Hello.
I'm looking for a solution allowing to lock user accounts stored in LDAP, whatever kind of client using LDAP for autenticating (the same as shadowAccount class allows, but only for PAM. Buchan suggested me to try to use ppolicy overlay.
I'm not really interested in what seems to be the main goal of password policy: as I'm importing passwords automatically from another LDAP system, that's not the right place to impose constraints on them. So my main interest is in operational attribute pwdAccountLockedTime, described in slapo-ppolicy: if set to 0, the user should not be able to bind.
So, I set up a very minimal default password policy object, as it seems to be quite mandatory: dn: cn=default,ou=policies,dc=futurs,dc=inria,dc=fr cn: default objectClass: pwdPolicy objectClass: organizationalRole pwdAttribute: userPassword pwdMaxAge: 0 pwdInHistory: 0 pwdCheckQuality: 0
Then I tried to add a pwdAccountLockedTime attribute to a user: dn: uid=rousse,ou=saclay,ou=futurs,ou=users,dc=futurs,dc=inria,dc=fr changetype: modify add: pwdAccountLockedTime pwdAccountLockedTime: 0
Error: pwdAccountLockedTime: value #0 invalid per syntax
Then I read the schema, additionaly to the man page, and I found additional (and potentially contradictory information), such as using something described a subtype to declaring which password attribute is really affected, and I tried: dn: uid=rousse,ou=saclay,ou=futurs,ou=users,dc=futurs,dc=inria,dc=fr changetype: modify add: pwdAccountLockedTime;pwd-userPassword pwdAccountLockedTime;pwd-userPassword: 0
Error: additional info: pwdAccountLockedTime;pwd-userPassword: operational attribute with options undefined
Additionaly, I found the definition of those operational attributes were commented in the schema file...
So, here is a list of questions I can't find a valid answer for: 1) do you need a policy entry if you're only interested in user entries operational attributes ? According to the man page, yes: If there is no specific policy for an entry and no default is given, then no policies will be enforced
2) do you need to add a new class to users account to be able to use those additional operational attributes, or just loading the overlay is enough ? According to examples found in thread http://www.openldap.org/lists/openldap-software/200706/msg00285.html, no
3) does the definition of those attributes need to exist in the schema (thus uncommented) or are they defined in the overlay ?
4) which is right between the man page or the schema comment for the attribute name (pwdAccountLockedTime vs pwdAccountLockedTime;pwd-userPassword) and the value to lock an account (0 vs 000001010000Z) As the comments seems to comes from the RFC directly, I'd rather trust the man page, but i've been unsucessful with both...
If it matters, i'm using openldap-servers-2.3.27 on mandriva linux 2007.0.
Em Qua, 2007-09-26 às 17:12 +0200, Guillaume Rousse escreveu:
So, I set up a very minimal default password policy object, as it seems to be quite mandatory: dn: cn=default,ou=policies,dc=futurs,dc=inria,dc=fr cn: default objectClass: pwdPolicy objectClass: organizationalRole pwdAttribute: userPassword pwdMaxAge: 0 pwdInHistory: 0 pwdCheckQuality: 0
Then I tried to add a pwdAccountLockedTime attribute to a user: dn: uid=rousse,ou=saclay,ou=futurs,ou=users,dc=futurs,dc=inria,dc=fr changetype: modify add: pwdAccountLockedTime pwdAccountLockedTime: 0
Error: pwdAccountLockedTime: value #0 invalid per syntax
The syntax is wrong. Try this value: pwdAccountLockedTime: 000001010000Z
From the slapo-ppolicy manpage:
"If pwdAccountLockedTime is set to 000001010000Z, the user's account has been permanently locked and may only be unlocked by an administrator."
Andreas Hasenack a écrit :
Em Qua, 2007-09-26 às 17:12 +0200, Guillaume Rousse escreveu:
So, I set up a very minimal default password policy object, as it seems to be quite mandatory: dn: cn=default,ou=policies,dc=futurs,dc=inria,dc=fr cn: default objectClass: pwdPolicy objectClass: organizationalRole pwdAttribute: userPassword pwdMaxAge: 0 pwdInHistory: 0 pwdCheckQuality: 0
Then I tried to add a pwdAccountLockedTime attribute to a user: dn: uid=rousse,ou=saclay,ou=futurs,ou=users,dc=futurs,dc=inria,dc=fr changetype: modify add: pwdAccountLockedTime pwdAccountLockedTime: 0
Error: pwdAccountLockedTime: value #0 invalid per syntax
The syntax is wrong. Try this value: pwdAccountLockedTime: 000001010000Z
From the slapo-ppolicy manpage:
"If pwdAccountLockedTime is set to 000001010000Z, the user's account has been permanently locked and may only be unlocked by an administrator."
Arghhhhh... The man pages from 2.3.27, and the one I found on google (http://linux.die.net/man/5/slapo-ppolicy) were wrong :( Current version is OK, tough.
Anyway, thanks a lot :)
openldap-software@openldap.org
-
Andreas Hasenack -
Guillaume Rousse