Hi, I am having trouble getting password lockout to work with openldap 2.3.32-0.27 on SLES 10 Service Pack 2. I don't see any pwdFailureTime attributes ever show up for the user in question, and the password never locks after bad password attempts.
Below is what I've done so far to set this up (note: I have found no errors in any logs so far indicating that the overlay isn't working). Any help would be greatly appreciated.
Thanks, Paul
As per the ppolicy documentation on the web, I've added the following lines to my slapd.conf:
overlay ppolicy
ppolicy_default "cn=stdWebPPolicy,ou=Policies,ou=Config,dc=pjm,dc=com"
ppolicy_use_lockout
Also, here is the ldif for my policy:
dn: cn=stdWebPPolicy,ou=Policies,ou=Config,dc=pjm,dc=com
cn: stdWebPPolicy
objectClass: pwdPolicy
objectClass: person
objectClass: top
pwdAllowUserChange: TRUE
pwdAttribute: 2.5.4.35
pwdCheckQuality: 2
pwdExpireWarning: 600
pwdFailureCountInterval: 30
pwdGraceAuthNLimit: 5
pwdInHistory: 5
pwdLockout: TRUE
pwdLockoutDuration: 1800
pwdMaxAge: 0
pwdMaxFailure: 5
pwdMinAge: 0
pwdMinLength: 5
pwdMustChange: FALSE
pwdSafeModify: FALSE
sn: dummy value
And here is the user I am testing against:
dn: uid=testuser,ou=People,ou=Test,ou=External,dc=pjm,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
objectClass: pwdPolicy
objectClass: posixAccount
uid: testuser
cn: testuser
givenName: Test
sn: User
pwdAttribute: userPassword
gidNumber: 123
homeDirectory: /home/testuser
uidNumber: 1234
userPassword: {SSHA}Lz+gz7+HomMnxxq1b+TZpgnxECEbfXs1
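What the overlay should have written to the entry after those bad binds, as an added example (my code, not from the thread and not OpenLDAP's own): a small Python model of the lockout bookkeeping slapo-ppolicy performs on a failed bind, driven by the values in the stdWebPPolicy entry above. There is no LDAP connection in it; the policy values are copied into a dict and the timestamps are constructed. The rules it encodes are the documented ones: each wrong password appends a pwdFailureTime, failures older than pwdFailureCountInterval are discarded, and when the remaining count reaches pwdMaxFailure with pwdLockout TRUE, pwdAccountLockedTime is set and binds are refused for pwdLockoutDuration seconds.

```python
from datetime import datetime, timedelta, timezone

# LDAP GeneralizedTime as slapd writes these attributes: UTC, whole seconds.
GT = "%Y%m%d%H%M%SZ"

# Lockout-related values from the stdWebPPolicy entry in the post, as plain
# integers. The real overlay reads them from the pwdPolicy entry.
STD_WEB_POLICY = {
    "pwdLockout": True,
    "pwdMaxFailure": 5,
    "pwdFailureCountInterval": 30,  # seconds; 0 would keep failures until a good bind
    "pwdLockoutDuration": 1800,     # seconds; 0 would lock until an admin resets
}


def gt(value):
    """Parse a GeneralizedTime string into an aware UTC datetime."""
    return datetime.strptime(value, GT).replace(tzinfo=timezone.utc)


def is_locked(user, policy, now):
    """Bind-time check: a pwdAccountLockedTime younger than pwdLockoutDuration
    (or any pwdAccountLockedTime at all when the duration is 0) refuses the bind."""
    locked = user.get("pwdAccountLockedTime")
    if not locked:
        return False
    duration = policy["pwdLockoutDuration"]
    if duration == 0:
        return True
    return now < gt(locked[0]) + timedelta(seconds=duration)


def record_failed_bind(user, policy, now):
    """Bookkeeping for one bind that failed with a wrong password.

    `user` is a dict of operational attributes, keyed exactly as
    `ldapsearch ... +` lists them; it is updated in place and returned.
    """
    if is_locked(user, policy, now):
        return user                          # a locked account records nothing more
    user.pop("pwdAccountLockedTime", None)   # an expired lock is cleared
    failures = [gt(t) for t in user.get("pwdFailureTime", [])] + [now]
    interval = policy["pwdFailureCountInterval"]
    if interval:
        cutoff = now - timedelta(seconds=interval)
        failures = [t for t in failures if t > cutoff]   # stale failures are purged
    user["pwdFailureTime"] = [t.strftime(GT) for t in failures]
    limit = policy["pwdMaxFailure"]
    if policy["pwdLockout"] and limit and len(failures) >= limit:
        user["pwdAccountLockedTime"] = [now.strftime(GT)]
    return user


def simulate(policy, first, spacing, attempts):
    """Fresh entry, `attempts` wrong passwords `spacing` seconds apart from `first`."""
    user = {}
    start = gt(first)
    for i in range(attempts):
        record_failed_bind(user, policy, start + timedelta(seconds=i * spacing))
    return user


def show(label, user):
    print(f"# {label}")
    for attr in sorted(user):
        for value in user[attr]:
            print(f"{attr}: {value}")
    print()


if __name__ == "__main__":
    # Five wrong passwords two seconds apart: all inside the 30-second window,
    # so the fifth one locks the account for 1800 seconds.
    show("burst", simulate(STD_WEB_POLICY, "20080820094418Z", 2, 5))
    # Five wrong passwords 31 seconds apart: each one has aged out of the
    # window before the next arrives, so the count never reaches 5.
    show("slow", simulate(STD_WEB_POLICY, "20080820094418Z", 31, 5))
```

A few things to hold the real output against. pwdFailureTime and pwdAccountLockedTime are operational attributes, so they only appear when the search asks for `+` (or names them explicitly), and a single wrong password is enough to produce one pwdFailureTime; an entry that shows none at all after several bad binds means the bookkeeping never ran for those binds, not that a count was reset. With pwdFailureCountInterval at 30, the five failures have to land inside one 30-second window, which the second scenario in the block illustrates. The bad binds must be made as the user's own DN: a bind as the rootdn with the rootpw from slapd.conf is answered by the frontend and never reaches the overlay. ppolicy_use_lockout only changes what the client is told: without it a locked account still receives invalidCredentials (49); with it the password-policy response control carries an accountLocked error, which the OpenLDAP client tools print when the bind is sent with `-e ppolicy`, for example `ldapwhoami -x -D "uid=testuser,ou=People,ou=Test,ou=External,dc=pjm,dc=com" -w wrongpassword -e ppolicy`.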
On Thu, Aug 14, 2008 at 07:58:44AM -0400, discip@pjm.com wrote:
I don't see any pwdFailureTime attributes ever show up for the user in question, and the password never locks after bad password attempts.
When reading the user entry are you requesting the operational attributes? You need to do that to see things like failure times. Add '+' to the end of the ldapsearch command and see what you get.
Andrew

-- 
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
Here are the results after multiple bad attempts to bind to the LDAP server. Additionally, I changed the password for the user before I started, and I don't see attributes related to that either.
user@dir01alt:~> ldapsearch -D "cn=manager,dc=pjm,dc=com" -Wx -b "dc=pjm,dc=com" "(uid=testuser)" +
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=pjm,dc=com> with scope subtree
# filter: (uid=testuser)
# requesting: +
#

# testuser, People, Test, External, pjm.com
dn: uid=testuser,ou=People,ou=Test,ou=External,dc=pjm,dc=com
structuralObjectClass: inetOrgPerson
entryUUID: e15065de-f814-102c-85ad-6b504a287112
creatorsName: cn=manager,dc=pjm,dc=com
createTimestamp: 20080806150541Z
entryCSN: 20080813115547Z#000000#00#000000
modifiersName: cn=stoat,dc=pjm,dc=com
modifyTimestamp: 20080813115547Z
entryDN: uid=testuser,ou=People,ou=Test,ou=External,dc=pjm,dc=com
subschemaSubentry: cn=Subschema
hasSubordinates: FALSE

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
-----Original Message-----
From: Andrew Findlay [mailto:andrew.findlay@skills-1st.co.uk]
Sent: Thursday, August 14, 2008 2:46 PM
To: DiSciascio, Paul
Cc: openldap-software@openldap.org
Subject: [Probable SPAM] Re: ppolicy password lockout
On Thu, Aug 14, 2008 at 07:58:44AM -0400, discip@pjm.com wrote:
I don't see any pwdFailureTime attributes ever show up for the user in question, and the password never locks after bad password attempts.
When reading the user entry are you requesting the operational attributes? You need to do that to see things like failure times. Add '+' to the end of the ldapsearch command and see what you get.
Andrew
Did you add this user _after_ putting the overlay ppolicy in your config or before? In my past experience only entries that were added after the fact were affected.
Yes, I recreated the user after putting the overlay in the config.
-----Original Message-----
From: Adam Leach [mailto:adam.m.leach@gmail.com]
Sent: Friday, August 15, 2008 10:46 AM
To: DiSciascio, Paul
Cc: andrew.findlay@skills-1st.co.uk; openldap-software@openldap.org
Subject: Re: [Probable SPAM] Re: ppolicy password lockout

Did you add this user _after_ putting the overlay ppolicy in your config or before? In my past experience only entries that were added after the fact were affected.

On Fri, Aug 15, 2008 at 9:12 AM, discip@pjm.com wrote:
-- 
Adam Leach
BS Computer/Electrical Engineering
West Virginia University
System Administrator - Raytheon
(304)677-4455
I'm not sure if it's worth mentioning that I am seeing the following in syslog when I start up slapd:
Aug 20 09:44:18 dir01alt slapd[14600]: WARNING: No dynamic config support for overlay ppolicy.
It says it's a warning, but I'm not sure I believe it.
~Paul

-----Original Message-----
From: openldap-software-bounces+discip=pjm.com@OpenLDAP.org [mailto:openldap-software-bounces+discip=pjm.com@OpenLDAP.org] On Behalf Of discip@pjm.com
Sent: Monday, August 18, 2008 7:31 AM
To: adam.m.leach@gmail.com
Cc: openldap-software@openldap.org; andrew.findlay@skills-1st.co.uk
Subject: Re: ppolicy password lockout
Yes, I recreated the user after putting the overlay in the config.
Does anyone know if there is at least a way to confirm that a given overlay is "loaded" or "in use" somehow?
Thanks, Paul
-----Original Message-----
From: DiSciascio, Paul
Sent: Wednesday, August 20, 2008 9:38 AM
To: DiSciascio, Paul; adam.m.leach@gmail.com
Cc: openldap-software@openldap.org; andrew.findlay@skills-1st.co.uk
Subject: RE: ppolicy password lockout
I'm not sure if it's worth mentioning that I am seeing the following in syslog when I start up slapd:
Aug 20 09:44:18 dir01alt slapd[14600]: WARNING: No dynamic config support for overlay ppolicy.
It says it's a warning, but I'm not sure I believe it.
discip@pjm.com wrote:
Does anyone know if there is at least a way to confirm that a given overlay is "loaded" or "in use" somehow?
Thanks, Paul
Paul,
I recall someone posted something on the FAQ about ppolicy not so long ago, which included how to tell if it was active.
I'd check that.
Regards,
Andy
discip@pjm.com writes:
Does anyone know if there is at least a way to confirm that a given overlay is "loaded" or "in use" somehow?
ldapsearch -b cn=overlays,cn=monitor +
-Dieter
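Dieter's search reads the monitor backend, which lists every overlay slapd has loaded and, on each database entry, which overlays are stacked on it; that is the difference between "loaded" and "in use" that Paul asks about. As an added example (my code, not from the thread and not OpenLDAP's own), here is a Python reading of that output. The sample LDIF is constructed in the shape back-monitor documents, with monitoredInfo carrying the overlay name under cn=Overlays,cn=Monitor and namingContexts plus monitorOverlay on the entries under cn=Databases,cn=Monitor; treat those attribute names as an assumption and compare them with what your own `ldapsearch -x -b cn=Overlays,cn=Monitor +` and `ldapsearch -x -b cn=Databases,cn=Monitor +` return. The search only works when slapd.conf contains `database monitor` and the ACLs let the binding identity read it; otherwise the base does not exist and the search fails with noSuchObject (32).

```python
# Constructed sample of slapd monitor output, not captured from the server in
# the thread. Attribute names follow back-monitor's documented layout.
MONITOR_LDIF = """\
# Overlays, Monitor
dn: cn=Overlays,cn=Monitor
objectClass: monitorContainer
cn: Overlays

# Overlay 0, Overlays, Monitor
dn: cn=Overlay 0,cn=Overlays,cn=Monitor
objectClass: monitoredObject
cn: Overlay 0
monitoredInfo: ppolicy
seeAlso: cn=Database 1,cn=Databases,cn=Monitor

# Database 1, Databases, Monitor
dn: cn=Database 1,cn=Databases,cn=Monitor
objectClass: monitoredObject
cn: Database 1
monitoredInfo: bdb
namingContexts: dc=pjm,dc=com
monitorOverlay: ppolicy
seeAlso: cn=Overlay 0,cn=Overlays,cn=Monitor
"""

# Same server with the overlay loaded but stacked on no database: the
# "overlay ppolicy" line sits in the wrong place in slapd.conf, for instance.
MONITOR_LDIF_UNSTACKED = MONITOR_LDIF.replace("monitorOverlay: ppolicy\n", "")


def entries(ldif):
    """Yield (dn, {attr: [values]}) for every blank-line separated entry."""
    for chunk in ldif.strip().split("\n\n"):
        dn, attrs = None, {}
        for line in chunk.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(": ")
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        if dn:
            yield dn, attrs


def normalize_dn(dn):
    """Lower-case and strip spaces around RDN separators (no escaping support)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def dn_under(dn, suffix):
    """True when dn equals suffix or sits below it."""
    dn, suffix = normalize_dn(dn), normalize_dn(suffix)
    return dn == suffix or dn.endswith("," + suffix)


def loaded_overlays(ldif):
    """Overlay names slapd has loaded, whether stacked on a database or not."""
    return {attrs["monitoredInfo"][0]
            for dn, attrs in entries(ldif)
            if dn_under(dn, "cn=Overlays,cn=Monitor") and "monitoredInfo" in attrs}


def overlays_per_suffix(ldif):
    """{database suffix: set of overlays stacked on it}, from the Database entries."""
    result = {}
    for dn, attrs in entries(ldif):
        if dn_under(dn, "cn=Databases,cn=Monitor"):
            for suffix in attrs.get("namingContexts", []):
                result[suffix] = set(attrs.get("monitorOverlay", []))
    return result


def ppolicy_ready(ldif, user_dn, policy_dn):
    """True when the database holding user_dn has ppolicy stacked on it and the
    default policy entry lives in that same database (longest suffix wins)."""
    by_suffix = overlays_per_suffix(ldif).items()
    for suffix, overlays in sorted(by_suffix, key=lambda kv: -len(normalize_dn(kv[0]))):
        if dn_under(user_dn, suffix):
            return "ppolicy" in overlays and dn_under(policy_dn, suffix)
    return False


if __name__ == "__main__":
    user = "uid=testuser,ou=People,ou=Test,ou=External,dc=pjm,dc=com"
    policy = "cn=stdWebPPolicy,ou=Policies,ou=Config,dc=pjm,dc=com"
    for label, ldif in ("stacked", MONITOR_LDIF), ("unstacked", MONITOR_LDIF_UNSTACKED):
        print(label, "loaded:", loaded_overlays(ldif),
              "per suffix:", overlays_per_suffix(ldif),
              "ready:", ppolicy_ready(ldif, user, policy))
```

ppolicy_ready also checks that the ppolicy_default DN lies under the suffix of the database the overlay is stacked on: the overlay resolves the policy entry through that database, so a policy stored in another database is never found. For the configuration in the thread that check passes. The syslog line "WARNING: No dynamic config support for overlay ppolicy" only says that this build of the overlay cannot be managed through cn=config; it is still loaded from slapd.conf, and the monitor listing is the place to confirm that.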