On Monday 13 August 2007 23:25:58 Scott Phelps wrote:
[...]
database bdb
# Overlay Directives
overlay ppolicy
ppolicy_default "cn=defaultPolicy,ou=policies,#####SECRET#######"
ppolicy_use_lockout

directory "/var/lib/ldap"
# For the Debian package we use 2MB as default but be sure to update this
# value if you have plenty of RAM
dbconfig set_cachesize 0 2097152 0
# Sven Hartge reported that he had to set this value incredibly high
# to get slapd running at all. See http://bugs.debian.org/303057
# for more information.
# Number of objects that can be locked at the same time.
dbconfig set_lk_max_objects 1500
# Number of locks (both requested and granted)
dbconfig set_lk_max_locks 1500
# Number of lockers
dbconfig set_lk_max_lockers 1500
# Indexing options for database #1
index objectClass eq
# Save the time that the entry gets modified, for database #1
lastmod on

access to dn.children="ou=people,#####SECRET######" attrs=userPassword
        by group/groupOfNames/member="#####SECRET######" write
        by self write
        by * auth
This database has no rootdn set. AFAIK, you need a rootdn to be configured for the internal writes by ppolicy to work (I can't be sure, as all my databases with ppolicy have rootdns).
- defaultPolicy.ldif
========================
dn: cn=defaultPolicy,ou=policies,#####SECRET######
cn: defaultPolicy
objectClass: organizationalRole
objectClass: pwdPolicy
objectClass: top
pwdLockout: TRUE
pwdMaxFailure: 3
pwdAttribute: userPassword
pwdGraceAuthNLimit: 3
pwdLockoutDuration: 15
pwdAllowUserChange: TRUE
- ppolicytest.ldif
=========================
dn: uid=ppolicytest,ou=people,#####SECRET######
uid: ppolicytest
uidNumber: 1012
gidNumber: 100
homeDirectory: /home/ppolicytest
loginShell: /bin/bash
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
structuralObjectClass: inetOrgPerson
entryUUID: e4c33596-d832-102b-8c70-39998be84848
creatorsName: #####SECRET######
createTimestamp: 20070806063457Z
pwdPolicySubentry: cn=defaultPolicy,ou=policies,#####SECRET######
userPassword: {MD5}Gh3JHJBzJcaScd3wyUS8cg==
pwdChangedTime: 20070806070643Z
cn: ppolicytest
entryCSN: 20070806070815Z#000000#00#000000
modifiersName: #####SECRET######
modifyTimestamp: 20070806070815Z
entryDN: uid=ppolicytest,ou=people,#####SECRET######
subschemaSubentry: cn=Subschema
hasSubordinates: FALSE
So with this all in place I get no errors starting slapd (the module gets loaded). I run the following command 4 times:

ldapsearch -P 3 -x -LLL -e ppolicy -D "uid=ppolictest,ou=people,#####SECRET######" -W "(objectclass=*)"

I enter an incorrect password each time, but the account never gets locked out and the operational attributes never change.
Regards, Buchan
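A way to exercise the lockout configured above and read back the state ppolicy is expected to write, as an added example that is not part of this thread or of OpenLDAP. The URI, rootdn, password and test DN are placeholders (assumptions), and the script assumes the database has a rootdn, as noted above. It does the failed binds with ldapwhoami rather than ldapsearch, and then asks for pwdFailureTime and pwdAccountLockedTime by name, because those are operational attributes and a plain search does not return them.

```shell
#!/bin/sh
# Added example (not from the thread): exercise the ppolicy lockout quoted
# above and read back the operational attributes it should set.
# Assumptions: slapd reachable at LDAP_URI, the bdb database has a rootdn
# (ROOT_DN/ROOT_PW), and USER_DN is the test entry. All values are placeholders.
LDAP_URI="${LDAP_URI:-ldap://localhost}"
ROOT_DN="${ROOT_DN:-cn=admin,dc=example,dc=com}"
ROOT_PW="${ROOT_PW:-secret}"
USER_DN="${USER_DN:-uid=ppolicytest,ou=people,dc=example,dc=com}"
ATTEMPTS="${ATTEMPTS:-4}"   # one more than pwdMaxFailure: 3 in the policy above

# Do ATTEMPTS simple binds as USER_DN with a wrong password. Each failure should
# add a pwdFailureTime value; once pwdMaxFailure is reached and pwdLockout is
# TRUE, the overlay sets pwdAccountLockedTime. -e ppolicy attaches the password
# policy control so the bind response carries the lockout reason.
bad_binds() {
    i=0
    while [ "$i" -lt "$ATTEMPTS" ]; do
        i=$((i + 1))
        if ldapwhoami -x -H "$LDAP_URI" -e ppolicy -D "$USER_DN" \
                -w "wrong-password-$i" >/dev/null 2>&1; then
            echo "attempt $i: bind unexpectedly succeeded"
        else
            echo "attempt $i: bind rejected (expected)"
        fi
    done
}

# Read the entry's ppolicy state as the rootdn. pwdFailureTime and
# pwdAccountLockedTime are operational attributes: a plain search does not
# return them, so they must be named in the attribute list (or use '+').
read_state() {
    ldapsearch -x -LLL -H "$LDAP_URI" -D "$ROOT_DN" -w "$ROOT_PW" \
        -b "$USER_DN" -s base '(objectClass=*)' \
        pwdPolicySubentry pwdChangedTime pwdFailureTime pwdAccountLockedTime
}

# LDIF on stdin -> number of pwdFailureTime values (0 if none).
failure_count() {
    grep -c '^pwdFailureTime: ' || true
}

# LDIF on stdin -> the pwdAccountLockedTime value, or empty if not locked.
locked_since() {
    sed -n 's/^pwdAccountLockedTime: *//p'
}

# Runs only when invoked as: sh ppolicy-lockout-check.sh run
if [ "${1:-}" = "run" ]; then
    bad_binds
    state=$(read_state)
    printf '%s\n' "$state"
    echo "failed binds recorded: $(printf '%s\n' "$state" | failure_count)"
    locked=$(printf '%s\n' "$state" | locked_since)
    if [ -n "$locked" ]; then
        echo "account locked since $locked"
    else
        echo "not locked: check that the database has a rootdn, that" \
             "pwdPolicySubentry (or ppolicy_default) names the policy entry," \
             "and that the bind DN is spelled exactly as the entry DN"
    fi
fi
```

Run it as `sh ppolicy-lockout-check.sh run` after editing the placeholders. With ppolicy_use_lockout set, the bind after the third failure should be refused with a lockout error rather than a plain invalid-credentials error, and the rootdn search should then show three pwdFailureTime values and one pwdAccountLockedTime; if the failure times never appear at all, ppolicy is not writing to the entry, which is where the missing rootdn noted above matters.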