SlideShare a Scribd company logo

[Pass the SALT 2020] Understand password policy in OpenLDAP and discover tools to manage it

Worteks
Worteks

We introduce the password policy standard (IETF Behera draft) and its implementation in OpenLDAP. We then present LDAP Tool Box Service Desk, a simple web application do display user account status and providing functions to check and reset password, lock/unlock account.

1 of 24
Download to read offline
UNDERSTAND PASSWORD POLICY IN OPENLDAP AND DISCOVER TOOLS TO MANAGE IT Pass the SALT 2020
$ ldapwhoami Clément OUDOT Identity Solutions Manager Worteks @clementoudot LemonLDAP::NG LDAP Tool Box LDAP Synchronization Connector FusionIAM W’Sweet KPTN DonJon Legacy Improcité
12/06/2019 3 Password Policy standard
12/06/2019 4 A draft with multiple versions ● Password policy for LDAP is an IETF draft: https://tools.ietf.org/html/draft-behera-ldap-password-poli cy ● First version published in 1999 ● Last version (10) published in 2009, and now expired
12/06/2019 5 Password policy content ● The specification covers: ● LDAP control request and response ● LDAP schema for password policy configuration ● LDAP operationnal attributes for password policy status in user entries ● How to process authentification and password modification requests
12/06/2019 6 Client / Server LDAP Operation + Control 1.3.6.1.4.1.42.2.27.8.5.1 LDAP Operation response + Control response PasswordPolicyResponseValue ::= SEQUENCE { warning [0] CHOICE { timeBeforeExpiration [0] INTEGER (0 .. maxInt), graceAuthNsRemaining [1] INTEGER (0 .. maxInt) } OPTIONAL, error [1] ENUMERATED { passwordExpired (0), accountLocked (1), changeAfterReset (2), passwordModNotAllowed (3), mustSupplyOldPassword (4), insufficientPasswordQuality (5), passwordTooShort (6), passwordTooYoung (7), passwordInHistory (8) } OPTIONAL }
12/06/2019 7 Authentication checks ● Expiration: do not allow authentication if password is expired, or manage authentication graces ● Lock: manage failures counter and do not allow authentication if password is locked ● Force change: allow authentication but force password change ● Warnings: time before expiration and graces remaining
12/06/2019 8 Modification checks ● Password size ● Password minimal age ● Password history ● Password complexity (no details about complexity checks)
12/06/2019 9 Password Policy in OpenLDAP
12/06/2019 10 Overlay ppolicy ● In OpenLDAP 2.4: Behera draft v9 ● In OpenLDAP 2.5: Behera draft v10 ● Major changes between v9 and v10: ● Maximum password size ● Authentication delay ● Idle time ● Validity period
12/06/2019 11 Overlay configuration dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config objectClass: olcOverlayConfig objectClass: olcPPolicyConfig olcOverlay: ppolicy olcPPolicyHashCleartext: TRUE olcPPolicyUseLockout: TRUE olcPPolicyForwardUpdates: FALSE
12/06/2019 12 Password policy configuration ● Each password policy is represented as an LDAP entry using pwdPolicy objectClass ● Possibility to add pwdPolicyChecker objectClass to load a specific module to check password complexity ● LDAP Tool Box project ships an Open Source pwdChecker module named ppm: https://github.com/ltb-project/ppm
12/06/2019 13 Password policy configuration dn: cn=default,ou=ppolicy,dc=example,dc=com objectClass: pwdPolicy objectClass: pwdPolicyChecker objectClass: device objectClass: top cn: default pwdAttribute: userPassword pwdCheckModule: ppm.so pwdAllowUserChange: TRUE pwdMustChange: TRUE pwdSafeModify : FALSE pwdCheckQuality: 2 ... ... pwdLockout: TRUE pwdMaxFailure: 10 pwdFailureCountInterval: 30 pwdLockoutDuration: 600 pwdExpireWarning: 0 pwdMaxAge: 31536000 pwdMinAge: 600 pwdGraceAuthnLimit: 2 pwdMinLength: 8 pwdInHistory: 10
12/06/2019 14 Password policy status in user entry ● Some opertionnal attributes are stored in user entry: ● pwdPolicySubentry: active policy for this user ● pwdChangedTime: last password change date ● pwdAccountLockedTime: lock date. If the value is "000001010000Z", means account is locked permanently ● pwdFailureTime: list of last failure dates ● pwdHistory: history of old password ● pwdGraceUseTime: list of grace dates ● pwdReset: flag to request password change at next login
12/06/2019 15 Overlay lastbind ● Specific overlay to remember last successful bind (operational attribute authTimestamp) ● Overlay configuration : dn: olcOverlay=lastbind,olcDatabase={1}mdb,cn=config objectClass: top objectClass: olcConfig objectClass: olcLastBindConfig objectClass: olcOverlayConfig olcOverlay: lastbind olcLastBindPrecision: 1
12/06/2019 16 Things no one tells you ● Account locking: having a value in pwdAccountLockedTime of a user entry does not mean the user account is locked. Indeed, if current date is greater than lock date and lockout duration, the account is unlocked. The value will be erased at next authentication. ● Password reset: even if password reset is requested, authentication is allowed. OpenLDAP will just limit operations to the password modification, but this has no impact on applications just using OpenLDAP for authentication.
12/06/2019 17
12/06/2019 18 LDAP Tool Box Service Desk
12/06/2019 19 Support your support ● User issues with authentication system is often linked to a lost password, expired password or locked account ● Support team does not have admin access to LDAP directory and do not know how password policy works ● Support team needs to know quickly the account status to give the correct answer to solve the user issue
12/06/2019 20 LDAP Tool Box Service Desk
12/06/2019 21 LDAP Tool Box Service Desk ● Main features: ● Quick search for an account ● View main attributes ● View account and password status ● Test current password ● Reset password and force password change at next connection ● Lock/Unlock account ● Post hook
12/06/2019 22 Want more?
12/06/2019 23 Useful links ● OpenLDAP https://www.openldap.org/ ● LDAP Tool Box https://ltb-project.org ● LDAP Tool Box Service Desk https://github.com/ltb-project/service-desk ● LDAP Tool Box ppm https://github.com/ltb-project/ppm
2424 THANKS info@worteks.com @worteks_com linkedin.com/company/worteks

