9:21 a.m.
I've got a question regarding the ppolicy overlay. I've read the docs I
can find for it on the web, but there's a couple of holes in them and in
my knowledge.
I've got the config set up (schema, module load, external check library)
and such. I've got the default policy DN in the database and such.
From slapd.conf:
overlay ppolicy
ppolicy_default \
"cn=DefaultPassword,ou=Policies,dc=billing,dc=com"
ppolicy_use_lockout
ppolicy_hash_cleartext
From ldapsearch -b "ou=policies...":
dn: cn=DefaultPassword,ou=Policies,dc=billing,dc=com
cn: DefaultPassword
objectClass: top
objectClass: device
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdMinAge: 86400
pwdMaxAge: 7776000
pwdExpireWarning: 604800
pwdGraceAuthNLimit: 3
pwdMinLength: 10
pwdCheckQuality: 2
pwdMaxFailure: 3
pwdLockoutDuration: 180
pwdFailureCountInterval: 120
pwdInHistory: 4
pwdAllowUserChange: TRUE
pwdMustChange: TRUE
pwdSafeModify: TRUE
When I add a user and do an ldapsearch of that user, should I see any of
the ppolicy user attributes such as "pwdReset" or "pwdChangedTime" in
the entry right off the bat or must something happen first (such as
having the user change their password)? I ask because I see nothing
and hence don't know if ppolicy is ruling the roost or not.
Does ppolicy only affect a specific objectClass of entry (e.g.
"inetOrgPerson") or will it take effect on any entry with a
"userPassword" entry? None of my user accounts have "inetOrgPerson"
object classes. Typical entry:
dn: uid=testuser,ou=People,dc=billing,dc=com
uid: testuser
cn: Test User
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowMin: 1
shadowMax: 90
shadowWarning: 7
loginShell: /bin/bash
gecos: Test User
homeDirectory: /home/testuser
uidNumber: 32004
gidNumber: 32004
userPassword:: OXgtJnhFM2VsZVls
shadowLastChange: 13978
Oh, by the way, that user was JUST added.
--
----------------------------------------------------------------------
- Rick Stevens, Unix Geek rps2(a)socal.rr.com -
- -
- I haven't lost my mind. It's backed up on tape somewhere, but -
- probably not recoverable. -
----------------------------------------------------------------------
3:35 a.m.
Rick Stevens wrote:
I've got a question regarding the ppolicy overlay. I've read
the docs I
can find for it on the web, but there's a couple of holes in them and in
my knowledge.
I've got the config set up (schema, module load, external check library)
and such. I've got the default policy DN in the database and such.
From slapd.conf:
overlay ppolicy
ppolicy_default \
"cn=DefaultPassword,ou=Policies,dc=billing,dc=com"
ppolicy_use_lockout
ppolicy_hash_cleartext
Are you searching for operational attributes by adding '+' onto you
ldapsearch? Most of the ppolicy attributes are operational.
Gavin.
--
Kind Regards,
Gavin Henry.
Managing Director.
T +44 (0) 1224 279484
M +44 (0) 7930 323266
F +44 (0) 1224 824887
E ghenry(a)suretecsystems.com
Open Source. Open Solutions(tm).
http://www.suretecsystems.com/
7:35 a.m.
Rick,
try
ldapsearch -{normal stuff here} cn=<value> '*' '+'
And then man ldapsearch and read the 'operational' section of the
manpage (near the top)
On Apr 10, 2008, at 6:35 AM, Gavin Henry wrote:
Rick Stevens wrote:
> I've got a question regarding the ppolicy overlay. I've read the
> docs I
> can find for it on the web, but there's a couple of holes in them
> and in
> my knowledge.
> I've got the config set up (schema, module load, external check
> library)
> and such. I've got the default policy DN in the database and such.
> From slapd.conf:
> overlay ppolicy
> ppolicy_default \
> "cn=DefaultPassword,ou=Policies,dc=billing,dc=com"
> ppolicy_use_lockout
> ppolicy_hash_cleartext
Are you searching for operational attributes by adding '+' onto you
ldapsearch? Most of the ppolicy attributes are operational.
Gavin.
