ldap oclAccess does not seem to work with pwdPolicy - openldap

I have installed ldap 2.4.3 on Ubuntu 14.04. I have configured pwdPolicy overlay and it works when the users changes his/her own password and when admin changes the password. The problem is that when admin changes the password the policies are not adhered. So, I created another account called usermanagement and added the dn to oclAccess. I can modify all fields I've tried using the usermanagement account except for userpassword.
When running ldappasswd I get Insufficient access (50)
This is My olcAccess:
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by dn="cn=admin,dc=zed,dc=com" write by dn="cn=usermanagement,dc=zed,dc=com" write by anonymous auth by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by self write by dn="cn=admin,dc=zed,dc=com" write by dn="cn=usermanagement,dc=zed,dc=com" write by * read
Edit
I have enabled debugging and then executed ldappasswd -H ldap://localhost -x -D "uid=luis,ou=users,dc=zed,dc=com" -W -S "uid=vixian,ou=users,dc=zed,dc=com". The log shows:
983c0f8 bdb_dn2entry("cn=passworddefault,ou=policies,dc=zed,dc=com")
5983c0f8 => bdb_entry_get: found entry: "cn=passworddefault,ou=policies,dc=zed,dc=com"
5983c0f8 bdb_entry_get: rc=0
5983c0f8 change password must use DELETE followed by ADD/REPLACE
5983c0f8 send_ldap_result: conn=1004 op=1 p=3
5983c0f8 send_ldap_result: err=50 matched="" text="Must supply old password to be changed as well as new one"
5983c0f8 send_ldap_extended: err=50 oid= len=0
5983c0f8 send_ldap_response: msgid=2 tag=120 err=50
I then tried to delete the userPassword using ldapmodify and it was successful but replacing or adding produced the same result permission denied.
I have updated the olcAccess following #ejp suggestion:
olcAccess: {0}to attrs=userPassword,shadowLastChange
by group/groupOfUniqueNames/uniqueMember.exact="cn=itinst,ou=groups,dc=zed,dc=com" write
by anonymous auth
by self write
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to *
by self write
by group/groupOfUniqueNames/uniqueMember.exact="cn=itinst,ou=groups,dc=zed,dc=com" write
by users read by anonymous search

The problem is that when admin changes the password the policies are not adhered.
When the managerDN changes the password 'the policies are not adhered'. You should not use the managerDN for anything. That's the account the server runs as, and it can do anything, of course. You should define a separate admin account in the DIT, and give it the appropriate access rights, as I have for the entire ldap admins group in the example below.
It doesn't have anything to do with your olcAccess. Have a look at the documentation for how to do this properly. I have:
olcAccess {0}to attrs=userPassword
by dn.base="cn=replicator,dc=verismart,dc=com,c=us" write
by group/groupOfUniqueNames/uniqueMember.exact="cn=ldap admins,ou=groups,dc=verismartlabs,dc=com" write
by group/groupOfUniqueNames/uniqueMember.exact="cn=applications,ou=groups,dc=verismartlabs,dc=com" write
by anonymous auth by self write
olcAccess {1}to dn.base="" by * read
olcAccess {2}to *
by self write
by dn.base="cn=replicator,dc=verismart,dc=com,c=us" write
by group/groupOfUniqueNames/uniqueMember.exact="cn=ldap admins,ou=groups,dc=verismartlabs,dc=com" write
by group/groupOfUniqueNames/uniqueMember.exact="cn=applications,ou=groups,dc=verismartlabs,dc=com" write
by users read
by anonymous search
EDIT As you're using the ppolicy overlay:
You should use the -e ppolicy argument to ldappasswd so you can see the extended response if any.
The user must also use the -a option to ldappasswd to specify the old password, as suggested by the log, or -A to get it to prompt you for it. The change log is saying change password must use DELETE followed by ADD/REPLACE, which means you have to supply both the old and the new password. ldappasswd will send a DELETE for the old one and an ADD or a REPLACE for the new value.
How you get the admin to do it without knowing the old password is another question, looking ... Works for me via an application, but I've never done it via ldappasswd. Maybe -e ppolicy is the answer to that too.
EDIT 2 It is because you have pwdSafeModify=TRUE in your password policy. This rather useless setting makes it impossible for administrators to reset passwords without knowing the old one, and if the old one was known there would be no need for the administrative reset at all. I have it turned off, but then all my passwords are changed only by Java code: one piece for the user himself, and another for the administrator, so I can enforce pwdSafeModify myself.