Recommended

Auth2 and OpenID Connect support in LemonLDAP::NG, OW2online, June 2020
Auth2 and OpenID Connect support in LemonLDAP::NG, OW2online, June 2020Auth2 and OpenID Connect support in LemonLDAP::NG, OW2online, June 2020
Auth2 and OpenID Connect support in LemonLDAP::NG, OW2online, June 2020
OW2
 
[Pass the SALT 2021] Hosting Identity in the Cloud with free softwares
[Pass the SALT 2021] Hosting Identity in the Cloud with free softwares[Pass the SALT 2021] Hosting Identity in the Cloud with free softwares
[Pass the SALT 2021] Hosting Identity in the Cloud with free softwares
Worteks
 
[OW2con'21] Hosting Identity in the Cloud with OW2 free softwares
[OW2con'21] Hosting Identity in the Cloud with OW2 free softwares[OW2con'21] Hosting Identity in the Cloud with OW2 free softwares
[OW2con'21] Hosting Identity in the Cloud with OW2 free softwares
Worteks
 
[POSS 2019] OVirt and Ceph: Perfect Combination.?
[POSS 2019] OVirt and Ceph: Perfect Combination.?[POSS 2019] OVirt and Ceph: Perfect Combination.?
[POSS 2019] OVirt and Ceph: Perfect Combination.?
Worteks
 
Webinar: Message Tracing and Debugging in WSO2 Enterprise Service Bus
Webinar: Message Tracing and Debugging in WSO2 Enterprise Service BusWebinar: Message Tracing and Debugging in WSO2 Enterprise Service Bus
Webinar: Message Tracing and Debugging in WSO2 Enterprise Service Bus
WSO2
 
Introduction to Perl Net::LDAP
Introduction to Perl Net::LDAPIntroduction to Perl Net::LDAP
Introduction to Perl Net::LDAPClément OUDOT
 
RMLL 2013 - Build your LDAP management web interface with LinID Directory Man...
RMLL 2013 - Build your LDAP management web interface with LinID Directory Man...RMLL 2013 - Build your LDAP management web interface with LinID Directory Man...
RMLL 2013 - Build your LDAP management web interface with LinID Directory Man...
Clément OUDOT
 
[FOSDEM 2019] LemonLDAP::NG 2.0
[FOSDEM 2019] LemonLDAP::NG 2.0[FOSDEM 2019] LemonLDAP::NG 2.0
[FOSDEM 2019] LemonLDAP::NG 2.0
Clément OUDOT
 

Recommended

Auth2 and OpenID Connect support in LemonLDAP::NG, OW2online, June 2020
Auth2 and OpenID Connect support in LemonLDAP::NG, OW2online, June 2020Auth2 and OpenID Connect support in LemonLDAP::NG, OW2online, June 2020
Auth2 and OpenID Connect support in LemonLDAP::NG, OW2online, June 2020
OW2
 
[Pass the SALT 2021] Hosting Identity in the Cloud with free softwares
[Pass the SALT 2021] Hosting Identity in the Cloud with free softwares[Pass the SALT 2021] Hosting Identity in the Cloud with free softwares
[Pass the SALT 2021] Hosting Identity in the Cloud with free softwares
Worteks
 
[OW2con'21] Hosting Identity in the Cloud with OW2 free softwares
[OW2con'21] Hosting Identity in the Cloud with OW2 free softwares[OW2con'21] Hosting Identity in the Cloud with OW2 free softwares
[OW2con'21] Hosting Identity in the Cloud with OW2 free softwares
Worteks
 
[POSS 2019] OVirt and Ceph: Perfect Combination.?
[POSS 2019] OVirt and Ceph: Perfect Combination.?[POSS 2019] OVirt and Ceph: Perfect Combination.?
[POSS 2019] OVirt and Ceph: Perfect Combination.?
Worteks
 
Webinar: Message Tracing and Debugging in WSO2 Enterprise Service Bus
Webinar: Message Tracing and Debugging in WSO2 Enterprise Service BusWebinar: Message Tracing and Debugging in WSO2 Enterprise Service Bus
Webinar: Message Tracing and Debugging in WSO2 Enterprise Service Bus
WSO2
 
Introduction to Perl Net::LDAP
Introduction to Perl Net::LDAPIntroduction to Perl Net::LDAP
Introduction to Perl Net::LDAPClément OUDOT
 
RMLL 2013 - Build your LDAP management web interface with LinID Directory Man...
RMLL 2013 - Build your LDAP management web interface with LinID Directory Man...RMLL 2013 - Build your LDAP management web interface with LinID Directory Man...
RMLL 2013 - Build your LDAP management web interface with LinID Directory Man...
Clément OUDOT
 
[FOSDEM 2019] LemonLDAP::NG 2.0
[FOSDEM 2019] LemonLDAP::NG 2.0[FOSDEM 2019] LemonLDAP::NG 2.0
[FOSDEM 2019] LemonLDAP::NG 2.0
Clément OUDOT
 
Manage password policy in OpenLDAP
Manage password policy in OpenLDAPManage password policy in OpenLDAP
Manage password policy in OpenLDAPLDAPCon
 
