I have ppolicy partially working, pieced together from examples on the web from Howard and others. Please find my sanitized slapd.conf attached.
Here is my ppolicy DIT entry:
# default, Policies, example.com
dn: cn=default,ou=Policies,dc=example,dc=com
cn: default
objectClass: pwdPolicy
objectClass: device
pwdAttribute: userPassword
pwdMaxAge: 2592000
This is merely to expire user logins after the specified number of seconds (password aging)...
The problems that I'm having though:
1. getting the provider to replicate changes to the password policy to the consumer.
2. the password policies don't take effect until people change their passwords! (good and bad to this...)
Thanks, -- Joshua M. Miller - RHCE,VCP
Greg Ryan wrote:
Has anyone ever gotten ppolicy to work? I have been trying for weeks and just can't get it to work at all. Does anyone have any config examples from a working ppolicy config?
# slapd.conf
include /usr/share/openldap/schema/core.schema
include /usr/share/openldap/schema/cosine.schema
include /usr/share/openldap/schema/inetorgperson.schema
include /usr/share/openldap/schema/nis.schema
include /usr/share/openldap/schema/corba.schema
include /usr/share/openldap/schema/java.schema
include /usr/share/openldap/schema/krb5-kdc.schema
include /usr/share/openldap/schema/kerberosobject.schema
include /usr/share/openldap/schema/misc.schema
include /usr/share/openldap/schema/openldap.schema
include /usr/share/openldap/schema/autofs.schema
include /usr/share/openldap/schema/samba.schema
include /usr/share/openldap/schema/kolab.schema
include /usr/share/openldap/schema/evolutionperson.schema
include /usr/share/openldap/schema/calendar.schema
include /usr/share/openldap/schema/sudo.schema
include /usr/share/openldap/schema/dnszone.schema
include /usr/share/openldap/schema/dhcp.schema
include /usr/share/openldap/schema/ppolicy.schema
#
pidfile /var/run/ldap/slapd.pid
argsfile /var/run/ldap/slapd.args
loglevel 256

# Setup TLS/SSL stuff
TLSCipherSuite HIGH:MEDIUM:+SSLv2:RSA
TLSCertificateFile /etc/openldap/ssl/host.example.com.crt
TLSCertificateKeyFile /etc/openldap/ssl/host.pem
TLSCACertificateFile /usr/share/ssl/certs/cacert.crt
TLSVerifyClient never

# Require TLS even on port 389
security ssf=168 tls=168 update_ssf=168 update_tls=168 simple_bind=128

# Setup password hash requirement
password-hash {crypt}

# Setup ACLs
access to attrs=userPassword
    by dn.exact="uid=replicator,ou=People,dc=example,dc=com" read
    by self write
    by * auth
access to *
    by dn.exact="uid=replicator,ou=People,dc=example,dc=com" read
    by * write
    by self auth
access to *
    by * read
    by anonymous auth

# Load appropriate modules
moduleload /usr/lib/openldap/syncprov.la
moduleload /usr/lib/openldap/ppolicy.la
moduleload /usr/lib/openldap/unique.la
moduleload /usr/lib/openldap/back_ldap.la
moduleload /usr/lib/openldap/lastmod.la

#
database bdb
suffix "dc=example,dc=com"
rootdn "cn=manager,dc=example,dc=com"
rootpw "secret"
directory /var/lib/ldap
checkpoint 256 5

#
# Setup syncrep replication
#
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

#
index objectClass,uid,dc,o,ou eq
index cn eq,subinitial
index uidNumber eq
index gidNumber eq
index entryCSN eq
index entryUUID eq
index nisNetgroupTriple eq
index memberUid,uniqueMember eq

# Replicas running syncrepl as non-rootdn need unrestricted size/time limits:
limits group="cn=replicators,ou=Group,dc=example,dc=com" size=unlimited time=unlimited

# password policy
overlay ppolicy
ppolicy_default "cn=default,ou=Policies,dc=example,dc=com"
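Joshua's second problem (the policy only bites once a user changes their password) comes down to pwdChangedTime: the ppolicy overlay stamps that operational attribute on a password modify, and pwdMaxAge is counted from it, so an entry that has never been modified under the overlay carries no timestamp and is not aged at all. The script below is an added example, not code from this thread or from OpenLDAP; it reads LDIF of the shape ldapsearch emits (e.g. ldapsearch -LLL '(objectClass=inetOrgPerson)' pwdChangedTime, with '+' or the attribute named explicitly since it is operational), applies the thread's pwdMaxAge of 2592000 seconds, and sorts accounts into expired, still valid, or unaged. The DNs and timestamps in SAMPLE_LDIF are constructed for illustration.

```python
"""Audit password aging under an OpenLDAP ppolicy overlay (added example)."""
from datetime import datetime, timedelta, timezone

PWD_MAX_AGE = 2592000            # seconds; the cn=default policy's pwdMaxAge from the thread
GENERALIZED_TIME = "%Y%m%d%H%M%SZ"  # LDAP GeneralizedTime as stored in pwdChangedTime

# Constructed sample: two stamped entries and one that predates the overlay.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
pwdChangedTime: 20090105120000Z

dn: uid=bob,ou=People,dc=example,dc=com
pwdChangedTime: 20090220083000Z

dn: uid=carol,ou=People,dc=example,dc=com
"""


def parse_ldif(text):
    """Return {dn: {attr: [values]}} for LDIF text, honouring folded lines."""
    entries, current, last_attr = {}, None, None
    for line in text.splitlines():
        if not line:                       # blank line ends an entry
            current, last_attr = None, None
            continue
        if line.startswith("#"):
            continue
        if line.startswith(" ") and current is not None and last_attr:
            current[last_attr][-1] += line[1:]   # LDIF continuation line
            continue
        attr, _, value = line.partition(": ")
        if attr == "dn":
            current = entries.setdefault(value, {})
            last_attr = None
        elif current is not None:
            current.setdefault(attr, []).append(value)
            last_attr = attr
    return entries


def parse_time(value):
    """GeneralizedTime (UTC, 'Z' suffix) -> aware datetime."""
    return datetime.strptime(value, GENERALIZED_TIME).replace(tzinfo=timezone.utc)


def password_state(entry, now, max_age=PWD_MAX_AGE):
    """Classify an entry as ('unaged', None), ('expired', expiry) or ('valid', expiry)."""
    stamps = entry.get("pwdChangedTime")
    if not stamps:
        # No pwdChangedTime: the overlay has never seen this password, so
        # pwdMaxAge cannot apply until the user changes it.
        return "unaged", None
    expiry = parse_time(stamps[0]) + timedelta(seconds=max_age)
    return ("expired" if expiry <= now else "valid"), expiry


def audit(text, now_generalized, max_age=PWD_MAX_AGE):
    """Map each DN in the LDIF to its (state, expiry) at the given GeneralizedTime."""
    now = parse_time(now_generalized)
    return {dn: password_state(entry, now, max_age)
            for dn, entry in parse_ldif(text).items()}


if __name__ == "__main__":
    # Fixed clock so the report is reproducible; use datetime.now(timezone.utc) in practice.
    for dn, (state, expiry) in audit(SAMPLE_LDIF, "20090225000000Z").items():
        when = expiry.strftime("%Y-%m-%d %H:%M UTC") if expiry else "never (no pwdChangedTime)"
        print(f"{state:8s} {dn}  expires {when}")
```

Running it against a real export shows directly which accounts the new policy is actually covering; anything reported as "unaged" is exactly the set Joshua describes, and the list only shrinks as those users change their passwords.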