2011/2/13 Jan Kohnert nospam001-lists@jankoh.dyndns.org:
Hi there,
I'm new to this list, so first of all welcome to everyone.
I have a problem with ppolicy and got stuck finding a solution. I configured slapd using the information from [1], trying to be able to lock users. But anyway, the lock seems to be ignored: as soon as one tries to log in, the pwdAccountLockedTime attribute is removed from the entry, and I seem to be too blind or dumb to see the reason why.
Here is what happens (testing my own account):

b079 /etc/openldap # grep -v "^#" ldif/locked_users.ldif
dn: uid=jan,ou=xxx,dc=yyy,dc=zzz,dc=org
changetype: modify
add: pwdAccountLockedTime
pwdAccountLockedTime: 20110119225403Z
b079 /etc/openldap # ldapmodify -x -D "cn=admin, dc=yyy, dc=zzz, dc=org" -W -f ldif/locked_users.ldif
Enter LDAP Password:
modifying entry "uid=jan,ou=xxx,dc=yyy,dc=zzz,dc=org"

b079 /etc/openldap # slapcat | grep -B 13 Locked | grep "uid: jan"
uid: jan
b079 /etc/openldap # ldapwhoami -x -D "uid=jan, ou=xxx, dc=yyy, dc=zzz, dc=org" -W
Enter LDAP Password:
dn:uid=jan,ou=xxx,dc=yyy,dc=zzz,dc=org
b079 /etc/openldap # slapcat | grep -B 13 Locked | grep "uid: jan"
b079 /etc/openldap #

And here is the relevant configuration:

b079 /etc/openldap # grep ppolicy slapd.conf
include /etc/openldap/schema/ppolicy.schema
moduleload ppolicy.so
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=yyy,dc=zzz,dc=org"
b079 /etc/openldap #

b079 /etc/openldap # ldapsearch -x -s base -b "cn=default, ou=policies, dc=yyy, dc=zzz, dc=org"
# extended LDIF
#
# LDAPv3
# base <cn=default, ou=policies, dc=yyy, dc=zzz, dc=org> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

# default, policies, yyy.zzz.org
dn: cn=default,ou=policies,dc=yyy,dc=zzz,dc=org
cn: default
sn: dummy value
objectClass: pwdPolicy
objectClass: person
objectClass: top
pwdAttribute: userPassword
pwdMinAge: 0
pwdMaxAge: 0
pwdInHistory: 0
pwdCheckQuality: 0
pwdLockout: TRUE
pwdLockoutDuration: 900
pwdFailureCountInterval: 1800
pwdMustChange: FALSE
pwdAllowUserChange: TRUE
pwdSafeModify: TRUE
pwdExpireWarning: 604800
pwdMaxFailure: 5
pwdGraceAuthNLimit: 0
pwdMinLength: 8

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
b079 /etc/openldap #
Thanks a lot in advance!
[1] http://www.openldap.org/lists/openldap-technical/200810/msg00107.html
Hello Jan,
Can you tell us the OpenLDAP version you are running? For example, 2.4.11 on Debian is known to have bugs in the password policy overlay.
Then you should try to lock your account by failing authentication (use a bad password several times); you should then see the operational attributes pwdFailureTime and pwdAccountLockedTime in your entry.
Try also to use -e ppolicy in the ldapsearch or ldapwhoami commands, to get messages from the password policy control.
Clément.
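Added example, not part of the thread or of OpenLDAP: a small offline check of whether a pwdAccountLockedTime value is still in force under a given policy, using the policy and user entries quoted above as constructed input. It encodes slapo-ppolicy's documented rule that a lock timestamp older than pwdLockoutDuration seconds (900 here) has expired and is cleared on the next successful bind, while pwdLockoutDuration 0 or the special value 000001010000Z mean "locked until an administrator unlocks"; the function names are this example's own.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample entries, reduced to the attributes quoted in the thread.
POLICY_LDIF = """dn: cn=default,ou=policies,dc=yyy,dc=zzz,dc=org
objectClass: pwdPolicy
pwdLockout: TRUE
pwdLockoutDuration: 900
pwdMaxFailure: 5
"""

USER_LDIF = """dn: uid=jan,ou=xxx,dc=yyy,dc=zzz,dc=org
uid: jan
pwdAccountLockedTime: 20110119225403Z
"""

# slapo-ppolicy(5): this pwdAccountLockedTime value means "only an admin can unlock".
PERMANENT_LOCK = "000001010000Z"


def parse_ldif(text):
    """Minimal LDIF reader for one entry: attribute name -> list of values."""
    attrs = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(": ")
        attrs.setdefault(name, []).append(value)
    return attrs


def parse_gentime(value):
    """Parse an LDAP GeneralizedTime such as 20110119225403Z (UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def lock_status(policy, user, now):
    """Return 'unlocked', 'locked', or 'expired' (stale lock, removed on next bind)."""
    if policy.get("pwdLockout", ["FALSE"])[0] != "TRUE":
        return "unlocked"          # lockout is not enforced by this policy at all
    locked = user.get("pwdAccountLockedTime")
    if not locked:
        return "unlocked"
    if locked[0] == PERMANENT_LOCK:
        return "locked"
    duration = int(policy.get("pwdLockoutDuration", ["0"])[0])
    if duration == 0:
        return "locked"            # 0 means the lock never expires by itself
    if parse_gentime(locked[0]) + timedelta(seconds=duration) > now:
        return "locked"
    return "expired"


def check(policy_ldif, user_ldif, now_gentime):
    """Convenience wrapper taking LDIF text and 'now' as GeneralizedTime."""
    return lock_status(parse_ldif(policy_ldif), parse_ldif(user_ldif), parse_gentime(now_gentime))
```

Run against the thread's own values, a lock set on 19 January is reported as "expired" by the 13 February date of the mail, and as "locked" only within the 900 seconds after it was set.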