LDAPCon 2011 - The LemonLDAP::NG Project
LDAPCon 2011 - The LemonLDAP::NG ProjectLDAPCon 2011 - The LemonLDAP::NG Project
LDAPCon 2011 - The LemonLDAP::NG Project
Clément OUDOT
 
The LemonLDAP::NG Project
The LemonLDAP::NG ProjectThe LemonLDAP::NG Project
The LemonLDAP::NG ProjectClément OUDOT
 
Jdll 2010 lemon_ldap-ng_100_preview
Jdll 2010 lemon_ldap-ng_100_previewJdll 2010 lemon_ldap-ng_100_preview
Jdll 2010 lemon_ldap-ng_100_previewClément OUDOT
 
Nagios Conference 2011 - Kimbrough Henley - Using Nagios To Monitor ServiceDesk
Nagios Conference 2011 - Kimbrough Henley - Using Nagios To Monitor ServiceDeskNagios Conference 2011 - Kimbrough Henley - Using Nagios To Monitor ServiceDesk
Nagios Conference 2011 - Kimbrough Henley - Using Nagios To Monitor ServiceDesk
Nagios
 
Using Vault to decouple MySQL Secrets
Using Vault to decouple MySQL SecretsUsing Vault to decouple MySQL Secrets
Using Vault to decouple MySQL Secrets
Derek Downey
 
Deploy your Multi-tier Application in Cloud Foundry
Deploy your Multi-tier Application in Cloud FoundryDeploy your Multi-tier Application in Cloud Foundry
Deploy your Multi-tier Application in Cloud Foundry
cornelia davis
 
Advanced Monitoring for Amazon RDS - AWS 4D Event Manchester 16th June 2023
Advanced Monitoring for Amazon RDS - AWS 4D Event Manchester 16th June 2023Advanced Monitoring for Amazon RDS - AWS 4D Event Manchester 16th June 2023
Advanced Monitoring for Amazon RDS - AWS 4D Event Manchester 16th June 2023
Matt Houghton
 
Online Upgrade Using Logical Replication
Online Upgrade Using Logical Replication Online Upgrade Using Logical Replication
Online Upgrade Using Logical Replication
EDB
 
Single Sign On Across Drupal 8 - DrupalCon Global 2020
Single Sign On Across Drupal 8 - DrupalCon Global 2020Single Sign On Across Drupal 8 - DrupalCon Global 2020
Single Sign On Across Drupal 8 - DrupalCon Global 2020
Iwantha Lekamge
 
Practical-LDAP-and-Linux
Practical-LDAP-and-LinuxPractical-LDAP-and-Linux
Practical-LDAP-and-LinuxBalaji Ravi
 
MongoDB World 2019: MongoDB Implementation at T-Mobile
MongoDB World 2019: MongoDB Implementation at T-MobileMongoDB World 2019: MongoDB Implementation at T-Mobile
MongoDB World 2019: MongoDB Implementation at T-Mobile
MongoDB
 
Security practices in OpenShift
Security practices in OpenShiftSecurity practices in OpenShift
Security practices in OpenShift
Nenad Bogojevic
 
OIDF Workshop at Verizon Media -- 9/30/2019 -- FastFed Working Group Update
OIDF Workshop at Verizon Media -- 9/30/2019 -- FastFed Working Group UpdateOIDF Workshop at Verizon Media -- 9/30/2019 -- FastFed Working Group Update
OIDF Workshop at Verizon Media -- 9/30/2019 -- FastFed Working Group Update
OpenIDFoundation
 
Best Practices in Security with PostgreSQL
Best Practices in Security with PostgreSQLBest Practices in Security with PostgreSQL
Best Practices in Security with PostgreSQL
EDB
 
5675212318661411677_TRN4034_How_to_Migrate_to_Oracle_Autonomous_Database_Clou...
5675212318661411677_TRN4034_How_to_Migrate_to_Oracle_Autonomous_Database_Clou...5675212318661411677_TRN4034_How_to_Migrate_to_Oracle_Autonomous_Database_Clou...
5675212318661411677_TRN4034_How_to_Migrate_to_Oracle_Autonomous_Database_Clou...
NomanKhalid56
 
ivanova-samba_backend.pdf
ivanova-samba_backend.pdfivanova-samba_backend.pdf
ivanova-samba_backend.pdf
OrlandoJesusFigueroa
 
Enhancing the default MongoDB Security
Enhancing the default MongoDB SecurityEnhancing the default MongoDB Security
Enhancing the default MongoDB Security
Igor Donchovski
 
b04-DataflowArchitecture.pdf
b04-DataflowArchitecture.pdfb04-DataflowArchitecture.pdf
b04-DataflowArchitecture.pdf
RAJA RAY
 
Best Practices in Security with PostgreSQL
Best Practices in Security with PostgreSQLBest Practices in Security with PostgreSQL
Best Practices in Security with PostgreSQL
EDB
 
[Open Source Experience 2021] Une infrastructure Cloud et une solution IDaaS ...
[Open Source Experience 2021] Une infrastructure Cloud et une solution IDaaS ...[Open Source Experience 2021] Une infrastructure Cloud et une solution IDaaS ...
[Open Source Experience 2021] Une infrastructure Cloud et une solution IDaaS ...
Worteks
 
[Identity Days 2021] W'IDaaS - Identity as a Service
[Identity Days 2021] W'IDaaS - Identity as a Service[Identity Days 2021] W'IDaaS - Identity as a Service
[Identity Days 2021] W'IDaaS - Identity as a Service
Worteks
 

More Related Content

Similar to [Pass the SALT 2020] Understand password policy in OpenLDAP and discover tools to manage it

