From: Mike Davis
To: users@directory.apache.org
Subject: RE: [ApacheDS] Password Policy not being enforced
Date: Mon, 7 Aug 2017 17:29:35 -0400 (EDT)
Message-ID: <01dd01d30fc4$447b1500$cd713f00$@rez1.com>
In-Reply-To: <7fb50dd4-151e-8d5e-6f86-b390c897f063@gmail.com>
List-Id: users@directory.apache.org

Glad to be of help.
-----Original Message-----
From: Emmanuel Lécharny [mailto:elecharny@gmail.com]
Sent: Monday, August 07, 2017 5:22 PM
To: users@directory.apache.org
Subject: Re: [ApacheDS] Password Policy not being enforced

Many thanks Mike for having replied to this question, it totally slipped
under my view :/

And yes, I confirm that the admin user will bypass any passwordPolicy
controls, simply because this is the only user able to rectify a bad
passwordPolicy configuration (well, there are workarounds, but not on a
running server).

On 07/08/2017 at 22:26, Sambedi Fahted wrote:
> Thanks, Mike.
> I'll give this a shot.
>
> On Mon, Aug 7, 2017 at 4:01 PM, Mike Davis wrote:
>
>> Hi Sam.
>>
>> I started with this
>> http://directory.apache.org/apacheds/advanced-ug/4.2.7.1-enable-authenticated-users-to-browse-and-read-entries.html
>>
>> And this
>> http://directory.apache.org/apacheds/advanced-ug/4.2.7.2-allow-self-password-modify.html
>>
>> From there, I built my own accessControlSubentry with a new
>> prescriptiveACI that looks something like this, scoped to
>> ou=users,ou=system.
>>
>> {
>>   identificationTag "allowEditByApplicationAdmin",
>>   precedence 15,
>>   authenticationLevel simple,
>>   itemOrUserFirst userFirst:
>>   {
>>     userClasses
>>     {
>>       name { "uid=applicationAdmin,ou=system" }
>>     },
>>     userPermissions
>>     {
>>       {
>>         protectedItems { entry },
>>         grantsAndDenials
>>         {
>>           grantRemove,
>>           grantModify,
>>           grantBrowse,
>>           grantFilterMatch,
>>           grantRead,
>>           grantRename,
>>           grantCompare,
>>           grantAdd,
>>           grantReturnDN
>>         }
>>       },
>>       {
>>         protectedItems { allUserAttributeTypesAndValues },
>>         grantsAndDenials
>>         {
>>           grantRemove,
>>           grantModify,
>>           grantBrowse,
>>           grantFilterMatch,
>>           grantRead,
>>           grantRename,
>>           grantCompare,
>>           grantAdd,
>>           grantReturnDN
>>         }
>>       }
>>     }
>>   }
>> }
>>
>> Be aware that there is a bug in ApacheDS that causes some issues with
>> doing this. Right now, once the user's password is expired, the
>> password can't be changed (except by uid=admin,ou=system), because it
>> tries to authenticate the user before changing the password, and that
>> authentication fails. I worked around that, based on a conversation
>> on this group, by using grace logins, and coding to treat a
>> grace login like an expired one, rather than honoring the grace logins.
>>
>> // Mike
>>
>>
>> -----Original Message-----
>> From: Sambedi Fahted [mailto:sfahted@gmail.com]
>> Sent: Monday, August 07, 2017 2:16 PM
>> To: users@directory.apache.org
>> Subject: Re: [ApacheDS] Password Policy not being enforced
>>
>> Hi, Mike.
>> Thanks for the quick response. Yes, my (ubuntu) system is using the
>> uid=admin,ou=system account in /etc/ldap.conf.
>>
>> What's the best way to create a user that would work for this?
>> Would I create an account like ou=manager,ou=system, as an example?
>> Or would it need to reside in the org's hierarchy, i.e.,
>> cn=manager,ou=users,dc=redac,dc=cloud,dc=myorg,dc=com?
>>
>> Thanks, again!
>>
>> Cheers
>> -Sam
>>
>> On Mon, Aug 7, 2017 at 1:57 PM, Mike Davis wrote:
>>
>>> Hi Sam,
>>>
>>> What credentials are you using to log in to the LDAP server? If you
>>> are using uid=admin,ou=system, that user, from everything I've been
>>> able to tell, can ignore the password policies. What I've done is
>>> create a separate user that my applications use to log in to LDAP.
>>> That user gets special rights to be able to change passwords. In
>>> that case, the policies are enforced.
>>>
>>> // Mike
>>>
>>> -----Original Message-----
>>> From: Sambedi Fahted [mailto:sfahted@gmail.com]
>>> Sent: Monday, August 07, 2017 1:44 PM
>>> To: users@directory.apache.org
>>> Subject: [ApacheDS] Password Policy not being enforced
>>>
>>> Sorry if this creates a duplicate entry. I just read the
>>> instructions for list etiquette and I want to honor that.
>>>
>>> Somewhat reopening an old thread that went cold without a
>>> resolution, or at least not one that works for me.
>>> I've created a password policy and some test users and ApacheDS
>>> isn't enforcing the password policies.
>>> I have the policy set to not allow passwords longer than 9
>>> characters and from the linux host that's configured to use the
>>> ApacheDS server, I can create a password that's 6 characters long,
>>> that's as simple as "123456"
>>>
>>> I'm using: Apacheds-2.0.0-M24
>>>
>>> I created the following password policy:
>>> dn: ads-pwdid=default,ou=passwordPolicies,ads-interceptorId=authenticationInterceptor,ou=interceptors,ads-directoryServiceId=default,ou=config
>>> objectclass: ads-passwordPolicy
>>> objectclass: ads-base
>>> objectclass: top
>>> ads-pwdattribute: userPassword
>>> ads-pwdid: default
>>> ads-enabled: TRUE
>>> ads-pwdcheckquality: 1
>>> ads-pwdexpirewarning: 600
>>> ads-pwdfailurecountinterval: 30
>>> ads-pwdgraceauthnlimit: 3
>>> ads-pwdinhistory: 4
>>> ads-pwdlockout: TRUE
>>> ads-pwdmaxage: 3600
>>> ads-pwdmaxfailure: 2
>>> ads-pwdmaxlength: 10
>>> ads-pwdminage: 1800
>>> ads-pwdmindelay: 600
>>> ads-pwdminlength: 9
>>> ads-pwdvalidator: org.apache.directory.server.core.api.authn.ppolicy.DefaultPasswordValidator
>>>
>>> Here's the ldif export of a test user I created. The operational
>>> attributes are created, as you can see, but in addition to the min
>>> password length, the pwdmaxage isn't enforced, either.
>>>
>>> dn: cn=testuser,ou=users,dc=redac,dc=cloud,dc=myorg,dc=com
>>> objectClass: organizationalPerson
>>> objectClass: person
>>> objectClass: inetOrgPerson
>>> objectClass: top
>>> objectClass: posixAccount
>>> cn: testuser
>>> gidNumber: 500
>>> homeDirectory: /home/users/testuser
>>> sn: User
>>> uid: testuser
>>> uidNumber: 1049
>>> givenName: Test
>>> loginShell: /bin/bash
>>> mail: test@myorg.com
>>> userPassword:: e2NyeXB0fSQxJG9UYWNpSUF3JDV2c0dqLnVHeUtpL0RpMXNMQVFTMDA=
>>> createTimestamp: 20170802133738.851Z
>>> creatorsName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
>>> entryCSN: 20170804213220.210000Z#000000#001#000000
>>> entryDN: cn=testuser,ou=users,dc=redac,dc=cloud,dc=myorg,dc=com
>>> entryParentId: b97b014f-2c00-4266-b578-1aa21053c437
>>> entryUUID:: YmFmNDI4YjQtYzMyYy00NGM0LThkNTUtNDM2OGZkMjU1N2I3
>>> modifiersName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
>>> modifyTimestamp: 20170804203344.706Z
>>> nbChildren: 0
>>> nbSubordinates: 0
>>> pwdChangedTime: 20170804203344.705Z
>>> pwdFailureTime: 20170804213220.200Z
>>> pwdHistory:: MjAxNzA4MDQwNTM4NTQuNjA0WiMxLjMuNi4xLjQuMS4xNDY2LjExNS4xMjEuMS40MCM1NiNlMk55ZVhCMGZTUXhKRVZHTUM5Wk9VUmtKRTlwWWtkbWVXaEJSbk4zZURkUVNWaEtRMFJNZFRFPQ==
>>> pwdHistory:: MjAxNzA4MDQxOTMwMzQuMDIxWiMxLjMuNi4xLjQuMS4xNDY2LjExNS4xMjEuMS40MCM1NiNlMk55ZVhCMGZTUXhKSEkxTUU1RVJtNXhKR1F3ZVdaQlEwOU9Wa1YxUWxSeVR6RlBiamxJUXk4PQ==
>>> pwdHistory:: MjAxNzA4MDQyMDI4NDguODA2WiMxLjMuNi4xLjQuMS4xNDY2LjExNS4xMjEuMS40MCM1NiNlMk55ZVhCMGZTUXhKRkpGTkRCSmQwcGxKRlIxVVU1MWFtRjZkaTlzTVd3dkxqQk1kaTh4ZUM4PQ==
>>> pwdHistory:: MjAxNzA4MDQyMDMzNDQuNzA1WiMxLjMuNi4xLjQuMS4xNDY2LjExNS4xMjEuMS40MCM1NiNlMk55ZVhCMGZTUXhKRzlUWVdOcFNVRjNKRFYyYzBkcUxuVkhlVXRwTDBScE1YTk1RVkZUTURBPQ==
>>> subschemaSubentry: cn=schema
>>>
>>> I think I'm missing one thing to make this work but I can't find
>>> what that one thing is.
>>> Can anyone please provide some insight?
>>>
>>> Incidentally.
>>>
>>> Even the pwdAccountLockedTime operational attribute gets created
>>> after the allotted number of bad login attempts, but despite that I
>>> am still able to log in with the account with the correct password.
>>>
>>> dn: cn=testuser,ou=users,dc=redact,dc=cloud,dc=myorg,dc=com
>>> objectClass: organizationalPerson
>>> objectClass: person
>>> objectClass: inetOrgPerson
>>> objectClass: top
>>> objectClass: posixAccount
>>> cn: testuser
>>> gidNumber: 500
>>> homeDirectory: /home/users/testuser
>>> sn: User
>>> uid: testuser
>>> uidNumber: 1049
>>> givenName: Test
>>> loginShell: /bin/bash
>>> mail: test@myorg.com
>>> userPassword:: e2NyeXB0fSQxJG9UYWNpSUF3JDV2c0dqLnVHeUtpL0RpMXNMQVFTMDA=
>>> createTimestamp: 20170802133738.851Z
>>> creatorsName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
>>> entryCSN: 20170807173256.649000Z#000000#001#000000
>>> entryDN: cn=testuser,ou=users,dc=redact,dc=cloud,dc=myorg,dc=com
>>> entryParentId: b97b014f-2c00-4266-b578-1aa21053c437
>>> entryUUID:: YmFmNDI4YjQtYzMyYy00NGM0LThkNTUtNDM2OGZkMjU1N2I3
>>> modifiersName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
>>> modifyTimestamp: 20170804203344.706Z
>>> nbChildren: 0
>>> nbSubordinates: 0
>>> pwdAccountLockedTime: 20170807173256.648Z
>>> pwdChangedTime: 20170804203344.705Z
>>> pwdFailureTime: 20170807173236.454Z
>>> pwdFailureTime: 20170807173239.031Z
>>> pwdFailureTime: 20170807173243.325Z
>>> pwdFailureTime: 20170807173249.384Z
>>> pwdFailureTime: 20170807173252.878Z
>>> pwdFailureTime: 20170807173256.648Z
>>>
>>> Thanks, again.
>>>
>>> -Sam
>>>
>>
>>
>> --
>> Cheers
>> -Sam
>>
>

-- 
Emmanuel Lecharny
Symas.com
directory.apache.org
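The workaround Mike describes (treating a grace login as if the password had already expired) is a decision the application takes from the Password Policy response control that the server attaches to the bind response. The following is an added example, not code from this thread or from ApacheDS: a minimal BER decoder for that control (layout per the IETF draft-behera-ldap-password-policy that ApacheDS implements), followed by the bind-outcome logic; the outcome names and the sample control values are constructed for illustration.

```python
PPOLICY_OID = "1.3.6.1.4.1.42.2.27.8.5.1"  # Password Policy response control OID
# ENUMERATED values of the control's "error" field, in the draft's order.
PPOLICY_ERRORS = ("passwordExpired", "accountLocked", "changeAfterReset",
                  "passwordModNotAllowed", "mustSupplyOldPassword", "insufficientPasswordQuality",
                  "passwordTooShort", "passwordTooYoung", "passwordInHistory")

def _tlv(buf, pos):
    """Read one BER tag-length-value (short-form length); return (tag, value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos + 1] & 0x80 or pos + 2 + buf[pos + 1] > len(buf):
        raise ValueError("truncated control value or unexpected long-form length")
    end = pos + 2 + buf[pos + 1]
    return buf[pos], buf[pos + 2:end], end

def parse_ppolicy_response(value):
    """PasswordPolicyResponseValue ::= SEQUENCE { warning [0] CHOICE { timeBeforeExpiration [0]
    INTEGER, graceAuthNsRemaining [1] INTEGER } OPTIONAL, error [1] ENUMERATED {...} OPTIONAL }"""
    tag, body, _ = _tlv(value, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    out, pos = {"timeBeforeExpiration": None, "graceAuthNsRemaining": None, "error": None}, 0
    while pos < len(body):
        tag, content, pos = _tlv(body, pos)
        if tag == 0xA0:  # [0] warning: explicit (constructed) tag, since it wraps a CHOICE
            inner_tag, inner, _ = _tlv(content, 0)
            n = int.from_bytes(inner, "big", signed=True)
            if inner_tag == 0x80:
                out["timeBeforeExpiration"] = n
            elif inner_tag == 0x81:
                out["graceAuthNsRemaining"] = n
        elif tag == 0x81:  # [1] error: implicitly tagged ENUMERATED
            out["error"] = PPOLICY_ERRORS[int.from_bytes(content, "big", signed=True)]
    return out

def login_outcome(bind_ok, ctrl_value=None):
    """Application decision after a user bind. Mike's workaround from the thread: a grace
    login (graceAuthNsRemaining present) is handled like an expired password."""
    info = parse_ppolicy_response(ctrl_value) if ctrl_value else {}
    err = info.get("error")
    if err in ("accountLocked", "passwordExpired"):
        return err             # terminal: lockout, or grace logins used up (the thread's bug)
    if not bind_ok:
        return "denied"
    if err == "changeAfterReset" or info.get("graceAuthNsRemaining") is not None:
        return "must-change-password"  # bind succeeded, but force a password change now
    return "ok"

# Constructed sample control values (BER hex), not captured from a real server:
GRACE_2_LEFT = bytes.fromhex("3005a003810102")  # graceAuthNsRemaining = 2
WARN_600S = bytes.fromhex("3006a00480020258")   # timeBeforeExpiration = 600
LOCKED, EXPIRED = bytes.fromhex("3003810101"), bytes.fromhex("3003810100")  # accountLocked, passwordExpired
```

With ads-pwdgraceauthnlimit set as in Sam's policy, the bind still succeeds during the grace window, which is exactly what lets the application route the user to a password change before the expired-password bug prevents it.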