RMLL 2014 - OpenLDAP - Manage password policy
Uploaded by oudot-clement
Transcript of RMLL 2014 - OpenLDAP - Manage password policy
First time you see me? Let me introduce myself!
LDAPcoholic for many years. Fake developer, real hacker.
Let's begin with the password policy draft (Behera draft)
A draft? Is it not a standard?
Well, not really. The first draft (version 0) was written in 1999.
The latest version (version 10) was published in 2009.
This draft has been expired since February 2010.
So, can we use it?
Of course! Most LDAP servers implement it.
What are you waiting for? Explain to me how it works!
OK, let me play the LDAP client. You will play the LDAP server.
OK, I send you a BIND operation with the password policy request control 1.3.6.1.4.1.42.2.27.8.5.1.
I see your password has expired, so I refuse the BIND and send a flag in the response control.
Thanks to this response control, I can warn the user.
See, it's easy! Client and server just need to know how to handle the control.
With which LDAP operations can we use this control?
BIND for authentication; MOD (the modify operation) and PASSMOD (the password modify extended operation) for password change.
For authentication, it defines account locking, password expiration and password reset.
For modification, it can check password length, presence in the password history, and password quality.
With this, administrators will have the power to bother all their users.
Niark Niark
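To make the client/server exchange above concrete, here is an added example (not code from the slides) that decodes the value of the password policy response control a client gets back on such a refused BIND, and maps it to the warning and error values the Behera draft defines; the byte strings are constructed.

```python
# Added example (not from the slides): decode the value of the password policy
# response control 1.3.6.1.4.1.42.2.27.8.5.1 following the BER layout in the
# Behera draft. Pure Python, no LDAP library; the sample values are constructed.
# error ENUMERATED values from the draft
ERRORS = {0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
          3: "passwordModNotAllowed", 4: "mustSupplyOldPassword",
          5: "insufficientPasswordQuality", 6: "passwordTooShort",
          7: "passwordTooYoung", 8: "passwordInHistory"}
WARNINGS = {0: "timeBeforeExpiration", 1: "graceAuthNsRemaining"}  # CHOICE by context tag

def _tlv(buf, pos):
    """Read one BER tag-length-value at pos -> (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_ppolicy_response(value):
    """PasswordPolicyResponseValue -> {'warning': (name, int) or None, 'error': name or None}."""
    tag, seq, _ = _tlv(value, 0)
    if tag != 0x30:
        raise ValueError("PasswordPolicyResponseValue must be a SEQUENCE")
    result, pos = {"warning": None, "error": None}, 0
    while pos < len(seq):
        tag, body, pos = _tlv(seq, pos)
        if tag == 0xA0:                                 # warning [0], a constructed CHOICE
            wtag, wval, _ = _tlv(body, 0)
            result["warning"] = (WARNINGS[wtag & 0x1F], int.from_bytes(wval, "big"))
        elif tag == 0x81:                               # error [1] ENUMERATED
            result["error"] = ERRORS[int.from_bytes(body, "big")]
        else:
            raise ValueError("unexpected tag 0x%02x in response control" % tag)
    return result

def user_message(decoded):
    """Text a client could show the user, as the slide suggests."""
    if decoded["error"]:
        return "Authentication refused: " + decoded["error"]
    if decoded["warning"]:
        kind, n = decoded["warning"]
        if kind == "timeBeforeExpiration":
            return "Password expires in %d seconds" % n
        return "%d grace logins remaining, change your password" % n
    return "OK"

# Constructed control values as a server would return them in a BIND response:
EXPIRED = bytes.fromhex("30 03 81 01 00")            # error passwordExpired
EXPIRING = bytes.fromhex("30 06 a0 04 80 02 0e 10")  # warning timeBeforeExpiration 3600
GRACE = bytes.fromhex("30 05 a0 03 81 01 02")        # warning graceAuthNsRemaining 2
```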
Let me now introduce my friend OpenLDAP.
Hi! I am the fastest LDAP server on earth!
I have had a password policy overlay for many years.
I support version 9 of the Behera draft and allow a custom password checker module to be plugged in.
I imagine that configuring the password policy overlay is a nightmare!
Calm down, you just need a brain!
First, load the overlay:

olcModuleLoad: ppolicy.la

Then configure it:

dn: olcOverlay={1}ppolicy,olcDatabase={1}bdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: {1}ppolicy
olcPPolicyDefault: ou=default,ou=ppolicy,dc=example,dc=com
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: FALSE
olcPPolicyForwardUpdates: FALSE
So is it over? That was easy!
No, we now need to configure the policy.
Policy configuration is an entry in the LDAP directory.
The first lines of the entry are:

dn: ou=default,ou=ppolicy,dc=example,dc=com
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
objectClass: organizationalUnit
objectClass: top
ou: default
Then all parameters are attributes of this entry:

pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckModule: check_password.so
pwdCheckQuality: 2
pwdExpireWarning: 0
pwdInHistory: 10
pwdLockout: TRUE
pwdMaxAge: 31536000
pwdMinAge: 600
pwdMaxFailure: 10
pwdMinLength: 8
pwdMustChange: TRUE
pwdSafeModify: FALSE
Can we have more than one policy?
Yes we can!
Just create another policy configuration entry.
Then link it to a user account:

dn: uid=bobama,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
uid: bobama
cn: Barack OBAMA
sn: OBAMA
userPassword: michellemabelle
pwdPolicySubentry: ou=nsa,ou=ppolicy,dc=example,dc=com
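The following added example (not code from the slides or from OpenLDAP) models how the overlay applies the policy attributes shown above at BIND time: it picks the policy through pwdPolicySubentry or falls back to the default, then evaluates pwdMaxAge, pwdMinAge and pwdExpireWarning against the user's pwdChangedTime, and pwdLockout/pwdMaxFailure against the user's pwdFailureTime values. The directory entries are constructed dicts, and the values of the ou=nsa policy are invented for illustration.

```python
# Added example (not from the slides or OpenLDAP): a pure-stdlib model of two checks
# the ppolicy overlay makes at BIND time with the policy entry above: password age
# (pwdMaxAge, pwdMinAge, pwdExpireWarning vs pwdChangedTime) and lockout (pwdLockout,
# pwdMaxFailure vs pwdFailureTime). Entries are constructed; ou=nsa values are invented.
from datetime import datetime, timezone

DEFAULT_POLICY_DN = "ou=default,ou=ppolicy,dc=example,dc=com"  # olcPPolicyDefault

def gtime(value):
    """LDAP GeneralizedTime such as 20140701120000Z -> aware datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def policy_for(user, entries):
    """pwdPolicySubentry on the user wins; otherwise the default policy applies."""
    return entries[user.get("pwdpolicysubentry", DEFAULT_POLICY_DN)]

def password_age_status(policy, user, now):
    """pwdMaxAge / pwdMinAge / pwdExpireWarning checks as the Behera draft defines them."""
    age = int((now - gtime(user["pwdchangedtime"])).total_seconds())
    val = lambda attr: int(policy.get(attr, "0"))
    max_age, min_age, warn = val("pwdmaxage"), val("pwdminage"), val("pwdexpirewarning")
    left = max_age - age if max_age else None      # pwdMaxAge 0 means never expires
    return {"expired": bool(max_age) and age >= max_age,
            "too_young_to_change": age < min_age,  # pwdMinAge blocks early changes
            "seconds_left": left,
            # pwdExpireWarning: 0 (the slide's default policy) means never warn
            "warn": bool(warn) and left is not None and 0 < left <= warn}

def is_locked_out(policy, user):
    """pwdLockout TRUE and at least pwdMaxFailure recorded failures -> locked.
    pwdFailureCountInterval is treated as 0 here, i.e. failures never age out."""
    if policy.get("pwdlockout", "FALSE") != "TRUE":
        return False
    max_fail = int(policy.get("pwdmaxfailure", "0"))
    return max_fail > 0 and len(user.get("pwdfailuretime", [])) >= max_fail

# Constructed directory content; attribute names lower-cased as the server compares them.
ENTRIES = {
    DEFAULT_POLICY_DN: {"pwdmaxage": "31536000", "pwdminage": "600", "pwdexpirewarning": "0",
                        "pwdlockout": "TRUE", "pwdmaxfailure": "10"},
    "ou=nsa,ou=ppolicy,dc=example,dc=com": {"pwdmaxage": "2592000", "pwdminage": "600",
                                            "pwdexpirewarning": "604800", "pwdlockout": "TRUE",
                                            "pwdmaxfailure": "3"},
    "uid=alice,ou=users,dc=example,dc=com": {"pwdchangedtime": "20140701120000Z"},
    "uid=bobama,ou=users,dc=example,dc=com": {
        "pwdpolicysubentry": "ou=nsa,ou=ppolicy,dc=example,dc=com",
        "pwdchangedtime": "20140615120000Z",
        "pwdfailuretime": ["20140710110000Z", "20140710110100Z", "20140710110200Z"]},
}
NOW = datetime(2014, 7, 10, 12, 0, tzinfo=timezone.utc)  # constructed "current time"
```

Note that with the overlay's olcPPolicyUseLockout: FALSE shown earlier, a locked account is reported to the client as invalidCredentials rather than through the accountLocked error code of the response control, which reveals less to someone guessing passwords.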
Did you hear about the LDAP Tool Box project?
Yes, they provide a password checker module and OpenLDAP packages for Debian and CentOS.
They also package some contributed overlays like lastbind and smbk5pwd.
Indeed, good job!
That's all, folks! Any questions?