Hello all,

I'm currently seeing an issue with slapo-ppolicy and individual account overrides not being respected.

CentOS 6.4 with system-provided openldap-2.4.23-32.el6_4.1.x86_64

slapd.conf:
include         /etc/openldap/schema/ppolicy.schema
...
moduleload ppolicy.la
...
database        bdb
suffix          "dc=domain"
...
overlay ppolicy
ppolicy_default "cn=PasswordPolicy,ou=Policies,dc=domain"
ppolicy_hash_cleartext
ppolicy_use_lockout


# PasswordPolicy, Policies, domain
dn: cn=PasswordPolicy,ou=Policies,dc=domain
sn: PasswordPolicy
cn: PasswordPolicy
objectClass: person
objectClass: top
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdLockout: TRUE
pwdAllowUserChange: TRUE
pwdInHistory: 4
pwdMinLength: 8
pwdFailureCountInterval: 600
pwdMaxFailure: 6
pwdLockoutDuration: 600
pwdCheckQuality: 1
pwdGraceAuthNLimit: 0
pwdMaxAge: 7776000
pwdMustChange: TRUE
pwdExpireWarning: 1209600

This works for all user accounts (passwords expire, history is stored, lockouts work).

Now I use a bind account for all LDAP-authenticated systems named cn=system,dc=domain that I don't want aligned with the above policy (namely I don't want its password to expire, no password history, no lockout, etc., as it is managed by my admins), so I set the following on that account:

# system, domain
dn: cn=system,dc=domain
sn: system
cn: system
objectClass: inetOrgPerson
objectClass: top
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdLockout: FALSE
pwdMaxAge: 0
pwdInHistory: 0
pwdCheckQuality: 0
pwdExpireWarning: 0
pwdLockoutDuration: 0
pwdMaxFailure: 0
pwdMustChange: FALSE
pwdFailureCountInterval: 0
pwdGraceAuthNLimit: 0
userPassword:: xxxxxx


Earlier today it appears the password for this account expired, which is precisely what I don't want. What I saw in my slapd.log when all systems started failing authentication across the board:

Jun 19 18:03:26 master slapd[22980]: conn=1001 op=1 BIND dn="cn=system,dc=domain" method=128
Jun 19 18:03:26 master slapd[22980]: conn=1001 op=1 BIND dn="cn=system,dc=domain" mech=SIMPLE ssf=0
Jun 19 18:03:26 master slapd[22980]: ppolicy_bind: Entry cn=system,dc=domain has an expired password: 0 grace logins
Jun 19 18:03:26 master slapd[22980]: conn=1001 op=1 RESULT tag=97 err=49 text=
Jun 19 18:03:26 master slapd[22980]: conn=1001 op=1 BIND dn="cn=system,dc=domain" method=128
Jun 19 18:03:26 master slapd[22980]: conn=1001 op=1 BIND dn="cn=system,dc=domain" mech=SIMPLE ssf=0
Jun 19 18:03:26 master slapd[22980]: ppolicy_bind: Entry cn=system,dc=domain has an expired password: 0 grace logins


My immediate fix was to use ldappasswd as cn=Manager and change the password 4 times and then change it back to its original, which then allowed systems to authenticate to the directory once again. Obviously this has me concerned as I have a replication user and a chain user to chain modifications from my slaves back to my master, and if their passwords expire I expect to be in for a fair amount of work to fix.

What I've done in the interim is create a new ppolicy container with no expiration and assigned my system account's pwdPolicySubentry attribute to that:

# NoPasswordPolicy, Policies, domain
dn: cn=NoPasswordPolicy,ou=Policies,dc=domain
sn: NoPasswordPolicy
cn: NoPasswordPolicy
objectClass: person
objectClass: top
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdCheckQuality: 0
pwdExpireWarning: 0
pwdFailureCountInterval: 0
pwdGraceAuthNLimit: 0
pwdInHistory: 0
pwdLockout: FALSE
pwdLockoutDuration: 0
pwdMaxAge: 0
pwdMaxFailure: 0
pwdMinLength: 0
pwdMustChange: FALSE
pwdAllowUserChange: FALSE


# system, domain
dn: cn=system,dc=domain
pwdPolicySubentry: cn=NoPasswordPolicy,ou=Policies,dc=domain

(I'm hoping this works like I want/expect it to; if not, all ideas are welcome...)

From the slapo-ppolicy man page:

       pwdMaxAge

       This  attribute  contains  the number of seconds after which a modified
       password will expire.  If this attribute is  not  present,  or  if  its
       value is zero (0), then passwords will not expire.


With cn=system,dc=domain having a MaxAge attribute set to 0, why would that account's password expire? I'm somewhat stumped here.


Thanks,
Michael Proto
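To make the policy precedence concrete, here is an added illustration (not code from the post or from OpenLDAP) that resolves which pwdPolicy entry slapo-ppolicy actually consults for a user and evaluates pwdMaxAge against it: the overlay uses the user's pwdPolicySubentry when present, otherwise the ppolicy_default entry, and does not read pwdPolicy attributes placed on the user entry itself. The pwdChangedTime value and the minimal LDIF reader are assumptions made for the illustration.

```python
from datetime import datetime, timezone

# Constructed sample (not the poster's data): the two policies from the post and a
# cn=system entry carrying pwdPolicy attributes directly, plus a made-up pwdChangedTime.
SAMPLE_LDIF = """
dn: cn=PasswordPolicy,ou=Policies,dc=domain
objectClass: pwdPolicy
pwdMaxAge: 7776000

dn: cn=NoPasswordPolicy,ou=Policies,dc=domain
objectClass: pwdPolicy
pwdMaxAge: 0

dn: cn=system,dc=domain
objectClass: inetOrgPerson
objectClass: pwdPolicy
pwdMaxAge: 0
pwdChangedTime: 20130301120000Z
"""
DEFAULT_POLICY = "cn=PasswordPolicy,ou=Policies,dc=domain"   # slapd.conf ppolicy_default
LOG_TIME = datetime(2013, 6, 19, 18, 3, 26, tzinfo=timezone.utc)  # time of the failing binds

def parse_ldif(text):
    """Tiny LDIF reader: {dn: {attr: [values]}}; no line folding or base64 decoding."""
    entries, cur = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        value = value.strip(": ")
        if attr.lower() == "dn":
            cur = entries.setdefault(value, {})
        else:
            cur.setdefault(attr, []).append(value)
    return entries

def governing_policy(entries, user_dn):
    """ppolicy precedence: pwdPolicySubentry if set, else ppolicy_default; never the entry itself."""
    sub = entries[user_dn].get("pwdPolicySubentry")
    return sub[0] if sub else DEFAULT_POLICY

def password_expired(entries, user_dn, now=LOG_TIME):
    policy = entries[governing_policy(entries, user_dn)]
    max_age = int(policy.get("pwdMaxAge", ["0"])[0])
    changed = entries[user_dn].get("pwdChangedTime")
    if max_age == 0 or not changed:  # 0 means never expires; no change time, nothing to age
        return False
    t = datetime.strptime(changed[0], "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return (now - t).total_seconds() > max_age
```

Run against the sample, cn=system without pwdPolicySubentry resolves to cn=PasswordPolicy and is reported expired at the log time; adding pwdPolicySubentry: cn=NoPasswordPolicy makes the same check return False.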