changing only sambaNTPassword independently

[markus-96]

Hi!

This is mainly for sharing my claims and findings to ldap ssp. This is not a feature request since you would need to update all translations, which is too much for this little feature.

Since NTLM-Hashes are known to be insecure, I wanted them to represent another password then the actual user password.

Here is my little story why I need NTLM-Hashes: I have an LDAP-Directory in 389-ds with users mainly beeing managed by Keycloak. The user password is hashed with pbkdf2 in both applications, a pretty secure hashing method. I wanted the same user accounts to be also able to connect to our WLAN via PEAP-MSCHAPV2, so I needed either cleartext passwords or, for a little bit of extra security, NTLM-Hashes. But since I wanted to preserve the security of pbkdf2, there needed to be two independent passwords: one for the actual user, represented by pbkdf2 hash, and one "WLAN" password, represented by the NTLM hash.

The authentication and changing flow I needed was:

1. User lookup by ldap ssp
2. bind with user credentials (username and "old password")
3. hash the given password with ntlm ("new password")
4. update sambaNTPassword with the new hash as the binded user, actual user password remains unchanged.

How I accomplished this I will post here later on, I only needed to comment out like 3-4 lines.

tl;dr Update NTLM-Hashes independently to the actual user password for PEAP-MSCHAPV2 to preserve security of better hashing algorithms

[coudot]

Hello, thanks for your message. Indeed you can achieve this by commenting a few lines.

Maybe this can be developped as a feature in a new tab, like changing the SSH key.

[markus-96]

yes, I thought so too.. It would be great if I could work on a pull request for this, but I will only have time for this next month. But I would call it something like "App Password Change", since I can imagine that there are several other usecases for this besides the sambaNTPassword attribute. I think it would be great to specify:

• Attribute name in LDAP containing the hash
• hash algorithm
• who changes?
• name of the application the password will be used for
• may the password be the same as the users main password?

Also, it would be great to accomplish somehow the option to not only be able to change the password of only one app, but as many as you want. So there should be an option for specifying how many applications you want to cover and for each application a config array. So something like:

app-pwd = 2;     # how many apps?

app-conf = array(
    array(
        'attribute' => 'sambaNTPassword',
        'hash-algo' => 'ntlm',
        'who_change_password' => 'user',
        'app-name' => 'wlan',
        'unique' => true
    ),
    array(
        'attribute' => 'app2-password',
        'hash-algo' => 'sha254',
        'who_change_password' => 'user',
        'app-name' => 'app2',
        'unique' => false
    ),
)

What do you think?

[markus-96]

This is what is in my config.inc.local.php:

$who_change_password = "user";
$samba_mode = true;
$ad_mode = false;
$use_exop_passwd = false;

These lines are commented out:

• in lib/functions.php:

[...]
    # Set Samba password value
    if ( $samba_mode ) {
        $userdata["sambaNTPassword"] = make_md4_password($password);
#        $userdata["sambaPwdLastSet"] = $time;
#        if ( isset($samba_options['min_age']) && $samba_options['min_age'] > 0 ) {
#             $userdata["sambaPwdCanChange"] = $time + ( $samba_options['min_age'] * 86400 );
#        }
#        if ( isset($samba_options['max_age']) && $samba_options['max_age'] > 0 ) {
#             $userdata["sambaPwdMustChange"] = $time + ( $samba_options['max_age'] * 86400 );
#        }
#        if ( isset($samba_options['expire_days']) && $samba_options['expire_days'] > 0 ) {
#             $userdata["sambaKickoffTime"] = $time + ( $samba_options['expire_days'] * 86400 );
#        }
    }

[...]

    } else {
        # Else just replace with new password
#        if (!$ad_mode) {
#            $userdata["userPassword"] = $password;
#        }
        if ( $use_ppolicy_control ) {

[...]

in htdocs/change.php:

[...]
                    # Check objectClass to allow samba and shadow updates
                    $ocValues = ldap_get_values($ldap, $entry, 'objectClass');
#                    if ( !in_array( 'sambaSamAccount', $ocValues ) and !in_array( 'sambaSAMAccount', $ocValues ) ) {
#                        $samba_mode = false;
#                    }
                    if ( !in_array( 'shadowAccount', $ocValues ) ) {

[...]

[coudot]

A simple option would be to have a configuration parameter that will bypass the main password change.

But this would not work if you need both feature at the same time : one screen to change the main password, and one screen to change the application password.

I don't know if this would be really useful.

[markus-96]

well, this would have covered what I needed, but in my setup the users have to change their password through Keycloak. This is not what this project is mainly about, so I think an extra tab for application passwords is more feasible.
If you only rely on this feature, like me, you could still only activate this tab.

[markus-96]

I think I have written everything needed for this feature. Only the messages shown on the page have to be changed, and also the translations. I will try my best here. I will submit a pull request in the near future, after some additional testing.

You will be able to:

• setup as many app-passwords as you want,
• set the name of the app and the corresponding attribute,
• setup additional password policies,
• setup who changes the password,
• the hash algorithm

You can use it also for updating user information, but I do not think this would be very user friendly.