phpLDAPadmin
PwdCheckQuality = 2 incompatible with phpldapadmin
Hi,
Environment:
OpenLDAP openldap-2.4.44-24.el7_9.x86_64.rpm
phpldapadmin 1.2.4
CentOS 7.9 in docker, RedHat 7.9 on the host
Password policy:
# Entry 18: cn=pwd_default,ou=Policies,{{ ldap_root_dn }}
dn: cn=pwd_default,ou=Policies,{{ ldap_root_dn }}
cn: pwd_default
description: Default password policy
objectClass: pwdPolicy
objectClass: applicationProcess
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdExpireWarning: 864000
pwdFailureCountInterval: 30
pwdGraceAuthNLimit: 1
pwdInHistory: 5
pwdLockout: TRUE
pwdLockoutDuration: 86400
# https://ldapwiki.com/wiki/PwdMaxAge
# 15552000s = 6 * 30 days.
# 0 means no expiration.
# Client asks for no expiration by default: https://collaboration.ts-tlse.fr/redmine/issues/7768#change-51965
pwdMaxAge: 0
pwdMaxFailure: 5
# Needed to check the password constraint like min size.
pwdCheckQuality: 2
pwdMinLength: 6
pwdMustChange: TRUE
pwdSafeModify: FALSE
Current behavior:
With pwdCheckQuality=2, changing the password does not work if it is hashed with any scheme like SSHA or MD5. I mean I set a password like "testTest123$%µ", which should pass the password policy set above. But it says 0x13 (LDAP_CONSTRAINT_VIOLATION). On the contrary, setting this password with clear encryption works.
Expected behavior:
With pwdCheckQuality=2, we can use phpldapadmin to change the password.
I suspect that phpldapadmin hashes the password itself and then sends it to the LDAP server, which refuses the password because, by definition of pwdCheckQuality=2, it cannot check the password policy itself. Can we make phpldapadmin send the password without hashing it, and make the LDAP server hash it itself to solve this issue?
I am thinking about disabling the password policy entirely and implementing it with LDAP SSP.
What you are experiencing is normal behavior with pwdCheckQuality=2. The password has to be sent cleartext in order to be inspected.
The ppolicy_hash_cleartext=TRUE ppolicy option will ensure the password is hashed before storing in the DB.
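To make the server-side decision concrete, here is an added model (not phpLDAPadmin or OpenLDAP code) of what the ppolicy overlay does with a new userPassword value under the policy from the issue (pwdCheckQuality: 2, pwdMinLength: 6): a value that already carries an RFC 2307 scheme prefix such as {SSHA} cannot be quality-checked and is refused with 0x13, a cleartext value is checked against pwdMinLength and, with ppolicy_hash_cleartext, stored as a salted SHA-1. The policy dictionary, the 4-byte salt and the test password are constructed assumptions.

```python
import base64
import hashlib
import os
import re
from typing import Optional, Tuple

# Constructed stand-in for the pwd_default policy in the issue.
POLICY = {"pwdCheckQuality": 2, "pwdMinLength": 6}
LDAP_SUCCESS = 0x00
LDAP_CONSTRAINT_VIOLATION = 0x13  # result code phpLDAPadmin reported

SCHEME_PREFIX = re.compile(r"^\{[A-Za-z0-9-]+\}")


def is_prehashed(value: str) -> bool:
    """True if the value carries an RFC 2307 scheme prefix such as {SSHA} or {MD5}."""
    return SCHEME_PREFIX.match(value) is not None


def ssha_hash(cleartext: str, salt: Optional[bytes] = None) -> str:
    """Salted SHA-1 in the {SSHA} form; OpenLDAP's default salt is 4 bytes (assumption kept here)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(cleartext.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(cleartext: str, stored: str) -> bool:
    """Check a cleartext password against a stored {SSHA} value (digest is 20 bytes, rest is salt)."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(cleartext.encode("utf-8") + salt).digest() == digest


def password_modify(new_value: str, policy: dict = POLICY,
                    hash_cleartext: bool = True) -> Tuple[int, Optional[str]]:
    """Model of the ppolicy decision: returns (LDAP result code, value that would be stored)."""
    if is_prehashed(new_value):
        # A hash cannot be inspected. pwdCheckQuality=2 turns that into a hard failure;
        # pwdCheckQuality=1 would accept the value as-is, and 0 skips the check entirely.
        if policy["pwdCheckQuality"] == 2:
            return LDAP_CONSTRAINT_VIOLATION, None
        return LDAP_SUCCESS, new_value
    # Cleartext arrived (which is why the connection itself must be TLS-protected):
    # the quality rules can now be applied before anything is stored.
    if policy["pwdCheckQuality"] > 0 and len(new_value) < policy["pwdMinLength"]:
        return LDAP_CONSTRAINT_VIOLATION, None
    stored = ssha_hash(new_value) if hash_cleartext else new_value
    return LDAP_SUCCESS, stored
```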