password policy soup
807573, May 9 2008 (edited May 19 2008)

Hello,
I am testing Solaris 10 pam_ldap against both DSEE 6.3 and OpenLDAP. I am trying to gain a better understanding of LDAP password policies, and what features are supported in LDAP client and server implementations.
In my testing, I am using the configuration documented on BigAdmin:
http://www.sun.com/bigadmin/features/articles/nis_ldap_part1.jsp
I am reading over the LDAP password policy draft:
http://tools.ietf.org/html/draft-behera-ldap-password-policy-09
I am also looking at the OpenSolaris source code here:
http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/lib/libsldap/common/ns_connect.c#process_pwd_mgmt
In particular, the code and comments that specify OID 2.16.840.1.113730.3.4.4. This OID corresponds with what I see in the response from DSEE 6.3 if I set pwdReset to TRUE on a user's record. In other words, if I snoop the LDAP traffic, I can see this OID returned by DSEE as a control in the bind response, and then the Solaris LDAP client reacts by prompting the user for the password.
In OpenLDAP, on the other hand, I see no mention of OID 2.16.840.1.113730.3.4.4 as a supported control, nor do I find it anywhere in the source. I understand this to be the "Netscape Password Expired LDAPv3 control."
I understand this is not an OpenLDAP forum, but OpenLDAP (I'm testing 2.4.x) seems to implement this:
#define LDAP_CONTROL_PASSWORDPOLICYREQUEST "1.3.6.1.4.1.42.2.27.8.5.1"
I also see 1.3.6.1.4.1.42.2.27.8.5.1 as the password policy control in the IETF draft. My understanding is that this control must be requested as part of the bind, and then it is returned by the LDAP server with the response for processing by the client.
So, all that being said, it seems pretty clear that the Solaris pam_ldap is not requesting the 1.3.6.1.4.1.42.2.27.8.5.1 control and therefore some password policy features are not compatible between Solaris and OpenLDAP. Do these observations seem accurate? I would welcome any discussion or comments on this subject. Based on my testing, it seems that Solaris is only looking for the Netscape password control OIDs when it comes to administrative password resets, warning messages and the like.
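To make the difference between the two control families concrete, here is an added example (not code from the original post, from Sun/Oracle, or from OpenLDAP) that decodes the bind-response controls the post describes: the draft-behera PasswordPolicyResponseValue (1.3.6.1.4.1.42.2.27.8.5.1) as a DER SEQUENCE, and the Netscape password-expired (2.16.840.1.113730.3.4.4) and password-expiring (2.16.840.1.113730.3.4.5) controls whose values are plain strings. A flag models a client that, like the Solaris pam_ldap in the post's observations, only reacts to the Netscape OIDs. The control bytes are constructed by hand from the draft's ASN.1 and OpenLDAP's context tags (0xA0 warning, 0x80 timeBeforeExpiration, 0x81 graceAuthNsRemaining, 0x81 error); they are not captured traffic, and the string form of the Netscape values is assumed from the controls' documented conventions.

```python
"""Decode LDAP password-policy response controls (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PPOLICY_RESPONSE = "1.3.6.1.4.1.42.2.27.8.5.1"       # draft-behera response control
NS_PASSWORD_EXPIRED = "2.16.840.1.113730.3.4.4"       # Netscape: expired / reset
NS_PASSWORD_EXPIRING = "2.16.840.1.113730.3.4.5"      # Netscape: seconds until expiry

# error ENUMERATED from draft-behera section 6.2
PPOLICY_ERRORS = {
    0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
    3: "passwordModNotAllowed", 4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality", 6: "passwordTooShort",
    7: "passwordTooYoung", 8: "passwordInHistory",
}


@dataclass
class PasswordPolicyResponse:
    time_before_expiration: Optional[int] = None
    grace_authns_remaining: Optional[int] = None
    error: Optional[str] = None


def _tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER tag/length/value; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def decode_ppolicy_response(value: bytes) -> PasswordPolicyResponse:
    """Decode PasswordPolicyResponseValue ::= SEQUENCE { warning [0] CHOICE ..., error [1] ENUMERATED }."""
    tag, body, end = _tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("expected a single SEQUENCE")
    resp, pos = PasswordPolicyResponse(), 0
    while pos < len(body):
        tag, inner, pos = _tlv(body, pos)
        if tag == 0xA0:                    # warning [0], constructed CHOICE
            wtag, wval, _ = _tlv(inner, 0)
            n = int.from_bytes(wval, "big", signed=True)
            if wtag == 0x80:               # timeBeforeExpiration [0] INTEGER
                resp.time_before_expiration = n
            elif wtag == 0x81:             # graceAuthNsRemaining [1] INTEGER
                resp.grace_authns_remaining = n
            else:
                raise ValueError(f"unknown warning tag {wtag:#x}")
        elif tag == 0x81:                  # error [1] ENUMERATED
            code = int.from_bytes(inner, "big", signed=True)
            resp.error = PPOLICY_ERRORS.get(code, f"unknown({code})")
        else:
            raise ValueError(f"unexpected tag {tag:#x}")
    return resp


def interpret_bind_controls(controls: List[Tuple[str, bytes]],
                            understands_ppolicy: bool) -> List[str]:
    """Map bind-response controls to the actions a PAM client would take.

    understands_ppolicy=False models a client that only honours the Netscape
    OIDs, so a ppolicy-only server yields no prompt and no warning at all.
    """
    actions = []
    for oid, value in controls:
        if oid == NS_PASSWORD_EXPIRED:
            actions.append("reset: password expired or administratively reset")
        elif oid == NS_PASSWORD_EXPIRING:
            actions.append(f"warn: password expires in {int(value.decode())} seconds")
        elif oid == PPOLICY_RESPONSE and understands_ppolicy:
            r = decode_ppolicy_response(value)
            if r.error == "changeAfterReset":
                actions.append("reset: password must be changed after reset")
            elif r.error is not None:
                actions.append(f"error: {r.error}")
            if r.time_before_expiration is not None:
                actions.append(f"warn: password expires in {r.time_before_expiration} seconds")
            if r.grace_authns_remaining is not None:
                actions.append(f"warn: {r.grace_authns_remaining} grace logins remaining")
    return actions


# Constructed sample controls (hand-encoded, not captured traffic).
# OpenLDAP ppolicy after an admin reset, 3600 s left:
#   SEQUENCE { [0] { [0] INTEGER 3600 }, [1] ENUMERATED changeAfterReset(2) }
OPENLDAP_RESET_CONTROLS = [(PPOLICY_RESPONSE, bytes.fromhex("3009a00480020e10810102"))]
# DSEE-style Netscape controls for the same situation (value formats assumed):
DSEE_RESET_CONTROLS = [(NS_PASSWORD_EXPIRED, b"0"), (NS_PASSWORD_EXPIRING, b"3600")]

if __name__ == "__main__":
    for name, ctrls in (("OpenLDAP", OPENLDAP_RESET_CONTROLS), ("DSEE", DSEE_RESET_CONTROLS)):
        for flag in (False, True):
            print(f"{name}, understands_ppolicy={flag}: {interpret_bind_controls(ctrls, flag)}")
```

Running it shows the asymmetry the post describes: the DSEE-style controls produce a reset prompt and an expiry warning whether or not the client understands ppolicy, while the OpenLDAP response is silently ignored by a client that only looks for the Netscape OIDs. Note that the draft control is only returned if the client sends the matching request control (same OID, empty value) with the bind, so a client that never asks for it sees nothing even from a server that implements it.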