Thanks. I've checked and rechecked the /tmp/ppolicy.ldif for stray/illegal characters, spaces, etc. I can't find anything. I deleted and recreated the file, the line, everything I could think of.
Agree with you on upgrading, that's in the plan as well.
On 9/16/13 5:09 PM, "Christian Kratzer" ck-lists@cksoft.de wrote:
Hi,
On Mon, 16 Sep 2013, Philip Bubel wrote:
Running OpenLDAP 2.4.23 on CentOS 6.4 and we are having trouble enabling password policies. I've read a number of FAQs online, plus spent hours searching for a solution to this problem; although a lot of folks seem to have the same issue, I haven't been able to find a solution that works for us. I run into trouble running ldapadd to import the new policy. I end up with the invalid syntax error I've included below, along with a copy of the .ldif file and my slapd.conf file. I was able to create the policies OU without issue; I also tried using the OID for pwdAttribute instead of userPassword.
[root@asu10d schema]# ldapadd -D "cn=Manager,dc=XXXX,dc=test" -W -x -f /tmp/ppolicy.ldif
Enter LDAP Password:
adding new entry "cn=policy,ou=policies,dc=XXXX,dc=test"
ldap_add: Invalid syntax (21)
        additional info: pwdAttribute: value #0 invalid per syntax
Please check your /tmp/ppolicy.ldif that there are no illegal characters in the line with pwdAttribute:
It looks like this is perhaps broken.
Please also consider updating to the latest OpenLDAP 2.4.36 via one of the openly available RPMs.
Greetings Christian
Contents of policy.ldif

dn: cn=policy,ou=policies,dc=XXXX,dc=test
cn: default
objectClass: pwdPolicy
objectClass: person
objectClass: top
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdExpireWarning: 600
pwdFailureCountInterval: 30
pwdGraceAuthNLimit: 5
pwdInHistory: 5
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdMaxAge: 0
pwdMaxFailure: 5
pwdMinAge: 0
pwdMinLength: 5
pwdMustChange: FALSE
pwdSafeModify: FALSE
sn: dummy value
Contents of my slapd.conf
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
include /etc/openldap/schema/samba.schema
include /etc/openldap/schema/pmi.schema
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
modulepath /usr/lib64/openldap
moduleload ppolicy.la
TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
TLSCertificateFile /etc/pki/tls/certs/slapd.pem
TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
database config
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
        by dn.exact="cn=Manager,dc=XXXX,dc=test" read
        by * none

database bdb
suffix "dc=XXXXX,dc=test"
checkpoint 1024 15
rootdn "cn=Manager,dc=XXXX,dc=test"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw hello   (Temp password used for testing)

overlay ppolicy
policy_default "cn=default,ou=policies,dc=XXXX,dc=test"
policy_use_lockout
directory /var/lib/ldap
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
--
Christian Kratzer                   CK Software GmbH
Email:   ck@cksoft.de               Wildberger Weg 24/2
Phone:   +49 7032 893 997 - 0       D-71126 Gaeufelden
Fax:     +49 7032 893 997 - 9       HRB 245288, Amtsgericht Stuttgart
Web:     http://www.cksoft.de/      Geschaeftsfuehrer: Christian Kratzer
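Christian's advice is to check the LDIF for characters that are not visible in an editor. The script below is an added example, not something posted in this thread: it scans an LDIF file byte by byte and reports anything outside printable ASCII (for instance a non-breaking space pasted from a mail client, or a carriage return left by CRLF line endings) together with the attribute and offset where it sits, plus trailing whitespace, which is ASCII but still ends up inside the value. The sample LDIF embedded in it is constructed for the demonstration; point it at /tmp/ppolicy.ldif by passing the path as the first argument.

```python
# Added example (not from the thread): report bytes in an LDIF file that an editor
# does not show but that make slapd reject a value as "invalid per syntax".
import re
import sys

# Anything outside printable ASCII; a '+' groups a multi-byte UTF-8 sequence
# (e.g. U+00A0 encoded as C2 A0) into one finding.
SUSPECT = re.compile(rb"[^\x20-\x7e]+")

def scan_ldif(data: bytes):
    """Return a list of (line_no, attribute, byte_offset, bytes) findings.

    Lines are split on LF only, so a CR from a CRLF file is reported as a
    stray byte at the end of its line.
    """
    findings = []
    for lineno, raw in enumerate(data.split(b"\n"), start=1):
        attr = raw.split(b":", 1)[0].decode("ascii", "replace") if b":" in raw else ""
        for m in SUSPECT.finditer(raw):
            findings.append((lineno, attr, m.start(), m.group()))
        stripped = raw.rstrip(b" \t")
        if stripped != raw:  # trailing space/tab becomes part of the value
            findings.append((lineno, attr, len(stripped), b"<trailing whitespace>"))
    return findings

# Constructed sample: three defects of the kind a copy-paste can introduce.
SAMPLE = (
    b"dn: cn=default,ou=policies,dc=example,dc=test\n"
    b"objectClass: pwdPolicy\n"
    b"pwdAttribute: userPassword\xc2\xa0\n"  # U+00A0 (no-break space) after the value
    b"pwdMinLength: 5\r\n"                   # CRLF line ending
    b"pwdLockout: TRUE \n"                   # trailing space
)

def report(data: bytes) -> int:
    """Print one line per finding; return the number of findings."""
    found = scan_ldif(data)
    for lineno, attr, offset, what in found:
        print(f"line {lineno} ({attr or '?'}): offset {offset}: {what!r}")
    return len(found)

if __name__ == "__main__":
    # Real file if a path is given, otherwise the constructed sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    sys.exit(1 if report(blob) else 0)
```

A clean file exits 0 and prints nothing, so it can sit in front of ldapadd in a script.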