Manage password policy in OpenLDAP

Date post: 18-Nov-2014
Upload: ldapcon
Manage password policy in OpenLDAP Clément OUDOT
Transcript
Page 1: Manage password policy in OpenLDAP

Manage password policy in OpenLDAP

Clément OUDOT

Page 2: Manage password policy in OpenLDAP

Table of contents

Password policy draft

OpenLDAP ppolicy overlay

Page 3: Manage password policy in OpenLDAP


Resume

Page 4: Manage password policy in OpenLDAP

Clément OUDOT

Engineer since 2003 at LINAGORA company

LinID Dream Team Manager: http://linid.org

Founder of LDAP Tool Box project: http://ltb-project.org

Leader of LemonLDAP::NG project: http://lemonldap-ng.org

Page 5: Manage password policy in OpenLDAP


Password policy draft

Page 6: Manage password policy in OpenLDAP

Draft history

Draft name: draft-behera-ldap-password-policy

Version 0: 20 October 1999

Version 10: August 9, 2009

Draft has been expired since February 10, 2010

Page 7: Manage password policy in OpenLDAP

Extended control

Password policy is a request and response control (OID 1.3.6.1.4.1.42.2.27.8.5.1)

The request control indicates that the client is ppolicy aware

The response control contains flags that advertise the ppolicy status to the client; the client should parse it

The control can be sent on BIND, MOD (if the modification contains the password) and PASSMOD operations

Page 8: Manage password policy in OpenLDAP

Authentication

Brute-force prevention with account locking and delay

Password expiration, with grace management and warning

Account activation (start time, end time)


Page 9: Manage password policy in OpenLDAP

Modification

Size check (size does matter)

Presence in history (with check of minimal age)

Password quality (implementation specific)

Safe modification (require old password)

Page 10: Manage password policy in OpenLDAP

Password change after reset

Someone changes the password of a user

An attribute should be added to the user entry (pwdReset)

At next authentication, the response code is 0 (OK) but the ppolicy control carries the “password must change” flag

The client should force the user to change the password!
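The response control described on slides 7 and 10 is a small BER structure that the client has to decode itself. The following is an added example (not code from the slides or from OpenLDAP): a decoder for the PasswordPolicyResponseValue as laid out in draft-behera-ldap-password-policy (warning [0] wrapping timeBeforeExpiration [0] or graceAuthNsRemaining [1], error [1] ENUMERATED), and the client-side rule from slide 10 that a successful BIND plus the changeAfterReset flag must trigger a password change. The sample byte strings are constructed by hand for the example.

```python
# Added example (not from the slides): decode the password policy response
# control (OID 1.3.6.1.4.1.42.2.27.8.5.1) and apply the "password must change"
# rule. BER layout follows draft-behera-ldap-password-policy:
#   PasswordPolicyResponseValue ::= SEQUENCE {
#       warning [0] CHOICE { timeBeforeExpiration [0] INTEGER,
#                            graceAuthNsRemaining [1] INTEGER } OPTIONAL,
#       error   [1] ENUMERATED { ... } OPTIONAL }

PPOLICY_CONTROL_OID = "1.3.6.1.4.1.42.2.27.8.5.1"

# Error values defined by the draft.
PPOLICY_ERRORS = {
    0: "passwordExpired",
    1: "accountLocked",
    2: "changeAfterReset",
    3: "passwordModNotAllowed",
    4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality",
    6: "passwordTooShort",
    7: "passwordTooYoung",
    8: "passwordInHistory",
}


def _read_tlv(buf, pos):
    """Read one BER TLV at buf[pos:]; return (tag, value_bytes, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:end], end


def _ber_int(value):
    return int.from_bytes(value, "big", signed=True)


def decode_ppolicy_response(value):
    """Parse the control value into a dict with the optional keys
    'timeBeforeExpiration', 'graceAuthNsRemaining' and 'error'."""
    result = {}
    tag, body, _ = _read_tlv(value, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    pos = 0
    while pos < len(body):
        tag, inner, pos = _read_tlv(body, pos)
        if tag == 0xA0:                    # warning [0], constructed
            wtag, wval, _ = _read_tlv(inner, 0)
            if wtag == 0x80:
                result["timeBeforeExpiration"] = _ber_int(wval)
            elif wtag == 0x81:
                result["graceAuthNsRemaining"] = _ber_int(wval)
            else:
                raise ValueError("unknown warning choice 0x%02x" % wtag)
        elif tag == 0x81:                  # error [1], primitive ENUMERATED
            code = _ber_int(inner)
            result["error"] = PPOLICY_ERRORS.get(code, "unknown(%d)" % code)
        else:
            raise ValueError("unexpected tag 0x%02x" % tag)
    return result


def must_change_password(result_code, ctrl_value):
    """Slide 10 rule: BIND returned 0 (success) but the control carries
    changeAfterReset, so the client must force a password change."""
    if result_code != 0 or ctrl_value is None:
        return False
    return decode_ppolicy_response(ctrl_value).get("error") == "changeAfterReset"


# Constructed sample: timeBeforeExpiration = 3600 s and error changeAfterReset.
SAMPLE_AFTER_RESET = bytes.fromhex("3009a00480020e10810102")
# Constructed sample: 2 grace authentications remaining, no error.
SAMPLE_GRACE = bytes.fromhex("3005a003810102")

if __name__ == "__main__":
    print(decode_ppolicy_response(SAMPLE_AFTER_RESET))
    print("must change:", must_change_password(0, SAMPLE_AFTER_RESET))
```

A production client would send the request control (same OID, no value) on BIND and let its LDAP library decode the response; the point of hand-decoding here is to make visible that the result code alone is not enough, and that a client ignoring the control silently lets users keep a password an administrator has reset.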

Page 11: Manage password policy in OpenLDAP


OpenLDAP ppolicy overlay

Page 12: Manage password policy in OpenLDAP

Password policy in OpenLDAP

Implemented as an overlay

Catches BIND, MOD and PASSMOD operations

Uses version 9 of the Behera draft

Possibility to add a pwdChecker module

Page 13: Manage password policy in OpenLDAP

Overlay configuration

Load overlay if compiled as module:

olcModuleLoad: ppolicy.la

Configure overlay in a backend:

dn: olcOverlay={1}ppolicy,olcDatabase={1}bdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: {1}ppolicy
olcPPolicyDefault: ou=default,ou=ppolicy,dc=example,dc=com
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: FALSE
olcPPolicyForwardUpdates: FALSE

Page 14: Manage password policy in OpenLDAP

Password policy configuration

Configuration in an LDAP specific entry:

dn: ou=default,ou=ppolicy,dc=example,dc=com
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
objectClass: organizationalUnit
objectClass: top
ou: default

Page 15: Manage password policy in OpenLDAP

Password policy configuration

All parameters as attributes:

pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckModule: check_password.so
pwdCheckQuality: 2
pwdExpireWarning: 0
pwdInHistory: 10
pwdLockout: TRUE
pwdMaxAge: 31536000
pwdMinAge: 600
pwdMaxFailure: 10
pwdMinLength: 8
pwdMustChange: TRUE
pwdSafeModify: FALSE
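A policy entry like the one on slides 14 and 15 is easy to get subtly wrong (a lockout that never expires, an expiry with no warning). The following is an added example, not code from the slides or from OpenLDAP: a minimal LDIF parser and an audit function that flags weak pwdPolicy settings, run over the slide's own entry and over a hardened copy. The attribute names are those of the Behera draft and the OpenLDAP ppolicy schema; the thresholds and the two findings about pwdLockoutDuration and pwdSafeModify reflect my own reading of the draft's defaults (pwdLockoutDuration 0 means locked until an administrator unlocks).

```python
# Added example (not from the slides): parse a pwdPolicy entry from LDIF and
# report settings that weaken the policy. Thresholds are my own assumptions.
import re


def parse_ldif(text):
    """Parse one LDIF entry into {attribute: [values]}; attribute names are
    lower-cased, folded continuation lines joined, '#' comments ignored."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:       # folded continuation line
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
    entry = {}
    for line in lines:
        m = re.match(r"^([A-Za-z][\w-]*)\s*:\s*(.*)$", line)
        if not m:
            raise ValueError("malformed LDIF line: %r" % line)
        entry.setdefault(m.group(1).lower(), []).append(m.group(2).strip())
    return entry


def _int(entry, attr, default=0):
    vals = entry.get(attr.lower())
    return int(vals[0]) if vals else default


def _bool(entry, attr):
    vals = entry.get(attr.lower())
    return bool(vals) and vals[0].upper() == "TRUE"


def audit_policy(entry):
    """Return a list of findings (empty list = nothing flagged)."""
    findings = []
    if "pwdpolicy" not in [v.lower() for v in entry.get("objectclass", [])]:
        return ["entry is not a pwdPolicy"]
    if _int(entry, "pwdMinLength") < 8:
        findings.append("pwdMinLength below 8")
    if _int(entry, "pwdInHistory") == 0:
        findings.append("pwdInHistory is 0: password reuse is not prevented")
    if _int(entry, "pwdCheckQuality") < 2:
        findings.append("pwdCheckQuality < 2: passwords that cannot be checked are accepted")
    if _int(entry, "pwdMaxAge") > 0 and _int(entry, "pwdExpireWarning") == 0:
        findings.append("pwdExpireWarning is 0: users get no warning before expiry")
    if _bool(entry, "pwdLockout"):
        if _int(entry, "pwdMaxFailure") == 0:
            findings.append("pwdLockout TRUE but pwdMaxFailure is 0: lockout never triggers")
        if _int(entry, "pwdLockoutDuration") == 0:
            findings.append("pwdLockoutDuration is 0: locked accounts stay locked until an administrator intervenes")
    else:
        findings.append("pwdLockout FALSE: no brute-force protection")
    if not _bool(entry, "pwdSafeModify"):
        findings.append("pwdSafeModify FALSE: old password not required on change")
    return findings


# The entry shown on slides 14 and 15, reassembled as LDIF.
SLIDE_POLICY = """\
dn: ou=default,ou=ppolicy,dc=example,dc=com
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
objectClass: organizationalUnit
objectClass: top
ou: default
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckModule: check_password.so
pwdCheckQuality: 2
pwdExpireWarning: 0
pwdInHistory: 10
pwdLockout: TRUE
pwdMaxAge: 31536000
pwdMinAge: 600
pwdMaxFailure: 10
pwdMinLength: 8
pwdMustChange: TRUE
pwdSafeModify: FALSE
"""

# Hardened copy (constructed): warn two weeks before expiry, unlock after
# 15 minutes instead of never, and require the old password on change.
HARDENED_POLICY = (SLIDE_POLICY
                   .replace("pwdExpireWarning: 0", "pwdExpireWarning: 1209600")
                   .replace("pwdSafeModify: FALSE", "pwdSafeModify: TRUE")
                   + "pwdLockoutDuration: 900\n")

if __name__ == "__main__":
    for name, ldif in (("slide", SLIDE_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_policy(parse_ldif(ldif)) or "no findings")
```

The slide's entry triggers three findings (no expiry warning, indefinite lockout, no safe modify); the hardened copy triggers none. A time-limited pwdLockoutDuration matters because an indefinite lockout turns pwdMaxFailure into a way to lock any known uid out until an administrator clears pwdAccountLockedTime.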

Page 16: Manage password policy in OpenLDAP

More than one policy

Possibility to have several policies:

– Several pwdPolicy entries

– Use of pwdPolicySubentry in entries

dn: uid=bobama,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
uid: bobama
cn: Barack OBAMA
sn: OBAMA
pwdPolicySubentry: ou=nsa,ou=ppolicy,dc=example,dc=com

Page 17: Manage password policy in OpenLDAP

Password checker

LDAP Tool Box provides a compatible password checker module:

– Check against upper case, lower case, digits and punctuation

– Cracklib support

ITS 7412 in OpenLDAP to add this module as a contribution
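To make concrete what a pwdChecker module and the history check from slide 9 actually evaluate, here is an added example in Python; it is not the LTB check_password module's code and does not use its configuration. The character-class rule uses the four classes the slide lists (upper case, lower case, digits, punctuation) with an assumed minimum of three; the history check parses pwdHistory values in the draft's "time#syntaxOID#length#data" form and verifies {SSHA} hashes (base64 of sha1(password + salt) followed by the salt). The sample history entry and its fixed salt are constructed for the example.

```python
# Added example (not the LTB module's code): the checks a pwdChecker module
# applies to a proposed password, plus a pwdHistory lookup. min_classes=3 and
# the sample data are my own assumptions.
import base64
import hashlib
import os
import string

SSHA_PREFIX = "{SSHA}"


def ssha_hash(password, salt=None):
    """Produce a {SSHA} userPassword value: base64(sha1(pw + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """True if password matches a stored {SSHA} value."""
    if not stored.startswith(SSHA_PREFIX):
        return False
    raw = base64.b64decode(stored[len(SSHA_PREFIX):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def character_classes(password):
    """Count how many of the four classes (upper, lower, digit, punct) occur."""
    classes = 0
    classes += any(c.isupper() for c in password)
    classes += any(c.islower() for c in password)
    classes += any(c.isdigit() for c in password)
    classes += any(c in string.punctuation for c in password)
    return classes


def parse_pwd_history(value):
    """Split a pwdHistory value 'time#syntaxOID#length#data'; the data part
    could contain '#', so split at most three times."""
    time, oid, length, data = value.split("#", 3)
    if int(length) != len(data):
        raise ValueError("pwdHistory length field does not match data")
    return time, oid, data


def check_password(new_password, pwd_min_length=8, min_classes=3, history=()):
    """Return the draft's error names for every failed check (empty = OK)."""
    reasons = []
    if len(new_password) < pwd_min_length:
        reasons.append("passwordTooShort")
    if character_classes(new_password) < min_classes:
        reasons.append("insufficientPasswordQuality")
    for value in history:
        _, _, data = parse_pwd_history(value)
        if ssha_verify(new_password, data):
            reasons.append("passwordInHistory")
            break
    return reasons


# Constructed sample history entry with a fixed salt so results are stable.
OLD_PASSWORD = "Winter2013!"
_old_hash = ssha_hash(OLD_PASSWORD, salt=bytes(range(1, 9)))
SAMPLE_HISTORY = [
    "20131101120000Z#1.3.6.1.4.1.1466.115.121.1.40#%d#%s" % (len(_old_hash), _old_hash),
]

if __name__ == "__main__":
    for candidate in ("short", OLD_PASSWORD, "Spring2014?"):
        print(candidate, check_password(candidate, history=SAMPLE_HISTORY) or "accepted")
```

Note that the history check only works when stored values are hashed with a salted scheme the checker can recompute; with olcPPolicyHashCleartext the server hashes on write, so the comparison is against hashes, never cleartext.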

Page 18: Manage password policy in OpenLDAP

Last authentication time

The lastbind overlay is available in OpenLDAP contribution

Provided in the contrib-overlays LTB package

Adds the authTimestamp operational attribute

Should be replaced by pwdLastSuccess from version 10 of the draft

Page 19: Manage password policy in OpenLDAP


Almost the end...

Page 20: Manage password policy in OpenLDAP


Thanks

Special thanks to:

– LDAPCon!

– Company LINAGORA

– All LinID developers

Keep in touch:

– Identica: @coudot

– Twitter: @clementoudot @LinID_FOSS

– IRC: KPTN #LinID@freenode

– Web: http://linid.org

Page 21: Manage password policy in OpenLDAP

Thanks!
