cpw ignoring password policies

Wed Aug 12 05:39:50 EDT 2020

Hi there,

I'm afraid we need some help from you.

We are trying to integrate a Kerberized OpenLDAP environment with a LDAP user friendly management interface web application (LAM). This web application allows to use some custom scripts since the modules included by default are not suitable for how our environment works due to the saslauthd passthrough implementation we used.

One of the custom script is dedicated for changing principals' password. This custom script calls kadmin to do a cpw using a service principal and a dedicated keytab with the permissions correctly granted. We need for this task a totally non-interactive command since the custom script receives the variables from the php application form.

kadmin -k -t $KEYTABLOCATION -p $SERVICEPRINCIPAL -q "cpw $PRINCIPAL -pw $PASSWORD"

What we found is that this command ignores the password policy assigned to the principal, including all the complexity rules and history options. No matter if the command is launched in a kadmin console interactive mode, policies are totally ignored.

If we use:

kpasswd $PRINCIPAL

Then all the password policy rules are respected. This would be ideal if we could use it in a non-interactive mode receiving the environments from the php form, but I'm afraid is not possible (or we couldn't find or figure out how to do it) since it asks you for the old and new password and it's confirmation.

Any idea about how could we proceed? Is there a way to force the cpw command to apply an already existing policy?

Thank you so much for your time.

Kind Regards.

[cid:image001.gif at 01D6709D.48FE73A0]

Dario Garcia
Díaz-Miguel
GGCS-SES Unit
GGCS SKMF Infrastructure Division

GMV
C\ de Isaac Newton, 11
28760, Tres Cantos, Madrid
España
+34 918 07 21 00
+34 918 07 21 99
www.gmv.com <http://www.gmv.com/>
[cid:image002.png at 01D6709D.48FE73A0]<http://www.facebook.com/infoGMV>

[cid:image003.png at 01D6709D.48FE73A0]<http://www.twitter.com/infoGMV_es>

[cid:image004.png at 01D6709D.48FE73A0]<http://www.youtube.com/infoGMV>

[cid:image005.png at 01D6709D.48FE73A0]<https://www.linkedin.com/company/gmv>

[cid:image006.png at 01D6709D.48FE73A0]<http://www.gmv.com/en/RSS>

[cid:image007.png at 01D6709D.48FE73A0]<http://www.gmv.com/blog_gmv/language/en/>

P Please consider the environment before printing this e-mail.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.gif
Type: image/gif
Size: 5711 bytes
Desc: image001.gif
Url : http://mailman.mit.edu/pipermail/kerberos/attachments/20200812/b55a11aa/attachment-0001.gif
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image002.png
Type: image/png
Size: 2914 bytes
Desc: image002.png
Url : http://mailman.mit.edu/pipermail/kerberos/attachments/20200812/b55a11aa/attachment-0006.png
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image003.png
Type: image/png
Size: 2946 bytes
Desc: image003.png
Url : http://mailman.mit.edu/pipermail/kerberos/attachments/20200812/b55a11aa/attachment-0007.png
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image004.png
Type: image/png
Size: 3026 bytes
Desc: image004.png
Url : http://mailman.mit.edu/pipermail/kerberos/attachments/20200812/b55a11aa/attachment-0008.png
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image005.png
Type: image/png
Size: 2913 bytes
Desc: image005.png
Url : http://mailman.mit.edu/pipermail/kerberos/attachments/20200812/b55a11aa/attachment-0009.png
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image006.png
Type: image/png
Size: 3042 bytes
Desc: image006.png
Url : http://mailman.mit.edu/pipermail/kerberos/attachments/20200812/b55a11aa/attachment-0010.png
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image007.png
Type: image/png
Size: 4932 bytes
Desc: image007.png
Url : http://mailman.mit.edu/pipermail/kerberos/attachments/20200812/b55a11aa/attachment-0011.png