ltb-project / slapd-cli

OpenLDAP init script
http://ltb-project.org/wiki/documentation/openldap-initscript
GNU General Public License v3.0

upgrade data templates for new olcPPolicyCheckModule in OpenLDAP 2.6 #46

Closed davidcoutadeur closed 2 years ago

davidcoutadeur commented 3 years ago

See: https://bugs.openldap.org/show_bug.cgi?id=9666

Especially: pwdCheckModule in the password policy entry is now ignored and moved to overlay configuration (olcPPolicyCheckModule)

davidcoutadeur commented 3 years ago

Needs work in:

Waiting for more info about https://bugs.openldap.org/show_bug.cgi?id=9740

vince1711 commented 2 years ago

Please change the password policy overlay

#################################################################
dn: olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcPPolicyCheckModule
olcPPolicyCheckModule: /usr/libexec/openldap/pqchecker.so
###################################################################
[root@opldapdrvud01 LDIF]# cat passwordpolicy.ldif
dn: cn=default,ou=pwpolicy,dc=localhost,dc=localdomain
changetype: modify
add: pwdUseCheckModule
pwdUseCheckModule: TRUE
########################################################################

davidcoutadeur commented 2 years ago

Hello,

Thanks for your message. Indeed, it could be interesting to add the pwdUseCheckModule attribute by default.

For the moment, note that the default template does not provide a ready-to-use password policy, as it is commented:

#pwdCheckModule: /usr/local/openldap/libexec/openldap/ppm.so
#pwdCheckModuleArg: bWluUXVhbGl0eSAzCmNoZWNrUkROIDAKZm9yYmlkZGVuQ2hhcnMKbWF4Q29uc2VjdXRpdmVQZXJDbGFzcyAwCnVzZUNyYWNrbGliIDAKY3JhY2tsaWJEaWN0IC92YXIvY2FjaGUvY3JhY2tsaWIvY3JhY2tsaWJfZGljdApjbGFzcy11cHBlckNhc2UgQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVogMCAxCmNsYXNzLWxvd2VyQ2FzZSBhYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5eiAwIDEKY2xhc3MtZGlnaXQgMDEyMzQ1Njc4OSAwIDEKY2xhc3Mtc3BlY2lhbCA8Piw/Oy46LyHCp8O5JSrCtV7CqCTCo8KyJsOpfiIjJ3soWy18w6hgX1zDp17DoEApXcKwPX0rIDAgMQ==

The main reason is for people not using OpenLDAP-LTB packages. They may not have compiled ppm. Thus it is up to the admin to update and enable it.

For my information, what is pqchecker.so? For the moment, I don't plan to enable by default an external library that may not be compiled into OpenLDAP.
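The change discussed in this thread is a two-part move: the module path leaves the policy entry (pwdCheckModule) for the overlay (olcPPolicyCheckModule), while the policy entry only keeps the opt-in flag (pwdUseCheckModule: TRUE) and its pwdCheckModuleArg. The script below is an added illustration of that template upgrade; it is not slapd-cli's code nor the commit referenced later in the thread. The sample policy entry, the overlay DN and the short base64 argument are constructed for the example; a real template would carry the overlay position of the actual database.

```python
"""Upgrade a pre-2.6 OpenLDAP ppolicy template to the 2.6 layout.

Pre-2.6: the policy entry carries pwdCheckModule (the .so path).
2.6+:    the path moves to the overlay (olcPPolicyCheckModule) and the
         policy entry only opts in with pwdUseCheckModule: TRUE;
         pwdCheckModuleArg stays on the policy entry.
"""
import base64
import re

# Constructed sample, not the slapd-cli template itself. The check-module
# lines are commented out, as they are in the default template.
LEGACY_POLICY_LDIF = """\
dn: cn=default,ou=pwpolicy,dc=example,dc=com
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
objectClass: device
cn: default
pwdAttribute: userPassword
pwdMinLength: 8
#pwdCheckModule: /usr/local/openldap/libexec/openldap/ppm.so
#pwdCheckModuleArg: bWluUXVhbGl0eSAz
"""

# Hypothetical overlay DN; adjust to where the ppolicy overlay really sits.
OVERLAY_DN = "olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config"

# Matches only pwdCheckModule, not pwdCheckModuleArg; group 1 keeps a
# leading '#' so a commented template stays commented after the upgrade.
_CHECK_MODULE = re.compile(r"^(#?)pwdCheckModule:\s*(\S+)\s*$")


def upgrade_policy_template(ldif_text, overlay_dn=OVERLAY_DN):
    """Return (policy_ldif, overlay_ldif).

    policy_ldif  : the policy entry with pwdCheckModule replaced by
                   pwdUseCheckModule: TRUE (same commented state).
    overlay_ldif : an ldapmodify LDIF setting olcPPolicyCheckModule on the
                   overlay, or None when the template had no module path.
    """
    policy_lines = []
    module_path = None
    commented = ""
    for line in ldif_text.splitlines():
        m = _CHECK_MODULE.match(line)
        if m:
            commented, module_path = m.group(1), m.group(2)
            policy_lines.append(f"{commented}pwdUseCheckModule: TRUE")
            continue
        policy_lines.append(line)
    policy_ldif = "\n".join(policy_lines) + "\n"

    if module_path is None:
        return policy_ldif, None
    overlay_lines = [
        f"dn: {overlay_dn}",
        "changetype: modify",
        "replace: olcPPolicyCheckModule",
        f"olcPPolicyCheckModule: {module_path}",
    ]
    # Keep the overlay change commented out too when the policy had it
    # commented: the admin decides whether the module is actually built.
    overlay_ldif = "\n".join(commented + l for l in overlay_lines) + "\n"
    return policy_ldif, overlay_ldif


def decode_check_module_arg(ldif_text):
    """Decode the base64 pwdCheckModuleArg (ppm's configuration), if any."""
    m = re.search(r"^#?pwdCheckModuleArg:\s*(\S+)\s*$", ldif_text, re.M)
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode()


if __name__ == "__main__":
    policy, overlay = upgrade_policy_template(LEGACY_POLICY_LDIF)
    print(policy)
    print(overlay)
    print("ppm config:", decode_check_module_arg(LEGACY_POLICY_LDIF))
```

Because the sample has the module lines commented out, the generated overlay modification is commented out as well; uncommenting both halves is the same deliberate step the template asks of an admin who has actually built ppm.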

vince1711 commented 2 years ago

Pqchecker is used to enforce the password complexity. It's an external package used for the same.

https://github.com/mahiso/pqchecker#:~:text=mahiso%20%2F%20pqchecker%20Public&text=Star%201-,Allows%20to%20check%20passwords%20content%20quality%20for%20OpenLDAP.,passwords%20content%20quality%20settings%2C%20programmatically.

You can download and install it.

As per the OpenLDAP 2.6 guide, there is no inbuilt option to enforce the password complexity. We need an external package to do the same.

coudot commented 2 years ago

pqchecker seems not to be maintained anymore; you should give a try to ppm, which was included in the OpenLDAP contrib sources last year.

davidcoutadeur commented 2 years ago

olcPPolicyCheckModule is now taken into consideration in slapd-cli in the last commit, ab5b334.