Related

Encrypting the Web Console password in ActiveMQ

I have to get rid of the clear text password in ActiveMQ server in the jetty-realm.properties file as part of the security requirements of our project.
I followed the procedure for encrypting passwords found here: https://activemq.apache.org/encrypted-passwords.html.
In Jetty-real.properties I replaced plain password with ${activemq.password}
But I could not login into the web console (http://localhost:8161/admin)
Are there additional config parameters I need to change? Any help would be greatly appreciated.
For ecrypt password we can use jetty utility. This can be downloaded from http://download.eclipse.org/jetty/.
use:
java -cp lib/jetty-util-$JETTY_VERSION.jar org.eclipse.jetty.util.security.Password admin admin
admin
OBF:1u2a1toa1w8v1tok1u30
MD5:21232f297a57a5a743894a0e4a801fc3
CRYPT:adpexzg3FUZAk
Add in bus\conf\jetty.xml\jetty-realm.properties
admin: MD5:21232f297a57a5a743894a0e4a801fc3, admin
A very important note: the sequence of data specified by you should be as follows:
org.eclipse.jetty.util.security.Password [username] password
Also note that in some shells (like default on Ubuntu 20.04) the dollar sign inside the password will effectively truncate your password to the part preceding the dollar sign.
(I meant to put a comment to the answer by #dorin.canepa, but clicked on a wrong button and now it's an answer, oh well)

Can't get to the root on juniper ssg5

Can't get to the root on juniper ssg5
After i enter my login username and password I'm stuck on this prompt
'my-fw->'
my-fw-> copy
^------unknown keyword copy
my-fw-> show
^------unknown keyword show
my-fw-> configure
^-----------unknown keyword configure
why can't i get to root#my-fw-> or root#my-fw-# prompt. What can i do to get to root. I'm using putty to console to the juniper ssg5.
[Note- I'm trying to backup config to a tftp server where i require to get to the root access]
You don't need root access. root is an special account and all / most of the commands works without root account. Any account which has privileges to perform configuration changes, can apply the command to archive the configuration on given site.
See junos-os-login-classes-overview for user privileges.
The prompt we get is in this format: user#hostname> Ref
If there is no hostname defined, then it is just: user>
Once you make sure that you have logged in with correct user, i.e. it has requirement permissions, you should be able to execute those commands and apply archival configuration.
I have a working solution, let me know if above doesn't help.

Glassfish Change Admin Password

How can I change the admin password for a Glassfish Domain using a password file? I know the conventional method of manually typing the password upon prompt.
However I want to change the admin password using a script where in I do not have to manually type the password.
This is possible, but you will need 2 password files if you want to script this fully in the easiest way.
Create a temporary file (tmpfile in my example) which will hold the current password (blank by default) and the desired new password:
AS_ADMIN_PASSWORD=
AS_ADMIN_NEWPASSWORD=myNewPassword
Now create a password (pwdfile in my example) file which will contain the changed admin password:
AS_ADMIN_PASSWORD=myNewPassword
You can then use the files to change the password using the commands below, making sure to use tmpfile when changing the password, then pwdfile afterwards
$PAYARA_PATH/bin/asadmin start-domain
$PAYARA_PATH/bin/asadmin --user $ADMIN_USER --passwordfile=/opt/tmpfile change-admin-password
$PAYARA_PATH/bin/asadmin --user $ADMIN_USER --passwordfile=/opt/pwdfile enable-secure-admin
$PAYARA_PATH/bin/asadmin restart-domain
This example was adapted from the way the Payara Server dockerfile works
For anyone still interested in manually setting the admin account password:
I tried to generate the contents of the "admin-keyfile" located in "glassfish/domains/{ACTIVE_DOMAIN_NAME}/config/admin-keyfile" based on the current implementation of the Payara Repo. This file (as the data source for the FileRealm) is used to authenticate the admin user when accessing the admin interface under port 4848.
Each line of this text file represents an account and is structured as
USERNAME;PASSWORD;GROUPS
The field "PASSWORD" is prefixed with a hash algorithm keyword (wrapped in curly braces, e.g. "SSHA" or "SSHA256") followed by a BASE64 encoded hash of the concatenated salted hash and the salt value itself (some random bytes):
{SSHA}BASE64(SHA(password,salt),salt)
Long story short: If you want to generate user accounts manually you could for example use the following Python script:
import hashlib
from base64 import b64encode
from secrets import token_bytes
from getpass import getpass
username = 'admin' # input('Username: ')
plainTextPassword = getpass()
randomSalt = token_bytes(8)
passwordHash = hashlib.sha256()
passwordHash.update(plainTextPassword.encode('utf-8'))
passwordHash.update(randomSalt)
passwordDigest = passwordHash.digest()
# cryptic range reflects the strange implementation... feel free to change it to "range(98)"
# https://github.com/payara/Payara/blob/6488cbdc90fd0f6c42de6a42affcd09f697be715/nucleus/common/common-util/src/main/java/org/glassfish/security/common/SSHA.java#L108
for run in range(2, 101):
passwordHash = hashlib.sha256()
passwordHash.update(passwordDigest)
passwordDigest = passwordHash.digest()
saltedHashAndSalt = b64encode(passwordDigest + randomSalt).decode('utf-8')
result = '{0};{{SSHA256}}{1};asadmin'.format(username, saltedHashAndSalt)
print(result)
Insert the console output into the "admin-keyfile" and (re)start your server.
As far as I know, it is impossible to change it via a file as a parameter for security reasons.
You can consider an alternative solution (pipe) but the confirmation of the password is always necessary. https://docs.oracle.com/cd/E19798-01/821-1758/change-admin-password-1/index.html

