Hello all,
I'm currently seeing an issue with slapo-ppolicy and individual account overrides not being respected.
CentOS 6.4 with system-provided openldap-2.4.23-32.el6_4.1.x86_64
slapd.conf:
include /etc/openldap/schema/ppolicy.schema
...
moduleload ppolicy.la
...
database bdb
suffix "dc=domain"
...
overlay ppolicy
ppolicy_default "cn=PasswordPolicy,ou=Policies,dc=domain"
ppolicy_hash_cleartext
ppolicy_use_lockout
# PasswordPolicy, Policies, domain
dn: cn=PasswordPolicy,ou=Policies,dc=domain
sn: PasswordPolicy
cn: PasswordPolicy
objectClass: person
objectClass: top
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdLockout: TRUE
pwdAllowUserChange: TRUE
pwdInHistory: 4
pwdMinLength: 8
pwdFailureCountInterval: 600
pwdMaxFailure: 6
pwdLockoutDuration: 600
pwdCheckQuality: 1
pwdGraceAuthNLimit: 0
pwdMaxAge: 7776000
pwdMustChange: TRUE
pwdExpireWarning: 1209600
This works for all user accounts (passwords expire, history is stored, lockouts work).
Now I use a bind account for all LDAP-authenticated systems named cn=system,dc=domain that I don't want aligned with the above policy (namely I don't want its password to expire, no password history, no lockout, etc... as it is managed by my admins), so I set the following on that account:
# system, domain
dn: cn=system,dc=domain
sn: system
cn: system
objectClass: inetOrgPerson
objectClass: top
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdLockout: FALSE
pwdMaxAge: 0
pwdInHistory: 0
pwdCheckQuality: 0
pwdExpireWarning: 0
pwdLockoutDuration: 0
pwdMaxFailure: 0
pwdMustChange: FALSE
pwdFailureCountInterval: 0
pwdGraceAuthNLimit: 0
userPassword:: xxxxxx
Earlier today it appears the password for this account expired, which is precisely what I don't want. What I saw in my slapd.log when all systems started failing authentication across the board:
Jun 19 18:03:26 master slapd[22980]: conn=1001 op=1 BIND dn="cn=system,dc=domain" method=128
Jun 19 18:03:26 master slapd[22980]: conn=1001 op=1 BIND dn="cn=system,dc=domain" mech=SIMPLE ssf=0
Jun 19 18:03:26 master slapd[22980]: ppolicy_bind: Entry cn=system,dc=domain has an expired password: 0 grace logins
Jun 19 18:03:26 master slapd[22980]: conn=1001 op=1 RESULT tag=97 err=49 text=
Jun 19 18:03:26 master slapd[22980]: conn=1001 op=1 BIND dn="cn=system,dc=domain" method=128
Jun 19 18:03:26 master slapd[22980]: conn=1001 op=1 BIND dn="cn=system,dc=domain" mech=SIMPLE ssf=0
Jun 19 18:03:26 master slapd[22980]: ppolicy_bind: Entry cn=system,dc=domain has an expired password: 0 grace logins
My immediate fix was to use ldappasswd as cn=Manager and change the password 4 times and then change it back to its original, which then allowed systems to authenticate to the directory once again. Obviously this has me concerned as I have a replication user and a chain user to chain modifications from my slaves back to my master, and if their passwords expire I expect to be in for a fair amount of work to fix.
What I've done in the interim is create a new ppolicy container with no expiration and assigned my system account's pwdPolicySubentry attribute to that:
# NoPasswordPolicy, Policies, domain
dn: cn=NoPasswordPolicy,ou=Policies,dc=domain
sn: NoPasswordPolicy
cn: NoPasswordPolicy
objectClass: person
objectClass: top
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdCheckQuality: 0
pwdExpireWarning: 0
pwdFailureCountInterval: 0
pwdGraceAuthNLimit: 0
pwdInHistory: 0
pwdLockout: FALSE
pwdLockoutDuration: 0
pwdMaxAge: 0
pwdMaxFailure: 0
pwdMinLength: 0
pwdMustChange: FALSE
pwdAllowUserChange: FALSE
# system, domain
dn: cn=system,dc=domain
pwdPolicySubentry: cn=NoPasswordPolicy,ou=Policies,dc=domain
(I'm hoping this works like I want/expect it to; if not, all ideas are welcome...)
From the slapo-ppolicy man page:
pwdMaxAge
This attribute contains the number of seconds after which a modified
password will expire. If this attribute is not present, or if its
value is zero (0), then passwords will not expire.
With cn=system,dc=domain having a MaxAge attribute set to 0, why would that account's password expire? I'm somewhat stumped here.
Thanks,
Michael Proto
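An added example, not part of the post above or of the OpenLDAP project: a small audit script that resolves which pwdPolicy entry slapo-ppolicy actually applies to each account. The overlay takes an account's policy from the entry named by its pwdPolicySubentry attribute, falling back to ppolicy_default; pwdPolicy attributes written directly on an account entry (as on cn=system above) are not consulted, so the script reports them as ignored. It also computes expiry from pwdChangedTime plus the effective pwdMaxAge so a service account heading for expiry can be caught before binds start failing. The LDIF, the pwdChangedTime values and the clock value are constructed to mirror the post; the parser is a minimal one for plain single-line LDIF, not a replacement for a real LDIF library.

```python
"""Audit which slapo-ppolicy policy really governs each LDAP account.

Added example (not from the original post). Assumes entries are supplied
as plain single-line LDIF and that 'now' is passed explicitly so the
check is reproducible offline.
"""
from datetime import datetime, timedelta, timezone

# pwdPolicy attributes: slapo-ppolicy reads them only from the policy entry
# named by an account's pwdPolicySubentry, or from ppolicy_default.
POLICY_ATTRS = {
    "pwdattribute", "pwdminage", "pwdmaxage", "pwdinhistory",
    "pwdcheckquality", "pwdminlength", "pwdexpirewarning",
    "pwdgraceauthnlimit", "pwdlockout", "pwdlockoutduration",
    "pwdmaxfailure", "pwdfailurecountinterval", "pwdmustchange",
    "pwdallowuserchange", "pwdsafemodify",
}


def parse_ldif(text):
    """Return {lowercased dn: {lowercased attr: [values]}}. Comments are
    skipped; '::' (base64) values are kept opaque, never decoded."""
    entries, current = {}, {}
    for line in text.splitlines() + [""]:
        line = line.rstrip()
        if line.startswith("#"):
            continue
        if not line:                       # blank line ends an entry
            if current:
                entries[current["dn"][0].lower()] = current
                current = {}
            continue
        name, _, rest = line.partition(":")
        value = rest[1:].strip() if rest.startswith(":") else rest.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    return entries


def effective_policy_dn(entry, default_policy_dn):
    """Policy named by pwdPolicySubentry, else the ppolicy_default DN."""
    sub = entry.get("pwdpolicysubentry")
    return sub[0] if sub else default_policy_dn


def ignored_policy_attrs(entry):
    """Policy attributes sitting on the account itself; slapd never reads
    them there unless pwdPolicySubentry points back at this very entry."""
    own_dn = entry["dn"][0].lower()
    sub = entry.get("pwdpolicysubentry", [""])[0].lower()
    if sub == own_dn:
        return []
    return sorted(a for a in entry if a in POLICY_ATTRS)


def password_state(entry, policy, now):
    """Return (expired, seconds_remaining). pwdMaxAge 0/absent or a missing
    pwdChangedTime means the password has no expiry to measure."""
    max_age = int(policy.get("pwdmaxage", ["0"])[0])
    changed = entry.get("pwdchangedtime")
    if max_age == 0 or not changed:
        return False, None
    changed_at = datetime.strptime(changed[0], "%Y%m%d%H%M%SZ")
    expires = changed_at.replace(tzinfo=timezone.utc) + timedelta(seconds=max_age)
    remaining = (expires - now).total_seconds()
    return remaining <= 0, remaining


def audit(ldif_text, default_policy_dn, now):
    """One report row per entry that carries a userPassword."""
    entries = parse_ldif(ldif_text)
    report = {}
    for entry in entries.values():
        if "userpassword" not in entry:
            continue                       # policy containers, groups, etc.
        policy_dn = effective_policy_dn(entry, default_policy_dn)
        policy = entries.get(policy_dn.lower())
        expired, remaining = password_state(entry, policy or {}, now)
        report[entry["dn"][0]] = {
            "policy": policy_dn,
            "policy_found": policy is not None,
            "ignored_attrs": ignored_policy_attrs(entry),
            "expired": expired,
            "seconds_remaining": remaining,
        }
    return report


# Constructed sample data: shaped like the post, values made up.
SAMPLE_LDIF = """\
dn: cn=PasswordPolicy,ou=Policies,dc=domain
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdMaxAge: 7776000

dn: cn=NoPasswordPolicy,ou=Policies,dc=domain
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdMaxAge: 0

dn: cn=system,dc=domain
objectClass: inetOrgPerson
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdMaxAge: 0
pwdLockout: FALSE
pwdChangedTime: 20130301120000Z
userPassword:: e1NTSEF9Y29uc3RydWN0ZWQ=

dn: cn=replicator,dc=domain
objectClass: inetOrgPerson
pwdPolicySubentry: cn=NoPasswordPolicy,ou=Policies,dc=domain
pwdChangedTime: 20130301120000Z
userPassword: {SSHA}constructed-placeholder
"""
DEFAULT_POLICY = "cn=PasswordPolicy,ou=Policies,dc=domain"
NOW = datetime(2013, 6, 19, 18, 3, 26, tzinfo=timezone.utc)  # constructed clock


def run_audit():
    return audit(SAMPLE_LDIF, DEFAULT_POLICY, NOW)


if __name__ == "__main__":
    for dn, row in run_audit().items():
        print(dn, row)
```

Run as-is, the report shows cn=system governed by the default PasswordPolicy with its inline pwdMaxAge/pwdLockout/pwdAttribute flagged as ignored and its password already expired, while cn=replicator, which names NoPasswordPolicy through pwdPolicySubentry, has nothing ignored and no expiry. Pointing the script at a real `ldapsearch -LLL` dump of the accounts (with `+` to include the operational pwdChangedTime attribute) gives the same check against live data.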