go-ldap / ldap

Basic LDAP v3 functionality for the GO programming language.

How to keep the password policy clear after calling the PasswordModify method #517

Closed eryajf closed 1 month ago

eryajf commented 1 month ago

My user's default password policy is clear. When I change the password using the PasswordModify method, it will automatically change to ssha. How can I keep it clear?

cpuschma commented 1 month ago

Pardon? Can you elaborate and post some of the code please?

eryajf commented 1 month ago

The one user's password policy is:

Now, I use this func to change the user password:

func ModifyUserPassword(dn, oldpasswd, newpasswd string) (string, error) {
    passModify := ldap.NewPasswordModifyRequest(
        dn,
        oldpasswd,
        newpasswd)
    result, err := InitCli().PasswordModify(passModify)
    if err != nil {
        return "", err
    }
    return result.GeneratedPassword, nil
}

After changing the password, the password policy changed to ssha:

I saw that this project can specify a policy when changing passwords. How should go-ldap also support specifying password policies? See: Password policy

cpuschma commented 1 month ago

The project you're referring to is written in PHP. I don't know where self-service-password is getting its information from regarding the "policy", but you're better off asking this question in their repository, as we can't answer that.

eryajf commented 1 month ago

The mention of self-service-password is to demonstrate the feasibility of specifying password policies when changing passwords.

I am currently using go-ldap to change the user's password, but the password policy will change. I would like to point out that this is a question for go-ldap, and I hope to find an answer here.

vetinari commented 1 month ago

"You can use these schemes to hash the password before sending it to LDAP directory:" (quote from the page you linked)...

These are two different things:

johnweldon commented 1 month ago

Specifically, the make_password function takes the $hash method and produces the $password bytes that are sent through the LDAP connection; this seems to be outside of the LDAP library and/or protocol completely.

This is something that you'd need to take up with the maintainers of self-service-password.
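As an added example (not code from the thread, from go-ldap or from self-service-password), this is the client-side step vetinari and johnweldon are describing: the client produces an {SSHA} userPassword value itself and writes that attribute, instead of sending the cleartext through the PasswordModify exop and letting the server pick the storage scheme. It uses only the Go standard library; the go-ldap Modify call it would feed is noted in a comment, and the salt parameter exists so the result is checkable.

```go
package main

import (
	"crypto/rand"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"strings"
)

// SSHAPassword builds an OpenLDAP-style {SSHA} userPassword value:
// "{SSHA}" + base64(sha1(clear || salt) || salt). This is what a
// client-side "make_password"-style step produces for the ssha scheme.
func SSHAPassword(clear string, salt []byte) string {
	h := sha1.New()
	h.Write([]byte(clear))
	h.Write(salt)
	return "{SSHA}" + base64.StdEncoding.EncodeToString(append(h.Sum(nil), salt...))
}

// newSalt returns a random 4-byte salt for SSHAPassword (the length slapd
// uses; any length works, because the verifier recovers it from the tail).
func newSalt() ([]byte, error) {
	salt := make([]byte, 4)
	_, err := rand.Read(salt)
	return salt, err
}

// VerifySSHA checks a cleartext candidate against a stored {SSHA} value the
// way a server does: re-hash with the salt carried in the value and compare.
func VerifySSHA(stored, clear string) bool {
	if !strings.HasPrefix(stored, "{SSHA}") {
		return false
	}
	raw, err := base64.StdEncoding.DecodeString(stored[len("{SSHA}"):])
	if err != nil || len(raw) <= sha1.Size {
		return false
	}
	digest, salt := raw[:sha1.Size], raw[sha1.Size:]
	h := sha1.New()
	h.Write([]byte(clear))
	h.Write(salt)
	return subtle.ConstantTimeCompare(digest, h.Sum(nil)) == 1
}

func main() {
	salt, _ := newSalt()
	v := SSHAPassword("correct horse", salt)
	fmt.Println(v, VerifySSHA(v, "correct horse"))
	// With go-ldap this value would be written with a plain Modify, e.g.
	// ldap.NewModifyRequest(dn, nil).Replace("userPassword", []string{v}),
	// whereas PasswordModify sends the cleartext and the server hashes it.
}
```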

eryajf commented 1 month ago

I see that he encapsulates make_password in a separate method: visible here

I'm not sure if OpenLDAP will change Clear to SHA after changing the password; I just want to explore whether the current go-ldap project has a solution or idea to keep the password policy unchanged, because I am developing based on go-ldap.

eryajf commented 1 month ago

The method he actually called to change the password was: https://github.com/ltb-project/ltb-ldap/blob/0ca06f8aafd116f214418efe9e3f22609c94f431/src/Ltb/Ldap.php#L304

This method is called: https://github.com/ltb-project/ltb-ldap/blob/0ca06f8aafd116f214418efe9e3f22609c94f431/src/Ltb/PhpLDAP.php#L79

The final call is the method provided by PHP: https://www.php.net/manual/zh/function.ldap-exop-passwd.php