Hi Dennis/All,

I figured out why the password policies are not working. The reason is that they did not get loaded successfully into the LDAP DB. I am getting the error below:

adding new entry "ou=Policies,dc=j,dc=example=,dc=com"
ldap_add: Server is unwilling to perform (53)
        additional info: no global superior knowledge

What I read is that the error "no global superior knowledge" means that slapd doesn't know where to put your new entry. I am not getting what it means and how to fix it. Please help!!

 
Regards
Sam


On Thursday, 27 February 2014 10:22 AM, saurabh ohri <sam_ohri@yahoo.co.in> wrote:
Hi Denis,

I did the following steps in order to get the password policy to work; still nothing is working.

1) In my slapd.conf file I added the lines below:
# Password Policy Configuration
overlay ppolicy
ppolicy_default "cn=default,ou=Policies,dc=j,dc=example,dc=com"
ppolicy_use_lockout
ppolicy_hash_cleartext

# ACL Entry for Password Policies
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to *
        by self write
        by * read
2) Loaded the password policy .ldif file into LDAP with ldapadd. O/t of the password policy .ldif file is:
# Creates a Policies OU (Organizational Unit)
dn: ou=Policies,dc=j,dc=cinglevue=,dc=com
objectClass: organizationalUnit
ou: Policies

# Creates a Policy object in Policies OU (Organizational Unit)
dn: cn=default,ou=Policies,dc=j,dc=cinglevue,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdMaxAge: 3888000
pwdExpireWarning: 604800
pwdInHistory: 3
pwdCheckQuality: 1
pwdMinLength: 8
pwdMaxFailure: 5
pwdLockout: TRUE
pwdLockoutDuration: 1800
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE

 
Regards
Sam
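
Added example, not part of the original thread: slapd answers "no global superior knowledge" when an entry's DN falls under none of its configured database suffixes, so this pre-flight check compares every `dn:` in an LDIF file against the suffix before ldapadd is run. The function names are hypothetical, the suffix is assumed to equal the search base shown in the thread, and the comparison is lexical (case-insensitive) rather than schema-aware.

```python
import base64
import re

def parse_dn(dn):
    """Split a DN into lower-cased (attribute, value) RDN pairs, leftmost first."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):      # split on unescaped commas only
        attr, _, value = rdn.partition("=")    # a later '=' stays in the value
        pairs.append((attr.strip().lower(), value.strip().lower()))
    return pairs

def entries_outside_suffix(ldif_text, suffix):
    """Return [(dn, reason)] for every LDIF entry whose DN is not under suffix."""
    want = parse_dn(suffix)
    unfolded = re.sub(r"\r?\n ", "", ldif_text)   # undo LDIF line folding
    problems = []
    for line in unfolded.splitlines():
        m = re.match(r"dn(::?)\s*(.*)", line, re.IGNORECASE)
        if not m:
            continue
        dn = m.group(2).strip()
        if m.group(1) == "::":                 # base64-encoded DN
            dn = base64.b64decode(dn).decode("utf-8")
        got = parse_dn(dn)
        if len(got) >= len(want) and got[-len(want):] == want:
            continue                           # a database suffix covers this DN
        reason = "DN has fewer RDNs than the suffix"
        for g, w in zip(reversed(got), reversed(want)):
            if g != w:
                reason = "RDN '%s=%s' differs from suffix RDN '%s=%s'" % (g + w)
                break
        problems.append((dn, reason))
    return problems

# Constructed sample: the two DNs are copied from the thread (the ldapadd error
# output and ppolicy_default); the suffix is an assumption (the search base).
SUFFIX = "dc=j,dc=example,dc=com"
SAMPLE_LDIF = """\
dn: ou=Policies,dc=j,dc=example=,dc=com
objectClass: organizationalUnit
ou: Policies

dn: cn=default,ou=Policies,dc=j,dc=example,dc=com
objectClass: pwdPolicy
cn: default
"""

if __name__ == "__main__":
    for dn, reason in entries_outside_suffix(SAMPLE_LDIF, SUFFIX):
        print("outside %s: %s (%s)" % (SUFFIX, dn, reason))
```
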


On Wednesday, 26 February 2014 8:02 PM, Dennis Leeuw <D.Leeuw@umcutrecht.nl> wrote:

Have a look at the shadow* attributes from the shadowAccount class.
Those should help you enforce password-related stuff. For self
changes of passwords use an ACL like:
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

Greetings,

Dennis

On 02/26/2014 11:50 AM, Saurabh Ohri wrote:
> Thanks Dennis. You are right the problem is not related to ldap
> but was looking for help against it.
>
> I am able to have successful authentication from ldap on both mac
> and windows after trying 50 combinations of configuration 😄
>
> But finally it worked and our effort paid off.
>
> Thanks again and will share the information/ document soon.
>
> Also it would be of great help if you could share some details on
> enforcing password policies like self user password change, force
> password change after first login etc. I did some config but it is
> not working even for Linux.
>
> Thanks Sam
>
> Sent from my iPhone
>
>> On 26 Feb 2014, at 4:40 pm, Dennis Leeuw <D.Leeuw@umcutrecht.nl>
>> wrote:
>>
>>>> On 02/26/2014 05:26 AM, saurabh ohri wrote: Hi all,
>>>>
>>>> I am new to openldap and I managed to install and configure
>>>> the same. My linux client is working well but not able to
>>>> authenticate windows and mac clients.
>>>>
>>>> Have been trying since past 2 days by google and other posts
>>>> but still facing issue. Any help would be highly
>>>> appreciated.
>>>>
>>>> Details: using openldap-2.4.23-34 on RHEL6.5
>>>> *Client details:*
>>>> Mac 10.8.5 -- tried configuring the network account server but
>>>> it is showing RED. Error This server is not responding.
>>>> Windows 7 – tried installing GINA but it is giving me invalid
>>>> credentials error.
>>>>
>>>> Configuration file on server:
>>>> Password:
>>>> # extended LDIF
>>>> #
>>>> # LDAPv3
>>>> # base <dc=j,dc=example,dc=com> (default) with scope subtree
>>>> # filter: (objectclass=*)
>>>> # requesting: ALL
>>>> #
>>>>
>>>> # j.example.com
>>>> dn: dc=j,dc=example,dc=com
>>>> objectClass: top
>>>> objectClass: dcObject
>>>> objectClass: organization
>>>> o: example Organization
>>>> description: example Inc DIT
>>>> dc: j
>>>>
>>>> # Users, j.example.com
>>>> dn: ou=Users,dc=j,dc=example,dc=com
>>>> objectClass: organizationalUnit
>>>> ou: Users
>>>>
>>>> # Groups, j.example.com
>>>> dn: ou=Groups,dc=j,dc=example,dc=com
>>>> objectClass: organizationalUnit
>>>> ou: Groups
>>>>
>>>> # Admins, j.example.com
>>>> dn: ou=Admins,dc=j,dc=example,dc=com
>>>> objectClass: organizationalUnit
>>>> ou: Admins
>>>>
>>>> # sohri, Users, j.example.com
>>>> dn: uid=sohri,ou=Users,dc=j,dc=example,dc=com
>>>> uid: sohri
>>>> cn: sohri
>>>> sn: 1
>>>> objectClass: top
>>>> objectClass: posixAccount
>>>> objectClass: inetOrgPerson
>>>> loginShell: /bin/bash
>>>> homeDirectory: /home/sohri
>>>> uidNumber: 15000
>>>> gidNumber: 10000
>>>> userPassword:: e1NTSEF9eWdkWExpZUdIT01YRytRM3ZmZWdNY3QwSmd2bFNqSkcg
>>>> mail: sam.ohri@example.com
>>>> gecos: Local User
>>>>
>>>> # tpearce, Users, j.example.com
>>>> dn: uid=tpearce,ou=Users,dc=j,dc=example,dc=com
>>>> uid: tpearce
>>>> cn: tpearce
>>>> sn: 2
>>>> objectClass: top
>>>> objectClass: posixAccount
>>>> objectClass: inetOrgPerson
>>>> loginShell: /bin/bash
>>>> homeDirectory: /home/tpearce
>>>> uidNumber: 15001
>>>> gidNumber: 10000
>>>> userPassword:: e1NTSEF9eWdkWExpZUdIT01YRytRM3ZmZWdNY3QwSmd2bFNqSkc=
>>>> mail: tony.pearce@example.com
>>>> gecos: local User
>>>>
>>>> # ldapusers, Groups, j.example.com
>>>> dn: cn=ldapusers,ou=Groups,dc=j,dc=example,dc=com
>>>> objectClass: posixGroup
>>>> objectClass: top
>>>> cn: ldapusers
>>>> userPassword:: e2NyeXB0fXg=
>>>> gidNumber: 10000
>>>> memberUid: uid=sohri
>>>> memberUid: uid=tpearce
>>>>
>>>> # search result
>>>> search: 2
>>>> result: 0 Success
>>>>
>>>> # numResponses: 8
>>>> # numEntries: 7
>>>>
>>>>
>>>> Regards Sam
>
> Windows is created to work against an Active Directory system,
> meaning you have an LDAP authorization and Kerberos
> authentication. Connecting Windows to a LDAP for both is
> problematic to say the least. The easiest solution is using SAMBA
> against LDAP and make the Windows systems login against the SAMBA
> server. If you like to make it work with GINA, contact them, and to
> understand what is going on you might want to read:
> http://pig.made-it.com/win-boot-test.html No guarantees, I did my
> best to document what is happening. Hope I did it right.
>
> Mac OS X did once work against LDAP, I have no idea what the
> current state is. On 10.6.5 go to Preferences, Accounts. Click
> Login Options go to Account Server and click Join. Select
> OpenDirectory utility. Click LDAPv3 and click the edit button.
> Click show options, click New, type the address of your ldap
> server. Give your account credentials, pick template RFC 2307, set
> search base. And you're done...
>
> And finally: None of your problems is OpenLDAP related since it
> works on your Linux machine.
>
> Greetings,
>
> Dennis

--
ICT Staff Member
Divisie Biomedische Genetica
UMC Utrecht
Heidelberglaan 100 STR2.126
3584 CX  Utrecht
The Netherlands
06 27744048
internal: 64048