Thanks for valuable information.
On Thu, Sep 2, 2010 at 1:46 PM, Buchan Milne <bgmilne@staff.telkomsa.net> wrote:
On Wednesday, 1 September 2010 08:44:33 Meghanand Acharekar wrote:
Hello,
I have configured an openldap server on RHEL 5.4. I also want to enforce strong password policies for my ldap users.
Have you enabled and configured the ppolicy overlay for OpenLDAP ? If you are only enforcing LDAP passwords via PAM, changing passwords via another mechanism will bypass these controls. So, you should consider using ppolicy instead ...
I'm trying now setup using ppolicy overlay. But still password policy setup is not working for me.
Following is my slapd.conf
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/ppolicy.schema
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
modulepath /usr/lib/openldap
moduleload lastmod.la
moduleload ppolicy.la
access to attrs=userPassword
    by self write
    by anonymous auth
    by dn.base="cn=Manager,dc=example,dc=com" write
    by * none
access to attrs=shadowLastChange
    by self write
    by * read
access to *
    by self write
    by dn.base="cn=Manager,dc=example,dc=com" write
    by * read
database bdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw {SSHA}PFuRVNvUeozTxo/djZ2RcCNKuBCmarJb
directory /var/lib/ldap/example.com
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
overlay ppolicy
ppolicy_default "cn=policies,dc=example,dc=com"
ppolicy_use_lockout
ppolicy.ldif
dn: cn=policies,dc=example,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: policies
pwdAttribute: userPassword
pwdMaxAge: 7516800
pwdExpireWarning: 432000
pwdInHistory: 6
pwdCheckQuality: 1
pwdMinLength: 8
pwdMaxFailure: 4
pwdLockout: TRUE
pwdLockoutDuration: 1920
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
Have you tested password changes with the ldappasswd tool ?
For which I configured the pam module on each ldap client in the following way.
(/etc/pam.d/system-auth)
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_tally.so onerr=fail deny=5 unlock_time=300
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8 reject_username
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok remember=5
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
session optional pam_mkhomedir.so skel=/etc/skel umask=0066
I am having following problems with my configuration.
1. Although configured, password history (pam_unix.so remember=5) is not working for ldap users, while the other password policies (pam_cracklib, pam_tally) are working fine.
2. I also observed that I can't change/set any user's password as the root user (using passwd username).
You probably don't want this configuration ... root on an individual "generic" server should not be able to change passwords of all users in LDAP.
Use ldappasswd (please see the man page regarding options you need to provide to make it work) or another LDAP-based tool (smbldap-passwd etc. or a web-based interface) to change/reset users' passwords.
Agreed.
Following is my ldap client configuration file (ldap.conf).
base dc=mycomp,dc=com
bind_timelimit 120
idle_timelimit 3600
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
pam_check_host_attr
pam_password md5
If you want to implement any password quality checks on the LDAP side, you need to use: pam_password exop
This also changed
instead. If you use 'pam_password md5', the LDAP server will only ever see the hash, so will not be able to test password length etc. If you only want password quality checks on the clients, your configuration will work, but users may be able to bypass your quality checks by using ldappasswd (or any LDAP client).
ssl no
timelimit 120
tls_cacertdir /etc/openldap/cacerts
uri ldap://10.0.119.36
For further troubleshooting I observed my /var/log/secure file while changing an ldap user's password.
passwd: pam_unix(passwd:chauthtok): user "username" does not exist in /etc/passwd
but #getent passwd shows me the username.
Fine, but pam_unix should fail, and after that 'passwd' should be trying via LDAP.
What do the logs on the LDAP server show? Can you show the prompts you get from running 'passwd' ? You should be prompted for the LDAP password before being prompted for the new password:
[bgmilne@xymon ~]$ passwd
Changing password for user bgmilne.
Enter login(LDAP) password:
New UNIX password:
Retype new UNIX password:
LDAP password information changed for bgmilne
passwd: all authentication tokens updated successfully.
[bgmilne@xymon ~]$
Correct.
Regards, Buchan
One more thing I would like to clarify. I have also used shadow attributes for all user entries, should I have to disable them while using ppolicy overlay ?
dn: uid=vasco,ou=People,dc=example,dc=com
uid: vasco
cn: vasco
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowMin: 0
shadowMax: 90
shadowWarning: 7
shadowExpire: 15765
loginShell: /bin/bash
uidNumber: 1601
gidNumber: 1601
homeDirectory: /home/vasco
shadowLastChange: 14854
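As an added example (not from this thread and not OpenLDAP's own code), a small Python model of the server-side checks Buchan describes: it parses the cn=policies entry posted above and applies pwdCheckQuality, pwdMinLength and pwdInHistory to the value slapd actually receives, which is cleartext with 'pam_password exop' but an already hashed string with 'pam_password md5'. The {SSHA} helpers and the sample passwords are constructed for illustration.

```python
# Added example, not OpenLDAP's code: models the ppolicy checks discussed in the thread.
import base64
import hashlib
import os
# Subset of the cn=policies entry posted in the thread, one attribute per line.
POLICY_LDIF = """dn: cn=policies,dc=example,dc=com
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdInHistory: 6
pwdCheckQuality: 1
pwdMinLength: 8
"""

def parse_ldif_entry(text):
    """Return {attribute: [values]} for one LDIF entry."""
    entry = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip(), []).append(value.strip())
    return entry

def ssha(password, salt=None):
    """Build an {SSHA} value like slappasswd: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_matches(password, stored):
    """Check a cleartext password against an {SSHA} value; the salt trails the digest."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode() + salt).digest() == digest

def check_password_change(policy, new_value, history):
    """Decide on a change as slapd sees it: cleartext (exop) or a pre-hashed '{MD5}...' (md5)."""
    quality = int(policy.get("pwdCheckQuality", ["0"])[0])
    min_len = int(policy.get("pwdMinLength", ["0"])[0])
    keep = int(policy.get("pwdInHistory", ["0"])[0])
    recent = history[-keep:] if keep else []
    if new_value.startswith("{"):
        # Hashed on the client: length cannot be checked. 1 = accept anyway, 2 = reject.
        if quality == 2:
            return "rejected: hashed value, quality check impossible"
        return "accepted: hashed value, quality not checked"
    if quality >= 1 and len(new_value) < min_len:
        return "rejected: shorter than pwdMinLength=%d" % min_len
    if any(ssha_matches(new_value, old) for old in recent):
        return "rejected: reuse of one of the last %d passwords" % keep
    return "accepted"
```

With pwdCheckQuality: 1 (as in the posted policy) a client-hashed value is accepted unchecked, which is exactly the bypass that 'pam_password md5' leaves open; only with pwdCheckQuality: 2 does the server refuse it.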