LDAP password management (aging)

I was reading the LDAP docs for Solaris 9 and found that "password
management" (password aging, expiration, even account lockout on bad
logins) was introduced in Solaris 9 12/02.

Does anyone know if these features of pam_ldap have been or are going
to be ported to earlier releases, perhaps as patches?

We are planning to move user account management to LDAP and password
aging is one of our requirements.

I saw a pam_ldap patch (113476-06) for Solaris 9 but access is
restricted so I could not read the patch description.
If this patch introduced password management, any plans to make it
public?  Otherwise I guess we can only get it with a Maintenance
Update or service contract.

Perhaps someone can convince Sun to make the patch public since
password aging can be associated with security?  (I know some think
password aging is a bad idea because it encourages users to write them
down, etc, but in some cases it is a good thing).

Patch 108993-14 for Solaris 8 seems to have introduced LDAP password
aging and it is a free patch.

Anyway, in a related note I find it interesting that "account lockout"
has been introduced.  I know most of us believe that locking a user
account after # failed login attempts is a Very Bad Idea (TM), but
every once in a while someone asks if this can be done in Solaris
(usually by request of a PHB), and the answer has usually been (in
addition to "don't do it"), that Solaris does not support it unless
the user writes her own PAM module... I guess now we can tell them
to use pam_ldap.


http://docs.sun.com/db/doc/816-7511/6mdgu0h1t?a=view
"The following password management features are supported through 
pam_ldap(5).

[snip]

       User account lockout
       A user account can be locked out after a given number of repeated 
authentication failures. A user can also be locked out if his account is 
inactivated by an administrator. Authentication will continue to fail 
until the account lockout time is passed or the administrator 
reactivates the account."


delrio
7/14/2003 8:52:54 PM
comp.unix.solaris
In article <3F131826.7060403@mie.utoronto.ca>,
 Oscar del Rio <delrio@mie.utoronto.ca> wrote:

> I was reading the LDAP docs for Solaris 9 and found that "password
> management" (password aging, expiration, even account lockout on bad
> logins) was introduced in Solaris 9 12/02.
> 
> Does anyone know if these features of pam_ldap have been or are going
> to be ported to earlier releases, perhaps as patches?
> 
> We are planning to move user account management to LDAP and password
> aging is one of our requirements.
> 
> I saw a pam_ldap patch (113476-06) for Solaris 9 but access is
> restricted so I could not read the patch description.
> If this patch introduced password management, any plans to make it
> public?  Otherwise I guess we can only get it with a Maintenance
> Update or service contract.
> 
> Perhaps someone can convince Sun to make the patch public since
> password aging can be associated with security?  (I know some think
> password aging is a bad idea because it encourages users to write them
> down, etc, but in some cases it is a good thing).
> 
> Patch 108993-14 for Solaris 8 seems to have introduced LDAP password
> aging and it is a free patch.
> 
> Anyway, in a related note I find it interesting that "account lockout"
> has been introduced.  I know most of us believe that locking a user
> account after # failed login attempts is a Very Bad Idea (TM), but
> every once in a while someone asks if this can be done in Solaris
> (usually by request of a PHB), and the answer has usually been (in
> addition to "don't do it"), that Solaris does not support it unless
> the user writes her own PAM module... I guess now we can tell them
> to use pam_ldap.
> 
> 
> http://docs.sun.com/db/doc/816-7511/6mdgu0h1t?a=view
> "The following password management features are supported through 
> pam_ldap(5).
> 
> [snip]
> 
>        User account lockout
>        A user account can be locked out after a given number of repeated 
> authentication failures. A user can also be locked out if his account is 
> inactivated by an administrator. Authentication will continue to fail 
> until the account lockout time is passed or the administrator 
> reactivates the account."
> 
> 

This feature is closer to what I recall as "security intrusion".  The 
account login is disabled for a specific time, then it works again, 
unless an admin reactivates the account before the specific time is up.  
VMS did this.  It's really a Good Thing(tm).

What you've been referring to as "account lockout" is where the account 
is _permanently_ disabled from access after, say, 3 failed login 
attempts.  It would require a security manager or sysadmin to re-enable 
the account.  This could lead to a denial of service attack and is a Bad 
Thing(tm) (unless you make the PHB who required it the point of 
contact...).  VMS had this as well.

I still think you need a pam module to do "account lockout" unless you 
can specify a really long time on a per-account basis rather than only 
system-wide.

-- 
DeeDee, don't press that button!  DeeDee!  NO!  Dee...



Michael
7/14/2003 9:34:22 PM
Oscar del Rio <delrio@mie.utoronto.ca> writes:
>I was reading the LDAP docs for Solaris 9 and found that "password
>management" (password aging, expiration, even account lockout on bad
>logins) was introduced in Solaris 9 12/02.
>
>Does anyone know if these features of pam_ldap have been or are going
>to be ported to earlier releases, perhaps as patches?
>

Solaris 9:  Patch 112960-07

   (from 112960-03)
 
    4357827 pam_ldap should fully support password aging


Solaris 8:  Patch 108993-22

   (from 108993-14)
  
   4357827 pam_ldap should fully support password aging


  -Greg
-- 
Do NOT reply via e-mail.
Reply in the newsgroup.
gerg
7/14/2003 10:40:54 PM
> >        User account lockout
> >        A user account can be locked out after a given number of repeated
> > authentication failures. A user can also be locked out if his account is
> > inactivated by an administrator. Authentication will continue to fail
> > until the account lockout time is passed or the administrator
> > reactivates the account."
> >
> >
>
> This feature is closer to what I recall as "security intrusion".  The
> account login is disabled for a specific time, then it works again,
> unless an admin reactivates the account before the specific time is up.
> VMS did this.  It's a really a Good Thing(tm).

How can that be a Good Thing (tm)?
What would stop anyone from writing a script that disables your account
every 5 minutes (or whatever time interval the account is reactivated)?


Oscar
7/15/2003 12:24:18 PM
In article <HI2FzA.8Go@mie.utoronto.ca>,
 "Oscar del Rio" <delrio@mie.utoronto.ca> wrote:

> > >        User account lockout
> > >        A user account can be locked out after a given number of repeated
> > > authentication failures. A user can also be locked out if his account is
> > > inactivated by an administrator. Authentication will continue to fail
> > > until the account lockout time is passed or the administrator
> > > reactivates the account."
> > >
> > >
> >
> > This feature is closer to what I recall as "security intrusion".  The
> > account login is disabled for a specific time, then it works again,
> > unless an admin reactivates the account before the specific time is up.
> > VMS did this.  It's a really a Good Thing(tm).
> 
> How can that be a Good Thing (tm)?
> What would stop anyone from writing a script that disables your account
> every 5 minutes (or whatever time interval the account is reactivated)?

There are certain accounts I wouldn't enable this on and I hope that is a 
feature of this new capability.  Depends on how paranoid you wanna be or 
are told to be by a PHB.

-- 
DeeDee, don't press that button!  DeeDee!  NO!  Dee...



Michael
7/15/2003 7:04:26 PM
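A small simulation, added here as an example and not code from Solaris, pam_ldap or Sun's directory server, that models the two behaviours Michael separates above (a lock that expires on its own versus one only an admin can clear), runs Oscar's scripted attacker against both, and includes the per-account exemption Michael mentions. The policy fields, the account names, the 60-second user cadence and the rule that a successful login resets the failure counter are all assumptions made for the illustration:

```python
"""Added example (not Solaris, pam_ldap or Sun DS code): a model of timed
versus permanent account lockout, used to show what a scripted stream of
bad passwords does to the targeted account under each policy.

Every name and number below is an assumption chosen for illustration.
"""
import math
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class LockoutPolicy:
    max_failures: int = 3
    # None models permanent lockout (an admin must reactivate the account);
    # a number models the timed "security intrusion" lockout, in seconds.
    lockout_seconds: Optional[int] = None
    # Accounts the policy is not applied to (assumed per-account exemption).
    exempt: frozenset = frozenset()


@dataclass
class Account:
    password: str
    failures: int = 0
    # None: not locked. math.inf: locked until an admin unlocks.
    # Otherwise the time at which the lock expires on its own.
    locked_until: Optional[float] = None


class Authenticator:
    """Counts consecutive bad passwords per account and applies the policy."""

    def __init__(self, policy: LockoutPolicy, passwords: dict):
        self.policy = policy
        self.accounts = {n: Account(p) for n, p in passwords.items()}

    def authenticate(self, name: str, password: str, now: float) -> str:
        acct = self.accounts[name]
        if acct.locked_until is not None:
            if now < acct.locked_until:          # also true for math.inf
                return "locked"
            acct.locked_until = None             # timed lock has expired
            acct.failures = 0
        if password == acct.password:
            acct.failures = 0                    # assumed: success resets the counter
            return "ok"
        acct.failures += 1
        if name not in self.policy.exempt and acct.failures >= self.policy.max_failures:
            acct.locked_until = (math.inf if self.policy.lockout_seconds is None
                                 else now + self.policy.lockout_seconds)
        return "bad_password"

    def admin_unlock(self, name: str) -> None:
        """The administrator 'reactivates the account' from the Sun doc quote."""
        acct = self.accounts[name]
        acct.locked_until = None
        acct.failures = 0


def availability(policy: LockoutPolicy, attacker_interval: int,
                 horizon: int = 3000) -> float:
    """Fraction of the legitimate user's logins that succeed while an attacker
    script sends a burst of max_failures bad passwords every attacker_interval
    seconds. The user tries the right password every 60 s, starting at t=30."""
    auth = Authenticator(policy, {"oscar": "correct-horse"})   # constructed account
    events = []                                  # (time, order, kind)
    for t in range(0, horizon, attacker_interval):
        events.append((t, 0, "attacker"))
    for t in range(30, horizon, 60):
        events.append((t, 1, "user"))
    ok = attempts = 0
    for t, _, kind in sorted(events):
        if kind == "attacker":
            for _ in range(policy.max_failures):
                auth.authenticate("oscar", "wrong", t)
        else:
            attempts += 1
            if auth.authenticate("oscar", "correct-horse", t) == "ok":
                ok += 1
    return ok / attempts


if __name__ == "__main__":
    for label, pol, interval in [
        ("permanent lockout, attacker every 5 min", LockoutPolicy(3, None), 300),
        ("5 min lockout, attacker every 5 min", LockoutPolicy(3, 300), 300),
        ("5 min lockout, attacker every 10 min", LockoutPolicy(3, 300), 600),
        ("5 min lockout, account exempt",
         LockoutPolicy(3, 300, frozenset({"oscar"})), 300),
    ]:
        print(f"{label}: user availability {availability(pol, interval):.0%}")
```

Run as a script it prints the user's availability under each policy. With the attacker firing a burst once per lockout interval, the timed lock leaves the user with exactly the same 0% as the permanent one; the user only gets time back when the script is slower than the lock window (50% at a 10-minute cadence against a 5-minute lock), and the per-account exemption is the only thing that keeps an account fully usable while the script runs. That is the trade-off behind Michael's "certain accounts I wouldn't enable this on": the lock has to be a per-account decision, not a system-wide one.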
In article <6scRa.10156$6a3.120577@twister.rdc-kc.rr.com>, no.s.p.a.m-
dave57@127.0.0.1 says...
> 
> "Oscar del Rio" <delrio@mie.utoronto.ca> wrote in message
> > How can that be a Good Thing (tm)?
> > What would stop anyone from writing a script that disables your account
> > every 5 minutes (or whatever time interval the account is reactivated)?
> 
> What you do is go into the logs and find out who did such a thing and stop
> them either by a firewall or whatever.  If it is from the inside,
> termination works well.
> 
> 
> 
As long as it is termination by beheading. Someone mucking about like 
that would deserve it.

-- 
Mike Miller
If all else fails - READ THE INSTRUCTIONS!
or if you like
"If all else fails - THROW HARDER" Robert Smith(pro bowler)
Mike
7/17/2003 12:12:39 PM
We were one of the companies that really pushed Sun to make this patch
but to be honest with you I'm not impressed by this patch.

The new patch makes Solaris 8 LDAP authentication work exactly like
Solaris 9. There's nothing wrong with that except that all the tools I
wrote for creating profiles, proxyagents etc. are not compatible with
the new structure.

Rgds,
JTE

Oscar del Rio <delrio@mie.utoronto.ca> wrote in message news:<3F131826.7060403@mie.utoronto.ca>...
> I was reading the LDAP docs for Solaris 9 and found that "password
> management" (password aging, expiration, even account lockout on bad
> logins) was introduced in Solaris 9 12/02.
> 
> Does anyone know if these features of pam_ldap have been or are going
> to be ported to earlier releases, perhaps as patches?
> 
> We are planning to move user account management to LDAP and password
> aging is one of our requirements.
> 
> I saw a pam_ldap patch (113476-06) for Solaris 9 but access is
> restricted so I could not read the patch description.
> If this patch introduced password management, any plans to make it
> public?  Otherwise I guess we can only get it with a Maintenance
> Update or service contract.
> 
> Perhaps someone can convince Sun to make the patch public since
> password aging can be associated with security?  (I know some think
> password aging is a bad idea because it encourages users to write them
> down, etc, but in some cases it is a good thing).
> 
> Patch 108993-14 for Solaris 8 seems to have introduced LDAP password
> aging and it is a free patch.
> 
> Anyway, in a related note I find it interesting that "account lockout"
> has been introduced.  I know most of us believe that locking a user
> account after # failed login attempts is a Very Bad Idea (TM), but
> every once in a while someone asks if this can be done in Solaris
> (usually by request of a PHB), and the answer has usually been (in
> addition to "don't do it"), that Solaris does not support it unless
> the user writes her own PAM module... I guess now we can tell them
> to use pam_ldap.
> 
> 
> http://docs.sun.com/db/doc/816-7511/6mdgu0h1t?a=view
> "The following password management features are supported through 
> pam_ldap(5).
> 
> [snip]
> 
>        User account lockout
>        A user account can be locked out after a given number of repeated 
> authentication failures. A user can also be locked out if his account is 
> inactivated by an administrator. Authentication will continue to fail 
> until the account lockout time is passed or the administrator 
> reactivates the account."
jamal
7/17/2003 8:19:46 PM