 ldap1 slapd[29447]: check_password: Found lower character - quality raise 4
Feb 27 23:25:53 ldap1 slapd[29447]: check_password: Cracklib verification disabled by configuration

Sorry for the runaround (but maybe someone else will find it useful), and
thanks!


-j
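To make the resolution above concrete, here is an added example (not code from the thread, LAM or the ltb-project module) that models the two things at play: the class-based point scoring that produces the "quality raise N" lines in the log, using the thresholds from the posted check_password.conf, and ppolicy's handling of a value that arrives already hashed as {SSHA}, which with pwdCheckQuality: 2 is rejected because the server has nothing to inspect. The scoring is a re-implementation written for this example, the salt and passwords are constructed, and the rejection text is modelled rather than copied from slapd.

```python
import base64
import hashlib
import string

# Thresholds taken from the check_password.conf posted in the thread
# (cracklib off, as the log reports "Cracklib verification disabled by configuration").
CONFIG = {"minPoints": 3, "minUpper": 0, "minLower": 0, "minDigit": 0, "minPunct": 0}

# RFC 2307 scheme prefixes a client may send instead of a clear-text value.
HASH_SCHEMES = ("{SSHA}", "{SHA}", "{SMD5}", "{MD5}", "{CRYPT}")


def make_ssha(password: str, salt: bytes) -> str:
    """Build a {SSHA} userPassword value the way a self-service client would (constructed helper)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def is_prehashed(value: str) -> bool:
    """True when the client already hashed the password, so no quality check is possible."""
    return value.upper().startswith(HASH_SCHEMES)


def quality_points(password: str):
    """Re-implementation (not the module's own code) of check_password's class scoring:
    each character class present adds one point, logged as 'quality raise N'."""
    classes = [("punctuation", lambda c: c in string.punctuation),
               ("upper", str.isupper), ("digit", str.isdigit), ("lower", str.islower)]
    counts = {name: sum(1 for c in password if test(c)) for name, test in classes}
    points, log = 0, []
    for name, _ in classes:
        if counts[name]:
            points += 1
            log.append(f"check_password: Found {name} character - quality raise {points}")
    return points, counts, log


def check_quality(value: str, pwd_check_quality: int, cfg=CONFIG):
    """Model of ppolicy wrapping the module: returns (accepted, reason) for one modify request."""
    if is_prehashed(value):
        # Hashed value: with pwdCheckQuality 2 the inability to check is itself a failure
        # (the err=19 seen in the thread); with 1 the check is skipped and the value stored as sent.
        if pwd_check_quality >= 2:
            return False, "quality check impossible on pre-hashed value; rejected (pwdCheckQuality 2)"
        return True, "quality check skipped for pre-hashed value (pwdCheckQuality 1)"
    points, counts, _ = quality_points(value)
    if points < cfg["minPoints"]:
        return False, f"only {points} character class(es), minPoints is {cfg['minPoints']}"
    for cls, key in (("upper", "minUpper"), ("lower", "minLower"),
                     ("digit", "minDigit"), ("punctuation", "minPunct")):
        if counts[cls] < cfg[key]:
            return False, f"{cls}: {counts[cls]} < {key} {cfg[key]}"
    return True, f"{points} points, accepted"
```

Running check_quality("Pa55w0rd", 2) accepts the clear-text value with three points, while the same password pre-hashed with make_ssha is rejected under pwdCheckQuality 2 and only passes (unchecked) under 1, which is exactly the difference between LAM sending SSHA and sending PLAIN.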

On 2/27/13 2:10 PM, "Jonathan Disher" <jdisher at bluekai.com> wrote:

>So, a couple other things:
>
># module{1}, config
>dn: cn=module{1},cn=config
>objectClass: olcModuleList
>cn: module{1}
>olcModulePath: /usr/lib/ldap
>olcModuleLoad: {0}ppolicy
>
>root at ldap1:~# ls -l /usr/lib/ldap/check_password.so
>-rwxr-xr-x 1 openldap openldap 63970 Feb 27 18:43 /usr/lib/ldap/check_password.so
>
>Don't think it's the config file, either:
>
>root at ldap1:~# ls -l /etc/ldap/check_password.conf
>-rw-r--r-- 1 openldap openldap 104 Feb 27 18:10 /etc/ldap/check_password.conf
>root at ldap1:~# ls -ld /etc/ldap
>drwxr-xr-x 5 root root 4096 Feb 27 18:07 /etc/ldap
>
>I continue to be stumped :(
>
>
>On 2/27/13 1:14 PM, "Clément OUDOT" <clem.oudot at gmail.com> wrote:
>
>>2013/2/27 Jonathan Disher <jdisher at bluekai.com>:
>>> I have an Ubuntu box running OpenLDAP 2.4.28 and the ppolicy overlay
>>> configured, and I'm trying to use check_password to validate password
>>> complexity.  For some reason, it doesn't look like it is even getting
>>> executed.  When I try to change my password to something that should be
>>> valid, I get this (I'm running slapd by hand in -d any mode):
>>>
>>> 512e5428 send_ldap_result: conn=1008 op=2 p=3
>>> 512e5428 send_ldap_result: err=19 matched="" text="Password fails quality checking policy"
>>> 512e5428 send_ldap_response: msgid=3 tag=103 err=19
>>>
>>> However, I get no logging from check_password.so anywhere, not in syslog,
>>> not to the console, even though I compiled it with -DDEBUG.
>>>
>>> My config file is:
>>>
>>> useCracklib 1
>>> minPoints 3
>>> minUpper 0
>>> minLower 0
>>> minDigit 0
>>> minPunct 0
>>>
>>> My password policy is:
>>>
>>> dn: cn=default,ou=policies,dc=bluekai,dc=com
>>> cn: default
>>> objectClass: device
>>> objectClass: pwdPolicy
>>> objectClass: pwdPolicyChecker
>>> objectClass: top
>>> pwdAllowUserChange: TRUE
>>> pwdAttribute: userPassword
>>> pwdCheckModule: check_password.so
>>> pwdCheckQuality: 2
>>> pwdMustChange: TRUE
>>> structuralObjectClass: device
>>> pwdSafeModify: FALSE
>>> pwdLockout: TRUE
>>> pwdLockoutDuration: 3600
>>> pwdMaxFailure: 5
>>> pwdFailureCountInterval: 600
>>> pwdMinLength: 8
>>>
>>> One of the passwords I tried to use, fwiw, is 'Pa55w0rd', which should be
>>> valid.  I also tried to use a bunch of other, longer, more complicated
>>> passwords.
>>>
>>> Any ideas?
>>
>>
>>You should check if check_password.so is executable by the OpenLDAP user,
>>and check the module_path (or olcModulePath) OpenLDAP configuration
>>parameter.
>>
>>Clément.
>