LDAP password management (aging)



I was reading the LDAP docs for Solaris 9 and found that "password
management" (password aging, expiration, even account lockout on bad
logins) was introduced in Solaris 9 12/02.

Does anyone know if these features of pam_ldap have been or are going
to be ported to earlier releases, perhaps as patches?

We are planning to move user account management to LDAP and password
aging is one of our requirements.

I saw a pam_ldap patch (113476-06) for Solaris 9 but access is
restricted so I could not read the patch description.
If this patch introduced password management, any plans to make it
public?  Otherwise I guess we can only get it with a Maintenance
Update or service contract.

Perhaps someone can convince Sun to make the patch public since
password aging can be associated with security?  (I know some think
password aging is a bad idea because it encourages users to write them
down, etc, but in some cases it is a good thing).

Patch 108993-14 for Solaris 8 seems to have introduced LDAP password
aging and it is a free patch.

Anyway, in a related note I find it interesting that "account lockout"
has been introduced.  I know most of us believe that locking a user
account after # failed login attempts is a Very Bad Idea (TM), but
every once in a while someone asks if this can be done in Solaris
(usually by request of a PHB), and the answer has usually been (in
addition to "don't do it"), that Solaris does not support it unless
the user writes her own PAM module... I guess now we can tell them
to use pam_ldap.


http://docs.sun.com/db/doc/816-7511/6mdgu0h1t?a=view
"The following password management features are supported through 
pam_ldap(5).

[snip]

       User account lockout
       A user account can be locked out after a given number of repeated 
authentication failures. A user can also be locked out if his account is 
inactivated by an administrator. Authentication will continue to fail 
until the account lockout time is passed or the administrator 
reactivates the account."


0
Reply delrio (67) 7/14/2003 8:52:54 PM


In article <3F131826.7060403@mie.utoronto.ca>,
 Oscar del Rio <delrio@mie.utoronto.ca> wrote:

> I was reading the LDAP docs for Solaris 9 and found that "password
> management" (password aging, expiration, even account lockout on bad
> logins) was introduced in Solaris 9 12/02.
> 
> Does anyone know if these features of pam_ldap have been or are going
> to be ported to earlier releases, perhaps as patches?
> 
> We are planning to move user account management to LDAP and password
> aging is one of our requirements.
> 
> I saw a pam_ldap patch (113476-06) for Solaris 9 but access is
> restricted so I could not read the patch description.
> If this patch introduced password management, any plans to make it
> public?  Otherwise I guess we can only get it with a Maintenance
> Update or service contract.
> 
> Perhaps someone can convince Sun to make the patch public since
> password aging can be associated with security?  (I know some think
> password aging is a bad idea because it encourages users to write them
> down, etc, but in some cases it is a good thing).
> 
> Patch 108993-14 for Solaris 8 seems to have introduced LDAP password
> aging and it is a free patch.
> 
> Anyway, in a related note I find it interesting that "account lockout"
> has been introduced.  I know most of us believe that locking a user
> account after # failed login attempts is a Very Bad Idea (TM), but
> every once in a while someone asks if this can be done in Solaris
> (usually by request of a PHB), and the answer has usually been (in
> addition to "don't do it"), that Solaris does not support it unless
> the user writes her own PAM module... I guess now we can tell them
> to use pam_ldap.
> 
> 
> http://docs.sun.com/db/doc/816-7511/6mdgu0h1t?a=view
> "The following password management features are supported through 
> pam_ldap(5).
> 
> [snip]
> 
>        User account lockout
>        A user account can be locked out after a given number of repeated 
> authentication failures. A user can also be locked out if his account is 
> inactivated by an administrator. Authentication will continue to fail 
> until the account lockout time is passed or the administrator 
> reactivates the account."
> 
> 

This feature is closer to what I recall as "security intrusion".  The 
account login is disabled for a specific time, then it works again, 
unless an admin reactivates the account before the specific time is up.  
VMS did this.  It's really a Good Thing(tm).

What you've been referring to as "account lockout" is where the account 
is _permanently_ disabled from access after, say, 3 failed login 
attempts.  It would require a security manager or sysadmin to re-enable 
the account.  This could lead to a denial of service attack and is a Bad 
Thing(tm) (unless you make the PHB who required it the point of 
contact...).  VMS had this as well.

I still think you need a pam module to do "account lockout" unless you 
can specify a really long time on a per-account basis rather than only 
system-wide.

-- 
DeeDee, don't press that button!  DeeDee!  NO!  Dee...



0
Reply Michael 7/14/2003 9:34:22 PM

Oscar del Rio <delrio@mie.utoronto.ca> writes:
>I was reading the LDAP docs for Solaris 9 and found that "password
>management" (password aging, expiration, even account lockout on bad
>logins) was introduced in Solaris 9 12/02.
>
>Does anyone know if these features of pam_ldap have been or are going
>to be ported to earlier releases, perhaps as patches?
>

Solaris 9:  Patch 112960-07

   (from 112960-03)
 
    4357827 pam_ldap should fully support password aging


Solaris 8:  Patch 108993-22

   (from 108993-14)
  
   4357827 pam_ldap should fully support password aging


  -Greg
-- 
Do NOT reply via e-mail.
Reply in the newsgroup.
0
Reply gerg 7/14/2003 10:40:54 PM

> >        User account lockout
> >        A user account can be locked out after a given number of repeated
> > authentication failures. A user can also be locked out if his account is
> > inactivated by an administrator. Authentication will continue to fail
> > until the account lockout time is passed or the administrator
> > reactivates the account."
> >
> >
>
> This feature is closer to what I recall as "security intrusion".  The
> account login is disabled for a specific time, then it works again,
> unless an admin reactivates the account before the specific time is up.
> VMS did this.  It's a really a Good Thing(tm).

How can that be a Good Thing (tm)?
What would stop anyone from writing a script that disables your account
every 5 minutes (or whatever time interval the account is reactivated)?


0
Reply Oscar 7/15/2003 12:24:18 PM

In article <HI2FzA.8Go@mie.utoronto.ca>,
 "Oscar del Rio" <delrio@mie.utoronto.ca> wrote:

> > >        User account lockout
> > >        A user account can be locked out after a given number of repeated
> > > authentication failures. A user can also be locked out if his account is
> > > inactivated by an administrator. Authentication will continue to fail
> > > until the account lockout time is passed or the administrator
> > > reactivates the account."
> > >
> > >
> >
> > This feature is closer to what I recall as "security intrusion".  The
> > account login is disabled for a specific time, then it works again,
> > unless an admin reactivates the account before the specific time is up.
> > VMS did this.  It's a really a Good Thing(tm).
> 
> How can that be a Good Thing (tm)?
> What would stop anyone from writing a script that disables your account
> every 5 minutes (or whatever time interval the account is reactivated)?

There are certain accounts I wouldn't enable this on and I hope that's a 
feature of this new capability.  Depends on how paranoid you wanna be or 
are told to be by a PHB.

-- 
DeeDee, don't press that button!  DeeDee!  NO!  Dee...



0
Reply Michael 7/15/2003 7:04:26 PM

In article <6scRa.10156$6a3.120577@twister.rdc-kc.rr.com>, no.s.p.a.m-
dave57@127.0.0.1 says...
> 
> "Oscar del Rio" <delrio@mie.utoronto.ca> wrote in message
> > How can that be a Good Thing (tm)?
> > What would stop anyone from writing a script that disables your account
> > every 5 minutes (or whatever time interval the account is reactivated)?
> 
> What you do is go into the logs and find out who did such a thing and stop
> them either by a firewall or whatever.  If it is from the inside,
> termination works well.
> 
> 
> 
As long as it is termination by beheading. Someone mucking about like 
that would deserve it.

-- 
Mike Miller
If all else fails - READ THE INSTRUCTIONS!
or if you like
"If all else fails - THROW HARDER" Robert Smith(pro bowler)
0
Reply Mike 7/17/2003 12:12:39 PM
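A small model of the lockout semantics argued over above, added here as an example and not code from the thread or from Sun's pam_ldap: it puts Michael's time-limited lock beside the admin-cleared one, quantifies Oscar's objection that a steady stream of bad passwords keeps an account closed, and implements the log check dave57 suggests (accounts that get locked again and again). The account names, the three-failure threshold and the 300 s window are constructed values, not pam_ldap settings.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass
class Account:
    name: str
    failures: int = 0
    locked_until: float = 0.0  # locked while now < locked_until; inf = until an admin clears it

class LockoutPolicy:
    """Lock after max_failures bad passwords; fail until the lockout time has passed or an
    admin reactivates (the Sun doc text quoted in the thread). lockout_seconds=None: permanent."""

    def __init__(self, max_failures=3, lockout_seconds=300.0):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.lock_log = []  # (time, account) lock events; stands in for the auth log

    def is_locked(self, acct, now):
        return now < acct.locked_until

    def authenticate(self, acct, password_ok, now):
        if self.is_locked(acct, now):
            return False  # right password or not, the account stays closed
        if password_ok:
            acct.failures = 0
            return True
        acct.failures += 1
        if acct.failures >= self.max_failures:
            acct.failures = 0
            acct.locked_until = (float("inf") if self.lockout_seconds is None
                                 else now + self.lockout_seconds)
            self.lock_log.append((now, acct.name))
        return False

    def admin_reactivate(self, acct):
        acct.failures, acct.locked_until = 0, 0.0

def lockout_scenarios():
    """Michael's two flavours: (temporary, permanent), each (login while locked, login after)."""
    temp, alice = LockoutPolicy(3, 300.0), Account("alice")
    perm, bob = LockoutPolicy(3, None), Account("bob")
    for t in (0.0, 1.0, 2.0):  # three bad passwords lock both accounts at t=2
        temp.authenticate(alice, False, t)
        perm.authenticate(bob, False, t)
    temporary = (temp.authenticate(alice, True, 100.0),  # still inside the 300 s lock
                 temp.authenticate(alice, True, 302.0))  # lock expired on its own
    stuck = perm.authenticate(bob, True, 10_000.0)  # never reopens by itself
    perm.admin_reactivate(bob)
    return temporary, (stuck, perm.authenticate(bob, True, 10_001.0))

def relock_exposure(lockout_seconds, bad_attempt_interval, horizon):
    """Oscar's objection, quantified: bad passwords every bad_attempt_interval seconds re-lock
    the account as it reopens. Returns (seconds locked out within [0, horizon), lock events)."""
    policy, user = LockoutPolicy(3, lockout_seconds), Account("carol")
    locked, next_bad = 0, 0.0
    for t in range(horizon):
        if t >= next_bad:
            policy.authenticate(user, False, float(t))
            next_bad += bad_attempt_interval
        locked += policy.is_locked(user, float(t))
    return locked, policy.lock_log

def accounts_relocked(lock_log, threshold, window):
    """Defender's check: accounts locked threshold or more times within any window seconds."""
    flagged, recent = set(), defaultdict(deque)
    for when, name in sorted(lock_log):
        q = recent[name]
        q.append(when)
        while when - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged.add(name)
    return flagged
```

With a 300 s lock and one bad password per second, the owner of "carol" is locked out for 992 of the first 1000 seconds, which is the denial of service Oscar describes; the same run leaves four lock events that accounts_relocked() flags with a threshold of 3 inside a 700 s window.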

We were one of the companies that really pushed Sun to make this patch
but to be honest with you I'm not impressed by this patch.

The new patch makes Solaris 8 LDAP authentication to work exactly like
Solaris 9. There's nothing wrong with that except that all the tools I
wrote for creating profiles, proxyagents etc are not compatible with
the new structure.

Rgds,
JTE

Oscar del Rio <delrio@mie.utoronto.ca> wrote in message news:<3F131826.7060403@mie.utoronto.ca>...
> I was reading the LDAP docs for Solaris 9 and found that "password
> management" (password aging, expiration, even account lockout on bad
> logins) was introduced in Solaris 9 12/02.
> 
> Does anyone know if these features of pam_ldap have been or are going
> to be ported to earlier releases, perhaps as patches?
> 
> We are planning to move user account management to LDAP and password
> aging is one of our requirements.
> 
> I saw a pam_ldap patch (113476-06) for Solaris 9 but access is
> restricted so I could not read the patch description.
> If this patch introduced password management, any plans to make it
> public?  Otherwise I guess we can only get it with a Maintenance
> Update or service contract.
> 
> Perhaps someone can convince Sun to make the patch public since
> password aging can be associated with security?  (I know some think
> password aging is a bad idea because it encourages users to write them
> down, etc, but in some cases it is a good thing).
> 
> Patch 108993-14 for Solaris 8 seems to have introduced LDAP password
> aging and it is a free patch.
> 
> Anyway, in a related note I find it interesting that "account lockout"
> has been introduced.  I know most of us believe that locking a user
> account after # failed login attempts is a Very Bad Idea (TM), but
> every once in a while someone asks if this can be done in Solaris
> (usually by request of a PHB), and the answer has usually been (in
> addition to "don't do it"), that Solaris does not support it unless
> the user writes her own PAM module... I guess now we can tell them
> to use pam_ldap.
> 
> 
> http://docs.sun.com/db/doc/816-7511/6mdgu0h1t?a=view
> "The following password management features are supported through 
> pam_ldap(5).
> 
> [snip]
> 
>        User account lockout
>        A user account can be locked out after a given number of repeated 
> authentication failures. A user can also be locked out if his account is 
> inactivated by an administrator. Authentication will continue to fail 
> until the account lockout time is passed or the administrator 
> reactivates the account."
0
Reply jamal 7/17/2003 8:19:46 PM
comp.unix.solaris
