[Fedora-directory-users] Issues with TLS, password modify operation, and password expiration

Richard Megginson rmeggins at redhat.com
Fri Apr 27 14:47:06 UTC 2007


François Beretti wrote:
> Hi,
>
> I am implementing password policy in my LDAP-based software. When
> using Fedora DS I encountered several problems (or questions) :
>
> 1) when password expired, no request other than modifying its
> userPassword attribute is allowed. Two requests would have been
> usefull in my opinion :
>
> * Start TLS : I want to enable TLS just before changing my password, 
> but :
>        - Start TLS is not allowed, since it is not the only allowed
> modify request on userpassword
Can you do the StartTLS extended operation first, before the bind 
request, then the password modify?
>        - After Start TLS (when the password is not expired), it seems
> that the connection become sometimes anonymous, and needs a new bind.
I'm not sure what you mean.  Can you elaborate on this?
> I thought only the Stop TLS operation must disable the authentication
> on the LDAP connection
Do you mean authentication or transport encryption?
>
> * Password Modify Extended operation : I just thought it would be a
> good idea to use it to change a password, but it is not allowed
Even if you do this as the first operation, before the bind?
>
> 2) when changing the password using a standard ldap modify request, if
> I send two modify operations in the same request, the first one to
> remove the old password and the second one to add the new password, do
> I need to hash the old password for it to be in the same format than
> in the directory ?
No.  You should not send pre-hashed passwords, you should let the DS 
hash the passwords.
>
> 3) when using the Password Modify Extended operation, then at the next
> logon the server requires the user to change its password ! So I
> definitly can't use this operation on a server implementing password
> policy. I believe that in the Fedora DS password policy code this
> operation is only seen as an administration request, not intended to
> be done by a user : it is handled as a "force password" request, not a
> "change password" request.
Hmm - that could be a bug in that we perhaps do not reset the password 
expiration time.  It's supposed to - it goes through the same code as 
regular password modify.
>
> 4) I use the Novell LDAP client API. Any call to ldap_stop_tls_s
> blocks the calling thread. I don't know if it comes from the server,
> the client API, or both. It is not too bad since I can just call
> ldap_unbind and ldap_init instead.
>
>
> François
>
> -- 
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/fedora-directory-users/attachments/20070427/5cae1307/attachment.bin>


More information about the Fedora-directory-users mailing list