Password policy plugin

Note

The configuration of the ppolicy plugin is optional.

Installation

Install the packages python-mmc-ppolicy and mmc-web-ppolicy.

OpenLDAP configuration for password policies

On Mandriva, if you used the mandriva-dit setup scripts, the password policy configuration is already done. If not, here are some instructions:

You must add this to your OpenLDAP slapd.conf configuration file:

# Include password policy schema
include /path/to/openldap/schema/ppolicy.schema
...
# Load the ppolicy module
moduleload  ppolicy
...
# Add the overlay ppolicy to your OpenLDAP database
database  bdb
suffix    "dc=mandriva,dc=com"
...
overlay ppolicy
ppolicy_default "cn=default,ou=Password Policies,dc=mandriva,dc=com"

Beware that the ppolicy_default value must match the options “ppolicyDN” and “ppolicyDefault” you set into the ppolicy.ini file.

MMC « ppolicy » plugin configuration

For a full description of the MMC ppolicy plugin configuration file see MMC ppolicy (Password Policy) plugin configuration file.

The only thing you’ll have to modify in the configuration file is the “ppolicyDN” option if needed. The OU parent must be an existing DN. If the OU or the default password policy object doesn’t exist, the MMC agent will create them when it starts.

Password Policy checker module

This module has only been built and tested on Mandriva and Debian. It is installed as /usr/lib/openldap/mmc-check-password.so.

If password quality checking is enabled on the password policy, OpenLDAP calls this module to check password quality when a user password is changed using the LDAP Password Modify Extended operation. MDS will change user passwords with this operation if you set “passwordscheme = passmod” in the base.ini configuration file.

To check a password, mmc-check-password.so will launch the command /usr/bin/mmc-password-helper. The password will pass the quality checks if it contains at least one number, one upper case character, one lower case character and one special character (like #, $, etc.). The password must not contain the same character twice. If python-cracklib is available, a cracklib check is also done.

The mmc-password-helper tool

This tool allows you to check a password from the command line. For example:

% echo foo | mmc-password-helper -c
% echo $?
1
# Exit code is set to 1 if the password fails quality checks, else 0
# Use -v for more details
% echo foo | mmc-password-helper -c -v
the password must be 8 or longer
% echo $?
1

The tool also generates good passwords:

% mmc-password-helper -n
1NjY0MD:
# Use -l to change the length (default is 8)
% mmc-password-helper -n -l 12
2ND=3OTcwMjY
% mmc-password-helper -n | mmc-password-helper -c
% echo $?
0
# Generated password will always succeed quality checks :)
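The quality rules described above (at least one number, one upper case, one lower case and one special character, no repeated character, and the 8-character minimum reported by the helper's -v output) can be reproduced in a few lines. The following is an added illustration written for this page, not the MDS project's own mmc-password-helper code: it mirrors the -c / -v / -n / -l behaviour shown in the transcripts, reads the candidate password from standard input the same way, and uses the same exit codes. The set of "special" characters and the cracklib hook (via python-cracklib's FascistCheck, skipped when the module is absent) are assumptions of this example.

```python
"""Re-implementation of the password quality rules documented for
mmc-password-helper. Illustration only, not the project's own code."""
import random
import string
import sys
from typing import List

# Assumption: printable ASCII punctuation counts as "special" (#, $, ...).
SPECIALS = set(string.punctuation)
# Taken from the helper message shown on the page: "the password must be 8 or longer".
MIN_LENGTH = 8


def quality_errors(password: str) -> List[str]:
    """Return the violated rules; an empty list means the password passes."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append("the password must be %d or longer" % MIN_LENGTH)
    if not any(c.isdigit() for c in password):
        errors.append("the password must contain at least one number")
    if not any(c.isupper() for c in password):
        errors.append("the password must contain at least one upper case character")
    if not any(c.islower() for c in password):
        errors.append("the password must contain at least one lower case character")
    if not any(c in SPECIALS for c in password):
        errors.append("the password must contain at least one special character")
    if len(set(password)) != len(password):
        errors.append("the password must not contain the same character twice")
    return errors


def cracklib_errors(password: str) -> List[str]:
    """Optional dictionary check, only when python-cracklib is installed."""
    try:
        import cracklib  # type: ignore
    except ImportError:
        return []
    try:
        cracklib.FascistCheck(password)
    except ValueError as exc:  # FascistCheck reports the reason via ValueError
        return [str(exc)]
    return []


def check_password(password: str, use_cracklib: bool = True, verbose: bool = False) -> int:
    """Mirror `mmc-password-helper -c`: exit code 1 on any failed check, else 0."""
    errors = quality_errors(password)
    if use_cracklib:
        errors += cracklib_errors(password)
    if verbose:
        for err in errors:
            print(err)
    return 1 if errors else 0


def generate_password(length: int = MIN_LENGTH) -> str:
    """Mirror `-n` / `-l`: build a password that always passes quality_errors().

    One character is drawn from each required class, the rest from the whole
    pool; all draws are without replacement so no character repeats."""
    if length < MIN_LENGTH:
        raise ValueError("length must be at least %d" % MIN_LENGTH)
    rng = random.SystemRandom()  # OS entropy, not the default Mersenne Twister
    classes = [string.digits, string.ascii_uppercase, string.ascii_lowercase,
               "".join(sorted(SPECIALS))]
    pool = set("".join(classes))
    chars = []
    for cls in classes:
        c = rng.choice(cls)
        chars.append(c)
        pool.discard(c)
    chars += rng.sample(sorted(pool), length - len(classes))
    rng.shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    args = sys.argv[1:]
    if "-n" in args:
        length = int(args[args.index("-l") + 1]) if "-l" in args else MIN_LENGTH
        print(generate_password(length))
        sys.exit(0)
    # `echo foo | helper -c`: strip the trailing newline echo adds
    candidate = sys.stdin.read().rstrip("\n")
    sys.exit(check_password(candidate, verbose="-v" in args))
```

Both sample passwords printed by the helper on this page ("1NjY0MD:" and "2ND=3OTcwMjY") pass these rules, and "foo" fails them, matching the exit codes in the transcripts.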

Using password policies with SAMBA

If the SAMBA module is installed you can benefit from the LDAP password policies when a user changes his password from any Windows machine in the domain or via the MMC web interface.

Since SAMBA can’t handle multiple password policies, the MMC won’t set any SAMBA password policies in the SAMBA domain LDAP entry. But when SAMBA tries to change the user password in the LDAP, the standard LDAP password policies apply.

The OpenLDAP password policies apply when the user password is changed with the “passmod” LDAP operation and when the user running the “passmod” is not the OpenLDAP rootdn.

If the MMC is bound to OpenLDAP with the rootdn as the administrator, you will be able to change passwords from the MMC interface without any password policy checks. However, the password policy is applied on the “change user password page” for normal users.

Note

Password synchronization

Usually the password synchronisation between the SAMBA password and the LDAP password is done by SAMBA itself. When a user changes his password, SAMBA updates the sambaNTPassword attribute and runs the “passmod” LDAP operation to change the userPassword attribute. This synchronization is done when ldap sync password = yes is set in the SAMBA configuration. The problem with this method is that if the password does not pass the password policy check, the SAMBA password will be updated (as it is not changed by a “passmod” operation) but the userPassword attribute won’t.

The second method to synchronize the password is to set ldap sync password = only in SAMBA configuration. In this case, SAMBA will only run the “passmod” LDAP operation when the user changes his password and won’t update the sambaNTPassword attribute of the user. To update this attribute the OpenLDAP overlay smbk5pwd must be used. This overlay will intercept “passmod” operations and update the SAMBA password automatically only if the userPassword attribute has been updated successfully.

In conclusion, in order to use LDAP password policies with SAMBA you have to make sure that:

  • SAMBA is not bound to OpenLDAP with the rootdn
  • The password scheme option is set to “passmod” in /etc/mmc/plugins/base.ini
  • Prefer using the ldap sync password = only method with the smbk5pwd overlay to make sure that passwords are always in sync (Shares -> General options -> Expert mode -> LDAP password sync)

The configuration of the smbk5pwd overlay is pretty straightforward. In your slapd.conf just add:

moduleload    smbk5pwd
[ ... ]
overlay smbk5pwd
smbk5pwd-enable samba
overlay ppolicy
ppolicy_default "cn=default,ou=Password Policies,dc=mandriva,dc=com"
[ ... ]

Note

The order of the overlays is important. Overlays are called in the reverse order in which they are defined, so with the configuration above the ppolicy check runs before the smbk5pwd synchronization, which is what is required.

SAMBA domain policies

The MMC synchronizes the SAMBA domain policy attributes with the default OpenLDAP password policy as follows:

  • pwdMinLength -> sambaMinPwdLength
  • pwdMaxAge -> sambaMaxPwdAge
  • pwdMinAge -> sambaMinPwdAge
  • pwdInHistory -> sambaPwdHistoryLength
  • pwdMaxFailure -> sambaLockoutThreshold
  • pwdLockoutDuration -> sambaLockoutDuration