Postfix: how to block incoming emails to a specific recipient?

I have Postfix set up to deliver all incoming email to 〈any_random_address〉#mydomain.com to myname#mydomain.com. I've recently noticed that a large percentage of spam is going to the same non-existent username, and I'd like to block incoming email to that username, while still sending all other emails to my inbox. What is the best way to accomplish that?
Aside from the fact that catch-all doesn't really make sense:
In your virtual aliases map (e.g. /etc/postfix/virtual_alias_maps), add the following line:
john.doe#example.com devnull
In /etc/aliases, add the following line:
devnull: /dev/null
This defines a mailbox named devnull and stores its contents in /dev/null.
Don't forget to update the alias caches and restart Postfix, for example like
sudo postmap /etc/postfix/virtual_alias_maps
sudo newaliases
sudo service postfix restart
Now you should be fine.

OpanLdap password policies

I have installed the openldap version 2.4.23 on windows xp and using the apache DS as a client.I can authenticate users on a client server I set up for testing.
My next step is to turn on a password policy. This is where things have gotten a bit hazy for me and I'm hoping someone can help me out.
i added a password policy also by using the followin command
ldapadd -x -c -f -D "cn=Manager,dc=maxcrc,dc=com" -w secret
but after addition of password policies how do i make them in effect.
The openldap documentation says the password policy module should be configured with the DN of the default policy.
i added the following lines in slapd.conf file
# invokes password policies for this DIT only
overlay ppolicy
# Default ppolicy
ppolicy_default "cn=passwordDefault,ou=policies,dc=maxcrc,dc=com"
but somehow it is not getting loaded , i have already spent more a lot of time on this, but i am not getting the proper guide for the same.
Can anyone shed some light on this in plain, layman's terms?
Thanks in advance.
My ldif file is as follows.
dn: cn=passwordDefault,ou=policies,dc=localdomain,dc=com
objectClass: pwdPolicy
objectClass: person
objectClass: top
cn: passwordDefault
sn: passwordDefault
pwdAttribute: userPassword
pwdCheckQuality: 1
pwdMinAge: 1
pwdMaxAge: 90
pwdMinLength: 6
pwdInHistory: 4
pwdMaxFailure: 3
pwdFailureCountInterval: 0
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdAllowUserChange: TRUE
pwdExpireWarning: 604800
pwdGraceAuthNLimit: 3
pwdMustChange: TRUE
pwdSafeModify: TRUE
after adding this policy and restarting the server i tried changing the password of existing as well as newly added users.
The server allows me to change the password to a string with length less than 6
whereas i have mentioned pwdMinLength: 6 in ldif.
as well as i tried changing the password more than once , but it allows me to change the password to recently used password, whereas the pwdInHistory: 4 in ldif.
The password policy doesn't work if you use the rootDN to execute the updates. You must use an existing admin account, or the user's own account.
It is not clear how you are setting the password when testing, but I would check if you are passing the password in the correct format, meaning that the server needs to receive the password in cleartext. Some clients would hash the value before sending the value to the OpenLDAP server, in which case it would be impossible for the OpenLDAP server to determine the length of password. The communication can and should be encrypted, but it shouldn't be pre-hashed. Hashing can be handled by the server:
pwdCheckQuality
If the value is 1 and the supplied password is in cleartext then a user supplied function (defined using the pwdCheckModule - if defined - will be called to check the password quality. If this function is not available then the password will be accepted (assuming it passes all the other tests defined by the various pwdPolicy attributes).
reference: http://www.zytrax.com/books/ldap/ch6/ppolicy.html
the rootdn bypass password policy, so do not use rootdn in your
ldappasswd command.
https://www.openldap.org/lists/openldap-technical/201102/msg00262.html
You can basically put any password (not empty thou) if setting passwords using ldappasswd and binding with rootdn.
It's a bit tricky situation since you cannot change the password with "passwd" command either for the user. In this case the password policy would kick in.
If you know the rootdn password, you can bypass everything.

Resources