manage password policy in openldap
play

Manage password policy in OpenLDAP Clment OUDOT - PowerPoint PPT Presentation

Jul 16, 2023 •206 likes •476 views

Manage password policy in OpenLDAP Clment OUDOT coudot@linagora.com First time you see me? Let's introduce! LDAPcoholic since many years Fake developer, real hacker Let's begin with the password policy draft (Behera draft) A draft? Is it

  1. Manage password policy in OpenLDAP Clément OUDOT coudot@linagora.com

  2. First time you see me? Let's introduce! LDAPcoholic since many years Fake developer, real hacker

  3. Let's begin with the password policy draft (Behera draft)

  4. A draft? Is it not a standard? Well, not really. The fjrst draft (version 0) was written in 1999.

  5. The latest version (version 10) was published in 2009 This draft is expired since February 2010

  6. So, can we use it? Of course! Most of LDAP servers implement it.

  7. What are you waiting for? Explain me how it works!

  8. Ok, let me do the LDAP client. You will play the LDAP server.

  9. Ok, I send you an BIND operation with the extended control 1.3.6.1.4.1.42.2.27.8.5.1 I see your password is expired, I refuse the BIND and I send a fmag in the response control.

  10. Thanks to this response control, I can advertise the user. See, it's easy! Client and Server just need to know how to manage the control.

  11. With which LDAP operations can we use this control? BIND for authentication. MOD and PASSMOD for password change.

  12. For authentication, it defjnes account locking, password expiration and password reset

  13. For modifjcation, it can check password size, presence in history, password quality. With this, administrators will have the power to bother all their users. Niark Niark

  14. Let me now present you my friend OpenLDAP Hi! I am the fastest LDAP server on earth!

  15. I own a password policy overlay since many years I support version 9 of the Behera draft and let the possibility to implement a custom password checker module

  16. I imagine that confjguring password policy overlay is a nightmare! Calm down, you just need a brain!

  17. First, load the overlay: olcModuleLoad: ppolicy.la Then confjgure it: dn: olcOverlay={1}ppolicy,olcDatabase={1}bdb,cn=config objectClass: olcOverlayConfig objectClass: olcPPolicyConfig olcOverlay: {1}ppolicy olcPPolicyDefault: ou=default,ou=ppolicy,dc=example,dc=com olcPPolicyHashCleartext: TRUE olcPPolicyUseLockout: FALSE olcPPolicyForwardUpdates: FALSE

  18. So is it over? That was easy! No, we now need to confjgure the policy

  19. Policy confjguration is an entry in the LDAP directory The fjrst lines of the entry are: dn: ou=default,ou=ppolicy,dc=example,dc=com objectClass: pwdPolicy objectClass: pwdPolicyChecker objectClass: organizationalUnit objectClass: top ou: default

  20. pwdAllowUserChange: TRUE pwdAttribute: userPassword pwdCheckModule: check_password.so pwdCheckQuality: 2 pwdExpireWarning: 0 pwdInHistory: 10 pwdLockout: TRUE pwdMaxAge: 31536000 pwdMinAge: 600 pwdMaxFailure: 10 pwdMinLength: 8 Then all parameters are pwdMustChange: TRUE PwdSafeModify : FALSE attributes of this entry

  21. Can we have more than one policy ? Yes we can!

  22. Just create another policy confjguration entry Then link it to a user account: dn: uid=bobama,ou=users,dc=example,dc=com objectClass: inetOrgPerson objectClass: organizationalPerson ObjectClass : person objectClass: top uid : bobama cn : Barack OBAMA sn : OBAMA userPassword: michellemabelle pwdPolicySubentry : ou=nsa,ou=ppolicy,dc=example,dc=com

  23. Did you heard about LDAP Tool Box project? Yes, they provide a password checker module and OpenLDAP package for Debian and CentOS

  24. They also package some contributed overlays like lastbind and smbk5pwd Indeed, good job!

  25. This is all folks! Any question?

Recommend

UNDERSTAND PASSWORD POLICY IN OPENLDAP AND DISCOVER TOOLS TO MANAGE IT Pass the SALT 2020 $

UNDERSTAND PASSWORD POLICY IN OPENLDAP AND DISCOVER TOOLS TO MANAGE IT Pass the SALT 2020 $

UNDERSTAND PASSWORD POLICY IN OPENLDAP AND DISCOVER TOOLS TO MANAGE IT Pass the SALT 2020 $ ldapwhoami LemonLDAP::NG LDAP Tool Box LDAP Synchronization Connector FusionIAM WSweet Clment OUDOT KPTN Identity Solutions Manager

508 views • 24 slides
What's New in OpenLDAP Howard Chu CTO, Symas Corp / Chief Architect OpenLDAP FOSDEM'14 OpenLDAP

What's New in OpenLDAP Howard Chu CTO, Symas Corp / Chief Architect OpenLDAP FOSDEM'14 OpenLDAP

What's New in OpenLDAP Howard Chu CTO, Symas Corp / Chief Architect OpenLDAP FOSDEM'14 OpenLDAP Project Open source code project Founded 1998 Three core team members A dozen or so contributors Feature releases every 12-18

627 views • 42 slides
MDB: A Memory-Mapped Database and Backend for OpenLDAP Howard Chu CTO, Symas Corp.