Manage password policy in OpenLDAP
Manage password policy in OpenLDAPManage password policy in OpenLDAP
Manage password policy in OpenLDAPLDAPCon
 
LDAPCon 2011 - The LemonLDAP::NG Project
LDAPCon 2011 - The LemonLDAP::NG ProjectLDAPCon 2011 - The LemonLDAP::NG Project
LDAPCon 2011 - The LemonLDAP::NG Project
Clément OUDOT
 
The LemonLDAP::NG Project
The LemonLDAP::NG ProjectThe LemonLDAP::NG Project
The LemonLDAP::NG ProjectClément OUDOT
 
Jdll 2010 lemon_ldap-ng_100_preview
Jdll 2010 lemon_ldap-ng_100_previewJdll 2010 lemon_ldap-ng_100_preview
Jdll 2010 lemon_ldap-ng_100_previewClément OUDOT
 
Nagios Conference 2011 - Kimbrough Henley - Using Nagios To Monitor ServiceDesk
Nagios Conference 2011 - Kimbrough Henley - Using Nagios To Monitor ServiceDeskNagios Conference 2011 - Kimbrough Henley - Using Nagios To Monitor ServiceDesk
Nagios Conference 2011 - Kimbrough Henley - Using Nagios To Monitor ServiceDesk
Nagios
 
Using Vault to decouple MySQL Secrets
Using Vault to decouple MySQL SecretsUsing Vault to decouple MySQL Secrets
Using Vault to decouple MySQL Secrets
Derek Downey
 
Deploy your Multi-tier Application in Cloud Foundry
Deploy your Multi-tier Application in Cloud FoundryDeploy your Multi-tier Application in Cloud Foundry
Deploy your Multi-tier Application in Cloud Foundry
cornelia davis
 
Advanced Monitoring for Amazon RDS - AWS 4D Event Manchester 16th June 2023
Advanced Monitoring for Amazon RDS - AWS 4D Event Manchester 16th June 2023Advanced Monitoring for Amazon RDS - AWS 4D Event Manchester 16th June 2023
Advanced Monitoring for Amazon RDS - AWS 4D Event Manchester 16th June 2023
Matt Houghton
 
Online Upgrade Using Logical Replication
Online Upgrade Using Logical Replication Online Upgrade Using Logical Replication
Online Upgrade Using Logical Replication
EDB
 
Single Sign On Across Drupal 8 - DrupalCon Global 2020
Single Sign On Across Drupal 8 - DrupalCon Global 2020Single Sign On Across Drupal 8 - DrupalCon Global 2020
Single Sign On Across Drupal 8 - DrupalCon Global 2020
Iwantha Lekamge
 
Practical-LDAP-and-Linux
Practical-LDAP-and-LinuxPractical-LDAP-and-Linux
Practical-LDAP-and-LinuxBalaji Ravi
 
MongoDB World 2019: MongoDB Implementation at T-Mobile
MongoDB World 2019: MongoDB Implementation at T-MobileMongoDB World 2019: MongoDB Implementation at T-Mobile
MongoDB World 2019: MongoDB Implementation at T-Mobile
MongoDB
 
Security practices in OpenShift
Security practices in OpenShiftSecurity practices in OpenShift
Security practices in OpenShift
Nenad Bogojevic
 
OIDF Workshop at Verizon Media -- 9/30/2019 -- FastFed Working Group Update
OIDF Workshop at Verizon Media -- 9/30/2019 -- FastFed Working Group UpdateOIDF Workshop at Verizon Media -- 9/30/2019 -- FastFed Working Group Update
OIDF Workshop at Verizon Media -- 9/30/2019 -- FastFed Working Group Update
OpenIDFoundation
 
Best Practices in Security with PostgreSQL
Best Practices in Security with PostgreSQLBest Practices in Security with PostgreSQL
Best Practices in Security with PostgreSQL
EDB
 
5675212318661411677_TRN4034_How_to_Migrate_to_Oracle_Autonomous_Database_Clou...
5675212318661411677_TRN4034_How_to_Migrate_to_Oracle_Autonomous_Database_Clou...5675212318661411677_TRN4034_How_to_Migrate_to_Oracle_Autonomous_Database_Clou...
5675212318661411677_TRN4034_How_to_Migrate_to_Oracle_Autonomous_Database_Clou...
NomanKhalid56
 
ivanova-samba_backend.pdf
ivanova-samba_backend.pdfivanova-samba_backend.pdf
ivanova-samba_backend.pdf
OrlandoJesusFigueroa
 
Enhancing the default MongoDB Security
Enhancing the default MongoDB SecurityEnhancing the default MongoDB Security
Enhancing the default MongoDB Security
Igor Donchovski
 
b04-DataflowArchitecture.pdf
b04-DataflowArchitecture.pdfb04-DataflowArchitecture.pdf
b04-DataflowArchitecture.pdf
RAJA RAY
 
Best Practices in Security with PostgreSQL
Best Practices in Security with PostgreSQLBest Practices in Security with PostgreSQL
Best Practices in Security with PostgreSQL
EDB
 

Similar to [Pass the SALT 2020] Understand password policy in OpenLDAP and discover tools to manage it (20)

Manage password policy in OpenLDAP
Manage password policy in OpenLDAPManage password policy in OpenLDAP
Manage password policy in OpenLDAP
 
LDAPCon 2011 - The LemonLDAP::NG Project
LDAPCon 2011 - The LemonLDAP::NG ProjectLDAPCon 2011 - The LemonLDAP::NG Project
LDAPCon 2011 - The LemonLDAP::NG Project
 
The LemonLDAP::NG Project
The LemonLDAP::NG ProjectThe LemonLDAP::NG Project
The LemonLDAP::NG Project
 
