Manage password policy in OpenLDAP
Transcript of slides presented at LDAPCon
Clément OUDOT
Table of contents
- Password policy draft
- OpenLDAP ppolicy overlay
About the speaker
Clément OUDOT
- Engineer since 2003 at LINAGORA
- LinID Dream Team Manager: http://linid.org
- Founder of the LDAP Tool Box project: http://ltb-project.org
- Leader of the LemonLDAP::NG project: http://lemonldap-ng.org

Password policy draft
Draft history
- Draft name: draft-behera-ldap-password-policy
- Version 0: 20 October 1999
- Version 10: 9 August 2009
- The draft has been expired since 10 February 2010
Extended control
- Password policy is a request and response control (OID 1.3.6.1.4.1.42.2.27.8.5.1)
- The request control (sent with an empty value) tells the server that the client is ppolicy aware
- The response control carries a warning field (time before expiration, or grace authentications remaining) and an error field that describe the ppolicy status; the client must parse it, because the LDAP result code alone does not show this information
- The control can be sent on BIND, MOD (if the modification contains the password) and PASSMOD (the Password Modify extended operation)
Authentication
- Brute-force prevention with account locking (pwdLockout, pwdMaxFailure) and delay
- Password expiration, with grace management and warning
- Account activation (start time, end time)
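The three bind-time rules above (activation window, locking after repeated failures, expiration with grace and warning) interact through the pwd* operational attributes the draft defines on the user entry. The following model is an added example written for this page, not the ppolicy overlay's code: it replays a sequence of bind attempts against a policy and reports, for each attempt, whether the bind succeeds and which ppolicy error or warning the response control would carry. The pwdMaxFailure and pwdMaxAge values come from the talk's configuration slide; pwdFailureCountInterval, pwdLockoutDuration, pwdGraceAuthNLimit and a non-zero pwdExpireWarning are assumed values chosen so that every path is exercised, and pwdStartTime/pwdEndTime are the version 10 attributes. The sample entries are constructed, not data from a real directory.

```python
from datetime import datetime, timedelta, timezone

# pwdMaxFailure and pwdMaxAge as on the talk's slide; the other values are assumptions for the example.
POLICY = {
    "pwdMaxFailure": 10,
    "pwdFailureCountInterval": 300,  # seconds; failures older than this stop counting
    "pwdLockoutDuration": 900,       # seconds; 0 would mean locked until an administrator unlocks
    "pwdMaxAge": 31536000,
    "pwdExpireWarning": 604800,      # warn during the last 7 days of validity
    "pwdGraceAuthNLimit": 3,         # grace binds allowed after expiration
}

NOW = datetime(2013, 6, 1, 12, 0, tzinfo=timezone.utc)
# constructed user state (pwd* operational attributes), not captured from a server
SAMPLE_USER = {"pwdChangedTime": NOW - timedelta(days=30)}
SAMPLE_EXPIRING = {"pwdChangedTime": NOW - timedelta(days=360)}
SAMPLE_EXPIRED = {"pwdChangedTime": NOW - timedelta(days=400)}
SAMPLE_RESET = {"pwdChangedTime": NOW - timedelta(days=1), "pwdReset": True}
SAMPLE_DISABLED = {"pwdChangedTime": NOW - timedelta(days=1), "pwdEndTime": NOW - timedelta(days=1)}


def evaluate_bind(policy, entry, password_ok, now):
    """Model of the bind-time checks: returns (success, error, warning, updated_entry).

    error/warning use the draft's names. With olcPPolicyUseLockout FALSE (the talk's setting)
    a real server reports plain invalidCredentials to the client instead of accountLocked.
    """
    e = dict(entry)
    e["pwdFailureTime"] = list(entry.get("pwdFailureTime", []))
    # account activation window (pwdStartTime / pwdEndTime, version 10 of the draft)
    if e.get("pwdStartTime") and now < e["pwdStartTime"]:
        return False, "accountLocked", None, e
    if e.get("pwdEndTime") and now >= e["pwdEndTime"]:
        return False, "accountLocked", None, e
    # existing lockout: permanent when pwdLockoutDuration is 0, otherwise it expires
    locked_at = e.get("pwdAccountLockedTime")
    if locked_at is not None:
        duration = policy.get("pwdLockoutDuration", 0)
        if duration == 0 or now < locked_at + timedelta(seconds=duration):
            return False, "accountLocked", None, e
        del e["pwdAccountLockedTime"]
        e["pwdFailureTime"] = []
    if not password_ok:
        interval = policy.get("pwdFailureCountInterval", 0)
        if interval:  # only failures inside the interval count towards pwdMaxFailure
            e["pwdFailureTime"] = [t for t in e["pwdFailureTime"] if now - t < timedelta(seconds=interval)]
        e["pwdFailureTime"].append(now)
        if 0 < policy.get("pwdMaxFailure", 0) <= len(e["pwdFailureTime"]):
            e["pwdAccountLockedTime"] = now
            return False, "accountLocked", None, e
        return False, None, None, e
    e["pwdFailureTime"] = []  # a successful bind clears the failure counter
    max_age = policy.get("pwdMaxAge", 0)
    if max_age:
        expires = e["pwdChangedTime"] + timedelta(seconds=max_age)
        if now >= expires:
            used = list(e.get("pwdGraceUseTime", []))
            limit = policy.get("pwdGraceAuthNLimit", 0)
            if len(used) >= limit:
                return False, "passwordExpired", None, e
            used.append(now)
            e["pwdGraceUseTime"] = used
            return True, None, ("graceAuthNsRemaining", limit - len(used)), e
        remaining = int((expires - now).total_seconds())
        if remaining <= policy.get("pwdExpireWarning", 0):
            return True, None, ("timeBeforeExpiration", remaining), e
    if e.get("pwdReset"):  # password was reset by someone else: bind succeeds, client must force a change
        return True, "changeAfterReset", None, e
    return True, None, None, e


def simulate(policy, entry, attempts, start=NOW):
    """Replay (seconds_after_start, password_ok) bind attempts; returns one (success, error, warning) per attempt."""
    results = []
    for offset, good in attempts:
        ok, err, warn, entry = evaluate_bind(policy, entry, good, start + timedelta(seconds=offset))
        results.append((ok, err, warn))
    return results
```

Replaying ten wrong passwords in a burst locks the account on the tenth attempt and keeps it locked for pwdLockoutDuration seconds even when the right password is then supplied; spreading the same nine failures more than pwdFailureCountInterval apart never locks it, which is the knob to tune when legitimate users with stale saved passwords keep tripping the lockout.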
Modification
- Size check (size does matter): pwdMinLength
- Presence in history (with a check of the minimal age): pwdInHistory, pwdMinAge
- Password quality (implementation specific): pwdCheckQuality, optionally a pwdCheckModule
- Safe modification (require the old password): pwdSafeModify
Password change after reset
- Someone (typically an administrator) changes the password of a user
- An operational attribute is added to the user entry: pwdReset: TRUE
- At the next authentication the result code is 0 (success), but the ppolicy response control carries the "password must change" (changeAfterReset) error
- The client should force the user to change the password! An application that ignores the control lets the user keep working with the password the administrator knows.
OpenLDAP ppolicy overlay

Password policy in OpenLDAP
- Implemented as an overlay
- Catches BIND, MOD and PASSMOD operations
- Uses version 9 of the Behera draft
- Possibility to add a pwdChecker module
Overlay configuration
Load the overlay if it is compiled as a module:

olcModuleLoad: ppolicy.la

Configure the overlay in a backend:

dn: olcOverlay={1}ppolicy,olcDatabase={1}bdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: {1}ppolicy
olcPPolicyDefault: ou=default,ou=ppolicy,dc=example,dc=com
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: FALSE
olcPPolicyForwardUpdates: FALSE

olcPPolicyDefault names the policy entry applied to users that have no pwdPolicySubentry of their own. olcPPolicyUseLockout: FALSE is the safer choice for an exposed directory: with TRUE, a bind against a locked account returns the accountLocked error in the control, which also tells an attacker which accounts exist and are locked; with FALSE the client only sees invalidCredentials.
Password policy configuration
Configuration in a specific LDAP entry:

dn: ou=default,ou=ppolicy,dc=example,dc=com
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
objectClass: organizationalUnit
objectClass: top
ou: default
Password policy configuration
All parameters as attributes:

pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckModule: check_password.so
pwdCheckQuality: 2
pwdExpireWarning: 0
pwdInHistory: 10
pwdLockout: TRUE
pwdMaxAge: 31536000
pwdMinAge: 600
pwdMaxFailure: 10
pwdMinLength: 8
pwdMustChange: TRUE
pwdSafeModify: FALSE

Two things to check in such a policy: pwdLockout: TRUE without a pwdLockoutDuration (it defaults to 0) means that a locked account stays locked until an administrator removes pwdAccountLockedTime, and pwdExpireWarning: 0 means that no expiration warning is ever sent, so the first sign a user gets is the passwordExpired error.
More than one policy
Possibility to have several policies:
- Several pwdPolicy entries
- Use of pwdPolicySubentry in user entries

dn: uid=bobama,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
uid: bobama
cn: Barack OBAMA
sn: OBAMA
pwdPolicySubentry: ou=nsa,ou=ppolicy,dc=example,dc=com
Password checker
LDAP Tool Box provides a compatible password checker module:
- Checks for upper case, lower case, digits and punctuation
- Cracklib support
- ITS#7412 was opened in OpenLDAP to add this module as a contribution
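The modification-time checks listed earlier (size, history with minimal age, quality, safe modification) and the character-class rule of the checker above can be put together in one model. The code below is an added example for this page, not the ppolicy overlay's or the LTB checker's code: it reads the pwdPolicy attributes from the talk's configuration slide and decides whether a proposed password change would be refused, returning the draft's error name. It simplifies on purpose: history entries are compared as SHA-256 digests (the real pwdHistory stores the hashed userPassword value in its own syntax), the three-class quality threshold is an assumed value, and the order of checks is this example's own.

```python
import hashlib
import string
from datetime import datetime, timedelta, timezone

# pwdPolicy attributes copied from the talk's configuration slide (pwdCheckModule omitted:
# its character-class rule is modelled by quality_check below)
POLICY_LDIF = """
dn: ou=default,ou=ppolicy,dc=example,dc=com
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdInHistory: 10
pwdMaxAge: 31536000
pwdMinAge: 600
pwdMinLength: 8
pwdSafeModify: FALSE
"""


def parse_policy(ldif):
    """Flatten a one-entry LDIF into {attribute: value}; LDAP attribute names are case-insensitive."""
    policy = {}
    for line in ldif.strip().splitlines():
        name, sep, value = line.partition(":")
        if sep and name.lower() != "dn":
            policy[name.strip().lower()] = value.strip()
    return policy


def _hash(password):
    # Assumption for the example: history is compared on plain SHA-256 digests.
    # The real pwdHistory stores the hashed userPassword value in its own syntax.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def quality_check(password, min_classes=3):
    """Character-class rule in the spirit of the LTB checker (the threshold is an assumption)."""
    classes = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return sum(classes) >= min_classes


def check_modify(policy, entry, new_password, old_password=None, self_change=True, now=None):
    """Return the draft's error name if the change must be refused, None if it is allowed.

    entry: {'userpassword': hash, 'pwdhistory': [hash, ...] (oldest first),
            'pwdchangedtime': aware datetime}. 'oldPasswordMismatch' is not a ppolicy error:
    the real modify fails because the delete of the old value does not match.
    """
    now = now or datetime.now(timezone.utc)
    get = lambda attr, default=None: policy.get(attr.lower(), default)

    if self_change and get("pwdAllowUserChange", "TRUE") == "FALSE":
        return "passwordModNotAllowed"
    if self_change and get("pwdSafeModify") == "TRUE" and old_password is None:
        return "mustSupplyOldPassword"
    if old_password is not None and _hash(old_password) != entry["userpassword"]:
        return "oldPasswordMismatch"
    min_age = int(get("pwdMinAge", 0))
    if self_change and min_age and now - entry["pwdchangedtime"] < timedelta(seconds=min_age):
        return "passwordTooYoung"  # stops a user from cycling through the history in one sitting
    if len(new_password) < int(get("pwdMinLength", 0)):
        return "passwordTooShort"
    in_history = int(get("pwdInHistory", 0))
    if in_history:  # the current password counts as well as the last pwdInHistory old ones
        recent = entry["pwdhistory"][-in_history:] + [entry["userpassword"]]
        if _hash(new_password) in recent:
            return "passwordInHistory"
    if int(get("pwdCheckQuality", 0)) == 2 and not quality_check(new_password):
        return "insufficientPasswordQuality"
    return None


# constructed user state for the example, not data from a real directory
POLICY = parse_policy(POLICY_LDIF)
SAFE_POLICY = dict(POLICY, pwdsafemodify="TRUE")
NOW = datetime(2013, 1, 2, tzinfo=timezone.utc)
USER = {
    "userpassword": _hash("Old-Pass-1"),
    "pwdhistory": [_hash("Winter2008!"), _hash("Spring2009!")],
    "pwdchangedtime": NOW - timedelta(days=1),
}
JUST_CHANGED = dict(USER, pwdchangedtime=NOW - timedelta(seconds=60))
```

With pwdSafeModify switched to TRUE the same change is refused until the old password is supplied, and an administrator change (self_change=False) bypasses the minimal age, which is the behaviour the reset scenario relies on.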
Last authentication time
- The lastbind overlay is available in the OpenLDAP contrib tree
- Provided in the LTB contrib-overlays package
- Adds the authTimestamp operational attribute
- Should be replaced by pwdLastSuccess from version 10 of the draft
Almost the end...
Thanks
Special thanks to:
- LDAPCon!
- Company LINAGORA
- All LinID developers

Keep in touch:
- Identica: @coudot
- Twitter: @clementoudot @LinID_FOSS
- IRC: KPTN #LinID@freenode
- Web: http://linid.org

Thanks!