MDB: A Memory-Mapped Database and Backend for OpenLDAP Howard Chu CTO, Symas Corp.

TM S Y M A S The LDAP guys. MDB: A Memory-Mapped Database and Backend for OpenLDAP Howard Chu CTO, Symas Corp. hyc@symas.com Chief Architect, OpenLDAP hyc@openldap.org TM S Y M A S The LDAP guys. OpenLDAP Project Open source

1.01k views • 63 slides
Password Policy John Hally John.hally@comcast.net Why This Policy? Very important aspect of

Password Policy John Hally John.hally@comcast.net Why This Policy? Very important aspect of

Password Policy John Hally John.hally@comcast.net Why This Policy? Very important aspect of security Can easily be the weakest link Set standards for: Creation of strong passwords Password protection Frequency of

202 views • 6 slides
LDAP for MySQL Cluster back-ndb Howard Chu CTO, Symas Corp. hyc@symas.com Chief Architect,

LDAP for MySQL Cluster back-ndb Howard Chu CTO, Symas Corp. hyc@symas.com Chief Architect,

LDAP for MySQL Cluster back-ndb Howard Chu CTO, Symas Corp. hyc@symas.com Chief Architect, OpenLDAP hyc@openldap.org OpenLDAP Project Open source code project Founded 1998 Three core team members A dozen or so contributors

596 views • 34 slides
The Right to Manage (Based on a Series Developed by C. Longstreth) General Policy The

The Right to Manage (Based on a Series Developed by C. Longstreth) General Policy The

The Right to Manage (Based on a Series Developed by C. Longstreth) General Policy The University, through its governance structure, retains and reserves to itself the rights, powers, and authority to plan, manage, control and in all respects

776 views • 39 slides
One Year Solving Infrastructure Management with FusionDirectory and OpenLDAP This work is

One Year Solving Infrastructure Management with FusionDirectory and OpenLDAP This work is

One Year Solving Infrastructure Management with FusionDirectory and OpenLDAP One Year Solving Infrastructure Management with FusionDirectory and OpenLDAP This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 Unported

491 views • 21 slides
Improving Password Management Laura Raderman, Policy and Compliance Coordinator, ISO Ole

Improving Password Management Laura Raderman, Policy and Compliance Coordinator, ISO Ole

Improving Password Management Laura Raderman, Policy and Compliance Coordinator, ISO Ole Villadsen, Research Liaison, Cybersecurity, UL Password Management How many passwords do you have? Are they all different? How different?

395 views • 37 slides
Certificate Retrieval from OpenLDAP The X.509 attribute Parsing Server (XPS)

Certificate Retrieval from OpenLDAP The X.509 attribute Parsing Server (XPS)

Certificate Retrieval from OpenLDAP The X.509 attribute Parsing Server (XPS) d.w.chadwick@salford.ac.uk The Problem PKI clients cannot search for specific X.509 attributes stored in LDAP directories, e.g. Find the encryption PKC for

667 views • 23 slides
} Public Engagement and Consultation Policy and Strategy } Manage Public Engagement and

} Public Engagement and Consultation Policy and Strategy } Manage Public Engagement and

} Public Engagement and Consultation Policy and Strategy } Manage Public Engagement and Consultation } Manage Costs } Its good to talk - Helping people to be heard } Open, Accountable, Transparent } As part of a new service/ initiative } A change

302 views • 15 slides
OpenLDAP Developer Conference 2011 PRESENTED BY: Jan Velk Red Hat Attribution-ShareAlike

OpenLDAP Developer Conference 2011 PRESENTED BY: Jan Velk Red Hat Attribution-ShareAlike

OpenLDAP Developer Conference 2011 PRESENTED BY: Jan Velk Red Hat Attribution-ShareAlike 3.0 Unported (CC BY-SA 3.0) http://creativecommons.org/licenses/by-sa/3.0/ topics what is LDAP database structure difference from other

381 views • 15 slides
Team Password Manager Password Management Software for Groups http://teampasswordmanager.com

Team Password Manager Password Management Software for Groups http://teampasswordmanager.com

Team Password Manager Password Management Software for Groups http://teampasswordmanager.com What is Team Password Manager - Password manager for groups and projects - Uses projects to group passwords - Secure, fine grained password sharing -

712 views • 9 slides
Cisco Passwords - Enforcing Minimum Password Length Common Types of Password Attacks Brute-Force

Cisco Passwords - Enforcing Minimum Password Length Common Types of Password Attacks Brute-Force

Cisco Passwords - Enforcing Minimum Password Length Common Types of Password Attacks Brute-Force Attack - tries every possible character combination as a password. To recover a single-letter password would require up to 26 combinations. A

