On Sun, 19 Jan 2014 14:18:56 -0700, Joshua Schaeffer jschaeffer0922@gmail.com wrote:
I'm trying to implement the password policy overlay into my openldap setup. I'm running a Debian 7 server and installed openldap with the package manager.
===================================================
root@baneling:~# dpkg -l | grep slapd
ii  slapd  2.4.31-1+nmu2  amd64  OpenLDAP server (slapd)
===================================================
I currently have my ldap server set up for authentication and authorization. I'm using libnss-ldapd and libpam-ldapd on my other machines to search the ldap directory and would like to implement the password policy provided by the overlay. I believe I've added the schema, loaded the dynamic module, and added the overlay to my database correctly, however I'm not sure it's actually working. I've been mostly following this article and the openldap documentation:
http://www.zytrax.com/books/ldap/ch6/ppolicy.html
http://www.openldap.org/doc/admin24/overlays.html#Password%20Policies
Here is my slapd.d config (shortened for brevity):
root@baneling:~# slapcat -b cn=config
[...]
dn: cn=module{1},cn=config
objectClass: olcModuleList
cn: module{1}
structuralObjectClass: olcModuleList
entryUUID: ad917d22-1583-1033-9e53-473d795f568b
creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
createTimestamp: 20140119183138Z
olcModuleLoad: {0}ppolicy.so
olcModulePath: /usr/lib/ldap
entryCSN: 20140119183433.154615Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20140119183433Z
[...]
dn: cn={4}ppolicy,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {4}ppolicy
[...]
dn: olcOverlay={0}ppolicy,olcDatabase={1}hdb,cn=config
objectClass: olcPPolicyConfig
olcOverlay: {0}ppolicy
olcPPolicyDefault: cn=default,ou=Policies,dc=harmonywave,dc=com
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: TRUE
structuralObjectClass: olcPPolicyConfig
entryUUID: 3c8dc8ce-158d-1033-9e57-473d795f568b
creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
createTimestamp: 20140119194003Z
entryCSN: 20140119194003.774030Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20140119194003Z
===================================================
And my container for the default policy:
root@baneling:~# ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b ou=Policies,dc=harmonywave,dc=com
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: ou=Policies,dc=harmonywave,dc=com
ou: Policies
objectClass: top
objectClass: organizationalUnit

dn: cn=default,ou=Policies,dc=harmonywave,dc=com
cn: default
objectClass: pwdPolicy
objectClass: person
objectClass: top
pwdAttribute: userPassword
pwdAllowUserChange: TRUE
pwdExpireWarning: 432000
pwdFailureCountInterval: 1800
pwdGraceAuthNLimit: 10
pwdInHistory: 10
pwdLockout: TRUE
pwdLockoutDuration: 1800
pwdMaxAge: 7776000
pwdMaxFailure: 6
pwdMinAge: 86400
pwdMinLength: 10
pwdMustChange: FALSE
pwdSafeModify: TRUE
sn: passwdpolicy
===================================================
However, I'm not sure the policy is actually being applied. I thought it might be because I originally created my user before adding the schema and overlay, so I deleted the user and recreated it. I'm able to log into a server using my uid, however if I try to change my password I get the following:
===================================================
jschaeffer@defiler:~$ passwd
(current) LDAP Password:
New password:
Retype new password:
password change failed: Constraint violation
passwd: Authentication token manipulation error
passwd: password unchanged
===================================================
I've been entering my current password correctly when it asks and I am using a complex new password. I also don't see any of the ppolicy attributes on my user (pwdChangeTime, pwdFailureTime, pwdGraceUseTime, etc):
===================================================
root@baneling:~# ldapsearch -LLL -x -D cn=admin,dc=harmonywave,dc=com -W -H ldapi:/// -b uid=jschaeffer,ou=People,dc=harmonywave,dc=com
Enter LDAP Password:
dn: uid=jschaeffer,ou=People,dc=harmonywave,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
uid: jschaeffer
cn: Joshua Schaeffer
uidNumber: 3000
gidNumber: 3000
homeDirectory: /home/jschaeffer
loginShell: /bin/bash
gecos: Joshua Schaeffer
userPassword:: ....
===================================================
I've been searching around on the web for answers to the passwd issue, but I've not been able to find anything useful. Does anyone know how to verify that the ppolicy overlay is actually working?
rootdn must change user passwords, but this depends on access rules. ppolicy attributes are operational, thus apply a '+' to the search string, according to RFC-3673. You may obtain further information on ppolicy by reading slapo-ppolicy(5).
-Dieter
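Added example, not code from either poster: once the operational attributes Dieter mentions have been fetched with '+', this small script reads the resulting LDIF and evaluates a user entry against the cn=default policy shown above (password age versus pwdMaxAge, failures inside pwdFailureCountInterval, lockout state). The LDIF samples, the pwdFailureTime values and the reference time NOW are constructed for the example.

```python
# Added example (not from the thread): evaluate the operational ppolicy attributes,
# fetched with '+' (e.g. ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b <user dn> '*' '+'),
# against the cn=default policy. LDIF samples and timestamps below are constructed.
from datetime import datetime, timedelta, timezone

def parse_ldif(text):
    """One LDIF entry -> {attr: [values]}; plain 'attr: value' lines only."""
    entry = {}
    for line in text.strip().splitlines():
        if line and not line.startswith("#"):
            attr, _, value = line.partition(": ")
            entry.setdefault(attr, []).append(value)
    return entry

def gtime(value):
    """LDAP GeneralizedTime (UTC, optional fractional seconds) -> aware datetime."""
    stamp = value.split(".")[0].rstrip("Z")
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def ppolicy_status(policy, user, now):
    """Evaluate a user entry against its pwdPolicy entry as of `now`."""
    secs = lambda attr: int(policy.get(attr, ["0"])[0])
    # no pwdChangedTime at all means the overlay never stamped a password on this entry
    status = {"overlay_stamped": "pwdChangedTime" in user}
    if status["overlay_stamped"]:
        age = now - gtime(user["pwdChangedTime"][0])
        status["password_age_days"] = age.days
        status["expired"] = 0 < secs("pwdMaxAge") < age.total_seconds()  # 0 = never expires
    # pwdFailureTime is multi-valued; only failures inside pwdFailureCountInterval count
    window = timedelta(seconds=secs("pwdFailureCountInterval"))
    fails = [gtime(t) for t in user.get("pwdFailureTime", [])]
    status["recent_failures"] = sum(1 for t in fails if not window or now - t <= window)
    # lockout: pwdLockoutDuration 0 means locked until an admin clears the attribute
    locked = user.get("pwdAccountLockedTime")
    duration = timedelta(seconds=secs("pwdLockoutDuration"))
    status["locked"] = bool(locked) and (not duration or now - gtime(locked[0]) < duration)
    return status

POLICY_LDIF = """dn: cn=default,ou=Policies,dc=harmonywave,dc=com
pwdMaxAge: 7776000
pwdFailureCountInterval: 1800
pwdLockoutDuration: 1800
"""
USER_LDIF = """dn: uid=jschaeffer,ou=People,dc=harmonywave,dc=com
pwdChangedTime: 20131015120000Z
pwdFailureTime: 20140119150000.123456Z
pwdFailureTime: 20140119175500.654321Z
"""
NOW = datetime(2014, 1, 19, 18, 0, tzinfo=timezone.utc)  # assumed reference time

def check_sample(user_ldif=USER_LDIF):
    return ppolicy_status(parse_ldif(POLICY_LDIF), parse_ldif(user_ldif), NOW)
```

Run against the user entry as Joshua printed it (no '+', so no pwd* attributes), overlay_stamped comes back False; the same result after a search with '+' would mean the overlay never processed that entry's password.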