Manage password policy in OpenLDAP
3 likes7,019 views
The document discusses managing password policy in OpenLDAP. It describes the OpenLDAP ppolicy overlay which implements password policy controls as defined in the LDAP password policy draft. The ppolicy overlay catches BIND, MOD, and PASSMOD operations and uses the version 9 draft to enforce policies like password expiration, history, quality checks and account locking. It can be configured through LDAP entries and works by adding password check modules. Lastly, it mentions using additional overlays for tracking last authentication time and supporting multiple policies per user.
Manage password policy in OpenLDAP
- 1. Manage password policy in OpenLDAP Clément OUDOT
- 2. Table of contents Password policy draft OpenLDAP ppolicy overlay 2
- 3. Resume 3
- 4. Clément OUDOT Engineer since 2003 at LINAGORA company LinID Dream Team Manager: http://linid.org Founder of LDAP Tool Box project: http://ltb-project.org Leader of LemonLDAP::NG project: http://lemonldap-ng.org Password policy draft 4
- 6. Draft history Draft name: draft-behera-ldap-password-policy Version 0: 20 October 1999 Version 10: August 9, 2009 Draft is expired since February 10, 2010 6
- 7. Extended control Password policy is request and response control (OID 1.3.6.1.4.1.42.2.27.8.5.1) The request control indicates the client is ppolicy aware The response control contains flags to advertise client about ppolicy status, it should be parsed by the client Control can be sent on BIND, MOD (if modification contains the password) and PASSMOD operations 7
- 8. Authentication Brute-force prevention with account locking and delay Password expiration, with grace management and warning Account activation (start time, end time) 8
- 9. Modification Size check (size does matter) Presence in history (with check of minimal age) Password quality (implementation specific) Safe modification (require old password)Size check 9
- 10. Password change after reset Someone changes the password of a user An attribute should be added to user entry (pwdReset) At next authentication, the response code is 0 (OK) but the ppolicy control has the “password must change” flag The client should force user to change the password! 10
- 12. Password policy in OpenLDAP Implemented as an overlay Catch BIND, MOD and PASSMOD operations Use version 9 of Behera Draft Possibility to add a pwdChecker module 12
- 13. Overlay configuration Load overlay if compiled as module: olcModuleLoad: ppolicy.la Configure overlay in a backend: dn: olcOverlay={1}ppolicy,olcDatabase={1}bdb,cn=config objectClass: olcOverlayConfig objectClass: olcPPolicyConfig olcOverlay: {1}ppolicy olcPPolicyDefault: ou=default,ou=ppolicy,dc=example,dc=com olcPPolicyHashCleartext: TRUE olcPPolicyUseLockout: FALSE olcPPolicyForwardUpdates: FALSE 13
- 14. Password policy configuration Configuration in an LDAP specific entry: dn: ou=default,ou=ppolicy,dc=example,dc=com objectClass: pwdPolicy objectClass: pwdPolicyChecker objectClass: organizationalUnit objectClass: top ou: default 14
- 15. Password policy configuration All parameters as attributes: pwdAllowUserChange: TRUE pwdAttribute: userPassword pwdCheckModule: check_password.so pwdCheckQuality: 2 pwdExpireWarning: 0 pwdInHistory: 10 pwdLockout: TRUE pwdMaxAge: 31536000 pwdMinAge: 600 pwdMaxFailure: 10 pwdMinLength: 8 pwdMustChange: TRUE PwdSafeModify : FALSE 15
- 16. More than one policy Possibility to have several policies: – Several pwdPolicy entries – Use of pwdPolicySubentry in entries dn: uid=bobama,ou=users,dc=example,dc=com objectClass: inetOrgPerson objectClass: organizationalPerson ObjectClass : person objectClass: top uid : bobama cn : Barack OBAMA sn : OBAMA pwdPolicySubentry : ou=nsa,ou=ppolicy,dc=example,dc=com 16
- 17. Password checker LDAP Tool Box provides a compatible password checker module: – Check against upper case, lower case, digits and punctuation – Cracklib support ITS 7412 in OpenLDAP to add this module as a contribution 17
- 18. Last authentication time The lastbind overlay is available in OpenLDAP contribution Provided in contrib-overlays LTB package Add authTimestamp operational attribute Should be replaced by pwdLastSuccess form version 10 of the draft 18
- 20. Thanks Special thanks to: – LDAPCon ! – Company LINAGORA – All LiniD developers Keep in touch: – Identica: @coudot – Twitter: @clementoudot @LinID_FOSS – IRC: KPTN #LinID@freenode – Web: http://linid.org 20
- 21. Thanks!