Re: ldapux against openldap (319 Views)
Reply
Occasional Contributor
Robert Mach
Posts: 6
Registered: ‎06-13-2011
Message 1 of 2 (346 Views)

ldapux against openldap

Hello, 

 

we have authentication and authorization of LDAP users working using ldapux (5.01) against Openldap (2.4.23).

We are not able to force the password policy (set in /etc/default/security) to users when they are changing the password using passwd command. 

 

Another problem is that the passwd command stores passwords on ldap in paintext. Does anybody know how to force them to store is in at least hash format?

 

R.

Honored Contributor
Matti_Kurkela
Posts: 6,271
Registered: ‎12-02-2001
Message 2 of 2 (319 Views)

Re: ldapux against openldap

With LDAP authentication, the LDAP client host won't know the history of the password, so it cannot enforce any requirements like "do not reuse X previous passwords". Only the LDAP server can do that. Check out the slapo-ppolicy overlay for the OpenLDAP server (see man slapo-ppolicy).

 

 

Regarding your plaintext password issue:

From the LDAP-UX B.05.01 Release Notes (emphasis mine):

 

------------------

2.7.10 Clear text passwords

 

login(1), passwd(1) and ldappasswd(1) transmit passwords in clear text (unencrypted) over the network unless SSL, TLS, or SASL Digest-MD5 authentication is enabled with setup. To support SASL/DIGEST-MD5, some directory server products (including HP-UX Directory Server) store the password in clear text. By default, when using customized install mode, SSL and SASL/DIGEST-MD5 authentication is disabled. Using SSL or TLS (a default when using guided installation mode) allows passwords to be stored in any format on the directory server (including the Salted Secure Hash Algorithm, SSHA), and also protects password transmission over the network.

------------------ 

The SASL/DIGEST-MD5 authentication requires the directory server to have access to the password in plaintext form, in order to verify the correctness of the digest produced by the client. So, if you use this authentication method, the directory server must store the password either as plaintext, or encrypted in a reversible way (= equivalent to plaintext if the encryption key is available).


If you are not using SASL/DIGEST-MD5, then you should check which password hash algorithm is used by the OpenLDAP server when the "LDAP Password Modify Extended Operation" is used. If you are using a slapd.conf file, the configuration keyword is password-hash; if you are using dynamic configuration, the attribute is olcPasswordHash, located in either olcDatabase=frontend,cn=config (= a global setting) or olcDatabase=<name of your LDAP database>,cn=config (= specific to that particular OpenLDAP database).

 

The preferred password hash choice is {SSHA}. If you need to use the NIS/LDAP Gateway functionality of LDAP-UX for authentication, you'll have to use {CRYPT} instead. In that case, you should pay attention to another OpenLDAP server configuration setting: password-crypt-salt-format (slapd.conf) or olcPasswordCryptSaltFormat (dynamic configuration). The value of this setting determines the format of the salt field submitted to the standard crypt(3) function of the LDAP server OS. The traditional crypt(3) format, which is required by most HP-UX versions, would be achievable with setting "%.2s".  If your HP-UX version is 11.31 and the optional support for long passwords is installed, you might try "$6$%.12s$" for SHA-512 style password hashes.

 

(The use of SHA-512 requires the crypt() implementation of the LDAP server to support the SHA-512 format, and if you authenticate via the NIS/LDAP Gateway, then the clients will need the SHA-512 support too.)

 

MK
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.