Michael,
Thank you for your reply.
I made several attempts to configure slapo-ppolicy but I'm not able to get it to work.
I gathered online documentation and did the following on my openldap 2.4.39 RHEL7 server to enable slapo-ppolicy:
* Loaded the ppolicy schema:
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f ppolicy.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=ppolicy,cn=schema,cn=config"
* Created an ldif with the module and overlay: ppolicy1.ldif

dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib64/openldap
olcModuleload: ppolicy.la

dn: olcOverlay=ppolicy,olcDatabase={2}hdb,cn=config
objectClass: olcPPolicyConfig
olcPPolicyDefault: ou=policies,dc=cluster,dc=sec312
* Added the module and overlay:
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f ppolicy1.ldif
* Created the module ldif: /etc/openldap/slapd.d/cn=config/cn=module{0}.ldif
* Created the overlay ldif: /etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb/olcOverlay={0}ppolicy.ldif
* Created a new ou called policies: ou=policies,dc=*****,dc=*****
* Created a password policy: passwordPolicy.ldif
* Loaded the password policy and I get this error:
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f passwordPolicy.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "ou=policies,dc=*****,dc=*****"
ldap_add: Object class violation (65)
        additional info: attribute 'ou' not allowed
* Restarted slapd as well but I get the same error.
Any advice will be greatly appreciated.
Thank you, Liz
From: Michael Ströder <michael@stroeder.com>
Date: Friday, September 18, 2015 at 9:27 AM
To: Elizabeth Real Chavez <Elizabeth.Real@jpl.nasa.gov>, "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Subject: Re: Allow users to change ldap password with passwd
Real, Elizabeth (392K) wrote:
> This is my setup: I set up this directive on the ldap clients (/etc/sssd/sssd.conf) to prevent users with expired accounts from logging in: ldap_pwd_policy = shadow. This works as expected.
Use OpenLDAP's slapo-ppolicy instead! Using shadow account attributes has been deprecated for years.
> pam_unix(passwd:chauthtok): user "real" does not exist in the /etc/passwd
> pam_sss(passwd:chauthtok): Password change failed for user real: 28 (Module is unknown)
> Gkr-pam: couldn't update the login keyring password: no old password was entered
This sounds more like PAM and sssd related. So you should sort this out first - maybe by asking for specific issues on sssd-users mailing list.
> In an attempt to allow users to change their ldap password, I edited my ACL on the ldap server and added 'shadowLastChange':
> [..]
> olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by
Think twice! You should not do that because of security issues!
If you really insist on using shadow account attributes you have to use slapo-smbk5pwd to let slapd set them internally when receiving a Password Modify extended operation.
Ciao, Michael.
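Editorial addition, not part of the thread above and not OpenLDAP project code: the three pieces a working slapo-ppolicy setup on a 2.4 server needs, written against an assumed suffix dc=example,dc=com (the real suffix is redacted in Liz's message) and the olcDatabase={2}hdb database and olcOverlay={0}ppolicy entry her message shows. Two schema facts are worth checking whenever ldapadd answers "attribute 'ou' not allowed": the entry named ou=policies must carry an object class that permits the ou attribute (organizationalUnit does; pwdPolicy is an AUXILIARY class and does not), and slapo-ppolicy(5) defines olcPPolicyDefault as the DN of a pwdPolicy entry, so it should name the policy entry itself rather than the OU that contains it. The policy values below (90-day maximum age, 14-day warning, lockout after 5 failures for 15 minutes, 12-character minimum, history of 5) are illustrative choices, not values from the thread.

```ldif
# Added example (not from the original thread). Assumed suffix: dc=example,dc=com.
#
# Part 1: data entries. Load with a DN that may write under the suffix, e.g.
#   ldapadd -x -H ldapi:/// -D "cn=Manager,dc=example,dc=com" -W -f policies.ldif
# (cn=Manager is an assumed olcRootDN; substitute the real one.)

# Container. organizationalUnit is what makes the 'ou' attribute legal here.
dn: ou=policies,dc=example,dc=com
objectClass: organizationalUnit
ou: policies

# The policy entry. pwdPolicy is AUXILIARY, so a STRUCTURAL class is required;
# 'device' only needs cn (the admin guide uses 'person' with a dummy sn instead).
# pwdAttribute is MUST and is always userPassword in OpenLDAP.
dn: cn=default,ou=policies,dc=example,dc=com
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
# Ageing: expire after 90 days, warn for the last 14, allow 3 grace binds.
pwdMaxAge: 7776000
pwdExpireWarning: 1209600
pwdGraceAuthNLimit: 3
# Brute-force protection: 5 failures within 15 minutes lock for 15 minutes.
pwdLockout: TRUE
pwdMaxFailure: 5
pwdFailureCountInterval: 900
pwdLockoutDuration: 900
# Quality: 12 chars minimum, no reuse of the last 5; 1 = accept when the
# server cannot inspect the new value (it arrived pre-hashed).
pwdMinLength: 12
pwdInHistory: 5
pwdCheckQuality: 1
# Users may change their own password and must change an admin-reset one.
pwdAllowUserChange: TRUE
pwdMustChange: TRUE

# Part 2: point the overlay's default at the policy entry, not the OU.
# Load over ldapi as root:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f ppolicy-default.ldif
# olcPPolicyHashCleartext makes slapd hash a cleartext userPassword that arrives
# in an ordinary modify (the Password Modify extended operation is hashed anyway).
dn: olcOverlay={0}ppolicy,olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcPPolicyDefault
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=com
-
replace: olcPPolicyHashCleartext
olcPPolicyHashCleartext: TRUE
```

The two parts are separate files because they are loaded with different identities: the data entries as a DN with write access under the suffix, the cn=config change over ldapi as root. Once the overlay is active, an ACL of the form `to attrs=userPassword by self write by anonymous auth by * none` is all a user needs to run passwd: pwdChangedTime, pwdFailureTime, pwdAccountLockedTime and the other pwd* operational attributes are maintained by the overlay itself, so, unlike shadowLastChange, none of them has to be made writable by the user.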