Jdll 2010 lemon_ldap-ng_100_preview
Jdll 2010 lemon_ldap-ng_100_previewJdll 2010 lemon_ldap-ng_100_preview
Jdll 2010 lemon_ldap-ng_100_preview
 
Nagios Conference 2011 - Kimbrough Henley - Using Nagios To Monitor ServiceDesk
Nagios Conference 2011 - Kimbrough Henley - Using Nagios To Monitor ServiceDeskNagios Conference 2011 - Kimbrough Henley - Using Nagios To Monitor ServiceDesk
Nagios Conference 2011 - Kimbrough Henley - Using Nagios To Monitor ServiceDesk
 
Using Vault to decouple MySQL Secrets
Using Vault to decouple MySQL SecretsUsing Vault to decouple MySQL Secrets
Using Vault to decouple MySQL Secrets
 
Deploy your Multi-tier Application in Cloud Foundry
Deploy your Multi-tier Application in Cloud FoundryDeploy your Multi-tier Application in Cloud Foundry
Deploy your Multi-tier Application in Cloud Foundry
 
Advanced Monitoring for Amazon RDS - AWS 4D Event Manchester 16th June 2023
Advanced Monitoring for Amazon RDS - AWS 4D Event Manchester 16th June 2023Advanced Monitoring for Amazon RDS - AWS 4D Event Manchester 16th June 2023
Advanced Monitoring for Amazon RDS - AWS 4D Event Manchester 16th June 2023
 
Online Upgrade Using Logical Replication
Online Upgrade Using Logical Replication Online Upgrade Using Logical Replication
Online Upgrade Using Logical Replication
 
Single Sign On Across Drupal 8 - DrupalCon Global 2020
Single Sign On Across Drupal 8 - DrupalCon Global 2020Single Sign On Across Drupal 8 - DrupalCon Global 2020
Single Sign On Across Drupal 8 - DrupalCon Global 2020
 
Practical-LDAP-and-Linux
Practical-LDAP-and-LinuxPractical-LDAP-and-Linux
Practical-LDAP-and-Linux
 
MongoDB World 2019: MongoDB Implementation at T-Mobile
MongoDB World 2019: MongoDB Implementation at T-MobileMongoDB World 2019: MongoDB Implementation at T-Mobile
MongoDB World 2019: MongoDB Implementation at T-Mobile
 
Security practices in OpenShift
Security practices in OpenShiftSecurity practices in OpenShift
Security practices in OpenShift
 
OIDF Workshop at Verizon Media -- 9/30/2019 -- FastFed Working Group Update
OIDF Workshop at Verizon Media -- 9/30/2019 -- FastFed Working Group UpdateOIDF Workshop at Verizon Media -- 9/30/2019 -- FastFed Working Group Update
OIDF Workshop at Verizon Media -- 9/30/2019 -- FastFed Working Group Update
 
Best Practices in Security with PostgreSQL
Best Practices in Security with PostgreSQLBest Practices in Security with PostgreSQL
Best Practices in Security with PostgreSQL
 
5675212318661411677_TRN4034_How_to_Migrate_to_Oracle_Autonomous_Database_Clou...
5675212318661411677_TRN4034_How_to_Migrate_to_Oracle_Autonomous_Database_Clou...5675212318661411677_TRN4034_How_to_Migrate_to_Oracle_Autonomous_Database_Clou...
5675212318661411677_TRN4034_How_to_Migrate_to_Oracle_Autonomous_Database_Clou...
 
ivanova-samba_backend.pdf
ivanova-samba_backend.pdfivanova-samba_backend.pdf
ivanova-samba_backend.pdf
 
Enhancing the default MongoDB Security
Enhancing the default MongoDB SecurityEnhancing the default MongoDB Security
Enhancing the default MongoDB Security
 
b04-DataflowArchitecture.pdf
b04-DataflowArchitecture.pdfb04-DataflowArchitecture.pdf
b04-DataflowArchitecture.pdf
 
Best Practices in Security with PostgreSQL
Best Practices in Security with PostgreSQLBest Practices in Security with PostgreSQL
Best Practices in Security with PostgreSQL
 

More from Worteks

[Open Source Experience 2021] Une infrastructure Cloud et une solution IDaaS ...
[Open Source Experience 2021] Une infrastructure Cloud et une solution IDaaS ...[Open Source Experience 2021] Une infrastructure Cloud et une solution IDaaS ...
[Open Source Experience 2021] Une infrastructure Cloud et une solution IDaaS ...
Worteks
 
[Identity Days 2021] W'IDaaS - Identity as a Service
[Identity Days 2021] W'IDaaS - Identity as a Service[Identity Days 2021] W'IDaaS - Identity as a Service
[Identity Days 2021] W'IDaaS - Identity as a Service
Worteks
 
[Identity Days 2021] Quel avenir pour OpenLDAP ?
[Identity Days 2021] Quel avenir pour OpenLDAP ?[Identity Days 2021] Quel avenir pour OpenLDAP ?
[Identity Days 2021] Quel avenir pour OpenLDAP ?
Worteks
 
[AFUP Lyon 2021] LDAP Tool Box Self Service Password
[AFUP Lyon 2021] LDAP Tool Box Self Service Password[AFUP Lyon 2021] LDAP Tool Box Self Service Password
[AFUP Lyon 2021] LDAP Tool Box Self Service Password
Worteks
 
[OpenDay 2021] Logiciel libre, entreprises et modèles économiques
[OpenDay 2021] Logiciel libre, entreprises et modèles économiques[OpenDay 2021] Logiciel libre, entreprises et modèles économiques
[OpenDay 2021] Logiciel libre, entreprises et modèles économiques
Worteks
 
