I am very new to OpenLDAP. I can run slapd and add/edit new entries. Now I want to implement pwdpolicy. I tried it several times. I would like to describe what I have done.
1. Run slapd without modifying anything.
2. Create an ou=policies. The script is as follows:
dn: ou=policies,dc=my-domain,dc=com
objectClass: organizationalUnit
objectClass: top
ou: policies
3. Write policy.schema.
4. Include policy.schema, but the overlay is not added. Run slapd again. In core.schema the attributeType userPassword was commented out.
5. Now I want to create policy.ldif. The script:
dn: cn=default,ou=policies,dc=my-domain,dc=com
cn: default
objectClass: pwdPolicy
objectClass: person
objectClass: top
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdExpireWarning: 600
pwdFailureCountInterval: 30
pwdGraceAuthNLimit: 5
pwdInHistory: 5
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdMaxAge: 0
pwdMaxFailure: 5
pwdMinAge: 0
pwdMinLength: 5
pwdMustChange: FALSE
pwdSafeModify: FALSE
#sn: 'dummy value' objectClass: organizationalUnit
It gives the error "Invalid syntax (21) pwdAttribute: value #0 invalid per syntax". Why does it give such an error? My assumption is that the ppolicy.schema attribute is not created successfully. Another point: in core.schema the attributeType userPassword is commented out. If I uncomment it, slapd -d 1 gives a duplicate attribute type. Please give a solution.
Now my questions are:
a. How can I be sure that my ppolicy.schema is created? I don't have any ppolicy.la.
b. What does policy.la do?
Rahima Shaheen wrote: [..]
You don't need this attribute, its value is implicit.
You don't create schemas, you just load them. You create entries, instantiating your schema. Try ldapsearch to check your current LDAP content. But if ldapadd returns an error, that's not even worth checking.
b. What does policy.la do?
.la files are libtool library files, wrapping the corresponding .so file for dynamic loading. You can use either the ppolicy.la or the ppolicy.so file in your slapd configuration file.
BTW, please use plain text, and not HTML, when posting here.
Buchan Milne wrote:
When the overlay is configured, it registers a syntax handler that accepts attribute names. If the overlay is not configured, then only numeric OIDs are accepted. So in general, when you see this error message, it means your configuration is wrong.
Rahima Shaheen wrote:
Other people have answered these questions (ppolicy.schema is simply included in your slapd.conf file and ppolicy.la is a wrapper library).
You include the ppolicy.schema file by using a directive such as:
include /etc/openldap/schema/ppolicy.schema
in your slapd.conf file. You also bring in the actual executable bit of ppolicy code via:
moduleload ppolicy.la
in your slapd.conf file. Finally, you have to add something like:
# Password policy enforcement...
# Set up password policies via the "ppolicy" overlay.
# Unless otherwise specified by a "pwdPolicySubentry"
# attribute in a user's entry, they will use the policy
# defined in the "ppolicy_default" entry here.
# We force "Invalid Credentials" errors on locked accounts
# and we store the passwords in LDAP in cleartext to satisfy
# SASL.
overlay ppolicy
ppolicy_default "cn=DefaultPassword,ou=Policies,dc=mycompany,dc=com"
ppolicy_use_lockout
ppolicy_hash_cleartext
in slapd.conf to set up how ppolicy works.
Now, as to how to set up the database itself, here is an LDIF file I use to seed my database by feeding it to slapcat:
-------------------------- CUT HERE ----------------------------------
# ROOT OF LDAP TREE
# Set up the root of the tree...
dn: dc=mycompany,dc=com
dc: mycompany
objectClass: top
objectClass: domain

# ORGANIZATIONAL UNITS
# This ou is used for the actual user IDs...
dn: ou=People,dc=mycompany,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

# This ou is for the user group IDs...
dn: ou=Group,dc=mycompany,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

# This ou is for password policies and the like...
dn: ou=Policies,dc=mycompany,dc=com
ou: Policies
objectClass: top
objectClass: organizationalUnit

# PASSWORD POLICIES
# This one is the default policy that all users get EXCEPT for the
# "special" folk (such as "sysman")...
dn: cn=DefaultPassword,ou=Policies,dc=mycompany,dc=com
cn: DefaultPassword
objectClass: top
objectClass: device
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
pwdAttribute: userPassword
pwdMinAge: 86400
pwdMaxAge: 7776000
pwdExpireWarning: 604800
pwdGraceAuthnLimit: 3
pwdMinLength: 10
pwdCheckQuality: 2
pwdCheckModule: check_password.so
pwdMaxFailure: 6
pwdLockout: TRUE
pwdLockoutDuration: 180
pwdFailureCountInterval: 120
pwdInHistory: 4
pwdAllowUserChange: TRUE
pwdMustChange: TRUE
pwdSafeModify: FALSE

# This one is the special policy that users whose passwords should
# NOT expire get (such as "sysman")...
dn: cn=NoExpirePassword,ou=Policies,dc=mycompany,dc=com
cn: NoExpirePassword
objectClass: top
objectClass: device
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdMinAge: 0
pwdMaxAge: 0
pwdExpireWarning: 0
pwdGraceAuthnLimit: 3
pwdMinLength: 10
pwdCheckQuality: 2
pwdMaxFailure: 3
pwdLockoutDuration: 180
pwdFailureCountInterval: 120
pwdInHistory: 4
pwdAllowUserChange: TRUE
pwdMustChange: TRUE
pwdSafeModify: TRUE

# LDAP MAIN AUTHORITY
# This group is for "sysman", the absolute authority for the LDAP
# database...
dn: cn=sysman,ou=Group,dc=mycompany,dc=com
objectClass: posixGroup
objectClass: top
cn: sysman
userPassword: Y0uR3@llyD0n+w@n++0kn0w!
gidNumber: 500

# This is sysman's user ID...
dn: uid=sysman,ou=People,dc=mycompany,dc=com
uid: sysman
cn: LDAP System Manager
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowMin: 1
shadowMax: 90
shadowWarning: 7
shadowLastChange: 13945
loginShell: /bin/bash
gecos: LDAP System Manager
homeDirectory: /home/sysman
uidNumber: 500
gidNumber: 500
userPassword: Y0uR3@llyD0n+w@n++0kn0w!
pwdPolicySubentry: cn=NoExpirePassword,ou=Policies,dc=mycompany,dc=com
-------------------------- CUT HERE ----------------------------------
Note that the "pwdCheckModule: check_password.so" bits are specifying a password checking module I wrote. If you want your own, you'll have to write it, compile it as a sharable library and put the binary in the libexec directory where slapd can get at it (typically /usr/local/libexec/openldap).
Note also that we were using cleartext passwords to satisfy some old SASL stuff inherent in our architecture. I don't like that, but I'm stuck with it. You'll need to change the "userPassword:" entries to reflect your encryption scheme (something along the lines of "userPassword: {sha1} encryptedstring" if you use SHA1 encryption).
- Rick Stevens, Unix Geek, rps2@socal.rr.com
- Lottery: A tax on people who are bad at math.
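An added example, not code from this thread or from OpenLDAP: a small Python LDIF linter that flags, before ldapadd, the three things the replies above turn on: a pwdAttribute given by name when "overlay ppolicy" is not loaded (the cause of the Invalid syntax (21) error; 2.5.4.35 is userPassword's numeric OID from RFC 4519), pwdLockout TRUE with no effective pwdMaxFailure, and userPassword values carried without a {SCHEME} prefix, i.e. in cleartext. The sample LDIF, the overlay_loaded flag and the finding texts are my own constructions.

```python
import re
USERPASSWORD_OID = "2.5.4.35"                  # OID of userPassword (RFC 4519)
OID_RE = re.compile(r"^\d+(\.\d+)+$")           # numeric-OID form
SCHEME_RE = re.compile(r"^\{[A-Za-z0-9-]+\}")   # {SSHA}, {SHA}, {CRYPT}, ...

# Constructed sample (not from the thread): a policy with the pitfalls above, a cleartext user.
SAMPLE_LDIF = """\
dn: cn=default,ou=policies,dc=example,dc=com
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdLockout: TRUE

dn: uid=alice,ou=people,dc=example,dc=com
userPassword: hunter2
"""

def parse_ldif(text):
    """Minimal LDIF reader: joins folded lines, skips comments, one dict per entry."""
    text = re.sub(r"\n ", "", text)             # a leading space continues the previous line
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        cur = {}
        for line in block.splitlines():
            if line.startswith("#"):
                continue
            attr, _, value = line.partition(":")
            cur.setdefault(attr.strip().lower(), []).append(value.strip())
        if cur:
            entries.append(cur)
    return entries

def lint_entry(entry, overlay_loaded):
    """Findings for one entry; overlay_loaded means slapd.conf has 'overlay ppolicy'."""
    found = []
    if "pwdpolicy" in {c.lower() for c in entry.get("objectclass", [])}:
        for v in entry.get("pwdattribute", []):
            if v != USERPASSWORD_OID and v.lower() != "userpassword":
                found.append(f"pwdAttribute {v!r} is not userPassword")
            elif not OID_RE.match(v) and not overlay_loaded:   # name needs the overlay's syntax handler
                found.append(f"pwdAttribute by name needs 'overlay ppolicy'; use OID {USERPASSWORD_OID}")
        if entry.get("pwdlockout", ["FALSE"])[0].upper() == "TRUE" and \
           int(entry.get("pwdmaxfailure", ["0"])[0]) == 0:
            found.append("pwdLockout TRUE with pwdMaxFailure 0: lockout never triggers")
    for pw in entry.get("userpassword", []):
        if not SCHEME_RE.match(pw):              # ppolicy_hash_cleartext would hash this server-side
            found.append("userPassword lacks a {SCHEME} prefix: stored in cleartext")
    return found

def lint_ldif(text, overlay_loaded=False):
    return {e["dn"][0]: f for e in parse_ldif(text) if (f := lint_entry(e, overlay_loaded))}
```

Run lint_ldif(SAMPLE_LDIF) to see both entries flagged; pass overlay_loaded=True once slapd.conf really has the overlay and the pwdAttribute finding goes away.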
Hi all,
I already solved it myself. Thank you all for your help. I just simply wrote the OID instead of userPassword in the LDIF file.
From: Rahima Shaheen
Sent: Tuesday, April 28, 2009 12:45 PM
To: openldap-software@openldap.org
Subject: how implement pwdpolicy