Re: Issues with TLS, password modify operation, and password expiration

François Beretti wrote:
Hi,

I am implementing password policy in my LDAP-based software. When
using Fedora DS I encountered several problems (or questions):

1) when the password has expired, no request other than modifying its
userPassword attribute is allowed. Two requests would have been
useful in my opinion:

* Start TLS: I want to enable TLS just before changing my password, but:
       - Start TLS is not allowed, since it is not the only allowed
modify request on userPassword
Can you do the StartTLS extended operation first, before the bind request, then the password modify?
       - After Start TLS (when the password is not expired), it seems
that the connection sometimes becomes anonymous and needs a new bind.
I'm not sure what you mean.  Can you elaborate on this?
I thought only the Stop TLS operation must disable the authentication
on the LDAP connection.
Do you mean authentication or transport encryption?

* Password Modify Extended operation: I just thought it would be a
good idea to use it to change a password, but it is not allowed.
Even if you do this as the first operation, before the bind?

2) when changing the password using a standard ldap modify request, if
I send two modify operations in the same request, the first one to
remove the old password and the second one to add the new password, do
I need to hash the old password for it to be in the same format as
in the directory?
No. You should not send pre-hashed passwords, you should let the DS hash the passwords.

3) when using the Password Modify Extended operation, at the next
logon the server requires the user to change their password! So I
definitely can't use this operation on a server implementing password
policy. I believe that in the Fedora DS password policy code this
operation is only seen as an administration request, not intended to
be done by a user: it is handled as a "force password" request, not a
"change password" request.
Hmm - that could be a bug in that we perhaps do not reset the password expiration time. It's supposed to - it goes through the same code as regular password modify.

4) I use the Novell LDAP client API. Any call to ldap_stop_tls_s
blocks the calling thread. I don't know if it comes from the server,
the client API, or both. It is not too bad since I can just call
ldap_unbind and ldap_init instead.


François

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
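The Password Modify extended operation from points 1 and 3 (RFC 3062) and the "do not pre-hash" advice from point 2, as an added example that is not from this thread or from Fedora DS: it BER-encodes the PasswdModifyRequestValue that a client would send after StartTLS and bind, refuses values that look pre-hashed (the `looks_pre_hashed` helper is a hypothetical check, not a directory-server API), and decodes the value back.

```python
"""Build and parse the RFC 3062 Password Modify extended request value.

The request carries the old and new passwords in cleartext, which is why
StartTLS should precede the bind and this operation, and why the values
must be sent unhashed: the directory server applies its own hash on storage.
"""
PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"  # RFC 3062 requestName
TAG_USER_IDENTITY, TAG_OLD_PASSWD, TAG_NEW_PASSWD = 0x80, 0x81, 0x82  # [0], [1], [2]
_FIELD_NAMES = {TAG_USER_IDENTITY: "userIdentity", TAG_OLD_PASSWD: "oldPasswd",
                TAG_NEW_PASSWD: "newPasswd"}


def _ber_len(n: int) -> bytes:
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, payload, next position) for the TLV starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def looks_pre_hashed(password: str) -> bool:
    """Hypothetical check: '{SSHA}...'-style values would be stored verbatim."""
    return password.startswith("{") and "}" in password[1:]


def build_passwd_modify_value(user_identity=None, old_passwd=None, new_passwd=None) -> bytes:
    """Return the BER-encoded PasswdModifyRequestValue SEQUENCE (all fields optional)."""
    for pw in (old_passwd, new_passwd):
        if pw is not None and looks_pre_hashed(pw):
            raise ValueError("send the cleartext password; let the directory hash it")
    fields = ((TAG_USER_IDENTITY, user_identity), (TAG_OLD_PASSWD, old_passwd),
              (TAG_NEW_PASSWD, new_passwd))
    inner = b"".join(_tlv(tag, val.encode("utf-8")) for tag, val in fields if val is not None)
    return _tlv(0x30, inner)  # SEQUENCE


def parse_passwd_modify_value(value: bytes) -> dict:
    """Decode a request value back into a dict of the fields that were present."""
    tag, inner, _ = _read_tlv(value, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    out, pos = {}, 0
    while pos < len(inner):
        tag, payload, pos = _read_tlv(inner, pos)
        out[_FIELD_NAMES[tag]] = payload.decode("utf-8")
    return out
```

The sample DN and passwords in the test are constructed; the encoded bytes are what the client would place in the extended request's requestValue.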
