Rahima Shaheen wrote:
Hi,
I am very new to OpenLDAP. I can run slapd and add and edit new entries. Now I want to implement pwdPolicy. I tried it several times. I would like to describe what I did.
- Run slapd without modifying anything.
- Create an ou=policies. Script as follows:
dn: ou=policies,dc=my-domain,dc=com
objectClass: organizationalUnit
objectClass: top
ou: policies
- Write policy.schema.
- Include policy.schema, but the overlay is not added. Run slapd again. In core.schema the attributetype userPassword was commented out.
- Now I want to create policy.ldif. Script as follows:
dn: cn=default,ou=policies,dc=my-domain,dc=com
cn: default
objectClass: pwdPolicy
objectClass: person
objectClass: top
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdExpireWarning: 600
pwdFailureCountInterval: 30
pwdGraceAuthNLimit: 5
pwdInHistory: 5
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdMaxAge: 0
pwdMaxFailure: 5
pwdMinAge: 0
pwdMinLength: 5
pwdMustChange: FALSE
pwdSafeModify: FALSE
#sn: 'dummy value' objectClass: organizationalUnit
It gives an error: "Invalid syntax (21) pwdAttribute: value #0 invalid per syntax". Why does it give such an error? My assumption is that the ppolicy.schema attribute is not created successfully. Another point: in core.schema the attributeType userPassword is commented out. If I uncomment it, slapd -d 1 gives a duplicate attribute type. Please give a solution.
Now my questions are:
a. How can I be sure that my ppolicy.schema is created? I don't have any ppolicy.la.
b. What does ppolicy.la do?
Other people have answered these questions (ppolicy.schema is simply included in your slapd.conf file and ppolicy.la is a wrappered library).
You include the ppolicy.schema file by using a directive such as:
include /etc/openldap/schema/ppolicy.schema
in your slapd.conf file. You also bring in the actual executable bit of ppolicy code via:
moduleload ppolicy.la
in your slapd.conf file. Finally, you have to add something like:
# Password policy enforcement...
# Set up password policies via the "ppolicy" overlay.
# Unless otherwise specified by a "pwdPolicySubentry"
# attribute in a user's entry, they will use the policy
# defined in the "ppolicy_default" entry here.
# We force "Invalid Credentials" errors on locked accounts
# and we store the passwords in LDAP in cleartext to satisfy
# SASL.
overlay ppolicy
ppolicy_default "cn=DefaultPassword,ou=Policies,dc=mycompany,dc=com"
ppolicy_use_lockout
ppolicy_hash_cleartext
in slapd.conf to set up how ppolicy works.
Now, as to how to set up the database itself, here is an LDIF file I use to seed my database by feeding it to slapcat:
-------------------------- CUT HERE ----------------------------------
# ROOT OF LDAP TREE
# Set up the root of the tree...
dn: dc=mycompany,dc=com
dc: mycompany
objectClass: top
objectClass: domain

# ORGANIZATIONAL UNITS
# This ou is used for the actual user IDs...
dn: ou=People,dc=mycompany,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

# This ou is for the user group IDs...
dn: ou=Group,dc=mycompany,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

# This ou is for password policies and the like...
dn: ou=Policies,dc=mycompany,dc=com
ou: Policies
objectClass: top
objectClass: organizationalUnit

# PASSWORD POLICIES
# This one is the default policy that all users get EXCEPT for the
# "special" folk (such as "sysman")...
dn: cn=DefaultPassword,ou=Policies,dc=mycompany,dc=com
cn: DefaultPassword
objectClass: top
objectClass: device
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
pwdAttribute: userPassword
pwdMinAge: 86400
pwdMaxAge: 7776000
pwdExpireWarning: 604800
pwdGraceAuthnLimit: 3
pwdMinLength: 10
pwdCheckQuality: 2
pwdCheckModule: check_password.so
pwdMaxFailure: 6
pwdLockout: TRUE
pwdLockoutDuration: 180
pwdFailureCountInterval: 120
pwdInHistory: 4
pwdAllowUserChange: TRUE
pwdMustChange: TRUE
pwdSafeModify: FALSE

# This one is the special policy that users whose passwords should
# NOT expire get (such as "sysman")...
dn: cn=NoExpirePassword,ou=Policies,dc=mycompany,dc=com
cn: NoExpirePassword
objectClass: top
objectClass: device
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdMinAge: 0
pwdMaxAge: 0
pwdExpireWarning: 0
pwdGraceAuthnLimit: 3
pwdMinLength: 10
pwdCheckQuality: 2
pwdMaxFailure: 3
pwdLockoutDuration: 180
pwdFailureCountInterval: 120
pwdInHistory: 4
pwdAllowUserChange: TRUE
pwdMustChange: TRUE
pwdSafeModify: TRUE

# LDAP MAIN AUTHORITY
# This group is for "sysman", the absolute authority for the LDAP
# database...
dn: cn=sysman,ou=Group,dc=mycompany,dc=com
objectClass: posixGroup
objectClass: top
cn: sysman
userPassword: Y0uR3@llyD0n+w@n++0kn0w!
gidNumber: 500

# This is sysman's user ID...
dn: uid=sysman,ou=People,dc=mycompany,dc=com
uid: sysman
cn: LDAP System Manager
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowMin: 1
shadowMax: 90
shadowWarning: 7
shadowLastChange: 13945
loginShell: /bin/bash
gecos: LDAP System Manager
homeDirectory: /home/sysman
uidNumber: 500
gidNumber: 500
userPassword: Y0uR3@llyD0n+w@n++0kn0w!
pwdPolicySubentry: cn=NoExpirePassword,ou=Policies,dc=mycompany,dc=com
-------------------------- CUT HERE ----------------------------------
Note that the "pwdCheckModule: check_password.so" bits are specifying a password checking module I wrote. If you want your own, you'll have to write it, compile it as a sharable library and put the binary in the libexec directory where slapd can get at it (typically /usr/local/libexec/openldap).
Note also that we were using cleartext passwords to satisfy some old SASL stuff inherent in our architecture. I don't like that, but I'm stuck with it. You'll need to change the "userPassword:" entries to reflect your encryption scheme (something along the lines of "userPassword: {sha1} encryptedstring" if you use SHA1 encryption).
----------------------------------------------------------------------
- Rick Stevens, Unix Geek                          rps2@socal.rr.com -
-                                                                    -
-           Lottery: A tax on people who are bad at math.            -
----------------------------------------------------------------------
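Before loading an LDIF like the one in Rick's post with slapadd, it is worth machine-checking the pwdPolicy entries for the traps this thread brushes against: pwdMaxFailure set while pwdLockout is absent (it defaults to FALSE, so failed binds are counted but never lock anyone out), pwdMaxAge 0 (no expiry), userPassword values stored without a {scheme} prefix (cleartext), and a pwdPolicySubentry that names an entry which is not a pwdPolicy or does not exist. The linter below is an added example, not code from the post or from OpenLDAP; SAMPLE_LDIF is constructed from the two policies above, trimmed, plus one invented account (uid=alice) to exercise the dangling-reference check, and MIN_LENGTH is an assumed local threshold rather than anything the overlay requires.

```python
"""Lint OpenLDAP ppolicy entries in an LDIF file before loading it with slapadd.

Added example, not code from the mailing-list post or from OpenLDAP itself.
It parses slapadd-style LDIF, finds entries carrying objectClass pwdPolicy
and reports settings a reviewer would question.
"""
from collections import defaultdict

MIN_LENGTH = 8  # assumed local minimum; the ppolicy overlay imposes none

# Constructed sample modelled on the post's policies plus two accounts
# (uid=alice is invented); not a real directory dump.
SAMPLE_LDIF = """\
# Constructed: default policy from the post, trimmed
dn: cn=DefaultPassword,ou=Policies,dc=mycompany,dc=com
cn: DefaultPassword
objectClass: top
objectClass: device
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdMaxAge: 7776000
pwdMinLength: 10
pwdCheckQuality: 2
pwdMaxFailure: 6
pwdLockout: TRUE

dn: cn=NoExpirePassword,ou=Policies,dc=mycompany,dc=com
cn: NoExpirePassword
objectClass: top
objectClass: device
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdMaxAge: 0
pwdMinLength: 10
pwdCheckQuality: 2
pwdMaxFailure: 3

dn: uid=sysman,ou=People,dc=mycompany,dc=com
uid: sysman
cn: LDAP System
  Manager
objectClass: account
userPassword: Y0uR3@llyD0n+w@n++0kn0w!
pwdPolicySubentry: cn=NoExpirePassword,ou=Policies,dc=mycompany,dc=com

dn: uid=alice,ou=People,dc=mycompany,dc=com
uid: alice
objectClass: account
userPassword: {SSHA}c2FsdGVkaGFzaA==
pwdPolicySubentry: cn=Missing,ou=Policies,dc=mycompany,dc=com
"""


def parse_ldif(text):
    """Return [(dn, {attr_lowercase: [values]})] from LDIF text.

    Handles '#' comments, blank-line entry separators and RFC 2849 line
    folding (a continuation line starts with one space). Base64 values
    ('attr:: ...') are kept encoded; the checks here do not need them.
    """
    entries, attrs, dn, last = [], defaultdict(list), None, None
    for raw in text.splitlines() + [""]:
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and last is not None:
            attrs[last][-1] += raw[1:]          # folded continuation line
            continue
        if raw.strip() == "":
            if dn is not None:
                entries.append((dn, dict(attrs)))
            attrs, dn, last = defaultdict(list), None, None
            continue
        name, _, value = raw.partition(":")
        name, value = name.strip().lower(), value.lstrip(":").strip()
        if name == "dn":
            dn = value
        else:
            attrs[name].append(value)
            last = name
    return entries


def _classes(attrs):
    return {c.lower() for c in attrs.get("objectclass", [])}


def _first(attrs, key, default=None):
    return attrs.get(key, [default])[0]


def lint(entries):
    """Return a list of 'dn: finding' strings; an empty list means nothing flagged."""
    findings = []
    by_dn = {dn.lower(): a for dn, a in entries}
    for dn, a in entries:
        if "pwdpolicy" in _classes(a):
            if _first(a, "pwdattribute", "").lower() != "userpassword":
                findings.append(f"{dn}: pwdAttribute should name userPassword")
            if int(_first(a, "pwdminlength", 0)) < MIN_LENGTH:
                findings.append(f"{dn}: pwdMinLength below {MIN_LENGTH}")
            if int(_first(a, "pwdcheckquality", 0)) < 2:
                findings.append(f"{dn}: pwdCheckQuality < 2, quality not enforced")
            # pwdLockout defaults to FALSE: pwdMaxFailure alone never locks anyone out
            if _first(a, "pwdmaxfailure") and _first(a, "pwdlockout", "FALSE").upper() != "TRUE":
                findings.append(f"{dn}: pwdMaxFailure set but pwdLockout is not TRUE")
            if int(_first(a, "pwdmaxage", 0)) == 0:
                findings.append(f"{dn}: pwdMaxAge 0, passwords never expire")
        # A userPassword value with no {scheme} prefix is stored in cleartext
        for pw in a.get("userpassword", []):
            if not pw.startswith("{"):
                findings.append(f"{dn}: userPassword has no {{scheme}} prefix (cleartext)")
        # A pwdPolicySubentry must point at an existing pwdPolicy entry
        for ref in a.get("pwdpolicysubentry", []):
            target = by_dn.get(ref.lower())
            if target is None or "pwdpolicy" not in _classes(target):
                findings.append(f"{dn}: pwdPolicySubentry {ref} is not a pwdPolicy entry in this LDIF")
    return findings


def lint_ldif(text):
    return lint(parse_ldif(text))


if __name__ == "__main__":
    for line in lint_ldif(SAMPLE_LDIF):
        print(line)
```

On the sample it reports four findings: cn=NoExpirePassword lacks pwdLockout despite pwdMaxFailure and has pwdMaxAge 0, uid=sysman carries a cleartext userPassword, and uid=alice references a policy that does not exist. To check a live directory, feed the output of slapcat to lint_ldif. The script looks at the LDIF only; whether slapd.conf actually loads ppolicy.la and the overlay is a separate check, and slaptest parses the config without starting the server.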