Hello!
I have a problem with the ppolicy module. I have two LDAP trees, dc=example,dc=com and o=external, and I want to have password policies (lockout after 5 failed login attempts). I can see that it works on dc=example,dc=com, but it does not work on o=external.
Both trees save failed login attempts, but only the first tree locks people out; o=external just saves more and more failed attempts but never locks the user out.
I have tried a lot of things and I cannot figure out what the problem is. I hope someone here can help me.
It is two replicated Ubuntu 10.04 servers with OpenLDAP 2.4.21-0ubuntu5.7, and the ppolicy configuration looks like this:
ppolmodule.ldif:
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModuleLoad: ppolicy.la
ldapadd -x -D "cn=admin,cn=config" -w password -f ~/ppolmodule.ldif -h ldap1
ppol.ldif:
dn: ou=policies,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: policies

dn: cn=default,ou=policies,dc=example,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: 2.5.4.35
pwdLockout: TRUE
pwdLockoutDuration: 1800
pwdMaxFailure: 5
pwdMinLength: 6
ldapadd -x -D "cn=admin,dc=example,dc=com" -w password -f ~/ppol.ldif -h ldap1
ppol_external.ldif:
dn: ou=policies,o=external
objectClass: organizationalUnit
objectClass: top
ou: policies

dn: cn=default,ou=policies,o=external
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: 2.5.4.35
pwdLockout: TRUE
pwdLockoutDuration: 1800
pwdMaxFailure: 5
pwdMinLength: 6
ldapadd -x -D "cn=admin,dc=example,dc=com" -w password -f ~/ppol_external.ldif -h ldap1
ppoloverlay.ldif:
dn: olcOverlay=ppolicy,olcDatabase={1}bdb,cn=config
olcOverlay: ppolicy
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: FALSE
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=com
ppoloverlay_external.ldif:
dn: olcOverlay=ppolicy,olcDatabase={2}bdb,cn=config
olcOverlay: ppolicy
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: FALSE
olcPPolicyDefault: cn=default,ou=policies,o=external
ldapadd -x -D "cn=admin,cn=config" -w password -f ~/ppoloverlay.ldif -h ldap1
ldapadd -x -D "cn=admin,cn=config" -w password -f ~/ppoloverlay_external.ldif -h ldap1
I tried with only one default policy for both trees as well, it made no difference.
/Mikael
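A check that follows on from the symptom described above, added here as an example; it is not code from Mikael's post or from the OpenLDAP project. With olcPPolicyUseLockout set to FALSE the client only ever sees invalidCredentials, so the only place the lockout state is visible is in the operational attributes the overlay writes on the user entry: pwdFailureTime (one value per failed bind), pwdAccountLockedTime (set when lockout fires) and pwdPolicySubentry (an explicit per-user policy, which overrides the database's olcPPolicyDefault). The script parses an ldapsearch LDIF dump of the two trees and reports, per user, which policy entry should govern it and whether the stored counters are consistent with that policy. It assumes the password-policy draft semantics that slapo-ppolicy implements (lockout fires once the pwdFailureTime values reach pwdMaxFailure, pwdFailureCountInterval 0 means failures never age out, pwdLockoutDuration 0 means locked until an admin clears it). The embedded LDIF, the user names alice and bob and the timestamps are constructed to mirror the two trees in the post, with o=external accumulating failures but never getting a pwdAccountLockedTime.

```python
"""Audit ppolicy lockout state from an ldapsearch LDIF dump (hypothetical helper,
not part of OpenLDAP).  Feed it e.g. the output of
  ldapsearch -x -D "cn=admin,dc=example,dc=com" -w ... -b o=external '(uid=*)' '*' '+'
where '+' requests the operational attributes.  SAMPLE_LDIF below is constructed."""
import base64
from datetime import datetime, timedelta, timezone

def parse_time(value):
    """ppolicy writes GeneralizedTime, with a microsecond fraction on pwdFailureTime."""
    stamp = value.split(".")[0].rstrip("Z") + "Z"
    return datetime.strptime(stamp, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_ldif(text):
    """Minimal LDIF reader: folds continuations, decodes 'attr:: base64', one dict per entry."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # continuation line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line.strip() and current:
            entries.append(current)
            current = {}
        elif line.strip() and not line.startswith("#"):
            attr, _, value = line.partition(":")
            if value.startswith(":"):
                value = base64.b64decode(value[1:].strip()).decode()
            current.setdefault(attr.strip(), []).append(value.strip())
    return entries

def lockout_state(entry, policy, now):
    """What the overlay should have done for `entry` under `policy` at time `now`."""
    def opt(attr, default):
        return policy.get(attr, [default])[0]
    max_fail = int(opt("pwdMaxFailure", "0"))
    interval = int(opt("pwdFailureCountInterval", "0"))    # 0: failures never age out
    duration = int(opt("pwdLockoutDuration", "0"))          # 0: locked until admin reset
    locked = entry.get("pwdAccountLockedTime")
    if locked:
        age = now - parse_time(locked[0])
        return "locked" if duration == 0 or age < timedelta(seconds=duration) else "lock-expired"
    failures = [parse_time(v) for v in entry.get("pwdFailureTime", [])]
    if interval:
        failures = [t for t in failures if now - t <= timedelta(seconds=interval)]
    if opt("pwdLockout", "FALSE").upper() == "TRUE" and 0 < max_fail <= len(failures):
        return "should-be-locked"   # counters reached pwdMaxFailure, yet no pwdAccountLockedTime
    return "ok"

def audit(ldif_text, defaults, now):
    """Map each user DN to (policy DN governing it, verdict).  `defaults` maps each
    database suffix to its olcPPolicyDefault; a pwdPolicySubentry on the entry wins."""
    entries = {e["dn"][0]: e for e in parse_ldif(ldif_text)}
    report = {}
    for dn, entry in entries.items():
        if "userPassword" not in entry:
            continue                                        # policies, containers
        default = next((p for s, p in defaults.items() if dn.lower().endswith("," + s.lower())), None)
        policy_dn = entry.get("pwdPolicySubentry", [default])[0]
        policy = entries.get(policy_dn)
        report[dn] = (policy_dn, lockout_state(entry, policy, now) if policy else "policy-missing")
    return report

DEFAULT_POLICIES = {"dc=example,dc=com": "cn=default,ou=policies,dc=example,dc=com",
                    "o=external": "cn=default,ou=policies,o=external"}
NOW = parse_time("20240115120000Z")   # fixed reference time for the constructed sample
SAMPLE_LDIF = """\
dn: cn=default,ou=policies,dc=example,dc=com
objectClass: pwdPolicy
pwdLockout: TRUE
pwdLockoutDuration: 1800
pwdMaxFailure: 5

dn: cn=default,ou=policies,o=external
objectClass: pwdPolicy
pwdLockout: TRUE
pwdLockoutDuration: 1800
pwdMaxFailure: 5

dn: uid=alice,ou=people,dc=example,dc=com
userPassword:: e1NTSEF9cGxhY2Vob2xkZXI=
pwdFailureTime: 20240115114803.000001Z
pwdFailureTime: 20240115114904.000001Z
pwdFailureTime: 20240115115000.000001Z
pwdAccountLockedTime: 20240115115000Z

dn: uid=bob,ou=people,o=external
userPassword:: e1NTSEF9cGxhY2Vob2xkZXI=
pwdFailureTime: 20240115113000.000001Z
pwdFailureTime: 20240115113100.000001Z
pwdFailureTime: 20240115113200.000001Z
pwdFailureTime: 20240115113300.000001Z
pwdFailureTime: 20240115113400.000001Z
"""

if __name__ == "__main__":
    for dn, (policy_dn, verdict) in audit(SAMPLE_LDIF, DEFAULT_POLICIES, NOW).items():
        print(f"{verdict:17} {dn}  (policy: {policy_dn})")
```

Run against the constructed sample it reports alice as "locked" and bob as "should-be-locked"; on a real dump the interesting column is the policy DN, since a user whose pwdFailureTime values keep growing without a pwdAccountLockedTime is either governed by a policy entry other than the one you expect, or by none at all (a "policy-missing" verdict when the default DN does not resolve to an entry in the dump).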