2013/9/10 Jacques Foucry jacques.foucry@novasparks.com
Hello experts,
I tried to enable ppolicy on a test openldap server.
As I read I first create an OU policies with the default cn
# LDIF Export for cn=default,ou=policies,dc=**example,dc=com # Server: My Slave LDAP Server (ldap://localhost) # Search Scope: base # Search Filter: (objectClass=*) # Total Entries: 1 # # Generated by phpLDAPadmin (http://phpldapadmin.**sourceforge.nethttp://phpldapadmin.sourceforge.net) on September 10, 2013 2:10 pm # Version: 1.2.0.5
version: 1
# Entry 1: cn=default,ou=policies,dc=**example,dc=com dn: cn=default,ou=policies,dc=**example,dc=com cn: default objectclass: top objectclass: device objectclass: pwdPolicy objectclass: pwdPolicyChecker pwdallowuserchange: TRUE pwdattribute: userPassword pwdcheckmodule: mmc-check-password.so pwdcheckquality: 0 pwdexpirewarning: 600 pwdfailurecountinterval: 0 pwdgraceauthnlimit: 5 pwdinhistory: 5 pwdlockout: TRUE pwdlockoutduration: 0 pwdmaxage: 90 pwdmaxfailure: 5 pwdminlength: 8 pwdmustchange: TRUE pwdsafemodify: FALSE
and add it to my base.
I also added the ppolicy schema, the module load and the overlay
include /etc/ldap/schema/ppolicy.**schema
moduleload ppolicy.la
overlay ppolicy ppolicy_default "cn=default,ou=policies,dc=**example,dc=com" ppolicy_hash_cleartext ppolicy_use_lockout
In /etc/ldap/ldap.conf I change pam_lookup_policy yes
I restarted slapd and change my own client to use my test open ldap server. And it seems working.
But suddenly I was not able to do a sudo, change my passwd or login in another session.
I checked the log of my server and found
Sep 10 16:17:22 ldap-slave slapd[1672]: conn=1075 op=1 ENTRY dn="cn=jacques foucry,ou=people,dc=example,**dc=com" Sep 10 16:17:22 ldap-slave slapd[1672]: conn=1075 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text= Sep 10 16:17:22 ldap-slave slapd[1672]: conn=1075 op=2 BIND dn="cn=Jacques Foucry,ou=People,dc=example,**dc=com" method=128 Sep 10 16:17:22 ldap-slave slapd[1672]: conn=1075 op=2 BIND dn="cn=Jacques Foucry,ou=People,dc=example,**dc=com" mech=SIMPLE ssf=0 Sep 10 16:17:22 ldap-slave slapd[1672]: ppolicy_bind: Entry cn=Jacques Foucry,ou=People,dc=example,**dc=com has an expired password: 0 grace logins Sep 10 16:17:22 ldap-slave slapd[1672]: conn=1075 op=2 RESULT tag=97 err=49 text= Sep 10 16:17:22 ldap-slave slapd[1672]: conn=1075 op=3 BIND anonymous mech=implicit ssf=0 Sep 10 16:17:22 ldap-slave slapd[1672]: conn=1075 op=3 BIND dn="" method=128 Sep 10 16:17:22 ldap-slave slapd[1672]: conn=1075 op=3 RESULT tag=97 err=0 text=
So I added to my user some attributes. First the OU pwdPolicy (with userPassord as attribute) then pwdAllowUserChange, pwdGraceAuthNLimit (and put 7 on it) PwdLockout (false) pwdLockoutDuration (0) pwdMustChange (true) pwdSafeModify(true).
I still have the same error.
So there is something I misunderstood.
Can some on explain what's wrognand how can I correct it?
You configured :
pwdmaxage: 90
Means after 90 seconds, your password is expired. Change this to a better value.
Clément.