[Ltb-users] ssp and ppolicy

Clément OUDOT clement.oudot at savoirfairelinux.com
Fri Sep 1 16:17:25 CEST 2017



On 01/09/2017 at 16:02, Sebastian Perkins - Hoist Group - Switzerland 
wrote:
>
> On 01/09/2017 at 14:45, Sebastian Perkins - Hoist Group - Switzerland 
> wrote:
>
>
> >> If you use a blank entry as binddn, you will not be able to use the reset 
> >> features (mail/questions/sms), as in this case the old password of the 
> >> user is not known.
>
> Silly me of course I simply cannot bind without the working pass :D
>
> Some updates on the test I am performing :
>
> ·ldapS is used with root dn bind
>
> ·no salt, no hash on the ssp side, to let the ldap server encode the pass 
> itself (in order to keep the pwdHistory entries identical)
>
> Works fine from the classic “change” GUI interface! (ppolicy returns 
> the generic error message)
>
> However, our preferred token-via-mail option seems to bypass the 
> policy tests (but updates the hashes with an identical one)… and 
> no “current pass” email (which makes sense for a reset), but it still 
> bypasses…
>
> I am using the stock debian Jessie package
> dpkg --list | grep self
>
> ii  self-service-password  1.0-2  all  LDAP password change web interface
>
> My understanding is that the reset token via mail – as it has no 
> current password – binds with the root dn instead of the user dn and 
> therefore bypasses ppolicy ?
>

Indeed, as we don't have the user's old password, the configured binddn is 
used to change the password. If you set the rootdn, it will bypass the 
ppolicy.


Clément.
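The mechanism described in this thread, as an added configuration example that is not from the thread, from Self Service Password or from the LTB project: the ppolicy overlay with history and quality checks, the weak setting (SSP binding as the rootdn, which ppolicy does not check), and the corrected setting (a dedicated service DN with write access to userPassword, which ppolicy does check). The suffix dc=example,dc=com, the database index {1}mdb, the policy entry cn=default and the service DN cn=ssp-manager are assumed placeholders; the olcAccess index {0} must be adjusted to fit any ACLs already present.

```ldif
# Constructed cn=config example for OpenLDAP 2.4 (names are placeholders).

# 1. Attach the ppolicy overlay to the user database and point it at a
#    default policy. olcPPolicyHashCleartext makes slapd hash the cleartext
#    password that SSP sends (the "no hash on the ssp side" setup above), so
#    that pwdHistory entries are comparable.
dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=com
olcPPolicyHashCleartext: TRUE

# 2. The default policy: keep five previous hashes and reject reuse,
#    enforce a minimum length.
dn: cn=default,ou=policies,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: pwdPolicy
cn: default
sn: default
pwdAttribute: userPassword
pwdInHistory: 5
pwdCheckQuality: 2
pwdMinLength: 8

# 3. Weak setting (what the thread observed): SSP's $ldap_binddn is the
#    database rootdn (e.g. cn=admin,dc=example,dc=com). Modifications made
#    by the rootdn are exempt from ppolicy checks, so a mail-token reset,
#    which binds as $ldap_binddn rather than as the user, is never checked.

# 4. Corrected setting: a dedicated, non-root service account for SSP.
dn: cn=ssp-manager,ou=services,dc=example,dc=com
objectClass: top
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: ssp-manager
userPassword: {SSHA}PLACEHOLDER-set-with-slappasswd

# 5. Grant that account write access to userPassword only. Because it is an
#    ordinary DN, ppolicy applies pwdInHistory/pwdMinLength to its writes,
#    and the reset-by-mail path is enforced like the "change" form.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword
  by dn.exact="cn=ssp-manager,ou=services,dc=example,dc=com" write
  by self write
  by anonymous auth
  by * none
```

A quick check after applying this: bind as cn=ssp-manager and attempt to set a user's password to one already in pwdHistory; slapd should return a constraint violation, whereas the same change made by the rootdn succeeds.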