On Tuesday, 23 August 2011 15:12:41 rocke.robertson@pch.gc.ca wrote:
Good morning all
After quite a bit of work, I got replication working (thank you all).
So I forged ahead and deployed the server in our RHEL 5.5 environment.
RHEL5's openldap packages finally became somewhat usable at RHEL5.4, for openldap *2.3*. You may find you want newer (e.g. for ppolicy_forward_updates).
But now I just realized that none of my ppolicy rules work. Also, the Redhat clients are configured to use MD5 hash.
You don't want clients to hash passwords; you can't enforce any password quality checks on hashes. Use 'pam_password exop' if you want to enforce password quality (or otherwise be able to control password hashing on the server-side).
When I look at the accounts in webmin, it shows it being crypt????? I know openldap likes salted SHA, but I thought I'd do what Redhat wanted, which was MD5.
Why?
Password history, aging etc... A search used to show me all of my ppolicy objects.
ldapsearch -v -x -b 'dc=chin,dc=ca' cn=default
?
But now returns nothing. Users can reuse passwords, so no history or aging is working. No locking. I had to change ACLs on the provider and consumer to get the replication working. Would that cause the problem?
No.
Here is my policy LDIF file I added to the server:
# policies, chin.com
dn: ou=policies,dc=chin,dc=ca
objectClass: organizationalUnit
objectClass: top
ou: policies

# default, policies, chin.com
dn: cn=default,ou=policies,dc=chin,dc=ca
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdInHistory: 6
pwdCheckQuality: 1
pwdMinLength: 8
pwdMaxFailure: 4
pwdLockout: TRUE
pwdLockoutDuration: 1920
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
pwdMaxAge: 10368000
pwdExpireWarning: 1209600
pwdMinAge: 86400
Show some example accounts, requesting the operational attributes ('+'), and show authentication attempts (see ldapwhoami(1)) and password change attempts (see ldappasswd(1)) with the ppolicy control enabled (-e ppolicy).
Regards, Buchan
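Buchan's point that the server cannot run quality checks on a value the client has already hashed, as an added illustration that is not part of the thread: the model below uses the pwdCheckQuality semantics of the ppolicy overlay (0 = no check, 1 = check when possible and accept otherwise, 2 = reject when the check is impossible) with the pwdMinLength and pwdCheckQuality values from the posted cn=default entry, and shows the {SSHA} form the server can produce itself once it receives cleartext via the password-modify exop. The {MD5} sample value is constructed.

```python
import base64
import hashlib
import os

# Constructed subset of the posted cn=default pwdPolicy entry.
POLICY = {"pwdCheckQuality": 1, "pwdMinLength": 8}

# Constructed example of what a client configured for MD5 hashing sends.
CLIENT_HASHED = "{MD5}X03MO1qnZdYdgyfeuILPmQ=="


def quality_check(userpassword: str, policy: dict) -> str:
    """Model of the overlay's decision on a new userPassword value.

    Returns 'accepted', 'rejected' or 'unchecked'. A value carrying a
    {SCHEME} prefix arrives pre-hashed, so the cleartext is not visible
    and only pwdCheckQuality decides the outcome.
    """
    quality = policy.get("pwdCheckQuality", 0)
    if quality == 0:
        return "unchecked"
    if userpassword.startswith("{"):
        return "unchecked" if quality == 1 else "rejected"
    if len(userpassword) < policy.get("pwdMinLength", 0):
        return "rejected"
    return "accepted"


def ssha_hash(password: str, salt: bytes = None) -> str:
    """Server-side {SSHA} storage format: base64(sha1(pw + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode() + salt).digest() == digest


def exop_change(new_password: str, policy: dict) -> str:
    """Cleartext over the exop: the server checks it, then hashes it."""
    verdict = quality_check(new_password, policy)
    if verdict == "rejected":
        raise ValueError("constraint violation: password too short")
    return ssha_hash(new_password)
```

With pwdCheckQuality: 1 the client-hashed value slips past pwdMinLength: 8 unchecked, while the same policy applied to cleartext rejects a short password.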