--
Kind Regards,
Gavin Henry.
Managing Director.
T +44 (0) 1224 279484
M +44 (0) 7930 323266
F +44 (0) 1224 824887
E ghenry(a)suretecsystems.com
Open Source. Open Solutions(tm).
http://www.suretecsystems.com/
______________________________________________
Chris G. Sellers | NITLE - Technology Team
734.661.2318 | chris.sellers(a)nitle.org
AIM: imthewherd | GoogleTalk: cgseller(a)gmail.com
10:33 a.m.
Chris G. Sellers wrote:
Rick,
try
ldapsearch -{normal stuff here} cn=<value> '*' '+'
And then man ldapsearch and read the 'operational' section of the
manpage (near the top)
On Apr 10, 2008, at 6:35 AM, Gavin Henry wrote:
> Rick Stevens wrote:
>> I've got a question regarding the ppolicy overlay. I've read the
>> docs I
>> can find for it on the web, but there's a couple of holes in them
>> and in
>> my knowledge.
>> I've got the config set up (schema, module load, external check
>> library)
>> and such. I've got the default policy DN in the database and such.
>> From slapd.conf:
>> overlay ppolicy
>> ppolicy_default \
>> "cn=DefaultPassword,ou=Policies,dc=billing,dc=com"
>> ppolicy_use_lockout
>> ppolicy_hash_cleartext
If the above extract from slapd.conf was quoted exactly, then it is wrong.
Read the slapd.conf(5) manpage.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
3:32 p.m.
Howard Chu wrote:
Chris G. Sellers wrote:
> Rick,
>
> try
>
> ldapsearch -{normal stuff here} cn=<value> '*' '+'
>
> And then man ldapsearch and read the 'operational' section of the
> manpage (near the top)
>
> On Apr 10, 2008, at 6:35 AM, Gavin Henry wrote:
>> Rick Stevens wrote:
>>> I've got a question regarding the ppolicy overlay. I've read the
>>> docs I
>>> can find for it on the web, but there's a couple of holes in them
>>> and in
>>> my knowledge.
>>> I've got the config set up (schema, module load, external check
>>> library)
>>> and such. I've got the default policy DN in the database and such.
>>> From slapd.conf:
>>> overlay ppolicy
>>> ppolicy_default \
>>> "cn=DefaultPassword,ou=Policies,dc=billing,dc=com"
>>> ppolicy_use_lockout
>>> ppolicy_hash_cleartext
If the above extract from slapd.conf was quoted exactly, then it is wrong.
Read the slapd.conf(5) manpage.
The "ppolicy_default" stuff is on one line. I reformatted it for my
mail client.
----------------------------------------------------------------------
- Rick Stevens, Unix Geek rps2(a)socal.rr.com -
- -
- "OK, so you're a Ph.D. Just don't TOUCH anything!" -
----------------------------------------------------------------------
3:41 a.m.
On Freitag, 11. April 2008, Rick Stevens wrote:
Howard Chu wrote:
> Chris G. Sellers wrote:
>> Rick,
>>
>> try
>>
>> ldapsearch -{normal stuff here} cn=<value> '*' '+'
>>
>> And then man ldapsearch and read the 'operational' section of the
>> manpage (near the top)
>>
>> On Apr 10, 2008, at 6:35 AM, Gavin Henry wrote:
>>> Rick Stevens wrote:
>>>> I've got a question regarding the ppolicy overlay. I've read
>>>> the docs I
>>>> can find for it on the web, but there's a couple of holes in
>>>> them and in
>>>> my knowledge.
>>>> I've got the config set up (schema, module load, external check
>>>> library)
>>>> and such. I've got the default policy DN in the database and
>>>> such. From slapd.conf:
>>>> overlay ppolicy
>>>> ppolicy_default \
>>>> "cn=DefaultPassword,ou=Policies,dc=billing,dc=com"
>>>> ppolicy_use_lockout
>>>> ppolicy_hash_cleartext
>
> If the above extract from slapd.conf was quoted exactly, then it is
> wrong. Read the slapd.conf(5) manpage.
The "ppolicy_default" stuff is on one line. I reformatted it for my
mail client.
