Manage password policy in OpenLDAP
Transcript

  • 1. Manage password policy in OpenLDAP, Clément OUDOT
  • 2. Table of contents
    – Password policy draft
    – OpenLDAP ppolicy overlay
  • 3. Resume
  • 4. Clément OUDOT
    – Engineer since 2003 at LINAGORA company
    – LinID Dream Team Manager: http://linid.org
    – Founder of LDAP Tool Box project: http://ltb-project.org
    – Leader of LemonLDAP::NG project: http://lemonldap-ng.org
  • 5. Password policy draft
  • 6. Draft history
    – Draft name: draft-behera-ldap-password-policy
    – Version 0: 20 October 1999
    – Version 10: August 9, 2009
    – The draft has been expired since February 10, 2010
  • 7. Extended control
    – Password policy is a request and response control (OID 1.3.6.1.4.1.42.2.27.8.5.1)
    – The request control indicates that the client is ppolicy aware
    – The response control carries flags advertising the ppolicy status to the client; the client must parse it, the LDAP result code alone is not enough
    – The control can be sent on BIND, MOD (if the modification contains the password) and PASSMOD operations
  • 8. Authentication
    – Brute-force prevention with account locking and delay
    – Password expiration, with grace management and warning
    – Account activation (start time, end time)
  • 9. Modification
    – Size check (size does matter)
    – Presence in history (with check of minimal age)
    – Password quality (implementation specific)
    – Safe modification (require old password)
  • 10. Password change after reset
    – Someone changes the password of a user
    – An attribute should be added to the user entry (pwdReset)
    – At next authentication, the result code is 0 (success) but the ppolicy response control carries the "password must change" (changeAfterReset) flag
    – The client should force the user to change the password: the bind itself has succeeded, so enforcement at the application level is up to the client (OpenLDAP's overlay additionally restricts such a session to bind, unbind, abandon, StartTLS and password modification until the change is done)
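The request/response control of slide 7 and the client-side decisions of slides 8 and 10, worked through as an added example in plain Python (not code from the deck, OpenLDAP or LTB). It encodes and decodes the `PasswordPolicyResponseValue` of the Behera draft by hand, without an LDAP library, so the BER layout is visible: `warning [0]` is an explicitly tagged CHOICE (constructed tag 0xA0 wrapping 0x80 or 0x81) and `error [1]` is an implicitly tagged ENUMERATED (0x81). `bind_outcome` is this example's name for the decision a ppolicy-aware client should take; the input values are constructed.

```python
"""PasswordPolicyResponseValue ::= SEQUENCE {
       warning [0] CHOICE {
           timeBeforeExpiration [0] INTEGER,
           graceAuthNsRemaining [1] INTEGER } OPTIONAL,
       error   [1] ENUMERATED { passwordExpired (0) ... passwordInHistory (8) } OPTIONAL }
Added example, not OpenLDAP code."""

PPOLICY_CONTROL_OID = "1.3.6.1.4.1.42.2.27.8.5.1"

ERROR_NAMES = {
    0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
    3: "passwordModNotAllowed", 4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality", 6: "passwordTooShort",
    7: "passwordTooYoung", 8: "passwordInHistory",
}
TAG_SEQUENCE, TAG_WARNING, TAG_ERROR = 0x30, 0xA0, 0x81
TAG_TIME_BEFORE_EXPIRATION, TAG_GRACE_REMAINING = 0x80, 0x81


def _ber_length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _ber_integer(value):
    """Minimal two's-complement content octets, as BER requires."""
    nbytes = 1
    while not -(1 << (8 * nbytes - 1)) <= value < (1 << (8 * nbytes - 1)):
        nbytes += 1
    return value.to_bytes(nbytes, "big", signed=True)


def _tlv(tag, content):
    return bytes([tag]) + _ber_length(len(content)) + content


def encode_ppolicy_response(time_before_expiration=None, grace_authns_remaining=None, error=None):
    """Build the control value a server would return (at most one warning)."""
    body = b""
    if time_before_expiration is not None:
        body += _tlv(TAG_WARNING, _tlv(TAG_TIME_BEFORE_EXPIRATION, _ber_integer(time_before_expiration)))
    elif grace_authns_remaining is not None:
        body += _tlv(TAG_WARNING, _tlv(TAG_GRACE_REMAINING, _ber_integer(grace_authns_remaining)))
    if error is not None:
        body += _tlv(TAG_ERROR, _ber_integer(error))
    return _tlv(TAG_SEQUENCE, body)


def _read_tlv(buf, pos):
    """Return (tag, content, next_pos); rejects truncated encodings."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER content")
    return tag, buf[pos:pos + length], pos + length


def decode_ppolicy_response(value):
    """Parse the control value into {'warning': (kind, n) or None, 'error': name or None}."""
    tag, body, end = _read_tlv(value, 0)
    if tag != TAG_SEQUENCE or end != len(value):
        raise ValueError("PasswordPolicyResponseValue must be a single SEQUENCE")
    out = {"warning": None, "error": None}
    pos = 0
    while pos < len(body):
        tag, content, pos = _read_tlv(body, pos)
        if tag == TAG_WARNING:
            ctag, cval, cend = _read_tlv(content, 0)
            kinds = {TAG_TIME_BEFORE_EXPIRATION: "timeBeforeExpiration",
                     TAG_GRACE_REMAINING: "graceAuthNsRemaining"}
            if cend != len(content) or ctag not in kinds:
                raise ValueError("malformed warning CHOICE")
            out["warning"] = (kinds[ctag], int.from_bytes(cval, "big", signed=True))
        elif tag == TAG_ERROR:
            code = int.from_bytes(content, "big", signed=True)
            out["error"] = ERROR_NAMES.get(code, f"unknown({code})")
        else:
            raise ValueError(f"unexpected tag {tag:#04x}")
    return out


def bind_outcome(result_code, control_value):
    """Decision of a ppolicy-aware client after BIND, from the LDAP result code and the
    raw response control value (None when the server sent no control).
    Result 0 does not mean 'proceed': changeAfterReset arrives with result 0."""
    pp = decode_ppolicy_response(control_value) if control_value else {"warning": None, "error": None}
    if result_code == 0 and pp["error"] == "changeAfterReset":
        return "force-password-change"        # slide 10: bind succeeded, the client must act
    if pp["error"] in ("accountLocked", "passwordExpired"):
        return "deny:" + pp["error"]          # slide 8: lockout or expiration
    if result_code != 0:
        return f"deny:result={result_code}"   # e.g. invalidCredentials with no control
    if pp["warning"]:
        kind, n = pp["warning"]
        return f"ok-warn:{kind}={n}"          # expiry countdown or remaining grace binds
    return "ok"
```

Note that the same tag byte 0x81 means `graceAuthNsRemaining` inside the warning wrapper and `error` at the top level; a decoder that flattens the structure gets them confused, which is why the parser tracks nesting. Whether `accountLocked` is ever reported at all depends on the server's use-lockout setting (see the overlay configuration below).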
  • 11. OpenLDAP ppolicy overlay
  • 12. Password policy in OpenLDAP
    – Implemented as an overlay
    – Catches BIND, MOD and PASSMOD operations
    – Uses version 9 of the Behera draft
    – Possibility to add a pwdChecker module
  • 13. Overlay configuration
    – Load the overlay if it is compiled as a module:
        olcModuleLoad: ppolicy.la
    – Configure the overlay in a backend:
        dn: olcOverlay={1}ppolicy,olcDatabase={1}bdb,cn=config
        objectClass: olcOverlayConfig
        objectClass: olcPPolicyConfig
        olcOverlay: {1}ppolicy
        olcPPolicyDefault: ou=default,ou=ppolicy,dc=example,dc=com
        olcPPolicyHashCleartext: TRUE
        olcPPolicyUseLockout: FALSE
        olcPPolicyForwardUpdates: FALSE
    – olcPPolicyHashCleartext: TRUE hashes cleartext userPassword values arriving through ordinary Add/Modify operations (the Password Modify extended operation is hashed regardless)
    – olcPPolicyUseLockout: FALSE keeps a locked account indistinguishable from a wrong password (plain invalidCredentials, no accountLocked error in the control); TRUE is friendlier to users but discloses the lock state to an attacker
    – olcPPolicyForwardUpdates is only meaningful on a replication consumer, where TRUE forwards bind-time state changes (failure and success records) to the provider instead of writing them locally
  • 14. Password policy configuration
    – Configuration in a specific LDAP entry:
        dn: ou=default,ou=ppolicy,dc=example,dc=com
        objectClass: pwdPolicy
        objectClass: pwdPolicyChecker
        objectClass: organizationalUnit
        objectClass: top
        ou: default
  • 15. Password policy configuration
    – All parameters as attributes:
        pwdAllowUserChange: TRUE
        pwdAttribute: userPassword
        pwdCheckModule: check_password.so
        pwdCheckQuality: 2
        pwdExpireWarning: 0
        pwdInHistory: 10
        pwdLockout: TRUE
        pwdMaxAge: 31536000
        pwdMinAge: 600
        pwdMaxFailure: 10
        pwdMinLength: 8
        pwdMustChange: TRUE
        pwdSafeModify: FALSE
    – pwdAttribute must be userPassword (the only value the overlay supports); pwdExpireWarning: 0 means no expiry warning is ever sent before pwdMaxAge; without pwdLockoutDuration a locked account stays locked until an administrator clears pwdAccountLockedTime
  • 16. More than one policy
    – Possibility to have several policies:
        – Several pwdPolicy entries
        – Use of pwdPolicySubentry in entries
        dn: uid=bobama,ou=users,dc=example,dc=com
        objectClass: inetOrgPerson
        objectClass: organizationalPerson
        objectClass: person
        objectClass: top
        uid: bobama
        cn: Barack OBAMA
        sn: OBAMA
        pwdPolicySubentry: ou=nsa,ou=ppolicy,dc=example,dc=com
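Slides 13 to 16 describe one configuration: an overlay default policy, one or more pwdPolicy entries, and an optional pwdPolicySubentry on the user. The added Python example below (not from the deck or OpenLDAP) resolves which entry governs a given user and audits that entry for the settings a reviewer would question. The LDIF is constructed: the `default` policy reproduces slide 15 (including its mis-cased `PwdSafeModify`, which the parser must still match because LDAP attribute names are case-insensitive), the `nsa` policy is an assumed hardened variant, and the severities and thresholds are this example's choices, not values the deck prescribes.

```python
import re

# Constructed sample: the slide-15 default policy, an assumed hardened 'nsa'
# policy, the slide-16 user and one user without a subentry.
OVERLAY_DEFAULT_POLICY = "ou=default,ou=ppolicy,dc=example,dc=com"
SAMPLE_LDIF = """\
dn: ou=default,ou=ppolicy,dc=example,dc=com
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdExpireWarning: 0
pwdInHistory: 10
pwdLockout: TRUE
pwdMaxAge: 31536000
pwdMaxFailure: 10
pwdMinLength: 8
pwdMustChange: TRUE
PwdSafeModify : FALSE

dn: ou=nsa,ou=ppolicy,dc=example,dc=com
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdExpireWarning: 1209600
pwdInHistory: 24
pwdLockout: TRUE
pwdLockoutDuration: 900
pwdMaxAge: 31536000
pwdMaxFailure: 5
pwdMinLength: 14
pwdMustChange: TRUE
pwdSafeModify: TRUE

dn: uid=bobama,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
uid: bobama
pwdPolicySubentry: ou=nsa,ou=ppolicy,dc=example,dc=com

dn: uid=jdoe,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
uid: jdoe
"""


def parse_ldif(text):
    """Minimal LDIF reader -> {dn: {attr_lowercase: [values]}}. Handles folded lines;
    no base64 (::) or URL (:<) values, which the sample does not use."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for line in block.splitlines():
            if line.startswith(" ") and lines:
                lines[-1] += line[1:]            # LDIF continuation line
            elif line and not line.startswith("#"):
                lines.append(line)
        dn, attrs = None, {}
        for line in lines:
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()   # attribute names are case-insensitive
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        entries[dn] = attrs
    return entries


def effective_policy_dn(user_entry, default_policy_dn=OVERLAY_DEFAULT_POLICY):
    """pwdPolicySubentry on the user wins; otherwise the overlay default applies."""
    sub = user_entry.get("pwdpolicysubentry")
    return sub[0] if sub else default_policy_dn


def audit_policy(policy):
    """(severity, message) findings for one pwdPolicy entry; thresholds are this example's."""
    def get(name, cast=str, default=None):
        values = policy.get(name.lower())
        return cast(values[0]) if values else default

    def flag(name):
        return get(name, str, "FALSE").upper() == "TRUE"

    findings = []
    if get("pwdMinLength", int, 0) < 12:
        findings.append(("warn", "pwdMinLength below 12"))
    if get("pwdCheckQuality", int, 0) < 2:
        findings.append(("warn", "pwdCheckQuality < 2: quality failures are not rejected"))
    if not flag("pwdLockout"):
        findings.append(("high", "pwdLockout FALSE: no brute-force lockout"))
    elif get("pwdMaxFailure", int, 0) == 0:
        findings.append(("high", "pwdLockout TRUE but pwdMaxFailure 0: lockout never triggers"))
    elif get("pwdLockoutDuration", int, 0) == 0:
        findings.append(("info", "pwdLockoutDuration 0: lock lasts until an admin clears pwdAccountLockedTime (lockout DoS)"))
    if get("pwdInHistory", int, 0) == 0:
        findings.append(("warn", "pwdInHistory 0: password reuse is allowed"))
    if get("pwdMaxAge", int, 0) and get("pwdExpireWarning", int, 0) == 0:
        findings.append(("info", "pwdExpireWarning 0: no expiry warning before pwdMaxAge"))
    if not flag("pwdSafeModify"):
        findings.append(("warn", "pwdSafeModify FALSE: old password not required on change"))
    if not flag("pwdMustChange"):
        findings.append(("warn", "pwdMustChange FALSE: reset passwords need not be changed"))
    return findings


def run_audit(ldif_text=SAMPLE_LDIF):
    """Map every non-policy entry to its governing policy DN and that policy's findings."""
    entries = parse_ldif(ldif_text)
    report = {}
    for dn, entry in entries.items():
        if "pwdpolicy" not in [oc.lower() for oc in entry.get("objectclass", [])]:
            policy_dn = effective_policy_dn(entry)
            report[dn] = (policy_dn, audit_policy(entries[policy_dn]))
    return report
```

Run against a real directory, the same logic would take the output of an `ldapsearch` over the policy container and the user base instead of `SAMPLE_LDIF`. The `pwdLockoutDuration` finding is the trade-off to think about: a permanent lock stops online guessing cold, but lets anyone who knows a uid lock that user out with a handful of wrong binds.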
  • 17. Password checker
    – LDAP Tool Box provides a compatible password checker module:
        – Checks against upper case, lower case, digits and punctuation
        – Cracklib support
    – ITS 7412 in OpenLDAP to add this module as a contribution
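The modification checks of slide 9 and the character-class quality rule of slide 17, simulated offline against an in-memory entry, as an added example that is not OpenLDAP or LTB code. It runs the checks in the order the overlay applies them (safe modify, minimum age, length, quality, history) and returns the error name the response control would carry. The {SSHA} helper, the sample policy, the sample entry and the per-class thresholds of `quality_ok` are this example's own (the real `check_password.so` reads its thresholds from a configuration file); the pwdHistory value format `time#syntaxOID#length#data` is the one the draft defines.

```python
import base64
import hashlib
import os
from datetime import datetime, timezone

PW_SYNTAX_OID = "1.3.6.1.4.1.1466.115.121.1.40"   # Octet String syntax, as used in pwdHistory


def ssha(password, salt=None):
    """{SSHA} userPassword value: base64(sha1(password || salt) || salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(password, stored):
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode() + salt).digest() == digest


def quality_ok(password, min_upper=1, min_lower=1, min_digit=1, min_punct=1):
    """Character-class rule in the spirit of check_password.so (assumed thresholds)."""
    counts = {"upper": 0, "lower": 0, "digit": 0, "punct": 0}
    for c in password:
        if c.isupper():
            counts["upper"] += 1
        elif c.islower():
            counts["lower"] += 1
        elif c.isdigit():
            counts["digit"] += 1
        elif not c.isspace():
            counts["punct"] += 1
    return (counts["upper"] >= min_upper and counts["lower"] >= min_lower
            and counts["digit"] >= min_digit and counts["punct"] >= min_punct)


def parse_ldap_time(value):
    """GeneralizedTime as stored in pwdChangedTime, e.g. 20240101120000Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def check_password_modify(policy, entry, old_password, new_password, now):
    """Return the ppolicy error name the response control would carry, or None if accepted."""
    if policy.get("pwdSafeModify") and old_password is None:
        return "mustSupplyOldPassword"
    if old_password is not None and not ssha_verify(old_password, entry["userPassword"]):
        # With pwdSafeModify the change is a delete-old/add-new of userPassword;
        # a wrong old value makes the delete fail before any ppolicy check runs.
        raise ValueError("old password does not match")
    changed = entry.get("pwdChangedTime")
    if policy.get("pwdMinAge", 0) and changed:
        if (now - parse_ldap_time(changed)).total_seconds() < policy["pwdMinAge"]:
            return "passwordTooYoung"
    if len(new_password) < policy.get("pwdMinLength", 0):
        return "passwordTooShort"
    if policy.get("pwdCheckQuality", 0) >= 1 and not quality_ok(new_password):
        return "insufficientPasswordQuality"
    if policy.get("pwdInHistory", 0):
        # The current value and every stored pwdHistory value are compared with the candidate.
        if ssha_verify(new_password, entry["userPassword"]):
            return "passwordInHistory"
        for item in entry.get("pwdHistory", []):
            _time, oid, _length, data = item.split("#", 3)
            if oid == PW_SYNTAX_OID and ssha_verify(new_password, data):
                return "passwordInHistory"
    return None


# Constructed sample: the slide-15 values that matter here, and a user whose
# password was last changed at 12:00 UTC and who used "Old-Pass9!" before.
SAMPLE_POLICY = {"pwdSafeModify": True, "pwdMinAge": 600, "pwdMinLength": 8,
                 "pwdCheckQuality": 2, "pwdInHistory": 10}
OLD_HASH = ssha("Old-Pass9!", salt=b"abcd")
SAMPLE_ENTRY = {
    "userPassword": ssha("Current-Pass1!", salt=b"\x01\x02\x03\x04"),
    "pwdChangedTime": "20240101120000Z",
    "pwdHistory": [f"20230701090000Z#{PW_SYNTAX_OID}#{len(OLD_HASH)}#{OLD_HASH}"],
}
```

The ordering matters for what a user sees: with `pwdMinAge` still running, every candidate is rejected as `passwordTooYoung` before length or quality is even looked at, and a history match is only reported once the candidate has passed the quality checks.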
  • 18. Last authentication time
    – The lastbind overlay is available in the OpenLDAP contributions
    – Provided in the contrib-overlays LTB package
    – Adds the authTimestamp operational attribute
    – Should be replaced by pwdLastSuccess from version 10 of the draft
  • 19. Almost the end...
  • 20. Thanks
    – Special thanks to:
        – LDAPCon!
        – Company LINAGORA
        – All LinID developers
    – Keep in touch:
        – Identica: @coudot
        – Twitter: @clementoudot @LinID_FOSS
        – IRC: KPTN #LinID@freenode
        – Web: http://linid.org
  • 21. Thanks!
