Hello all,
I have an LDAP server that I use for system authentication, emails,
etc., in a domain (homebox.space).
I have the password policies defined in the LDAP database, but they
don't seem to apply to the users when changing a password.
Both "olcPPolicyDefault" and "olcPPolicyHashCleartext" are set up, but
only the latter is working, i.e. passwords sent in clear text by an LDAP
client are automatically encrypted.
There is an overlay entry for the domain, example:
olcPPolicyDefault: cn=default,ou=pwpolicies,dc=homebox,dc=space
and a correct entry "pwdPolicySubentry" for each user.
However, when I try to change the password with pam_ldap or using the
roundcube password plugin, even the minimal length rule is ignored.
The module configuration:
> dn: cn=module{0},cn=config
> objectClass: olcModuleList
> cn: module{0}
> olcModulePath: /usr/lib/ldap
> olcModuleLoad: {0}back_mdb
> olcModuleLoad: {1}ppolicy.la
> olcModuleLoad: {2}deref.la
> structuralObjectClass: olcModuleList
> entryUUID: acbfbc52-7c3a-1037-9cc1-d74dec6fc011
> creatorsName: cn=admin,cn=config
> createTimestamp: 20171223143824Z
> entryCSN: 20171223143828.930245Z#000000#000#000000
> modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> modifyTimestamp: 20171223143828Z
The overlay configuration:
> dn: olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config
> objectClass: olcPPolicyConfig
> objectClass: olcOverlayConfig
> olcOverlay: {0}ppolicy
> olcPPolicyDefault: cn=default,ou=pwpolicies,dc=homebox,dc=space
> olcPPolicyHashCleartext: TRUE
> olcPPolicyUseLockout: FALSE
> olcPPolicyForwardUpdates: FALSE
> structuralObjectClass: olcPPolicyConfig
> entryUUID: affa09e0-7c3a-1037-956b-0f107d4f36ac
> creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> createTimestamp: 20171223143829Z
> entryCSN: 20171223143829.643274Z#000000#000#000000
> modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> modifyTimestamp: 20171223143829Z
The policy:
> dn: cn=default,ou=pwpolicies,dc=homebox,dc=space
> pwdExpireWarning: 259200
> pwdMaxFailure: 5
> cn: default
> objectClass: pwdPolicy
> objectClass: person
> objectClass: top
> pwdMinLength: 8
> pwdCheckQuality: 0
> pwdAttribute: userPassword
> pwdLockoutDuration: 0
> pwdInHistory: 0
> sn: default
> pwdMaxAge: 31536000
> pwdGraceAuthNLimit: 0
> pwdFailureCountInterval: 300
> structuralObjectClass: person
> entryUUID: b083c4d2-7c3a-1037-956d-0f107d4f36ac
> creatorsName: cn=admin,dc=homebox,dc=space
> createTimestamp: 20171223143830Z
> entryCSN: 20171223143830.545905Z#000000#000#000000
> modifiersName: cn=admin,dc=homebox,dc=space
> modifyTimestamp: 20171223143830Z
Example of one user:
> dn:: Y249QW5kcsOpIFJvZGllcixvdT11c2VycyxkYz1ob21lYm94LGRjPXNwYWNl
> pwdPolicySubentry: cn=default,ou=pwpolicies,dc=homebox,dc=space
> shadowMin: 0
> uid: andre
> objectClass: top
> objectClass: person
> objectClass: posixAccount
> objectClass: shadowAccount
> objectClass: inetOrgPerson
> loginShell: /bin/bash
> shadowFlag: 0
> uidNumber: 1001
> shadowMax: 999999
> gidNumber: 1001
> homeDirectory: /home/users/andre
> sn: Rodier
> shadowInactive: -1
> mail: andre@homebox.space
> givenName:: QW5kcsOp
> shadowWarning: 7
> structuralObjectClass: inetOrgPerson
> cn:: QW5kcsOpIFJvZGllcg==
> entryUUID: b12c4db4-7c3a-1037-9572-0f107d4f36ac
> creatorsName: cn=admin,dc=homebox,dc=space
> createTimestamp: 20171223143831Z
> userPassword:: e1NTSEF9SHllVitOazkyekNHYlIwbVRUdkZJZWFpVUo2WElSVWM=
> pwdChangedTime: 20171223150211Z
> entryCSN: 20171223150211.599058Z#000000#000#000000
> modifiersName: cn=admin,dc=homebox,dc=space
> modifyTimestamp: 20171223150211Z
>
I have the whole source code here: https://github.com/progmaticltd/homebox/
The Ansible tasks I am using to configure the LDAP server are here:
https://github.com/progmaticltd/homebox/blob/master/install/playbooks/roles/accounts/tasks/main.yml
Any help welcome.
Kind regards,
André Rodier.
PS: Merry Christmas / Happy new year / for those concerned.
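Added example (not code from the original message or from the homebox project): a small offline audit of the pwdPolicy entry quoted above, based on the slapo-ppolicy semantics that pwdCheckQuality: 0 disables quality checking (so pwdMinLength is not enforced) and that pwdMaxFailure only locks an account when pwdLockout is TRUE. The LDIF sample is copied from the policy entry above with the operational attributes dropped; the parser also handles base64 ("::") values and folded lines, as in the user entry above.

```python
import base64

# Constructed sample: the "cn=default" policy entry from the message,
# operational attributes omitted, "sn" re-encoded as base64 to exercise "::".
POLICY_LDIF = """\
dn: cn=default,ou=pwpolicies,dc=homebox,dc=space
cn: default
objectClass: pwdPolicy
objectClass: person
objectClass: top
pwdAttribute: userPassword
pwdMinLength: 8
pwdCheckQuality: 0
pwdMaxFailure: 5
pwdLockoutDuration: 0
pwdInHistory: 0
pwdMaxAge: 31536000
sn:: ZGVmYXVsdA==
"""

def parse_ldif(text):
    """Parse LDIF into {dn: {attr: [values]}}; handles '::' base64 values
    and folded continuation lines (lines starting with a single space)."""
    entries, entry, lines = {}, {}, []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold a continuation line
        else:
            lines.append(raw)
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line:
            if entry:
                entries[entry["dn"][0]] = entry
            entry = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):         # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        entry.setdefault(attr, []).append(value)
    return entries

def audit_pwpolicy(entry):
    """Return findings explaining which settings in a pwdPolicy entry are inert."""
    findings = []
    first = lambda attr, default: entry.get(attr, [default])[0]
    if first("pwdCheckQuality", "0") == "0" and "pwdMinLength" in entry:
        findings.append("pwdCheckQuality is 0: quality checks, including pwdMinLength, are not enforced")
    if first("pwdLockout", "FALSE").upper() != "TRUE" and "pwdMaxFailure" in entry:
        findings.append("pwdMaxFailure is set but pwdLockout is not TRUE: failures are counted, no lockout")
    if first("pwdInHistory", "0") == "0":
        findings.append("pwdInHistory is 0: previous passwords may be reused")
    return findings
```

Running `audit_pwpolicy` over the parsed entry reports the inert settings; the same parser can be pointed at an `ldapsearch -LLL` dump of the real subtree.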