415 views • 8 slides
Open Source IAM using Fortress and OpenLDAP LDAPCon October 11, 2011 Shawn.McKinney@ Agenda

Open Source IAM using Fortress and OpenLDAP LDAPCon October 11, 2011 Shawn.McKinney@ Agenda

Open Source IAM using Fortress and OpenLDAP LDAPCon October 11, 2011 Shawn.McKinney@ Agenda Product vision Project status Functional gaps covered Features and technologies Installation and usage demo Where to get more

564 views • 23 slides
Peddle the Pedal to the Metal Howard Chu CTO, Symas Corp. hyc@symas.com Chief Architect,

Peddle the Pedal to the Metal Howard Chu CTO, Symas Corp. hyc@symas.com Chief Architect,

Peddle the Pedal to the Metal Howard Chu CTO, Symas Corp. hyc@symas.com Chief Architect, OpenLDAP hyc@openldap.org 2019-03-05 Overview Context, philosophy, impact Profiling tools Obvious problems and effective solutions More

770 views • 47 slides
WiredTiger Backend for OpenLDAP Open Source Solution Technology Corporation Tsukasa Hamano

WiredTiger Backend for OpenLDAP Open Source Solution Technology Corporation Tsukasa Hamano

WiredTiger Backend for OpenLDAP Open Source Solution Technology Corporation Tsukasa Hamano <hamano@osstech.co.jp> LDAPCon 2015 Edinburgh November 2015 Open Source Solution Technology Corporation 1 WiredTiger Backend for OpenLDAP About

399 views • 23 slides
EVALUATING THE USE OF WEB- BASED SYSTEMS TO MANAGE POLICY DOCUMENTATION IN WINTER MAINTENANCE

EVALUATING THE USE OF WEB- BASED SYSTEMS TO MANAGE POLICY DOCUMENTATION IN WINTER MAINTENANCE

EVALUATING THE USE OF WEB- BASED SYSTEMS TO MANAGE POLICY DOCUMENTATION IN WINTER MAINTENANCE Wilfrid Nixon (Salt Institute) and Fahad Shuja (Ontario Good Roads Association) Learning Outcomes At the end of this presentation, listeners will

245 views • 22 slides
Is Password InSecurity Inevitable? Cryptographic Enhancements to Password Protocols Hugo

Is Password InSecurity Inevitable? Cryptographic Enhancements to Password Protocols Hugo

Is Password InSecurity Inevitable? Cryptographic Enhancements to Password Protocols Hugo Krawczyk (IBM Research) Works with Stanislaw Jarecki, Jiayu Xu (UC Irvine) Aggelos Kiayas (U Edinburgh) Nitesh Saxena, Maliheh Shirvanian (UA Birmingham)

750 views • 32 slides
Password, Authentication, Password Managers Week 4 Frank Chen | Spring 2017 Frank Chen | Spring

Password, Authentication, Password Managers Week 4 Frank Chen | Spring 2017 Frank Chen | Spring

LastPass, a Password Manager Application CS 88S Password, Authentication, Password Managers Week 4 Frank Chen | Spring 2017 Frank Chen | Spring 2017 Agenda Review last weeks material Some Definitions Password in the Cloud

584 views • 47 slides
LastPass An Introduction to Password Managers Why do I need a Password manager? Email is your

LastPass An Introduction to Password Managers Why do I need a Password manager? Email is your

LastPass An Introduction to Password Managers Why do I need a Password manager? Email is your Master Key When you forget a password, they send a reset link to your email. Anyone with access to your email has the power to reset your other

549 views • 31 slides
Again Guideline of IPA Again Guideline of IPA We respect the IPAs policy so that we reported

Again Guideline of IPA Again Guideline of IPA We respect the IPAs policy so that we reported

Extended APOP Password Extended APOP Password Recovery Attack Recovery Attack Yu Sasaki, Lei Wang, Kazuo Ohta and Noboru Kunihiro (The University of Electro-Communications) 31 characters can be recovered. Remark: This research was done only

117 views • 7 slides
Proactive Password Checking Analyze proposed password for goodness Always invoked

Proactive Password Checking Analyze proposed password for goodness Always invoked

Proactive Password Checking Analyze proposed password for goodness Always invoked Can detect, reject bad passwords for an appropriate definition of bad Discriminate on per-user, per-site basis Needs to do

363 views • 21 slides
Day 3 If you are still using the default password that was assigned when your account was

Day 3 If you are still using the default password that was assigned when your account was

Day 3 If you are still using the default password that was assigned when your account was created, CHANGE IT NOW! (It can be the same as your email password.) Day 3 Steps in compiling: (Optional preprocessing) Lexical analysis

483 views • 17 slides
Measuring password strength by simulating password-cracking algorithms Saranga Komanduri Patrick

Measuring password strength by simulating password-cracking algorithms Saranga Komanduri Patrick

Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms Saranga Komanduri Patrick Gage Kelley, Michelle L. Mazurek, Richard Shay, Tim Vidas, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor,

1.88k views • 85 slides

More recommend