I've been working with OpenLDAP 2.3.30 to set up ppolicy processing. I think I have the policies set up correctly in the LDAP database using the following ppolicy.ldif file:
dn: ou=policies, dc=my-domain,dc=com
ou: policies
objectClass: top
objectClass: organizationalUnit

dn: cn=default,ou=policies,dc=my-domain,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
# 30 day password limit (2592000 seconds) with an even longer expire warning for testing.
pwdExpireWarning: 2592001
pwdMaxAge: 2592000
pwdInHistory: 3
pwdCheckQuality: 1
pwdMinLength: 6
pwdAllowUserChange: TRUE
# Items not currently used.
pwdMinAge: 0
pwdGraceAuthnLimit: 0
pwdLockout: FALSE
pwdLockoutDuration: 0
pwdMaxFailure: 0
pwdFailureCountInterval: 0
pwdMustChange: FALSE
pwdSafeModify: FALSE
and the following entries in the slapd.conf file:
# password policy
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=my-domain,dc=com"
However, I'm having trouble creating user accounts.
Looking at the OpenLDAP documentation and the ppolicy.schema file, it appears that I need to include objectClass: pwdPolicy as an auxiliary class (along with posixAccount, which is the basic user account class), and then include attributes for pwdChangedTime, pwdAccountLockedTime, pwdHistory, etc. The ppolicy.schema file indicates that the format in the ldif file should actually be something like:
pwdChangedTime;pwd-userPassword: 20000103121520Z
for pwdChangedTime. The format for pwdHistory sounds really complex, and the doc indicates that if this attribute is missing, OpenLDAP will not support password history processing, so it sounds like I need to get these attributes into the account structure.
Trouble is, if I try to include such values I either get an import failure without error messages, an error that says "no user modification allowed" (even when I'm adding an account), or an indication that I'm using an invalid format.
Does anyone have an example LDIF file that shows how to set up a user account to track ppolicy processing? I have the feeling I'm missing something really obvious here, but I absolutely don't see it yet.
Thanks for any help that anyone can provide.
JFE.
_________________________________________________________________ Hotmail to go? Get your Hotmail, news, sports and much more! http://mobile.msn.com
Jack,
I haven't tried setting the pwdChangedTime, but I recently implemented ppolicy and every time a user changes their password, it sets this attribute to the current time, not sure if that was part of your question. On all NEW user entries that I create, the pwdChangedTime is already set so that the password policies apply to those users.
$ ldapsearch -x -H ldaps://host.example.org cn=default
dn: cn=default,ou=Policies,dc=example,dc=org
cn: default
objectClass: pwdPolicy
objectClass: device
pwdMaxAge: 7776000
pwdAttribute: userPassword
pwdMinLength: 8
pwdInHistory: 5
pwdCheckQuality: 1
pwdExpireWarning: 604800
pwdLockout: TRUE
pwdMaxFailure: 3
pwdLockoutDuration: 900
pwdAllowUserChange: TRUE
pwdGraceAuthNLimit: 0
An example of one of my users:
$ ldapsearch -x -H ldaps://host.example.org/ uid=<uid>
dn: cn=First Last,ou=People,dc=example,dc=org
givenName: First
sn: Last
cn: First Last
uid: uid
uidNumber: <uid #>
loginShell: /bin/bash
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
gidNumber: <gid #>
homeDirectory: /home/<uid>
shadowLastChange: 13634
$ ldapsearch -x -H ldaps://host.example.org/ uid=<uid> +
dn: cn=first last,ou=People,dc=example,dc=org
creatorsName: cn=manager,dc=example,dc=org
createTimestamp: 20060501144730Z
structuralObjectClass: inetOrgPerson
entryUUID: 2d89674c-7b0d-102b-8606-4f7ba9469bfa
pwdChangedTime: 20070515203623Z
entryCSN: 20070515203623Z#000001#00#000000
modifiersName: cn=First Last,ou=People,dc=example,dc=org
modifyTimestamp: 20070515203623Z
entryDN: cn=First Last,ou=People,dc=example,dc=org
subschemaSubentry: cn=Subschema
hasSubordinates: FALSE
Thanks, -- Joshua M. Miller - RHCE,VCP
Jack Emmerichs wrote:
Looking at the OpenLDAP documentation and the ppolicy.schema file, it appears that I need to include objectClass: pwdPolicy as an auxiliary class (along with posixAccount, which is the basic user account class), and then include attributes for pwdChangedTime, pwdAccountLockedTime, pwdHistory, etc. The ppolicy.schema file indicates that the format in the ldif file should actually be something like:
pwdChangedTime;pwd-userPassword: 20000103121520Z
for pwdChangedTime. The format for pwdHistory sounds really complex, and the doc indicates that if this attribute is missing, OpenLDAP will not support password history processing, so it sounds like I need to get these attributes into the account structure.
Trouble is, if I try to include such values I either get an import failure without error messages, an error that says "no user modification allowed" (even when I'm adding an account), or an indication that I'm using an invalid format.
Hummm... had not used shadowAccount, and removing the ppolicy-specific attributes allows the LDIF file to properly set up the account.
Thanks.
JFE.
From: "Joshua M. Miller" joshua@itsecureadmin.com
To: Jack Emmerichs beamrider1@hotmail.com
CC: openldap-software@openldap.org
Subject: Re: Setting up user accounts with ppolicy attributes
Date: Tue, 26 Jun 2007 07:17:53 -0700
On Monday, 25 June 2007, Jack Emmerichs wrote:
I've been working with OpenLDAP 2.3.30 to set up ppolicy processing. I think I have the policies set up correctly in the LDAP database using the following ppolicy.ldif file:
dn: ou=policies, dc=my-domain,dc=com
ou: policies
objectClass: top
objectClass: organizationalUnit

dn: cn=default,ou=policies,dc=my-domain,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
# 30 day password limit (2592000 seconds) with an even longer expire warning for testing.
pwdExpireWarning: 2592001
pwdMaxAge: 2592000
pwdInHistory: 3
pwdCheckQuality: 1
pwdMinLength: 6
pwdAllowUserChange: TRUE
# Items not currently used.
pwdMinAge: 0
pwdGraceAuthnLimit: 0
pwdLockout: FALSE
pwdLockoutDuration: 0
pwdMaxFailure: 0
pwdFailureCountInterval: 0
pwdMustChange: FALSE
pwdSafeModify: FALSE
and the following entries in the slapd.conf file:
# password policy
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=my-domain,dc=com"
However, I'm having trouble creating user accounts.
You shouldn't be creating accounts with attributes that should be maintained by the server itself, just as you don't (can't) add them with creatorsName, createTimestamp etc.
Looking at the OpenLDAP documentation and the ppolicy.schema file, it appears that I need to include objectClass: pwdPolicy as an auxiliary class (along with posixAccount, which is the basic user account class), and then include attributes for pwdChangedTime, pwdAccountLockedTime, pwdHistory, etc. The ppolicy.schema file indicates that the format in the ldif file should actually be something like:
pwdChangedTime;pwd-userPassword: 20000103121520Z
for pwdChangedTime. The format for pwdHistory sounds really complex, and the doc indicates that if this attribute is missing, OpenLDAP will not support password history processing, so it sounds like I need to get these attributes into the account structure.
The exact text is:
"If pwdChangedTime does not exist, the user's password will not expire."
That doesn't mean you must add it manually. However, it means that if you created accounts before you implemented ppolicy, you need to have those passwords changed, so that OpenLDAP adds the attribute.
Trouble is, if I try to include such values I either get an import failure without error messages, an error that says "no user modification allowed" (even when I'm adding an account), or an indication that I'm using an invalid format.
Note that the description for this attribute (and a few others) appears in the section of slapo-ppolicy(5) called "OPERATIONAL ATTRIBUTES". At the top of that section you will see:
"Most of these attributes are not intended to be changed directly by users; they are there to track user activity. They have been detailed here so that administrators and users can both understand the workings of the ppolicy module."
Regards, Buchan
Ah, thanks. I had seen the comments about these fields not being user-changeable, I just didn't think that setting up a new user was the same as the user (or even an admin) trying to "change" these values. Thanks for the clarification. It's also good to know that you have to change the password before things become effective on existing accounts.
JFE.
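As an added example, not part of this thread and not OpenLDAP's own tooling: a small Python audit that ties together the three points above. It reads an LDIF dump of the kind Joshua's `ldapsearch ... +` output shows (user entries with their operational attributes), takes pwdMaxAge and pwdExpireWarning from the pwdPolicy entry of the shape Jack posted, and flags accounts that carry no pwdChangedTime, which, per the slapo-ppolicy(5) sentence Buchan quotes, will never expire and so need a password change before the policy bites. The LDIF embedded in the block is constructed sample data, and the LDIF reader is a minimal one written for this example rather than python-ldap's.

```python
"""Audit ppolicy expiry state from an LDIF dump (added example, not from the
thread). Input: the pwdPolicy entry plus user entries with operational
attributes, e.g. from `slapcat` or `ldapsearch ... '*' '+'`."""
from datetime import datetime, timedelta, timezone

# slapo-ppolicy(5) documents this pwdAccountLockedTime value as "locked by an
# administrator"; anything else is a timed lockout.
PERMANENT_LOCK = "000001010000Z"

# Constructed sample data, not a real directory: a 30-day policy with a
# 7-day warning, and five users in different states as of 2007-07-01.
SAMPLE_LDIF = """\
dn: cn=default,ou=policies,dc=example,dc=org
objectClass: pwdPolicy
objectClass: device
cn: default
pwdAttribute: userPassword
pwdMaxAge: 2592000
pwdExpireWarning: 604800

dn: uid=alice,ou=People,dc=example,dc=org
objectClass: inetOrgPerson
uid: alice
pwdChangedTime: 20070515203623Z

dn: uid=bob,ou=People,dc=example,dc=org
objectClass: inetOrgPerson
uid: bob
# created before the overlay was loaded: the server never wrote pwdChangedTime

dn: uid=carol,ou=People,dc=example,dc=org
objectClass: inetOrgPerson
uid: carol
pwdChangedTime: 20070620120000Z
pwdAccountLockedTime: 000001010000Z

dn: uid=dave,ou=People,dc=example,dc=org
objectClass: inetOrgPerson
uid: dave
pwdChangedTime: 20070625120000Z

dn: uid=erin,ou=People,dc=example,dc=org
objectClass: inetOrgPerson
uid: erin
pwdChangedTime: 20070605120000Z
"""


def parse_ldif(text):
    """Minimal LDIF reader: one {attribute: [values]} dict per entry, with
    attribute names lower-cased (LDAP compares them case-insensitively).
    Handles '#' comments and folded lines; base64 ('::') and URL (':<')
    values are skipped because this audit does not need them."""
    entries, current, last = [], {}, None
    for raw in text.splitlines() + [""]:  # trailing "" flushes the last entry
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and last is not None:
            current[last][-1] += raw[1:]  # folded line continues the previous value
            continue
        if raw.strip() == "":
            if current:
                entries.append(current)
            current, last = {}, None
            continue
        attr, sep, value = raw.partition(":")
        if not sep or value.startswith(":") or value.startswith("<"):
            continue
        last = attr.strip().lower()
        current.setdefault(last, []).append(value.strip())
    return entries


def parse_gtime(value):
    """GeneralizedTime as ppolicy writes it: YYYYmmddHHMMSSZ, UTC."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def audit(ldif_text, now_gtime):
    """Return {uid: status}. 'no-pwdChangedTime' means the password can never
    expire until it is changed and the server writes the attribute."""
    now = parse_gtime(now_gtime)
    entries = parse_ldif(ldif_text)
    policy = next(e for e in entries
                  if any(v.lower() == "pwdpolicy" for v in e.get("objectclass", [])))
    max_age = timedelta(seconds=int(policy.get("pwdmaxage", ["0"])[0]))
    warning = timedelta(seconds=int(policy.get("pwdexpirewarning", ["0"])[0]))
    report = {}
    for e in entries:
        if "uid" not in e:
            continue
        uid = e["uid"][0]
        if "pwdaccountlockedtime" in e:
            permanent = e["pwdaccountlockedtime"][0] == PERMANENT_LOCK
            report[uid] = "locked-permanently" if permanent else "locked"
        elif "pwdchangedtime" not in e:
            report[uid] = "no-pwdChangedTime"
        elif max_age == timedelta(0):
            report[uid] = "ok"  # pwdMaxAge 0 disables expiry by policy
        else:
            expires = parse_gtime(e["pwdchangedtime"][0]) + max_age
            if expires <= now:
                report[uid] = "expired"
            elif expires - now <= warning:
                report[uid] = "expiring"
            else:
                report[uid] = "ok"
    return report


if __name__ == "__main__":
    for uid, status in sorted(audit(SAMPLE_LDIF, "20070701000000Z").items()):
        print(f"{uid:8s} {status}")
```

To run it against a real directory, dump the entries with slapcat on the server, or with ldapsearch bound as an identity that has read access to the operational attributes, requesting both "*" and "+" (without the "+", pwdChangedTime and pwdAccountLockedTime are not returned, which is exactly why Joshua's first search does not show them). Every uid reported as no-pwdChangedTime is an account that predates the overlay and needs its password changed, as Buchan describes, before pwdMaxAge has any effect on it.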
From: Buchan Milne bgmilne@staff.telkomsa.net
To: openldap-software@openldap.org
CC: "Jack Emmerichs" beamrider1@hotmail.com
Subject: Re: Setting up user accounts with ppolicy attributes
Date: Wed, 27 Jun 2007 10:53:44 +0200
--
Buchan Milne
ISP Systems Specialist - Monitoring/Authentication Team Leader
B.Eng,RHCE(803004789010797),LPIC-2(LPI000074592)
http://en.wikipedia.org/wiki/List_of_Internet_slang_phrases