Hello again, Well I tried the following.
Added the full path of the check_password.so in my slapd.conf under "moduleload".

moduleload /opt/openldap/etc/openldap/modules/check_password.so

Added the full path to my check_password.so module in my ldif

pwdCheckModule: /opt/openldap/etc/openldap/modules/check_password.so

Recompiled the sources again using the configure used to build the openSUSE package.

CC=/usr/sfw/bin/gcc CPPFLAGS=-I/opt/openldap/include \
LDFLAGS="-L/opt/openldap/lib -R/opt/openldap/lib" \
./configure --prefix=/opt/openldap --with-tls \
--enable-spasswd --enable-crypt --with-gnu-ld \
--enable-ppolicy --enable-modules --enable-dynamic --enable-aci --enable-bdb --enable-hdb \
--enable-rewrite --enable-ldap=yes --enable-meta=mod \
--enable-monitor=yes --enable-slp --enable-overlays=yes \
Still no luck. At least within my ldap logs I see the "Password fails quality checking policy" so at least it is hitting the ldap server for password checking. Any ideas????? Thanks!!!!
Jose
I am trying to get my Solaris 10 OpenLDAP 2.4.21 server to use my check_password.so module using the ppolicy overlay. When I try to change a user's password from a Linux client, I get the following error message.

passwd ldapuser
Changing password for ldapuser.
Enter login(LDAP) password:
New Password:
Reenter New Password:
LDAP password information update failed: Constraint violation
Password fails quality checking policy
passwd: Permission denied
Within my logs, I do not see any error messages from my check_password.so module. I created the directory /opt/openldap/etc/openldap/modules and placed my module in that directory and I added the modulepath in my slapd.conf.
Is there something I missed? Is this a PAM thing? I know this setup works on an openSUSE 11.2 OpenLDAP server. Help.
I included part of my slapd.conf, openldap configure, check_password.c source, makefile and ldd of my check_password.so.
Thanks!!!!
Jose Torres
openldap configure
CC=/usr/sfw/bin/gcc CPPFLAGS=-I/opt/openldap/include \
LDFLAGS="-L/opt/openldap/lib -R/opt/openldap/lib" \
./configure --prefix=/opt/openldap --with-tls \
--enable-spasswd --enable-crypt --with-gnu-ld \
--enable-ppolicy --enable-modules --enable-dynamic
slapd.conf:
include /opt/openldap/etc/openldap/schema/ppolicy.schema

# Add password policies.
modulepath /opt/openldap/etc/openldap/modules
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=caci,dc=ymp,dc=com"
ppolicy_use_lockout
I tried ppolicy_clear_txt and I still have the same problem.
check_password.c:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include "portable.h"
#include "slap.h"

int init_module()
{
    return 0;
}

/* Returns 0 when the password passes every check; otherwise returns 1
 * and stores a malloc'd explanation in *ppErrStr. */
int check_password(char *pPasswd, char **ppErrStr, Entry *pEntry)
{
    int error = 0;
    char retmsg[255];
    char *message;
    /* The double quote and backslash must be escaped inside the literal. */
    const char special[] = "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~";
    const char number[] = "1234567890";
    const char CAPS[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";

    if (strstr(pPasswd, " ") != NULL) {
        error = 1;
        strcpy(retmsg, "******** CHECKPW: Password contains SPACES! ********");
    }

    /* strpbrk() returns NULL when none of the listed characters occur. */
    if (strpbrk(pPasswd, special) == NULL) {
        error = 1;
        strcpy(retmsg, "******** CHECKPW: Password does not contain any special characters! ********");
    }

    if (strpbrk(pPasswd, number) == NULL) {
        error = 1;
        strcpy(retmsg, "******** CHECKPW: Password does not contain any numbers! ********");
    }

    /* Test against CAPS here, not the digit list. */
    if (strpbrk(pPasswd, CAPS) == NULL) {
        error = 1;
        strcpy(retmsg, "******** CHECKPW: Password does not contain any CAPITAL LETTERS! ********");
    }

    if (error) {
        /* Allocate */
        message = (char *)malloc(strlen(retmsg) + 1);
        /* Copy the contents of the string. */
        if (message != NULL)
            strcpy(message, retmsg);
        *ppErrStr = message;
    }
    return error;
}
Makefile:
check_password.so: check_password.o
	gcc -L/opt/openldap/lib -lldap -shared -o check_password.so check_password.o

check_password.o: check_password.c
	gcc -fpic -I../../include -I. -c check_password.c

clean:
	rm check_password.so check_password.o
It seems to find the right libraries.
$ ldd modules/check_password.so
libldap-2.4.so.2 => /opt/openldap/lib/libldap-2.4.so.2
libgcc_s.so.1 => /usr/sfw/lib/libgcc_s.so.1
liblber-2.4.so.2 => /opt/openldap/lib/liblber-2.4.so.2
libresolv.so.2 => /usr/lib/libresolv.so.2
libgen.so.1 => /usr/lib/libgen.so.1
libnsl.so.1 => /usr/lib/libnsl.so.1
libsocket.so.1 => /usr/lib/libsocket.so.1
libsasl.so.1 => /usr/lib/libsasl.so.1
libssl.so.0.9.7 => /usr/sfw/lib/libssl.so.0.9.7
libcrypto.so.0.9.7 => /usr/sfw/lib/libcrypto.so.0.9.7
libc.so.1 => /usr/lib/libc.so.1
libmp.so.2 => /usr/lib/libmp.so.2
libmd.so.1 => /usr/lib/libmd.so.1
libscf.so.1 => /usr/lib/libscf.so.1
libdoor.so.1 => /usr/lib/libdoor.so.1
libuutil.so.1 => /usr/lib/libuutil.so.1
libssl_extra.so.0.9.7 => /usr/sfw/lib/libssl_extra.so.0.9.7
libcrypto_extra.so.0.9.7 => /usr/sfw/lib/libcrypto_extra.so.0.9.7
libm.so.2 => /usr/lib/libm.so.2
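
For the situation described in this thread (a "Password fails quality checking policy" result with nothing logged by the module), the following harness is an added example, not part of the original post or of OpenLDAP: it loads a check_password.so outside slapd and calls the check_password entry point with the signature from check_password.c above, reporting loader failures separately from the module's own verdict. The names try_module, CHK_LOAD_FAILED and CHK_NO_SYMBOL are made up for this example, and the Entry argument is passed as NULL.

```c
/* Added example: exercise a check_password module outside slapd. */
#include <dlfcn.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same shape as check_password() in check_password.c; Entry is opaque here. */
typedef int (*check_fn)(char *pPasswd, char **ppErrStr, void *pEntry);

enum { CHK_LOAD_FAILED = -2, CHK_NO_SYMBOL = -1 };  /* hypothetical codes */

/* Loads the module at path and runs its check on password.
 * Returns CHK_LOAD_FAILED / CHK_NO_SYMBOL for loader problems, otherwise the
 * module's own result (0 = accepted). diag gets the loader or module message. */
int try_module(const char *path, const char *password, char *diag, size_t n)
{
    char pw[256];
    char *err = NULL;
    void *sym;
    check_fn fn;
    int rc;
    /* RTLD_NOW resolves every symbol up front, so a missing dependency fails here. */
    void *h = dlopen(path, RTLD_NOW);

    if (h == NULL) {
        snprintf(diag, n, "dlopen: %s", dlerror());
        return CHK_LOAD_FAILED;
    }
    sym = dlsym(h, "check_password");
    if (sym == NULL) {
        snprintf(diag, n, "dlsym: check_password not exported");
        dlclose(h);
        return CHK_NO_SYMBOL;
    }
    memcpy(&fn, &sym, sizeof fn);             /* object-to-function pointer copy */
    snprintf(pw, sizeof pw, "%s", password);  /* module takes a writable buffer */
    rc = fn(pw, &err, NULL);
    snprintf(diag, n, "%s", err != NULL ? err : "(no message)");
    free(err);
    dlclose(h);
    return rc;
}

int main(int argc, char **argv)
{
    char diag[512];
    int rc;
    if (argc != 3) { fprintf(stderr, "usage: %s module.so password\n", argv[0]); return 2; }
    rc = try_module(argv[1], argv[2], diag, sizeof diag);
    printf("result=%d message=%s\n", rc, diag);
    return rc == 0 ? 0 : 1;
}
```

Link with -ldl where the platform needs it, and pass only throwaway test passwords, since the argument is visible in the process list.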