[Campus du Libre 2020] Présentation de la solution W'Sweet
[Campus du Libre 2020] Présentation de la solution W'Sweet[Campus du Libre 2020] Présentation de la solution W'Sweet
[Campus du Libre 2020] Présentation de la solution W'Sweet
Worteks
 
[Identity Days 2020] Politique des mots de passe des annuaires LDAP et outils...
[Identity Days 2020] Politique des mots de passe des annuaires LDAP et outils...[Identity Days 2020] Politique des mots de passe des annuaires LDAP et outils...
[Identity Days 2020] Politique des mots de passe des annuaires LDAP et outils...
Worteks
 
[Université Lyon 1] Exemples de logiciels libres : LemonLDAP::NG et W'Sweet
[Université Lyon 1] Exemples de logiciels libres : LemonLDAP::NG et W'Sweet[Université Lyon 1] Exemples de logiciels libres : LemonLDAP::NG et W'Sweet
[Université Lyon 1] Exemples de logiciels libres : LemonLDAP::NG et W'Sweet
Worteks
 
[OW2online 2020] LDAP Synchronization Connector
[OW2online 2020] LDAP Synchronization Connector[OW2online 2020] LDAP Synchronization Connector
[OW2online 2020] LDAP Synchronization Connector
Worteks
 
[Aperhologramme 2020] Comment faire du logiciel libre ?
[Aperhologramme 2020] Comment faire du logiciel libre ?[Aperhologramme 2020] Comment faire du logiciel libre ?
[Aperhologramme 2020] Comment faire du logiciel libre ?
Worteks
 
[POSS 2019] MicroServices authentication and authorization with LemonLDAP::NG
[POSS 2019] MicroServices authentication and authorization with LemonLDAP::NG[POSS 2019] MicroServices authentication and authorization with LemonLDAP::NG
[POSS 2019] MicroServices authentication and authorization with LemonLDAP::NG
Worteks
 
[POSS 2019] TLS for Dummies
[POSS 2019] TLS for Dummies[POSS 2019] TLS for Dummies
[POSS 2019] TLS for Dummies
Worteks
 
[POSS 2019] Learn AWK in 15 minutes
[POSS 2019] Learn AWK in 15 minutes[POSS 2019] Learn AWK in 15 minutes
[POSS 2019] Learn AWK in 15 minutes
Worteks
 
[LDAPCon 2019] LemonLDAP::NG 2.0: Mutli-factor authentication, Identity Feder...
[LDAPCon 2019] LemonLDAP::NG 2.0: Mutli-factor authentication, Identity Feder...[LDAPCon 2019] LemonLDAP::NG 2.0: Mutli-factor authentication, Identity Feder...
[LDAPCon 2019] LemonLDAP::NG 2.0: Mutli-factor authentication, Identity Feder...
Worteks
 
[LDAPCon 2019] The FusionIAM initiative
[LDAPCon 2019] The FusionIAM initiative[LDAPCon 2019] The FusionIAM initiative
[LDAPCon 2019] The FusionIAM initiative
Worteks
 
[Identity Days 2019] Maîtrisez les accès à vos applications Web (Cloud et On...
[Identity Days 2019] Maîtrisez les accès à vos applications Web (Cloud et On...[Identity Days 2019] Maîtrisez les accès à vos applications Web (Cloud et On...
[Identity Days 2019] Maîtrisez les accès à vos applications Web (Cloud et On...
Worteks
 
[RedHat Forum 2019] REX - COMMENT MONTER UNE OFFRE DE CLOUD EN MARQUE BLANCHE...
[RedHat Forum 2019] REX - COMMENT MONTER UNE OFFRE DE CLOUD EN MARQUE BLANCHE...[RedHat Forum 2019] REX - COMMENT MONTER UNE OFFRE DE CLOUD EN MARQUE BLANCHE...
[RedHat Forum 2019] REX - COMMENT MONTER UNE OFFRE DE CLOUD EN MARQUE BLANCHE...
Worteks
 
[OW2con19] LemonLDAP::NG success stories
[OW2con19] LemonLDAP::NG success stories[OW2con19] LemonLDAP::NG success stories
[OW2con19] LemonLDAP::NG success stories
Worteks
 
[BlueMindSummit] Présentation de la solution W'Sweet
[BlueMindSummit] Présentation de la solution W'Sweet[BlueMindSummit] Présentation de la solution W'Sweet
[BlueMindSummit] Présentation de la solution W'Sweet
Worteks
 
[FOSDEM 2019] LemonLDAP::NG 2.0
[FOSDEM 2019] LemonLDAP::NG 2.0[FOSDEM 2019] LemonLDAP::NG 2.0
[FOSDEM 2019] LemonLDAP::NG 2.0
Worteks
 

More from Worteks (20)

[Open Source Experience 2021] Une infrastructure Cloud et une solution IDaaS ...
[Open Source Experience 2021] Une infrastructure Cloud et une solution IDaaS ...[Open Source Experience 2021] Une infrastructure Cloud et une solution IDaaS ...
[Open Source Experience 2021] Une infrastructure Cloud et une solution IDaaS ...
 
[Identity Days 2021] W'IDaaS - Identity as a Service
[Identity Days 2021] W'IDaaS - Identity as a Service[Identity Days 2021] W'IDaaS - Identity as a Service
[Identity Days 2021] W'IDaaS - Identity as a Service
 
[Identity Days 2021] Quel avenir pour OpenLDAP ?
[Identity Days 2021] Quel avenir pour OpenLDAP ?[Identity Days 2021] Quel avenir pour OpenLDAP ?
[Identity Days 2021] Quel avenir pour OpenLDAP ?
 
