I've got a question regarding the ppolicy overlay. I've read the docs I can find for it on the web, but there's a couple of holes in them and in my knowledge.
I've got the config set up (schema, module load, external check library) and such. I've got the default policy DN in the database and such.
From slapd.conf:

overlay ppolicy
ppolicy_default \
"cn=DefaultPassword,ou=Policies,dc=billing,dc=com"
ppolicy_use_lockout
ppolicy_hash_cleartext
From ldapsearch -b "ou=policies...":

dn: cn=DefaultPassword,ou=Policies,dc=billing,dc=com
cn: DefaultPassword
objectClass: top
objectClass: device
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdMinAge: 86400
pwdMaxAge: 7776000
pwdExpireWarning: 604800
pwdGraceAuthNLimit: 3
pwdMinLength: 10
pwdCheckQuality: 2
pwdMaxFailure: 3
pwdLockoutDuration: 180
pwdFailureCountInterval: 120
pwdInHistory: 4
pwdAllowUserChange: TRUE
pwdMustChange: TRUE
pwdSafeModify: TRUE
When I add a user and do an ldapsearch of that user, should I see any of the ppolicy user attributes such as "pwdReset" or "pwdChangedTime" in the entry right off the bat or must something happen first (such as having the user change their password)? I ask because I see nothing and hence don't know if ppolicy is ruling the roost or not.
Does ppolicy only affect a specific objectClass of entry (e.g. "inetOrgPerson") or will it take effect on any entry with a "userPassword" entry? None of my user accounts have "inetOrgPerson" object classes. Typical entry:
dn: uid=testuser,ou=People,dc=billing,dc=com
uid: testuser
cn: Test User
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowMin: 1
shadowMax: 90
shadowWarning: 7
loginShell: /bin/bash
gecos: Test User
homeDirectory: /home/testuser
uidNumber: 32004
gidNumber: 32004
userPassword:: OXgtJnhFM2VsZVls
shadowLastChange: 13978
Oh, by the way, that user was JUST added.
Rick Stevens wrote:
> I've got a question regarding the ppolicy overlay. I've read the docs I can find for it on the web, but there's a couple of holes in them and in my knowledge.
> I've got the config set up (schema, module load, external check library) and such. I've got the default policy DN in the database and such.
> From slapd.conf:
> overlay ppolicy
> ppolicy_default \
> "cn=DefaultPassword,ou=Policies,dc=billing,dc=com"
> ppolicy_use_lockout
> ppolicy_hash_cleartext
Are you searching for operational attributes by adding '+' onto your ldapsearch? Most of the ppolicy attributes are operational.

Gavin.
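Once the operational attributes are visible (they are only returned when '+' is requested, as Gavin says), the question becomes what they mean against the policy entry. The following is an added example, mine and not code from the thread or from OpenLDAP, that reads the cn=DefaultPassword values from the thread and a constructed user entry carrying pwdChangedTime, pwdFailureTime and pwdAccountLockedTime, and works out expiry, warning window, counted failures and lockout the way the ppolicy attributes define them. The user entry, its timestamps and the "now" values are constructed; the LDIF reader is deliberately minimal.

```python
"""Evaluate a user's password state from ppolicy operational attributes.

Added example; not code from the thread or from OpenLDAP. Policy values are
copied from the cn=DefaultPassword entry in the thread; the user entry and
all timestamps are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone

# Policy attributes as posted in the thread (subset relevant here).
POLICY_LDIF = """\
dn: cn=DefaultPassword,ou=Policies,dc=billing,dc=com
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdMaxAge: 7776000
pwdExpireWarning: 604800
pwdMaxFailure: 3
pwdLockoutDuration: 180
pwdFailureCountInterval: 120
"""

# Constructed: what 'ldapsearch ... "*" "+"' could return for the test user
# after three failed binds in quick succession (pwdMaxFailure reached).
USER_LDIF = """\
dn: uid=testuser,ou=People,dc=billing,dc=com
uid: testuser
pwdChangedTime: 20080115120000Z
pwdFailureTime: 20080411083000Z
pwdFailureTime: 20080411083010Z
pwdFailureTime: 20080411083020Z
pwdAccountLockedTime: 20080411083020Z
"""

GT = "%Y%m%d%H%M%SZ"   # LDAP GeneralizedTime as slapd writes it


def parse_ldif(text):
    """Minimal single-entry LDIF reader: attribute -> list of values.
    No base64 ('::') or folded-line handling; enough for the samples here."""
    entry = {}
    for line in text.splitlines():
        if line.strip():
            attr, _, value = line.partition(": ")
            entry.setdefault(attr, []).append(value.strip())
    return entry


def gtime(value):
    """Parse GeneralizedTime, tolerating a fractional-seconds part."""
    base = value.split(".")[0].rstrip("Z") + "Z"
    return datetime.strptime(base, GT).replace(tzinfo=timezone.utc)


def password_state(user_ldif, policy_ldif, now_gt):
    """Return plain values describing expiry and lockout at time 'now_gt'."""
    user, policy = parse_ldif(user_ldif), parse_ldif(policy_ldif)
    now = gtime(now_gt)

    def secs(attr):
        return int(policy.get(attr, ["0"])[0])

    changed = gtime(user["pwdChangedTime"][0])
    expires_at = changed + timedelta(seconds=secs("pwdMaxAge"))
    warn_from = expires_at - timedelta(seconds=secs("pwdExpireWarning"))

    # Failures older than pwdFailureCountInterval are no longer counted.
    interval = timedelta(seconds=secs("pwdFailureCountInterval"))
    recent = [t for t in map(gtime, user.get("pwdFailureTime", []))
              if now - t <= interval]

    state = {
        "expires_at": expires_at.strftime(GT),
        "expired": now >= expires_at,
        "in_warning": warn_from <= now < expires_at,
        "recent_failures": len(recent),
        "locked": False,
    }
    if "pwdAccountLockedTime" in user:
        duration = secs("pwdLockoutDuration")
        locked_at = gtime(user["pwdAccountLockedTime"][0])
        # pwdLockoutDuration 0 means the lock does not expire on its own.
        state["locked"] = (duration == 0
                           or now < locked_at + timedelta(seconds=duration))
    return state


if __name__ == "__main__":
    for when in ("20080411083030Z", "20080411084000Z", "20080420000000Z"):
        print(when, password_state(USER_LDIF, POLICY_LDIF, when))
```

With the posted policy, the constructed user is locked for 180 seconds after the third failure, the failures stop counting once they are older than pwdFailureCountInterval (120 s), and the password is inside its 7-day warning window until the 90-day pwdMaxAge runs out.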
Rick,
try
ldapsearch -{normal stuff here} cn=<value> '*' '+'
And then man ldapsearch and read the 'operational' section of the manpage (near the top)
On Apr 10, 2008, at 6:35 AM, Gavin Henry wrote:
> Are you searching for operational attributes by adding '+' onto your ldapsearch? Most of the ppolicy attributes are operational.
>
> Gavin.
>
> --
> Kind Regards,
> Gavin Henry. Managing Director.
> T +44 (0) 1224 279484  M +44 (0) 7930 323266  F +44 (0) 1224 824887  E ghenry@suretecsystems.com
> Open Source. Open Solutions(tm).

--
Chris G. Sellers | NITLE - Technology Team
734.661.2318 | chris.sellers@nitle.org
AIM: imthewherd | GoogleTalk: cgseller@gmail.com
Chris G. Sellers wrote:
> On Apr 10, 2008, at 6:35 AM, Gavin Henry wrote:
>> Rick Stevens wrote:
>>> From slapd.conf:
>>> overlay ppolicy
>>> ppolicy_default \
>>> "cn=DefaultPassword,ou=Policies,dc=billing,dc=com"
>>> ppolicy_use_lockout
>>> ppolicy_hash_cleartext
If the above extract from slapd.conf was quoted exactly, then it is wrong. Read the slapd.conf(5) manpage.
Howard Chu wrote:
> Chris G. Sellers wrote:
>> On Apr 10, 2008, at 6:35 AM, Gavin Henry wrote:
>>> Rick Stevens wrote:
>>>> From slapd.conf:
>>>> overlay ppolicy
>>>> ppolicy_default \
>>>> "cn=DefaultPassword,ou=Policies,dc=billing,dc=com"
>>>> ppolicy_use_lockout
>>>> ppolicy_hash_cleartext
> If the above extract from slapd.conf was quoted exactly, then it is wrong. Read the slapd.conf(5) manpage.
The "ppolicy_default" stuff is on one line. I reformatted it for my mail client.

--
Rick Stevens, Unix Geek    rps2@socal.rr.com
"OK, so you're a Ph.D. Just don't TOUCH anything!"
On Friday, 11 April 2008, Rick Stevens wrote:
> Howard Chu wrote:
>> Chris G. Sellers wrote:
>>> On Apr 10, 2008, at 6:35 AM, Gavin Henry wrote:
>>>> Rick Stevens wrote:
>>>>> From slapd.conf:
>>>>> overlay ppolicy
>>>>> ppolicy_default \
>>>>> "cn=DefaultPassword,ou=Policies,dc=billing,dc=com"
>>>>> ppolicy_use_lockout
>>>>> ppolicy_hash_cleartext
>> If the above extract from slapd.conf was quoted exactly, then it is wrong. Read the slapd.conf(5) manpage.
> The "ppolicy_default" stuff is on one line. I reformatted it for my mail client.
The indentation is the problem. The slapd.conf(5) manpage states this:
"If a line begins with white space, it is considered a continuation of the previous line."
All the ppolicy statements have to be on separate lines as they are separate config options.
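The continuation rule Ralf quotes can be checked offline. The block below is an added example, mine and not code from the thread or from OpenLDAP: it folds lines the way slapd.conf(5) describes (a line beginning with white space continues the previous one), then tokenises each logical line. The two configuration snippets are constructed to mirror Rick's: in the indented form the whole ppolicy block collapses into a single "overlay" directive trailing extra tokens, which is what the "extra cruft after <overlay>" diagnostic quoted later in the thread refers to; the flush-left form yields four separate directives. Only the leading-white-space rule is modelled, so the backslash from Rick's mail is left out of the samples.

```python
"""Fold slapd.conf lines per slapd.conf(5) and show why an indented ppolicy
block turns into one "overlay" directive with extra tokens.

Added example, not code from the thread or from OpenLDAP; both snippets are
constructed. Only the leading-white-space continuation rule is modelled.
"""
import shlex

# Constructed: the indented layout Rick described. Each indented line is a
# continuation of "overlay ppolicy", so slapd sees one long directive.
BROKEN_CONF = """\
overlay ppolicy
    ppolicy_default "cn=DefaultPassword,ou=Policies,dc=billing,dc=com"
    ppolicy_use_lockout
    ppolicy_hash_cleartext
"""

# Constructed: the corrected layout, each option flush-left on its own line.
FIXED_CONF = """\
overlay ppolicy
ppolicy_default "cn=DefaultPassword,ou=Policies,dc=billing,dc=com"
ppolicy_use_lockout
ppolicy_hash_cleartext
"""


def fold_lines(text):
    """Return logical lines: a physical line that begins with white space is
    appended to the previous logical line. Blank lines and '#' comments are
    skipped."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    return logical


def parse_directives(text):
    """Return [(keyword, [args...]), ...], one tuple per logical line.
    shlex keeps the quoted DN as a single argument."""
    directives = []
    for line in fold_lines(text):
        tokens = shlex.split(line)
        directives.append((tokens[0], tokens[1:]))
    return directives


def lint_overlay_lines(text):
    """Report an 'overlay' directive that carries more than the overlay name,
    the condition slapd reports as 'extra cruft after <overlay>'."""
    problems = []
    for n, (keyword, args) in enumerate(parse_directives(text), start=1):
        if keyword == "overlay" and len(args) > 1:
            problems.append(
                f"logical line {n}: overlay {args[0]!r} is followed by "
                f"extra tokens {args[1:]}")
    return problems


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(f"== {label} ==")
        for keyword, args in parse_directives(conf):
            print(f"  {keyword} {args}")
        for problem in lint_overlay_lines(conf):
            print("  PROBLEM:", problem)
```

Run against the broken snippet it prints one directive, "overlay" followed by five tokens, and flags it; against the fixed snippet it prints four directives and flags nothing.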
Ralf Haferkamp wrote:
> On Friday, 11 April 2008, Rick Stevens wrote:
>> Howard Chu wrote:
>>> If the above extract from slapd.conf was quoted exactly, then it is wrong. Read the slapd.conf(5) manpage.
>> The "ppolicy_default" stuff is on one line. I reformatted it for my mail client.
> The indentation is the problem. The slapd.conf(5) manpage states this:
> "If a line begins with white space, it is considered a continuation of the previous line."
> All the ppolicy statements have to be on separate lines as they are separate config options.
Oh. The example code showed indentations, I believe. I'll reformat and give it a whirl.
I really do appreciate the help. I'll keep the list posted.

--
Rick Stevens, Unix Geek    rps2@socal.rr.com
Working with Linux is like wrestling with a worthy opponent.
Working with Windows is like picking on an annoyed child with a loaded handgun.
Rick Stevens wrote:
> Ralf Haferkamp wrote:
>> The indentation is the problem. The slapd.conf(5) manpage states this:
>> "If a line begins with white space, it is considered a continuation of the previous line."
>> All the ppolicy statements have to be on separate lines as they are separate config options.
> Oh. The example code showed indentations, I believe. I'll reformat and give it a whirl.
> I really do appreciate the help. I'll keep the list posted.
As I promised, here's an update:
It was indeed the syntax of the slapd.conf. The indentations were the culprit. I'm a bit surprised that neither the slapd parser nor slaptest caught it. Ah, well.
The inability to specify the pwdCheckModule attribute for the policy also caused me grief until I realized that I had to include "objectClass: pwdPolicyChecker" to my policies. I don't recall seeing that in my google searches, but I'm a bit punch drunk from this whole thing.
Just wanted to extend my immense gratitude to all the help I've received on the list. As they'd say in 1920's Chicago, "Youse mugs is great!"

--
Rick Stevens, Unix Geek    rps2@socal.rr.com
I'm afraid my karma just ran over your dogma
Rick Stevens wrote:
> I'm a bit surprised that neither the slapd parser nor slaptest caught it. Ah, well.
If you used -d config with slap* from OpenLDAP 2.3, you would have gotten
slapd.conf: line 11: <overlay> extra cruft after <overlay> ignored.
If you used OpenLDAP 2.4, you would have gotten an error
slapd.conf: line 11: <overlay> extra cruft after <overlay>.
slaptest: bad configuration file!
since 2.4 is much less forgiving about unrecognized statements in slapd.conf. Strengthening those checks was deferred to 2.4 to avoid changing the traditionally forgiving behavior many people seem to appreciate at mid-life of 2.3.
p.

--
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati@sys-net.it
Pierangelo Masarati wrote:
> Rick Stevens wrote:
>> I'm a bit surprised that neither the slapd parser nor slaptest caught it. Ah, well.
> If you used -d config with slap* from OpenLDAP 2.3, you would have gotten
>
>   slapd.conf: line 11: <overlay> extra cruft after <overlay> ignored.
>
> If you used OpenLDAP 2.4, you would have gotten an error
>
>   slapd.conf: line 11: <overlay> extra cruft after <overlay>.
>   slaptest: bad configuration file!
>
> since 2.4 is much less forgiving about unrecognized statements in slapd.conf. Strengthening those checks was deferred to 2.4 to avoid changing the traditionally forgiving behavior many people seem to appreciate at mid-life of 2.3.
Ah. My test box is 2.3.39 (F8). The two live servers are 2.2.13 (RHEL 4.4) and 2.3.27 (CentOS 5.1). Soon, all servers will be CentOS 5.1 and I may install OpenLDAP 2.4.8 on them to replace the 2.3.37 stuff.

--
Rick Stevens, Unix Geek    rps2@socal.rr.com
"Very funny, Scotty. Now beam down my clothes."
Gavin Henry wrote:
> Are you searching for operational attributes by adding '+' onto your ldapsearch? Most of the ppolicy attributes are operational.
Whoops! Meant to send this to the list, but Thunderbird defaults to the original sender. Grrr!
Ah! No, I hadn't added the '+' bit. D'oh! Yes, I see at least the "pwdChanged" attribute on the new entry, but I don't see the "pwdHistory" stuff that I'd expect.

--
Rick Stevens, Unix Geek    rps2@socal.rr.com
If you can't beat your computer at chess...try kickboxing!