Environment:
===============
* OS: Ubuntu Feisty 7.04
* Slapd Version: slapd 2.3.30
* Apt-Package Compile Options (per launchpadlibrarian.net):
  --prefix=/usr --libexecdir='${prefix}/lib' --sysconfdir=/etc --localstatedir=/var
  --mandir='${prefix}/share/man' --enable-debug --enable-dynamic --enable-syslog
  --enable-proctitle --enable-ipv6 --enable-local --enable-slapd --enable-aci
  --enable-cleartext --enable-crypt --enable-spasswd --enable-modules --enable-rewrite
  --enable-rlookups --enable-slp --enable-wrappers --enable-backends=mod --enable-ldbm=no
  --enable-overlays=mod --enable-slurpd --with-subdir=ldap --with-cyrus-sasl --with-threads
  --with-tls
* slapd.conf (abridged)
=============
# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/sudo.schema
include /etc/ldap/schema/autofs.schema
include /etc/ldap/schema/ppolicy.schema
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/authldap.schema
include /etc/ldap/schema/solaris.schema
include /etc/ldap/schema/solaris-nis.schema
include /etc/ldap/schema/solarisdua.schema

modulepath /usr/lib/ldap
moduleload back_bdb
moduleload ppolicy

schemacheck on

TLSCipherSuite #####SECRET######
TLSCertificateFile #####SECRET######
TLSCertificateKeyFile #####SECRET######
TLSCACertificateFile #####SECRET######

database bdb

# Overlay Directives
overlay ppolicy
ppolicy_default "cn=defaultPolicy,ou=policies,#####SECRET#######"
ppolicy_use_lockout

directory "/var/lib/ldap"
# For the Debian package we use 2MB as default but be sure to update this
# value if you have plenty of RAM
dbconfig set_cachesize 0 2097152 0
# Sven Hartge reported that he had to set this value incredibly high
# to get slapd running at all. See http://bugs.debian.org/303057
# for more information.
# Number of objects that can be locked at the same time.
dbconfig set_lk_max_objects 1500
# Number of locks (both requested and granted)
dbconfig set_lk_max_locks 1500
# Number of lockers
dbconfig set_lk_max_lockers 1500
# Indexing options for database #1
index objectClass eq
# Save the time that the entry gets modified, for database #1
lastmod on

access to dn.children="ou=people,#####SECRET######" attrs=userPassword
        by group/groupOfNames/member="#####SECRET######" write
        by self write
        by * auth
* defaultPolicy.ldif
========================
dn: cn=defaultPolicy,ou=policies,#####SECRET######
cn: defaultPolicy
objectClass: organizationalRole
objectClass: pwdPolicy
objectClass: top
pwdLockout: TRUE
pwdMaxFailure: 3
pwdAttribute: userPassword
pwdGraceAuthNLimit: 3
pwdLockoutDuration: 15
pwdAllowUserChange: TRUE
* ppolicytest.ldif
=========================
dn: uid=ppolicytest,ou=people,#####SECRET######
uid: ppolicytest
uidNumber: 1012
gidNumber: 100
homeDirectory: /home/ppolicytest
loginShell: /bin/bash
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
structuralObjectClass: inetOrgPerson
entryUUID: e4c33596-d832-102b-8c70-39998be84848
creatorsName: #####SECRET######
createTimestamp: 20070806063457Z
pwdPolicySubentry: cn=defaultPolicy,ou=policies,#####SECRET######
userPassword: {MD5}Gh3JHJBzJcaScd3wyUS8cg==
pwdChangedTime: 20070806070643Z
cn: ppolicytest
entryCSN: 20070806070815Z#000000#00#000000
modifiersName: #####SECRET######
modifyTimestamp: 20070806070815Z
entryDN: uid=ppolicytest,ou=people,#####SECRET######
subschemaSubentry: cn=Subschema
hasSubordinates: FALSE
So with this all in place I get no errors starting slapd (the module gets loaded.) I run the following command 4 times:

ldapsearch -P 3 -x -LLL -e ppolicy -D "uid=ppolictest,ou=people,#####SECRET######" -W "(objectclass=*)"

Entering an incorrect password each time, however the account never gets locked out and the operational attributes never change.
TIA, for any advice!
On Monday 13 August 2007 23:25:58 Scott Phelps wrote:
> [...]
> database bdb
>
> # Overlay Directives
> overlay ppolicy
> ppolicy_default "cn=defaultPolicy,ou=policies,#####SECRET#######"
> ppolicy_use_lockout
>
> directory "/var/lib/ldap"
> # For the Debian package we use 2MB as default but be sure to update this
> # value if you have plenty of RAM
> dbconfig set_cachesize 0 2097152 0
> # Sven Hartge reported that he had to set this value incredibly high
> # to get slapd running at all. See http://bugs.debian.org/303057
> # for more information.
> # Number of objects that can be locked at the same time.
> dbconfig set_lk_max_objects 1500
> # Number of locks (both requested and granted)
> dbconfig set_lk_max_locks 1500
> # Number of lockers
> dbconfig set_lk_max_lockers 1500
> # Indexing options for database #1
> index objectClass eq
> # Save the time that the entry gets modified, for database #1
> lastmod on
>
> access to dn.children="ou=people,#####SECRET######" attrs=userPassword
>         by group/groupOfNames/member="#####SECRET######" write
>         by self write
>         by * auth
This database has no rootdn set. AFAIK, you need a rootdn to be configured for the internal writes by ppolicy to work (I can't be sure as all my databases with ppolicy have rootdns).
> - defaultPolicy.ldif
> ========================
> dn: cn=defaultPolicy,ou=policies,#####SECRET######
> cn: defaultPolicy
> objectClass: organizationalRole
> objectClass: pwdPolicy
> objectClass: top
> pwdLockout: TRUE
> pwdMaxFailure: 3
> pwdAttribute: userPassword
> pwdGraceAuthNLimit: 3
> pwdLockoutDuration: 15
> pwdAllowUserChange: TRUE
>
> - ppolicytest.ldif
> =========================
> dn: uid=ppolicytest,ou=people,#####SECRET######
> uid: ppolicytest
> uidNumber: 1012
> gidNumber: 100
> homeDirectory: /home/ppolicytest
> loginShell: /bin/bash
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: top
> structuralObjectClass: inetOrgPerson
> entryUUID: e4c33596-d832-102b-8c70-39998be84848
> creatorsName: #####SECRET######
> createTimestamp: 20070806063457Z
> pwdPolicySubentry: cn=defaultPolicy,ou=policies,#####SECRET######
> userPassword: {MD5}Gh3JHJBzJcaScd3wyUS8cg==
> pwdChangedTime: 20070806070643Z
> cn: ppolicytest
> entryCSN: 20070806070815Z#000000#00#000000
> modifiersName: #####SECRET######
> modifyTimestamp: 20070806070815Z
> entryDN: uid=ppolicytest,ou=people,#####SECRET######
> subschemaSubentry: cn=Subschema
> hasSubordinates: FALSE
>
> So with this all in place I get no errors starting slapd (the module gets loaded.) I run the following command 4 times:
>
> ldapsearch -P 3 -x -LLL -e ppolicy -D "uid=ppolictest,ou=people,#####SECRET######" -W "(objectclass=*)"
>
> Entering an incorrect password each time, however the account never gets locked out and the operational attributes never change.
Regards, Buchan
Please note that the pwdLockoutDuration is in seconds...so if you get locked out, it's only for 15 seconds in your case. You may want to increase this value to something like 15 minutes (900 seconds) for testing.
HTH,
--
Joshua M. Miller - RHCE,VCP
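As an added example, not part of any message in this thread: the two points raised above (ppolicy needs to be able to write its operational attributes, and pwdLockoutDuration is counted in seconds) are both visible in the entry itself once the overlay has acted. The script below is a small checker, written for this page rather than taken from OpenLDAP, that reads an LDIF dump of an entry's pwdFailureTime and pwdAccountLockedTime values (the kind of output you get from an ldapsearch run as the rootdn that requests those attributes explicitly or with "+") and reports whether the account is locked now, when the lock expires, or whether ppolicy never touched the entry at all. The suffix dc=example,dc=com, the timestamps and the sample LDIF are constructed for the example; the policy values are the ones from defaultPolicy.ldif.

```python
from datetime import datetime, timedelta, timezone

# Values from the thread's defaultPolicy.ldif
PWD_MAX_FAILURE = 3
PWD_LOCKOUT_DURATION = 15   # ppolicy reads this as seconds

# Constructed sample (not real server output): operational attributes of the
# test entry after repeated failed binds, as an ldapsearch run as the rootdn
# with "pwdFailureTime pwdAccountLockedTime" in the attribute list would show.
SAMPLE_LOCKED = """\
dn: uid=ppolicytest,ou=people,dc=example,dc=com
pwdFailureTime: 20070806070900Z
pwdFailureTime: 20070806070902Z
pwdFailureTime: 20070806070904Z
pwdAccountLockedTime: 20070806070904Z
"""

# Constructed sample: an entry ppolicy has never written to, which is what the
# thread reports ("the operational attributes never change").
SAMPLE_UNTOUCHED = """\
dn: uid=ppolicytest,ou=people,dc=example,dc=com
"""


def parse_ldif_attrs(ldif_text):
    """Collect {attribute: [values]} from a single-entry LDIF dump.
    Base64 (::) values and folded lines are not needed for these attributes."""
    attrs = {}
    for line in ldif_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs


def parse_generalized_time(value):
    """ppolicy stores GeneralizedTime in UTC, e.g. 20070806070904Z."""
    base = value.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def lockout_state(ldif_text, now_gt, max_failure=PWD_MAX_FAILURE,
                  lockout_duration=PWD_LOCKOUT_DURATION):
    """Describe the entry's lockout state at time now_gt (a GeneralizedTime string)."""
    attrs = parse_ldif_attrs(ldif_text)
    now = parse_generalized_time(now_gt)
    failures = attrs.get("pwdFailureTime", [])
    locked_at = attrs.get("pwdAccountLockedTime")
    state = {"failures": len(failures), "locked": False, "unlocks_at": None, "note": ""}

    if not failures and not locked_at:
        state["note"] = ("no pwdFailureTime recorded: ppolicy never updated the entry "
                         "(confirm the bind DN exists and that the overlay can write, "
                         "e.g. a rootdn is configured for the database)")
        return state

    if locked_at:
        if lockout_duration == 0:
            # pwdLockoutDuration 0 means the lock stays until an administrator clears it
            state["locked"] = True
            state["note"] = "locked until an administrator removes pwdAccountLockedTime"
            return state
        unlocks_at = parse_generalized_time(locked_at[0]) + timedelta(seconds=lockout_duration)
        state["unlocks_at"] = unlocks_at
        if now < unlocks_at:
            state["locked"] = True
            state["note"] = f"locked for another {int((unlocks_at - now).total_seconds())}s"
        else:
            state["note"] = (f"lock expired after {lockout_duration}s; such a short "
                             "pwdLockoutDuration makes the lockout easy to miss")
        return state

    if len(failures) >= max_failure:
        state["note"] = "pwdMaxFailure reached but no pwdAccountLockedTime: check pwdLockout is TRUE"
    else:
        state["note"] = f"{len(failures)} of {max_failure} failures recorded"
    return state


if __name__ == "__main__":
    for label, sample, now in [("locked", SAMPLE_LOCKED, "20070806070910Z"),
                               ("expired", SAMPLE_LOCKED, "20070806070930Z"),
                               ("untouched", SAMPLE_UNTOUCHED, "20070806070910Z")]:
        print(label, lockout_state(sample, now))
```

With the 15-second policy from the thread, a lookup made more than 15 seconds after the third failure already reports the lock as expired, which is why the reply above suggests a longer pwdLockoutDuration while testing; an entry with no pwdFailureTime at all points at the overlay never having been able to write, which is the rootdn question raised earlier.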
Scott Phelps wrote:
> - defaultPolicy.ldif
> ========================
> dn: cn=defaultPolicy,ou=policies,#####SECRET######
> cn: defaultPolicy
> objectClass: organizationalRole
> objectClass: pwdPolicy
> objectClass: top
> pwdLockout: TRUE
> pwdMaxFailure: 3
> pwdAttribute: userPassword
> pwdGraceAuthNLimit: 3
> pwdLockoutDuration: 15
> pwdAllowUserChange: TRUE
>
> So with this all in place I get no errors starting slapd (the module gets loaded.) I run the following command 4 times:
>
> ldapsearch -P 3 -x -LLL -e ppolicy -D "uid=ppolictest,ou=people,#####SECRET######" -W "(objectclass=*)"
>
> Entering an incorrect password each time, however the account never gets locked out and the operational attributes never change.
openldap-software@openldap.org