Allow SSH users to change their passwords on OpenDJ

For a client I started to set up an SSH login connection to OpenDJ, which I had chosen for the reasons given previously.

To set up SSH with PAM and LDAP you can follow several tutorials; the one I found easiest to follow is: https://www.digitalocean.com/community/articles/how-to-authenticate-client-computers-using-ldap-on-an-ubuntu-12-04-vps

Depending on your security policy, you may need to allow SSH users to change their passwords with the passwd command. To make that possible, the file /etc/pam.d/sshd has the following include:

# Standard Un*x password updating.
@include common-password

so a common configuration for the common-password file would be:

password        [success=2 default=ignore]      pam_unix.so obscure sha512
password        [success=1 user_unknown=ignore default=die]     pam_ldap.so try_first_pass
password        requisite                       pam_deny.so
password        required                        pam_permit.so

As we can see, when a password is changed the user is first checked against the local system (pam_unix.so). If that change succeeds, the next 2 lines are skipped (success=2) and the change is allowed (pam_permit.so). If it does not succeed, LDAP is tried (pam_ldap.so); if that operation succeeds, the next line is skipped (success=1) and the password change is allowed (pam_permit.so). If the password change on LDAP also fails, the password change is denied (pam_deny.so).

Further, as we can see in the PAM code, the pam-ldap package also tries to update the attribute shadowLastChange, which

  • on a Unix system corresponds to the 3rd field in the /etc/shadow file, which is the number of days (since January 1, 1970) since the password was last changed
  • on an LDAP system is defined in RFC 2307 as an attribute of the shadowAccount object class, together with other password-expiration values (see the brief description), mirroring /etc/shadow.

Therefore, to allow PAM to change a password on OpenDJ we need to:

  • add the attribute shadowLastChange to the user; you can use PhpLdapAdmin to add the shadowAccount object class to your Posix users first.
  • add an ACI in OpenDJ that allows the bound user to change shadowLastChange

You can learn how to create an ACI on OpenDJ here and also from the Oracle website.

Concerning the ACI for the password change, you could write something like the following in an ssh-shadow.ldif file:

dn: ou=People,dc=my,dc=domain,dc=com
changetype: modify
add: aci
aci: (targetattr = "shadowLastChange") (target = "ldap:///ou=People,dc=my,dc=domain,dc=com") (version 3.0; acl "change shadow"; allow (write) (userdn = "ldap:///self");)

where you allow the bound users (ldap:///self) to modify (write) the attribute shadowLastChange; this is similar to the example in the OpenDJ documentation for changing one's own password.

Apply then the changes with the command:

./opendj/bin/ldapmodify -h myhost -p 1389 -D "cn=Directory Manager" -W -c -f ssh-shadow.ldif

Once the password has been changed with the passwd command, you can verify that the value has changed in OpenDJ with PhpLdapAdmin and also check the corresponding date online.
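As an added example that is not part of the original post, the following Python decodes the shadowAccount values of a user exported from OpenDJ (the embedded ldapsearch-style LDIF snippet, its user, DN and values are all constructed) and checks that shadowLastChange really moved to the day of the passwd run:

```python
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)  # shadowLastChange counts days from this date

def shadow_days_to_date(days):
    """Convert a shadowLastChange value (days since 1970-01-01) to a date,
    exactly like field 3 of /etc/shadow."""
    return EPOCH + timedelta(days=int(days))

def date_to_shadow_days(d):
    """Inverse: the value pam_ldap should have written for a change on day d."""
    return (d - EPOCH).days

def parse_ldif_entry(text):
    """Minimal LDIF reader for a single entry: 'attr: value' lines only
    (no line folding or base64 values), enough for shadowAccount output."""
    entry = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry

def shadow_status(entry, today):
    """Return (last_change, expires, expired) for a shadowAccount entry.
    expires is None when shadowMax is absent (RFC 2307 makes it optional)."""
    last_change = shadow_days_to_date(entry["shadowLastChange"][0])
    expires = None
    if "shadowMax" in entry:
        expires = last_change + timedelta(days=int(entry["shadowMax"][0]))
    expired = expires is not None and today > expires
    return last_change, expires, expired

def changed_today(entry, today):
    """True when the stored value equals today's day count, i.e. the ACI let
    pam_ldap update shadowLastChange during the passwd run."""
    return int(entry["shadowLastChange"][0]) == date_to_shadow_days(today)

# Constructed sample resembling an ldapsearch export of a Posix user.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=People,dc=my,dc=domain,dc=com
objectClass: posixAccount
objectClass: shadowAccount
uid: jdoe
shadowLastChange: 16000
shadowMax: 90
"""
```

Because the ACI above grants each user write access to their own shadowLastChange, comparing the stored value with the actual change date is a useful consistency check rather than a formality.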

To delete the ACI, just replace “add: aci” with “delete: aci” in the file and re-run the ldapmodify command.
