2013/9/10 Jacques Foucry <jacques.foucry@novasparks.com>
Hello experts,

I tried to enable ppolicy on a test openldap server.

As I read, I first created an OU policies with the default cn

# LDIF Export for cn=default,ou=policies,dc=example,dc=com
# Server: My Slave LDAP Server (ldap://localhost)
# Search Scope: base
# Search Filter: (objectClass=*)
# Total Entries: 1
#
# Generated by phpLDAPadmin (http://phpldapadmin.sourceforge.net) on September 10, 2013 2:10 pm
# Version: 1.2.0.5

version: 1

# Entry 1: cn=default,ou=policies,dc=example,dc=com
dn: cn=default,ou=policies,dc=example,dc=com
cn: default
objectclass: top
objectclass: device
objectclass: pwdPolicy
objectclass: pwdPolicyChecker
pwdallowuserchange: TRUE
pwdattribute: userPassword
pwdcheckmodule: mmc-check-password.so
pwdcheckquality: 0
pwdexpirewarning: 600
pwdfailurecountinterval: 0
pwdgraceauthnlimit: 5
pwdinhistory: 5
pwdlockout: TRUE
pwdlockoutduration: 0
pwdmaxage: 90
pwdmaxfailure: 5
pwdminlength: 8
pwdmustchange: TRUE
pwdsafemodify: FALSE

and added it to my base.

I also added the ppolicy schema, the module load and the overlay

include         /etc/ldap/schema/ppolicy.schema

moduleload      ppolicy.la

overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=example,dc=com"
ppolicy_hash_cleartext
ppolicy_use_lockout

In /etc/ldap/ldap.conf I changed
pam_lookup_policy yes

I restarted slapd and changed my own client to use my test OpenLDAP server. And it seems to be working.

But suddenly I was not able to do a sudo, change my passwd or log in to another session.

I checked the log of my server and found

Sep 10 16:17:22 ldap-slave slapd[1672]: conn=1075 op=1 ENTRY dn="cn=jacques foucry,ou=people,dc=example,dc=com"
Sep 10 16:17:22 ldap-slave slapd[1672]: conn=1075 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Sep 10 16:17:22 ldap-slave slapd[1672]: conn=1075 op=2 BIND dn="cn=Jacques Foucry,ou=People,dc=example,dc=com" method=128
Sep 10 16:17:22 ldap-slave slapd[1672]: conn=1075 op=2 BIND dn="cn=Jacques Foucry,ou=People,dc=example,dc=com" mech=SIMPLE ssf=0
Sep 10 16:17:22 ldap-slave slapd[1672]: ppolicy_bind: Entry cn=Jacques Foucry,ou=People,dc=example,dc=com has an expired password: 0 grace logins
Sep 10 16:17:22 ldap-slave slapd[1672]: conn=1075 op=2 RESULT tag=97 err=49 text=
Sep 10 16:17:22 ldap-slave slapd[1672]: conn=1075 op=3 BIND anonymous mech=implicit ssf=0
Sep 10 16:17:22 ldap-slave slapd[1672]: conn=1075 op=3 BIND dn="" method=128
Sep 10 16:17:22 ldap-slave slapd[1672]: conn=1075 op=3 RESULT tag=97 err=0 text=

So I added some attributes to my user. First the objectClass pwdPolicy (with userPassword as pwdAttribute), then pwdAllowUserChange, pwdGraceAuthNLimit (and put 7 on it), pwdLockout (false), pwdLockoutDuration (0), pwdMustChange (true), pwdSafeModify (true).

I still have the same error.

So there is something I misunderstood.

Can someone explain what's wrong and how I can correct it?



You configured:

pwdmaxage: 90

That means after 90 seconds your password is expired. Change this to a better value.



Clément.
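The bug Clément points at is a units error: per slapo-ppolicy(5), pwdMaxAge, pwdMinAge, pwdExpireWarning, pwdLockoutDuration and pwdFailureCountInterval are all counted in seconds, so "90" expires every password 90 seconds after its pwdChangedTime, which is exactly the "has an expired password: 0 grace logins" bind failure in the log above. The same man page also requires a non-zero pwdExpireWarning to be smaller than pwdMaxAge, and 600 > 90 here. The following script is an added example, not part of the thread and not OpenLDAP's own code: it reads a ppolicy entry from LDIF (a minimal LDIF parser written for this example; the sample entry is the one posted above with the phpLDAPadmin comments dropped), reports the time-valued attributes in human units, warns on the two problems, and emits the ldapmodify LDIF that replaces pwdMaxAge with a real 90 days. The one-day threshold used to flag a suspicious pwdMaxAge is an assumption of this example.

```python
"""Sanity-check an OpenLDAP ppolicy entry before loading it.

Every pwdPolicy time attribute is in SECONDS (slapo-ppolicy(5)), so a value
meant as "90 days" must be written as 90 * 86400 = 7776000.
"""

DAY = 86400
TIME_ATTRS = ("pwdmaxage", "pwdminage", "pwdexpirewarning",
              "pwdlockoutduration", "pwdfailurecountinterval")

# Constructed sample: the policy as posted in the thread, comments removed.
SAMPLE_LDIF = """\
dn: cn=default,ou=policies,dc=example,dc=com
cn: default
objectclass: top
objectclass: device
objectclass: pwdPolicy
objectclass: pwdPolicyChecker
pwdallowuserchange: TRUE
pwdattribute: userPassword
pwdcheckmodule: mmc-check-password.so
pwdcheckquality: 0
pwdexpirewarning: 600
pwdfailurecountinterval: 0
pwdgraceauthnlimit: 5
pwdinhistory: 5
pwdlockout: TRUE
pwdlockoutduration: 0
pwdmaxage: 90
pwdmaxfailure: 5
pwdminlength: 8
pwdmustchange: TRUE
pwdsafemodify: FALSE
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into (dn, {attr_lower: [values]}).

    Minimal reader for this example: joins continuation lines (leading space),
    skips comments, blanks and 'version:'. Attribute names are case-insensitive
    in LDAP, so they are lower-cased for lookup.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#") or not raw.strip():
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    dn, attrs = None, {}
    for line in lines:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "version":
            continue
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return dn, attrs


def humanize(seconds):
    """Render a seconds count in the largest exact unit."""
    if seconds and seconds % DAY == 0:
        return f"{seconds // DAY} day(s)"
    if seconds and seconds % 3600 == 0:
        return f"{seconds // 3600} hour(s)"
    return f"{seconds} second(s)"


def days_to_seconds(days):
    return days * DAY


def report(text, min_max_age_days=1):
    """Return {'dn', 'times', 'warnings'} for a ppolicy LDIF entry.

    min_max_age_days is this example's assumption: a pwdMaxAge shorter than
    that almost certainly means "days" was intended where slapd reads seconds.
    """
    dn, attrs = parse_ldif_entry(text)
    times = {a: int(attrs[a][0]) for a in TIME_ATTRS if a in attrs}
    warnings = []
    max_age = times.get("pwdmaxage", 0)
    if 0 < max_age < days_to_seconds(min_max_age_days):
        warnings.append(
            f"pwdMaxAge={max_age} is {humanize(max_age)}: slapd counts seconds, so "
            f"every password expires {humanize(max_age)} after its pwdChangedTime")
    warn = times.get("pwdexpirewarning", 0)
    if max_age and warn and warn >= max_age:
        warnings.append(
            f"pwdExpireWarning={warn} must be smaller than pwdMaxAge={max_age} "
            f"(slapo-ppolicy(5))")
    return {"dn": dn, "times": times, "warnings": warnings}


def fix_ldif(dn, max_age_days=90):
    """LDIF for `ldapmodify` that sets pwdMaxAge to max_age_days in seconds."""
    return (f"dn: {dn}\n"
            "changetype: modify\n"
            "replace: pwdMaxAge\n"
            f"pwdMaxAge: {days_to_seconds(max_age_days)}\n")


if __name__ == "__main__":
    r = report(SAMPLE_LDIF)
    for attr, secs in r["times"].items():
        print(f"{attr:24} {secs:>10}  ({humanize(secs)})")
    for w in r["warnings"]:
        print("WARNING:", w)
    print("\n--- ldapmodify input ---\n" + fix_ldif(r["dn"]))
```

Feed the generated LDIF to `ldapmodify -x -D <admin dn> -W -f fix.ldif`. Changing the policy does not touch anyone's pwdChangedTime; with pwdMaxAge at 7776000 a password changed in the last 90 days is simply no longer past its age on the next bind.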