Thanks for valuable information.

On Thu, Sep 2, 2010 at 1:46 PM, Buchan Milne <bgmilne@staff.telkomsa.net> wrote:
On Wednesday, 1 September 2010 08:44:33 Meghanand Acharekar wrote:
> Hello,
>
> I have configured openldap server on RHEL 5.4
> I also want to enforce strong password policies for my ldap users.

Have you enabled and configured the ppolicy overlay for OpenLDAP ? If you are
only enforcing LDAP passwords via PAM, changing passwords via another
mechanism will bypass these controls. So, you should consider using ppolicy
instead ...

I'm trying now setup using ppolicy overlay.
But still password policy setup is not working for me.

Following is my sldap.conf

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/ppolicy.schema 

allow bind_v2


pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

modulepath      /usr/lib/openldap

moduleload lastmod.la
moduleload ppolicy.la




access to attrs=userPassword
        by self write
        by anonymous auth
        by dn.base="cn=Manager,dc=example,dc=com" write
        by * none
access to attrs=shadowLastChange
        by self write
        by * read
access to *
        by self write
        by dn.base="cn=Manager,dc=example,dc=com" write
        by * read



database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
rootpw          {SSHA}PFuRVNvUeozTxo/djZ2RcCNKuBCmarJb

directory       /var/lib/ldap/example.com


index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub

overlay ppolicy
ppolicy_default "cn=policies,dc=example,dc=com"
ppolicy_use_lockout
 

ppolicy.ldif

dn: cn=policies,dc=example,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: policies
pwdAttribute: userPassword
pwdMaxAge: 7516800
pwdExpireWarning: 432000
pwdInHistory: 6
pwdCheckQuality: 1
pwdMinLength: 8
pwdMaxFailure: 4
pwdLockout: TRUE
pwdLockoutDuration: 1920
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE

Have you tested password changes with the ldappasswd tool ?

> for which i configured pam module on each ldap client in following way.
>
> (/etc/pam.d/system-auth)
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      pam_tally.so onerr=fail deny=5 unlock_time=300
> auth        required      pam_env.so
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 500 quiet
> auth        sufficient    pam_ldap.so use_first_pass
> auth        required      pam_deny.so
>
> account     required      pam_unix.so broken_shadow
> account     sufficient    pam_succeed_if.so uid < 500 quiet
> account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
> account     required      pam_permit.so
>
> password    requisite     pam_cracklib.so try_first_pass retry=3 dcredit=-1
> ucredit=-1 ocredit=-1 lcredit=0 minlen=8 \
>                                 reject_username
> password    sufficient    pam_unix.so md5 shadow nullok try_first_pass
> use_authtok remember=5
> password    sufficient    pam_ldap.so use_authtok
> password    required      pam_deny.so
>
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> session     [success=1 default=ignore] pam_succeed_if.so service in crond
> quiet use_uid
> session     required      pam_unix.so
> session     optional      pam_ldap.so
> session     optional      pam_mkhomedir.so skel=/etc/skel umask=0066
>
> I am having following problems with my configuration.
>
> 1. Although configured password history (pam_unix.so remember =5) is not
> working for ldap users, while other password policies
> (pam_cracklib,pam_tally) are working fine.
> 2. I also observed that I can't change/set any users password as root user
> (using passwd username).

You probably don't want this configuration ... root on an individual "generic"
server should not be able to change passwords of all users in LDAP.

Use ldappasswd (please see the man page regarding options you need to provide
to make it work) or another LDAP-based tool (smbldap-passwd etc. or a web-
based interface) to change/reset user's passwords.


Agreed.
 
> Following is my ldap client configuration file (ldap.conf).
>
> base dc=mycomp,dc=com
> bind_timelimit 120
> idle_timelimit 3600
> nss_initgroups_ignoreusers
> root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd
> ,gdm pam_check_host_attr
> pam_password md5

If you want to implement any password quality checks on the LDAP side, you
need to use:
pam_password exop

This also changed 
 
instead. If you use 'pam_password md5', the LDAP server will only ever see the
hash, so will not be able to test password length etc. If you only want
password quality checks on the clients, your configuration will work, but users
may be able to bypass your quality checks by using ldappasswd (or any LDAP
client).

> ssl no
> timelimit 120
> tls_cacertdir /etc/openldap/cacerts
> uri ldap://10.0.119.36
>
> For further troubleshooting I observer my /var/log/secure file while
> changing ldap user's passwod.
>
> passwd: pam_unix(passwd:chauthtok): user "username" does not exist in
> /etc/passwd
>
> but #getent passwd show me the username.

Fine, but pam_unix should fail, and after that 'passwd' should be trying via
LDAP.

What do the logs on the LDAP server show? Can you show the prompts you get
from running 'passwd' ? You should be prompted for the LDAP password before
being prompted for the new password:


[bgmilne@xymon ~]$ passwd
Changing password for user bgmilne.
Enter login(LDAP) password:
New UNIX password:
Retype new UNIX password:
LDAP password information changed for bgmilne
passwd: all authentication tokens updated successfully.
[bgmilne@xymon ~]$


Correct.
 
Regards,
Buchan

One more thing I would like to clarify.
I have also used shadow attributes for all user entries, should I have to disable them
while using ppolicy overlay ?

dn: uid=vasco,ou=People,dc=example,dc=com
uid: vasco
cn: vasco
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowMin: 0
shadowMax: 90
shadowWarning: 7
shadowExpire: 15765
loginShell: /bin/bash
uidNumber: 1601
gidNumber: 1601
homeDirectory: /home/vasco
shadowLastChange: 14854


--
Regards,
मेघानंद नं. आचरेकर
Meghanand N. Acharekar
" A proud Linux User "
Reg Linux User  #397975
------------------------------------------
I was born free! No Gates and Windows can restrict my Freedom !!!