[AFUP Lyon 2021] LDAP Tool Box Self Service Password
[AFUP Lyon 2021] LDAP Tool Box Self Service Password[AFUP Lyon 2021] LDAP Tool Box Self Service Password
[AFUP Lyon 2021] LDAP Tool Box Self Service Password
 
[OpenDay 2021] Logiciel libre, entreprises et modèles économiques
[OpenDay 2021] Logiciel libre, entreprises et modèles économiques[OpenDay 2021] Logiciel libre, entreprises et modèles économiques
[OpenDay 2021] Logiciel libre, entreprises et modèles économiques
 
[Campus du Libre 2020] Présentation de la solution W'Sweet
[Campus du Libre 2020] Présentation de la solution W'Sweet[Campus du Libre 2020] Présentation de la solution W'Sweet
[Campus du Libre 2020] Présentation de la solution W'Sweet
 
[Identity Days 2020] Politique des mots de passe des annuaires LDAP et outils...
[Identity Days 2020] Politique des mots de passe des annuaires LDAP et outils...[Identity Days 2020] Politique des mots de passe des annuaires LDAP et outils...
[Identity Days 2020] Politique des mots de passe des annuaires LDAP et outils...
 
[Université Lyon 1] Exemples de logiciels libres : LemonLDAP::NG et W'Sweet
[Université Lyon 1] Exemples de logiciels libres : LemonLDAP::NG et W'Sweet[Université Lyon 1] Exemples de logiciels libres : LemonLDAP::NG et W'Sweet
[Université Lyon 1] Exemples de logiciels libres : LemonLDAP::NG et W'Sweet
 
[OW2online 2020] LDAP Synchronization Connector
[OW2online 2020] LDAP Synchronization Connector[OW2online 2020] LDAP Synchronization Connector
[OW2online 2020] LDAP Synchronization Connector
 
[Aperhologramme 2020] Comment faire du logiciel libre ?
[Aperhologramme 2020] Comment faire du logiciel libre ?[Aperhologramme 2020] Comment faire du logiciel libre ?
[Aperhologramme 2020] Comment faire du logiciel libre ?
 
[POSS 2019] MicroServices authentication and authorization with LemonLDAP::NG
[POSS 2019] MicroServices authentication and authorization with LemonLDAP::NG[POSS 2019] MicroServices authentication and authorization with LemonLDAP::NG
[POSS 2019] MicroServices authentication and authorization with LemonLDAP::NG
 
[POSS 2019] TLS for Dummies
[POSS 2019] TLS for Dummies[POSS 2019] TLS for Dummies
[POSS 2019] TLS for Dummies
 
[POSS 2019] Learn AWK in 15 minutes
[POSS 2019] Learn AWK in 15 minutes[POSS 2019] Learn AWK in 15 minutes
[POSS 2019] Learn AWK in 15 minutes
 
[LDAPCon 2019] LemonLDAP::NG 2.0: Mutli-factor authentication, Identity Feder...
[LDAPCon 2019] LemonLDAP::NG 2.0: Mutli-factor authentication, Identity Feder...[LDAPCon 2019] LemonLDAP::NG 2.0: Mutli-factor authentication, Identity Feder...
[LDAPCon 2019] LemonLDAP::NG 2.0: Mutli-factor authentication, Identity Feder...
 
[LDAPCon 2019] The FusionIAM initiative
[LDAPCon 2019] The FusionIAM initiative[LDAPCon 2019] The FusionIAM initiative
[LDAPCon 2019] The FusionIAM initiative
 
[Identity Days 2019] Maîtrisez les accès à vos applications Web (Cloud et On...
[Identity Days 2019] Maîtrisez les accès à vos applications Web (Cloud et On...[Identity Days 2019] Maîtrisez les accès à vos applications Web (Cloud et On...
[Identity Days 2019] Maîtrisez les accès à vos applications Web (Cloud et On...
 
[RedHat Forum 2019] REX - COMMENT MONTER UNE OFFRE DE CLOUD EN MARQUE BLANCHE...
[RedHat Forum 2019] REX - COMMENT MONTER UNE OFFRE DE CLOUD EN MARQUE BLANCHE...[RedHat Forum 2019] REX - COMMENT MONTER UNE OFFRE DE CLOUD EN MARQUE BLANCHE...
[RedHat Forum 2019] REX - COMMENT MONTER UNE OFFRE DE CLOUD EN MARQUE BLANCHE...
 
[OW2con19] LemonLDAP::NG success stories
[OW2con19] LemonLDAP::NG success stories[OW2con19] LemonLDAP::NG success stories
[OW2con19] LemonLDAP::NG success stories
 
[BlueMindSummit] Présentation de la solution W'Sweet
[BlueMindSummit] Présentation de la solution W'Sweet[BlueMindSummit] Présentation de la solution W'Sweet
[BlueMindSummit] Présentation de la solution W'Sweet
 
[FOSDEM 2019] LemonLDAP::NG 2.0
[FOSDEM 2019] LemonLDAP::NG 2.0[FOSDEM 2019] LemonLDAP::NG 2.0
[FOSDEM 2019] LemonLDAP::NG 2.0
 

Recently uploaded

Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
CatarinaPereira64715
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
Product School
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
Cheryl Hung
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
Bhaskar Mitra
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
Elena Simperl
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
Abida Shariff
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Product School
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
DianaGray10
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
RTTS
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
Thijs Feryn
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
Frank van Harmelen
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Thierry Lestable
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
Alison B. Lowndes
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
Product School
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 

Recently uploaded (20)

Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 

[Pass the SALT 2020] Understand password policy in OpenLDAP and discover tools to manage it

