ltb-project / service-desk

Application for support team who need to check and reset user passwords
https://service-desk.readthedocs.io/
GNU General Public License v3.0

Using default policy option does not seem to work #32

Closed NoxInmortus closed 3 years ago

NoxInmortus commented 3 years ago

Hello,

I'm trying to debug the default policy option. Here is a sample of my conf:

$ldap_url = "ldap://myldap.com";
$ldap_starttls = false;
$ldap_binddn = "cn=admin,dc=mydomain";
$ldap_bindpw = "pwd";
$ldap_base = "dc=mydomain";
$ldap_user_base = "ou=users,".$ldap_base;
$ldap_user_filter = "(objectClass=inetOrgPerson)";
$ldap_group_filter =
$ldap_size_limit = 100;
$ldap_default_ppolicy = "cn=default,ou=ppolicies,dc=mydomain";

And here is my policy:

dn: cn=default,ou=ppolicies,dc=mydomain
cn: default
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
objectClass: device
objectClass: top
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdCheckModule: pqchecker.so
pwdExpireWarning: 0
pwdFailureCountInterval: 0
pwdGraceAuthNLimit: 0
pwdInHistory: 0
pwdLockout: TRUE
pwdLockoutDuration: 7200
pwdMaxAge: 0
pwdMaxFailure: 5
pwdMinAge: 0
pwdMinLength: 8
pwdMustChange: FALSE
pwdSafeModify: FALSE

And my pqchecker configuration (it's the default):

# Data format: 0|UULLDDSS@)..
# Or         : 1|UULLDDSS@)..
#
# 1st character is the modified passwords broadcast flag. 1 -> Broadcast, 0 -> Don't broadcast
# 2nd character is a separator
# U: Uppercase, L: Lowercase, D: Digit, S: Special characters -> from 3rd to 10th character.
# From the 11th character begins the list of forbidden characters
# Default: No broadcast, 1 Uppercase, 1 Lowercase, 1 digit, 1 Special and no forbidden characters
# https://www.meddeb.net/pqchecker/?Idx=2
0|01010100

But if I reset a password from Service-Desk, it will accept anything (qwerty for my latest test). In my ldap logs I can see there is a query for my password policy but that's all. And for service-desk, these are my only logs:

PHP Notice:  Undefined variable: smarty_compile_dir in /usr/share/service-desk/htdocs/index.php on line 38, referer: https://service-desk.url/index.php?page=display&dn=cn=testUserFirstName%20testUserName,ou=users,dc=domain&resetpasswordresult=passwordchanged
PHP Notice:  Undefined variable: smarty_cache_dir in /usr/share/service-desk/htdocs/index.php on line 39, referer: https://service-desk.url/index.php?page=display&dn=cn=testUserFirstName%20testUserName,ou=users,dc=domain&resetpasswordresult=passwordchanged
172.20.0.6 - myuser [06/Dec/2020:16:40:35 +0100] "POST /index.php?page=resetpassword HTTP/1.1" 302 4737 "https://service-desk.url/index.php?page=display&dn=cn=testUserFirstName%20testUserName,ou=users,dc=domain&resetpasswordresult=passwordchanged" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:82.0) Gecko/20100101 Firefox/82.0"
PHP Notice:  Undefined variable: smarty_compile_dir in /usr/share/service-desk/htdocs/index.php on line 38, referer: https://service-desk.url/index.php?page=display&dn=cn=testUserFirstName%20testUserName,ou=users,dc=domain&resetpasswordresult=passwordchanged
PHP Notice:  Undefined variable: smarty_cache_dir in /usr/share/service-desk/htdocs/index.php on line 39, referer: https://service-desk.url/index.php?page=display&dn=cn=testUserFirstName%20testUserName,ou=users,dc=domain&resetpasswordresult=passwordchanged
172.20.0.6 - myuser [06/Dec/2020:16:40:35 +0100] "GET /index.php?page=display&dn=cn=testUserFirstName%20testUserName,ou=users,dc=domain&resetpasswordresult=passwordchanged HTTP/1.1" 200 2954 "https://service-desk.url/index.php?page=display&dn=cn=testUserFirstName%20testUserName,ou=users,dc=domain&resetpasswordresult=passwordchanged" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:82.0) Gecko/20100101 Firefox/82.0" 

Any hint?
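To see what the posted policy should have done with "qwerty", here is an added example (not part of the issue and not pqchecker's own code) that parses the `0|UULLDDSS...` parameter line described in the comments above and checks a candidate against it together with the `pwdMinLength` of the posted `pwdPolicy` entry; the set of "special" characters is an assumption, since the thread does not define it.

```python
import re
import string

# Constructed from the issue: the pqchecker parameter line and the
# pwdMinLength of the posted pwdPolicy entry.
PQCHECKER_PARAMS = "0|01010100"
PWD_MIN_LENGTH = 8

# Assumption: pqchecker's "special" class is any ASCII punctuation
# character; the real module's exact set may differ.
SPECIALS = set(string.punctuation)


def parse_pqchecker(params):
    """Parse '<broadcast>|UULLDDSS<forbidden...>' into a rule dict."""
    m = re.fullmatch(r"([01])\|(\d{2})(\d{2})(\d{2})(\d{2})(.*)", params)
    if not m:
        raise ValueError("malformed pqchecker parameter line")
    return {
        "broadcast": m.group(1) == "1",
        "upper": int(m.group(2)),
        "lower": int(m.group(3)),
        "digit": int(m.group(4)),
        "special": int(m.group(5)),
        # Everything from the 11th character on is a forbidden character.
        "forbidden": set(m.group(6)),
    }


def check_password(pw, rule, min_length=PWD_MIN_LENGTH):
    """Return the list of violated constraints (empty list means acceptable)."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than pwdMinLength={min_length}")
    counts = {
        "upper": sum(c.isupper() for c in pw),
        "lower": sum(c.islower() for c in pw),
        "digit": sum(c.isdigit() for c in pw),
        "special": sum(c in SPECIALS for c in pw),
    }
    for cls in ("upper", "lower", "digit", "special"):
        if counts[cls] < rule[cls]:
            problems.append(f"needs at least {rule[cls]} {cls}, has {counts[cls]}")
    bad = sorted(set(pw) & rule["forbidden"])
    if bad:
        problems.append("contains forbidden character(s): " + "".join(bad))
    return problems


if __name__ == "__main__":
    rule = parse_pqchecker(PQCHECKER_PARAMS)
    for candidate in ("qwerty", "Qwerty1!", "Correct-Horse9"):
        print(candidate, "->", check_password(candidate, rule) or "OK")
```

"qwerty" fails three of these constraints, so a directory that accepted it did not run the policy check at all. Note also that the posted line `0|01010100` asks for zero special characters, even though the comment above it describes the default as requiring one.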

coudot commented 3 years ago

Using the OpenLDAP rootdn as Bind DN will bypass OpenLDAP ppolicy.

Service Desk is not applying password policy itself, it is done by the LDAP directory. Service Desk reads the password policy configuration to display information about password expiration or account locking.

NoxInmortus commented 3 years ago

Hello @coudot, thanks for your time.

I see, the default policy option is only here to provide information for Service-Desk users about the so-called password policy.

My apologies for asking but I did not understand what you mean by "Using the OpenLDAP rootdn as Bind DN will bypass OpenLDAP ppolicy." Can you elaborate?

coudot commented 3 years ago

You configured:

$ldap_binddn = "cn=admin,dc=mydomain";
$ldap_bindpw = "pwd";

If cn=admin,dc=mydomain is the rootdn of your OpenLDAP database, then OpenLDAP will bypass any ppolicy check. Use a service account so ppolicy is applied.

NoxInmortus commented 3 years ago

Thanks for the clarification. So in my case, using cn=admin as the binddn, Service Desk will not display information about password expiration or account locking, is that correct?

And so using a service account will allow displaying the remaining time before password expiration, that kind of stuff.

(Still a bit new in the ldap world, making sure I'm not missing anything)

coudot commented 3 years ago

Service Desk is using the binddn to modify the password in the directory. If the binddn is the rootdn, OpenLDAP will bypass ppolicy checks, so you will be able to use any password value when changing it through Service Desk.

Service Desk reads ppolicy configuration to display information about account status. This does not depend on which binddn is used.

NoxInmortus commented 3 years ago

Thank you.