Hello all,
I'm currently seeing an issue with slapo-ppolicy and individual account overrides not being respected.
CentOS 6.4 with system-provided openldap-2.4.23-32.el6_4.1.x86_64
slapd.conf:

include /etc/openldap/schema/ppolicy.schema
...
moduleload ppolicy.la
...
database bdb
suffix "dc=domain"
...
overlay ppolicy
ppolicy_default "cn=PasswordPolicy,ou=Policies,dc=domain"
ppolicy_hash_cleartext
ppolicy_use_lockout

# PasswordPolicy, Policies, domain
dn: cn=PasswordPolicy,ou=Policies,dc=domain
sn: PasswordPolicy
cn: PasswordPolicy
objectClass: person
objectClass: top
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdLockout: TRUE
pwdAllowUserChange: TRUE
pwdInHistory: 4
pwdMinLength: 8
pwdFailureCountInterval: 600
pwdMaxFailure: 6
pwdLockoutDuration: 600
pwdCheckQuality: 1
pwdGraceAuthNLimit: 0
pwdMaxAge: 7776000
pwdMustChange: TRUE
pwdExpireWarning: 1209600
This works for all user accounts (passwords expire, history is stored, lockouts work).
Now I use a bind account for all LDAP-authenticated systems named cn=system,dc=domain that I don't want aligned with the above policy (namely I don't want its password to expire, no password history, no lockout, etc., as it is managed by my admins), so I set the following on that account:

# system, domain
dn: cn=system,dc=domain
sn: system
cn: system
objectClass: inetOrgPerson
objectClass: top
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdLockout: FALSE
pwdMaxAge: 0
pwdInHistory: 0
pwdCheckQuality: 0
pwdExpireWarning: 0
pwdLockoutDuration: 0
pwdMaxFailure: 0
pwdMustChange: FALSE
pwdFailureCountInterval: 0
pwdGraceAuthNLimit: 0
userPassword:: xxxxxx
Earlier today it appears the password for this account expired, which is precisely what I don't want. What I saw in my slapd.log when all systems started failing authentication across the board:
Jun 19 18:03:26 master slapd[22980]: conn=1001 op=1 BIND dn="cn=system,dc=domain" method=128
Jun 19 18:03:26 master slapd[22980]: conn=1001 op=1 BIND dn="cn=system,dc=domain" mech=SIMPLE ssf=0
Jun 19 18:03:26 master slapd[22980]: ppolicy_bind: Entry cn=system,dc=domain has an expired password: 0 grace logins
Jun 19 18:03:26 master slapd[22980]: conn=1001 op=1 RESULT tag=97 err=49 text=
Jun 19 18:03:26 master slapd[22980]: conn=1001 op=1 BIND dn="cn=system,dc=domain" method=128
Jun 19 18:03:26 master slapd[22980]: conn=1001 op=1 BIND dn="cn=system,dc=domain" mech=SIMPLE ssf=0
Jun 19 18:03:26 master slapd[22980]: ppolicy_bind: Entry cn=system,dc=domain has an expired password: 0 grace logins
My immediate fix was to use ldappasswd as cn=Manager and change the password 4 times and then change it back to its original, which then allowed systems to authenticate to the directory once again. Obviously this has me concerned as I have a replication user and a chain user to chain modifications from my slaves back to my master, and if their passwords expire I expect to be in for a fair amount of work to fix.
What I've done in the interim is create a new ppolicy container with no expiration and assigned my system account's pwdPolicySubentry attribute to that:
# NoPasswordPolicy, Policies, domain
dn: cn=NoPasswordPolicy,ou=Policies,dc=domain
sn: NoPasswordPolicy
cn: NoPasswordPolicy
objectClass: person
objectClass: top
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdCheckQuality: 0
pwdExpireWarning: 0
pwdFailureCountInterval: 0
pwdGraceAuthNLimit: 0
pwdInHistory: 0
pwdLockout: FALSE
pwdLockoutDuration: 0
pwdMaxAge: 0
pwdMaxFailure: 0
pwdMinLength: 0
pwdMustChange: FALSE
pwdAllowUserChange: FALSE

# system, domain
dn: cn=system,dc=domain
pwdPolicySubentry: cn=NoPasswordPolicy,ou=Policies,dc=domain
(I'm hoping this works like I want/expect it to, if not all ideas are welcome...)
From the slapo-ppolicy man page:
    pwdMaxAge
        This attribute contains the number of seconds after which a modified password will expire. If this attribute is not present, or if its value is zero (0), then passwords will not expire.
With cn=system,dc=domain having a MaxAge attribute set to 0, why would that account's password expire? I'm somewhat stumped here.
Thanks,
Michael Proto
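An added check, not Michael's or the OpenLDAP project's code, that resolves each account's effective policy the way slapo-ppolicy selects it (the entry's pwdPolicySubentry if present, otherwise the ppolicy_default entry; pwd* attributes written on the account itself are not consulted) and computes when the password expires from pwdChangedTime and that policy's pwdMaxAge. The cn=replicator entry, the pwdChangedTime values and the unfolded LDIF sample are constructed; the timestamp matches the log lines in the post.

```python
from datetime import datetime, timedelta, timezone
# Constructed sample (not from the post): default and opt-out policies, an account
# setting pwdMaxAge on itself, and one pointing at the opt-out policy.
SAMPLE_LDIF = """\
dn: cn=PasswordPolicy,ou=Policies,dc=domain
pwdMaxAge: 7776000

dn: cn=NoPasswordPolicy,ou=Policies,dc=domain
pwdMaxAge: 0

dn: cn=system,dc=domain
pwdMaxAge: 0
pwdChangedTime: 20130301120000Z

dn: cn=replicator,dc=domain
pwdPolicySubentry: cn=NoPasswordPolicy,ou=Policies,dc=domain
pwdChangedTime: 20130301120000Z
"""
DEFAULT_POLICY = "cn=PasswordPolicy,ou=Policies,dc=domain"  # ppolicy_default
POST_TIME = datetime(2013, 6, 19, 18, 3, 26, tzinfo=timezone.utc)  # log timestamp

def parse_ldif(text):
    """Tiny LDIF reader (unfolded, no base64): {dn: {attr: [values]}}."""
    entries, attrs = {}, None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if not key:                   # blank line ends the entry
            attrs = None
        elif key == "dn":
            attrs = entries.setdefault(value.strip(), {})
        else:
            attrs.setdefault(key, []).append(value.strip())
    return entries

def effective_policy(entry, entries, default_dn):
    # pwdPolicySubentry wins, else ppolicy_default; pwd* attrs on the account are ignored
    dn = entry.get("pwdPolicySubentry", [default_dn])[0]
    return dn, entries.get(dn, {})

def expiry_report(entries, default_dn, now):
    """{account dn: (policy dn, time left)}; None = never, negative = expired."""
    report = {}
    for dn, entry in entries.items():
        if "pwdChangedTime" not in entry:   # nothing for the overlay to age
            continue
        pol_dn, pol = effective_policy(entry, entries, default_dn)
        max_age = int(pol.get("pwdMaxAge", ["0"])[0])  # man page: 0 => no expiry
        changed = datetime.strptime(entry["pwdChangedTime"][0], "%Y%m%d%H%M%SZ")
        expires = changed.replace(tzinfo=timezone.utc) + timedelta(seconds=max_age)
        report[dn] = (pol_dn, expires - now if max_age else None)
    return report
```

Against the sample, cn=system still falls under the default 90-day policy and shows as expired, while cn=replicator, which names the opt-out policy in pwdPolicySubentry, never expires; running the same report over real ldapsearch output for the replication and chain users gives early warning before the bind failures seen in the log.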