-
Notifications
You must be signed in to change notification settings - Fork 1
/
doc.html
140 lines (127 loc) · 6.7 KB
/
doc.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>not24get</title>
<meta name="description" content="Collection of software to make password enforcement easy in OpenLDAP based domains" />
<meta name="keywords" content="OpenLDAP, LDAP, Samba, PAM, password, password policy, password strength checking" />
<!--<base href="" />-->
<!--ICON-->
<link rel="shortcut icon" href="icons/favicon.ico" />
<link rel="apple-touch-icon" href="icons/iphone-icon.png" />
<!--JS-->
<!--<link type="text/javascript" href="js/javascript.js" />-->
<!--STYLESHEET GALORE-->
<style type="text/css">
@import url(css/main.css);
</style>
<!--[if IE]>
<link rel="stylesheet" type="text/css" href="css/ie.css"/>
<![endif]-->
</head>
<body>
<h1>not24get - Collection of software and tips to make password quality enforcement easy</h1>
<h2>About</h2>
<ul>
<li>Module to do password quality checks on LDAP directory level, not on user application level.</li>
<li>Application to duplicate the quality checks for Samba as a work-around for a Samba bug</li>
<li>Recommended configuration for Samba, PAM and OpenLDAP</li>
</ul>
<h2>Big picture and rationale</h2>
<p>Most OpenLDAP deployments are used as back ends for Samba, as NT-style Windows Domains.
While using LDAP directory as a back end for Samba is a very good idea, it also brings problems if our deployment
needs to be compliant with EU Data Protection directive, or similar local laws.
What this means, is that user set passwords need to have specific complexity.
It's done to avoid simple and easy to guess passwords, like "password", "sally" and so on.
Making Samba to enforce the complexity of the password is quite simple, one just need to use the <code>crackcheck</code>
application included in Samba documentation (read <b>Alternative Samba password check setting</b> below to know how).
The problem starts when other applications can authenticate with LDAP directory directly.
If one can connect directly to LDAP directory, one can change his password to anything he wants, default OpenLDAP
configuration won't enforce the password. We have exactly the same problem if there are regular UNIX servers in our
domain that use LDAP directly – we should allow the users to change their passwords using the <code>passwd</code>
command on any computer they can connect to and still have the complexity enforced.
The only way to do it safely, is to delegate the password checking to the LDAP server itself, use
LDAP Password Modify Extended Operation (<a href="http://tools.ietf.org/html/rfc3062">RFC3062)</a>) for password change
and <code>slapo-ppolicy(5)</code> overlay together with <code>pwdCheckModule</code>.
This way, no matter where the change originates from, the password will have to meet the same complexity requirements.
Unfortunately, there's a bug in Samba, where if the password change in LDAP (or PAM for that matter) didn't succeed
the Domain Controller returns "Permission denied" message.
As can be imagined, this is quite confusing for users...
This means, that the script Samba uses for quality checks needs to duplicate the checks the
<code>pwdCheckModule</code> does in LDAP.
</p>
<h2>Downloads and compilation</h2>
<p>You can get the source code for those applications from
<a href="https://github.com/tomato42/not24get">https://github.com/tomato42/not24get</a>
<br/>
To compile the code you will need the <a href="http://www.openwall.com/passwdqc/"><code>libpasswdqc</code></a> library
installed. To compile the code, run:
</p>
<pre>
git clone http://github.com/tomato42/not24get.git not24get
cd not24get
make
</pre>
<h2>Configuration</h2>
<h3>Config file</h3>
<p>The config file at this moment has the same directives as the <code>libpasswdqc</code> config files. Documentation
should be avaiable in passwdqc.conf(5).
The main difference is in location, not24get applications and modules look for config file in following locations:
</p>
<ul>
<li><code>/etc/samba/not24get.conf</code> (compilation configuration dependent)</li>
<li><code>/etc/ldap/not24get.conf</code></li>
<li><code>/etc/not24get.conf</code></li>
<li><code>/etc/ldap/passwdqc.conf</code></li>
<li><code>/etc/passwdqc.conf</code></li>
</ul>
<p>
So it is possible to enforce different password quality for local accounts using <code>pam_passwdqc</code> and
<code>not24get</code> modules.
</p>
<h3>OpenLDAP configuration</h3>
<p>First set up regular ppolicy module in OpenLDAP. After that, copy the <code>not24get.so</code> file to the OpenLDAP
module directory (usually <code>/usr/lib/openldap/</code>) and following entry to all policies in which you need:
</p>
<pre>
pwdCheckModule: not24get.so
</pre>
<p>
Moreover, you will need the <code>smbk5pwd</code> overlay working or the <code>pwdLastSet</code> won't be updated.
</p>
<h3>Samba configuration</h3>
<p>You can configure the Samba using two different ways, the first one is to use the <code>not24get_check</code> the
second one is to use <code>pwqcheck</code> from <code>libpasswdqc</code>.
If you use <code>pwqcheck</code>, you won't have the ability to use the different settings for local accounts and
domain accounts.
</p>
<p>To make Samba use LDAP Extended operation for password changing, you need to change following line:
</p>
<pre>
ldap passwd sync = only
</pre>
<h4>not24get_check configuration</h4>
<p>In <code>/etc/samba/smb.conf</code>, global section, add following line:</p>
<pre>
check password script = /usr/bin/not24get_check
</pre>
<h4>pwqcheck configuration</h4>
<p>In <code>/etc/samba/smb.conf</code>, global section, add following line:</p>
<pre>
check password script = /usr/bin/pwqcheck -1
</pre>
<h4>Alternative Samba password check setting</h4>
<p>
With Samba you can also use the application included in documentation: <code>crackcheck</code>
it should be in <code>examples/auth/crackcheck</code> folder in Samba documentation, available from
<code>samba-doc</code>package.
After compiling (or using the already compiled application if your distribution has one) you set the password options
in <code>smb.conf</code> like that:
</p>
<pre>
check password script = /usr/bin/crackcheck -c -d /usr/share/cracklib/pw_dict
</pre>
</body>
</html>