  • 1. UNDERSTAND PASSWORD POLICY IN OPENLDAP AND DISCOVER TOOLS TO MANAGE IT Pass the SALT 2020
  • 2. $ ldapwhoami Clément OUDOT Identity Solutions Manager Worteks @clementoudot LemonLDAP::NG LDAP Tool Box LDAP Synchronization Connector FusionIAM W’Sweet KPTN DonJon Legacy Improcité
  • 4. 12/06/2019 4 A draft with multiple versions ● Password policy for LDAP is an IETF draft: https://tools.ietf.org/html/draft-behera-ldap-password-poli cy ● First version published in 1999 ● Last version (10) published in 2009, and now expired
  • 5. 12/06/2019 5 Password policy content ● The specification covers: ● LDAP control request and response ● LDAP schema for password policy configuration ● LDAP operationnal attributes for password policy status in user entries ● How to process authentification and password modification requests
  • 6. 12/06/2019 6 Client / Server LDAP Operation + Control 1.3.6.1.4.1.42.2.27.8.5.1 LDAP Operation response + Control response PasswordPolicyResponseValue ::= SEQUENCE { warning [0] CHOICE { timeBeforeExpiration [0] INTEGER (0 .. maxInt), graceAuthNsRemaining [1] INTEGER (0 .. maxInt) } OPTIONAL, error [1] ENUMERATED { passwordExpired (0), accountLocked (1), changeAfterReset (2), passwordModNotAllowed (3), mustSupplyOldPassword (4), insufficientPasswordQuality (5), passwordTooShort (6), passwordTooYoung (7), passwordInHistory (8) } OPTIONAL }
  • 7. 12/06/2019 7 Authentication checks ● Expiration: do not allow authentication if password is expired, or manage authentication graces ● Lock: manage failures counter and do not allow authentication if password is locked ● Force change: allow authentication but force password change ● Warnings: time before expiration and graces remaining
  • 8. 12/06/2019 8 Modification checks ● Password size ● Password minimal age ● Password history ● Password complexity (no details about complexity checks)
  • 10. 12/06/2019 10 Overlay ppolicy ● In OpenLDAP 2.4: Behera draft v9 ● In OpenLDAP 2.5: Behera draft v10 ● Major changes between v9 and v10: ● Maximum password size ● Authentication delay ● Idle time ● Validity period
  • 11. 12/06/2019 11 Overlay configuration dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config objectClass: olcOverlayConfig objectClass: olcPPolicyConfig olcOverlay: ppolicy olcPPolicyHashCleartext: TRUE olcPPolicyUseLockout: TRUE olcPPolicyForwardUpdates: FALSE
  • 12. 12/06/2019 12 Password policy configuration ● Each password policy is represented as an LDAP entry using pwdPolicy objectClass ● Possibility to add pwdPolicyChecker objectClass to load a specific module to check password complexity ● LDAP Tool Box project ships an Open Source pwdChecker module named ppm: https://github.com/ltb-project/ppm
  • 13. 12/06/2019 13 Password policy configuration dn: cn=default,ou=ppolicy,dc=example,dc=com objectClass: pwdPolicy objectClass: pwdPolicyChecker objectClass: device objectClass: top cn: default pwdAttribute: userPassword pwdCheckModule: ppm.so pwdAllowUserChange: TRUE pwdMustChange: TRUE pwdSafeModify : FALSE pwdCheckQuality: 2 ... ... pwdLockout: TRUE pwdMaxFailure: 10 pwdFailureCountInterval: 30 pwdLockoutDuration: 600 pwdExpireWarning: 0 pwdMaxAge: 31536000 pwdMinAge: 600 pwdGraceAuthnLimit: 2 pwdMinLength: 8 pwdInHistory: 10
  • 14. 12/06/2019 14 Password policy status in user entry ● Some opertionnal attributes are stored in user entry: ● pwdPolicySubentry: active policy for this user ● pwdChangedTime: last password change date ● pwdAccountLockedTime: lock date. If the value is "000001010000Z", means account is locked permanently ● pwdFailureTime: list of last failure dates ● pwdHistory: history of old password ● pwdGraceUseTime: list of grace dates ● pwdReset: flag to request password change at next login
  • 15. 12/06/2019 15 Overlay lastbind ● Specific overlay to remember last successful bind (operational attribute authTimestamp) ● Overlay configuration : dn: olcOverlay=lastbind,olcDatabase={1}mdb,cn=config objectClass: top objectClass: olcConfig objectClass: olcLastBindConfig objectClass: olcOverlayConfig olcOverlay: lastbind olcLastBindPrecision: 1
  • 16. 12/06/2019 16 Things no one tells you ● Account locking: having a value in pwdAccountLockedTime of a user entry does not mean the user account is locked. Indeed, if current date is greater than lock date and lockout duration, the account is unlocked. The value will be erased at next authentication. ● Password reset: even if password reset is requested, authentication is allowed. OpenLDAP will just limit operations to the password modification, but this has no impact on applications just using OpenLDAP for authentication.
  • 18. 12/06/2019 18 LDAP Tool Box Service Desk
  • 19. 12/06/2019 19 Support your support ● User issues with authentication system is often linked to a lost password, expired password or locked account ● Support team does not have admin access to LDAP directory and do not know how password policy works ● Support team needs to know quickly the account status to give the correct answer to solve the user issue
  • 20. 12/06/2019 20 LDAP Tool Box Service Desk
  • 21. 12/06/2019 21 LDAP Tool Box Service Desk ● Main features: ● Quick search for an account ● View main attributes ● View account and password status ● Test current password ● Reset password and force password change at next connection ● Lock/Unlock account ● Post hook
  • 23. 12/06/2019 23 Useful links ● OpenLDAP https://www.openldap.org/ ● LDAP Tool Box https://ltb-project.org ● LDAP Tool Box Service Desk https://github.com/ltb-project/service-desk ● LDAP Tool Box ppm https://github.com/ltb-project/ppm