Hello,
Clément OUDOT wrote:
2011/2/13 Jan Kohnert nospam001-lists@yyy.zzz.org:
I have a problem with ppolicy and got stuck finding a solution. I configured slapd using the information from [1], trying to be able to lock users. But anyway, the lock seems to be ignored: as soon as one tries to log in, the pwdLockedTime argument is removed from the entry, and I seem to be too blind or dumb to see the reason why.
[config stuff]
Can you tell us the OpenLDAP version you are running? For example, 2.4.11 on Debian is known to have bugs on the password policy overlay.
Running Gentoo here:

b079 /etc/openldap # eix net-nds/openldap
[I] net-nds/openldap
     Available versions:  2.3.43-r1 2.4.19-r1 ~2.4.21 2.4.23 {(+)berkdb crypt -cxx debug experimental gdbm gnutls icu iodbc ipv6 kerberos minimal odbc overlays perl samba sasl selinux slp smbkrb5passwd ssl syslog tcpd}
     Installed versions:  2.4.23(06:58:54 18.11.2010)(berkdb crypt ipv6 overlays perl sasl ssl tcpd -cxx -debug -experimental -gnutls -icu -iodbc -kerberos -minimal -odbc -samba -selinux -slp -smbkrb5passwd -syslog)
     Homepage:            http://www.OpenLDAP.org/
     Description:         LDAP suite of application and development tools
b079 /etc/openldap #
Then you should try to lock your account by failing authentication (use a bad password several times); you should then see the operational attributes pwdFailureTime and pwdAccountLockedTime in your entry.
This one works!
b079 /etc/openldap # ldapwhoami -x -e ppolicy -D "uid=jan, ou=xxx, dc=yyy, dc=zzz, dc=org" -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
b079 /etc/openldap # ldapwhoami -x -e ppolicy -D "uid=jan, ou=xxx, dc=yyy, dc=zzz, dc=org" -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
b079 /etc/openldap # ldapwhoami -x -e ppolicy -D "uid=jan, ou=xxx, dc=yyy, dc=zzz, dc=org" -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
b079 /etc/openldap # ldapwhoami -x -e ppolicy -D "uid=jan, ou=xxx, dc=yyy, dc=zzz, dc=org" -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
b079 /etc/openldap # ldapwhoami -x -e ppolicy -D "uid=jan, ou=xxx, dc=yyy, dc=zzz, dc=org" -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
b079 /etc/openldap # ldapwhoami -x -e ppolicy -D "uid=jan, ou=xxx, dc=yyy, dc=zzz, dc=org" -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
b079 /etc/openldap # ldapwhoami -x -e ppolicy -D "uid=jan, ou=xxx, dc=yyy, dc=zzz, dc=org" -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
b079 /etc/openldap # ldapwhoami -x -e ppolicy -D "uid=jan, ou=xxx, dc=yyy, dc=zzz, dc=org" -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
b079 /etc/openldap # ldapsearch -x -e ppolicy -b "ou=xxx, dc=yyy, dc=zzz, dc=org" "(uid=jan)" pwdFailureTime
# extended LDIF
#
# LDAPv3
# base <ou=xxx, dc=yyy, dc=zzz, dc=org> with scope subtree
# filter: (uid=jan)
# requesting: pwdFailureTime
#

# jan, xxx, yyy.zzz.org
dn: uid=jan,ou=xxx,dc=yyy,dc=zzz,dc=org
pwdFailureTime: 20110214195244Z
pwdFailureTime: 20110214195246Z
pwdFailureTime: 20110214195247Z
pwdFailureTime: 20110214195249Z
pwdFailureTime: 20110214195250Z

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
b079 /etc/openldap # ldapsearch -x -e ppolicy -b "ou=xxx, dc=yyy, dc=zzz, dc=org" "(uid=jan)" pwdAccountLockedTime
# extended LDIF
#
# LDAPv3
# base <ou=xxx, dc=yyy, dc=zzz, dc=org> with scope subtree
# filter: (uid=jan)
# requesting: pwdAccountLockedTime
#

# jan, xxx, yyy.zzz.org
dn: uid=jan,ou=xxx,dc=yyy,dc=zzz,dc=org
pwdAccountLockedTime: 20110214195250Z

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
b079 /etc/openldap # ldapwhoami -x -e ppolicy -D "uid=jan, ou=xxx, dc=yyy, dc=zzz, dc=org" -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
b079 /etc/openldap # ldapsearch -x -e ppolicy -b "ou=xxx, dc=yyy, dc=zzz, dc=org" "(uid=jan)" pwdFailureTime
# extended LDIF
#
# LDAPv3
# base <ou=xxx, dc=yyy, dc=zzz, dc=org> with scope subtree
# filter: (uid=jan)
# requesting: pwdFailureTime
#

# jan, xxx, yyy.zzz.org
dn: uid=jan,ou=xxx,dc=yyy,dc=zzz,dc=org
pwdFailureTime: 20110214195244Z
pwdFailureTime: 20110214195246Z
pwdFailureTime: 20110214195247Z
pwdFailureTime: 20110214195249Z
pwdFailureTime: 20110214195250Z

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
b079 /etc/openldap #
Try also to use -e ppolicy in ldapsearch or ldapwhoami commands, to get messages from the password policy control.
That one does not seem to generate more precise error messages:
b079 /etc/openldap # ldapsearch -x -s base -e ppolicy -b "cn=default, ou=policies, dc=yyy, dc=zzz, dc=org"
# extended LDIF
#
# LDAPv3
# base <cn=default, ou=policies, dc=yyy, dc=zzz, dc=org> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

# default, policies, yyy.zzz.org
dn: cn=default,ou=policies,dc=yyy,dc=zzz,dc=org
cn: default
sn: dummy value
objectClass: pwdPolicy
objectClass: person
objectClass: top
pwdAttribute: userPassword
pwdMinAge: 0
pwdMaxAge: 0
pwdInHistory: 0
pwdCheckQuality: 0
pwdLockout: TRUE
pwdLockoutDuration: 900
pwdFailureCountInterval: 1800
pwdMustChange: FALSE
pwdAllowUserChange: TRUE
pwdSafeModify: TRUE
pwdExpireWarning: 604800
pwdMaxFailure: 5
pwdGraceAuthNLimit: 0
pwdMinLength: 8

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
b079 /etc/openldap # ldapmodify -x -e ppolicy -D "cn=admin, dc=yyy, dc=zzz, dc=org" -W -f ldif/locked_users.ldif
Enter LDAP Password:
modifying entry "uid=jan,ou=xxx,dc=yyy,dc=zzz,dc=org"

b079 /etc/openldap # slapcat | grep -B 13 Locked | grep "uid: jan"
uid: jan
b079 /etc/openldap # ldapwhoami -x -e ppolicy -D "uid=jan, ou=xxx, dc=yyy, dc=zzz, dc=org" -W
Enter LDAP Password:
dn:uid=jan,ou=xxx,dc=yyy,dc=zzz,dc=org
b079 /etc/openldap #
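As an added example (not part of the thread or of OpenLDAP itself), a small Python check that applies the lockout rules of the cn=default policy above to an entry's pwdFailureTime and pwdAccountLockedTime values, so one can tell whether a lock is still in force before binding. It goes slightly beyond the thread in also recognising the permanent-lock sentinel 000001010000Z defined in the ppolicy draft; the entry data is constructed from the values shown in the thread.

```python
from datetime import datetime, timedelta, timezone

# Sentinel defined by the ppolicy draft: the account is locked with no expiry.
PERMANENT_LOCK = "000001010000Z"

# Lockout-related values of the cn=default policy entry in the thread.
POLICY = {"pwdLockout": True, "pwdLockoutDuration": 900,
          "pwdFailureCountInterval": 1800, "pwdMaxFailure": 5}

# Constructed entry data, taken from the ldapsearch output in the thread.
SAMPLE_LDIF = """dn: uid=jan,ou=xxx,dc=yyy,dc=zzz,dc=org
pwdFailureTime: 20110214195244Z
pwdFailureTime: 20110214195246Z
pwdFailureTime: 20110214195247Z
pwdFailureTime: 20110214195249Z
pwdFailureTime: 20110214195250Z
pwdAccountLockedTime: 20110214195250Z
"""

def parse_gt(value):
    """Parse a GeneralizedTime such as 20110214195250Z into a UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_ldif_attrs(ldif):
    """Collect attribute values from LDIF text; repeated attributes become lists."""
    attrs = {}
    for line in ldif.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(": ")
        attrs.setdefault(name, []).append(value)
    return attrs

def lock_state(attrs, policy, now):
    """Return 'permanent', 'locked', 'expired' or 'unlocked' for the entry at `now`.
    A lock lasts pwdLockoutDuration seconds (0 means until an admin clears it)."""
    locked = attrs.get("pwdAccountLockedTime", [])
    if not locked or not policy["pwdLockout"]:
        return "unlocked"
    if locked[0] == PERMANENT_LOCK:
        return "permanent"
    duration = policy["pwdLockoutDuration"]
    if duration == 0 or now < parse_gt(locked[0]) + timedelta(seconds=duration):
        return "locked"
    return "expired"   # the overlay clears the attribute on the next bind

def recent_failures(attrs, policy, now):
    """Count pwdFailureTime values still inside pwdFailureCountInterval."""
    interval = policy["pwdFailureCountInterval"]
    times = [parse_gt(t) for t in attrs.get("pwdFailureTime", [])]
    return sum(1 for t in times if interval == 0 or now - t < timedelta(seconds=interval))

SAMPLE = parse_ldif_attrs(SAMPLE_LDIF)
```

With pwdLockoutDuration 900 the lock recorded at 19:52:50Z only holds until 20:07:50Z, after which the next bind removes pwdAccountLockedTime; the sentinel value is what a lock without expiry looks like.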