The indentation is the problem. The slapd.conf(5) manpage states
this:
"If a line begins with white space, it is considered a continuation
of the previous line."
All the ppolicy statements have to be on separate lines as they are
separate config options.
--
Ralf
9:07 a.m.
Ralf Haferkamp wrote:
On Freitag, 11. April 2008, Rick Stevens wrote:
> Howard Chu wrote:
>> Chris G. Sellers wrote:
>>> Rick,
>>>
>>> try
>>>
>>> ldapsearch -{normal stuff here} cn=<value> '*' '+'
>>>
>>> And then man ldapsearch and read the 'operational' section of the
>>> manpage (near the top)
>>>
>>> On Apr 10, 2008, at 6:35 AM, Gavin Henry wrote:
>>>> Rick Stevens wrote:
>>>>> I've got a question regarding the ppolicy overlay. I've
read
>>>>> the docs I
>>>>> can find for it on the web, but there's a couple of holes in
>>>>> them and in
>>>>> my knowledge.
>>>>> I've got the config set up (schema, module load, external check
>>>>> library)
>>>>> and such. I've got the default policy DN in the database and
>>>>> such. From slapd.conf:
>>>>> overlay ppolicy
>>>>> ppolicy_default \
>>>>> "cn=DefaultPassword,ou=Policies,dc=billing,dc=com"
>>>>> ppolicy_use_lockout
>>>>> ppolicy_hash_cleartext
>> If the above extract from slapd.conf was quoted exactly, then it is
>> wrong. Read the slapd.conf(5) manpage.
> The "ppolicy_default" stuff is on one line. I reformatted it for my
> mail client.
The indentation is the problem. The slapd.conf(5) manpage states this:
"If a line begins with white space, it is considered a continuation
of the previous line."
All the ppolicy statements have to be on separate lines as they are
separate config options.
Oh. The example code showed indentations, I believe. I'll reformat
and give it a whirl.
I really do appreciate the help. I'll keep the list posted.
----------------------------------------------------------------------
- Rick Stevens, Unix Geek rps2(a)socal.rr.com -
- -
- Working with Linux is like wrestling with a worthy opponent. -
- Working with Windows is like picking on an annoyed child with a -
- loaded handgun. -
----------------------------------------------------------------------
11:56 a.m.
Rick Stevens wrote:
Ralf Haferkamp wrote:
> On Freitag, 11. April 2008, Rick Stevens wrote:
>> Howard Chu wrote:
>>> Chris G. Sellers wrote:
>>>> Rick,
>>>>
>>>> try
>>>>
>>>> ldapsearch -{normal stuff here} cn=<value> '*'
'+'
>>>>
>>>> And then man ldapsearch and read the 'operational' section of
the
>>>> manpage (near the top)
>>>>
>>>> On Apr 10, 2008, at 6:35 AM, Gavin Henry wrote:
>>>>> Rick Stevens wrote:
>>>>>> I've got a question regarding the ppolicy overlay. I've
read
>>>>>> the docs I
>>>>>> can find for it on the web, but there's a couple of holes in
>>>>>> them and in
>>>>>> my knowledge.
>>>>>> I've got the config set up (schema, module load, external
check
>>>>>> library)
>>>>>> and such. I've got the default policy DN in the database
and
>>>>>> such. From slapd.conf:
>>>>>> overlay ppolicy
>>>>>> ppolicy_default \
>>>>>> "cn=DefaultPassword,ou=Policies,dc=billing,dc=com"
>>>>>> ppolicy_use_lockout
>>>>>> ppolicy_hash_cleartext
>>> If the above extract from slapd.conf was quoted exactly, then it is
>>> wrong. Read the slapd.conf(5) manpage.
>> The "ppolicy_default" stuff is on one line. I reformatted it for my
>> mail client.
> The indentation is the problem. The slapd.conf(5) manpage states this:
>
> "If a line begins with white space, it is considered a continuation
> of the previous line."
>
> All the ppolicy statements have to be on separate lines as they are
> separate config options.
Oh. The example code showed indentations, I believe. I'll reformat
and give it a whirl.
I really do appreciate the help. I'll keep the list posted.
As I promised, here's an update:
It was indeed the syntax of the slapd.conf. The indentations were the
culprit. I'm a bit surprised that neither the slapd parser nor slaptest
caught it. Ah, well.
The inability to specify the pwdCheckModule attribute for the policy
also caused me grief until I realized that I had to include
"objectClass: pwdPolicyChecker" to my policies. I don't recall seeing
that in my google searches, but I'm a bit punch drunk from this whole
thing.
Just wanted to extend my immense gratitude to all the help I've received
on the list. As they'd say in 1920's Chicago, "Youse mugs is great!"
----------------------------------------------------------------------
- Rick Stevens, Unix Geek rps2(a)socal.rr.com -
- -
- I'm afraid my karma just ran over your dogma -
----------------------------------------------------------------------
3:55 a.m.
Rick Stevens wrote:
I'm a bit surprised that neither the slapd parser nor slaptest
caught it. Ah, well.
If you used -d config with slap* from OpenLDAP 2.3, you would have gotten
slapd.conf: line 11: <overlay> extra cruft after <overlay> ignored.
If you used OpenLDAP 2.4, you would have gotten an error
slapd.conf: line 11: <overlay> extra cruft after <overlay>.
slaptest: bad configuration file!
since 2.4 is much less forgiving about unrecognized statements in
slapd.conf. Strengthening those checks was deferred to 2.4 to avoid
changing the traditionally forgiving behavior many people seem to
appreciate at mid-life of 2.3.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati(a)sys-net.it
---------------------------------------
10:13 a.m.
Pierangelo Masarati wrote:
Rick Stevens wrote:
> I'm a bit surprised that neither the slapd parser nor slaptest
> caught it. Ah, well.
If you used -d config with slap* from OpenLDAP 2.3, you would have gotten
slapd.conf: line 11: <overlay> extra cruft after <overlay> ignored.
If you used OpenLDAP 2.4, you would have gotten an error
slapd.conf: line 11: <overlay> extra cruft after <overlay>.
slaptest: bad configuration file!
since 2.4 is much less forgiving about unrecognized statements in
slapd.conf. Strengthening those checks was deferred to 2.4 to avoid
changing the traditionally forgiving behavior many people seem to
appreciate at mid-life of 2.3.
Ah. My test box is 2.3.39 (F8). The two live servers are 2.2.13 (RHEL
4.4) and 2.3.27 (CentOS 5.1). Soon, all servers will be CentOS 5.1 and
I may install OpenLDAP 2.4.8 on them to replace the 2.3.37 stuff.
----------------------------------------------------------------------
- Rick Stevens, Unix Geek rps2(a)socal.rr.com -
- -
- "Very funny, Scotty. Now beam down my clothes." -
----------------------------------------------------------------------
3:30 p.m.
Gavin Henry wrote:
Rick Stevens wrote:
> I've got a question regarding the ppolicy overlay. I've read the docs I
> can find for it on the web, but there's a couple of holes in them and in
> my knowledge.
>
> I've got the config set up (schema, module load, external check library)
> and such. I've got the default policy DN in the database and such.
>
> From slapd.conf:
> overlay ppolicy
> ppolicy_default \
> "cn=DefaultPassword,ou=Policies,dc=billing,dc=com"
> ppolicy_use_lockout
> ppolicy_hash_cleartext
>
Are you searching for operational attributes by adding '+' onto you
ldapsearch? Most of the ppolicy attributes are operational.
Whoops! Meant to send this to the list, but Thunderbird defaults to the
original sender. Grrr!
Ah! No, I hadn't added the '+' bit. D'oh! Yes, I see at least the
"pwdChanged" attribute on the new entry, but I don't see the
"pwdHistory" stuff that I'd expect.
----------------------------------------------------------------------
- Rick Stevens, Unix Geek rps2(a)socal.rr.com -
- -
- If you can't beat your computer at chess...try kickboxing! -
----------------------------------------------------------------------
5194
days inactive
5199
days old
openldap-software@openldap.org
10 comments
6 participants
participants (6)
-
Chris G. Sellers -
Gavin Henry -
Howard Chu -
Pierangelo Masarati -
Ralf Haferkamp -
Rick Stevens