I'm trying implement the password policy overlay into my openldap setup, I'm running a Debian 7 server and installed openldap with the package manager.
=================================================== root@baneling:~# dpkg -l | grep slapd ii slapd 2.4.31-1+nmu2 amd64 OpenLDAP server (slapd) ===================================================
I currently have my ldap server setup for authentication and authorization, I'm using libnss-ldapd and libpam-ldapd on my other machines to search the ldap directory and would like to implement the password policy provided by the overlay. I believe I've added the schema, loaded thedynamic module, and added the overlay to my databasecorrectly, however I'm not sure it's actually working. I've been mostly followingthis article and the openldap documentation:
http://www.zytrax.com/books/ldap/ch6/ppolicy.html http://www.openldap.org/doc/admin24/overlays.html#Password Policies http://www.openldap.org/doc/admin24/overlays.html#Password%20Policies
Here is my slapd.d config (shortened for brevity): =================================================== root@baneling:~# slapcat -b cn=config [...] dn: cn=module{1},cn=config objectClass: olcModuleList cn: module{1} structuralObjectClass: olcModuleList entryUUID: ad917d22-1583-1033-9e53-473d795f568b creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth createTimestamp: 20140119183138Z olcModuleLoad: {0}ppolicy.so olcModulePath: /usr/lib/ldap entryCSN: 20140119183433.154615Z#000000#000#000000 modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth modifyTimestamp: 20140119183433Z [...] dn: cn={4}ppolicy,cn=schema,cn=config objectClass: olcSchemaConfig cn: {4}ppolicy [...] dn: olcOverlay={0}ppolicy,olcDatabase={1}hdb,cn=config objectClass: olcPPolicyConfig olcOverlay: {0}ppolicy olcPPolicyDefault: cn=default,ou=Policies,dc=harmonywave,dc=com olcPPolicyHashCleartext: TRUE olcPPolicyUseLockout: TRUE structuralObjectClass: olcPPolicyConfig entryUUID: 3c8dc8ce-158d-1033-9e57-473d795f568b creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth createTimestamp: 20140119194003Z entryCSN: 20140119194003.774030Z#000000#000#000000 modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth modifyTimestamp: 20140119194003Z ===================================================
And my container for the default policy: =================================================== root@baneling:~# ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b ou=Policies,dc=harmonywave,dc=com SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 dn: ou=Policies,dc=harmonywave,dc=com ou: Policies objectClass: top objectClass: organizationalUnit
dn: cn=default,ou=Policies,dc=harmonywave,dc=com cn: default objectClass: pwdPolicy objectClass: person objectClass: top pwdAttribute: userPassword pwdAllowUserChange: TRUE pwdExpireWarning: 432000 pwdFailureCountInterval: 1800 pwdGraceAuthNLimit: 10 pwdInHistory: 10 pwdLockout: TRUE pwdLockoutDuration: 1800 pwdMaxAge: 7776000 pwdMaxFailure: 6 pwdMinAge: 86400 pwdMinLength: 10 pwdMustChange: FALSE pwdSafeModify: TRUE sn: passwdpolicy ===================================================
However, I'm not sure the policy is actually being applied. I thought it might be because I originally created my user before adding the schema and overlay, so I deleted the user and recreated it. I'm able to log into a server using my uid, however if I try to change my password I get the following:
=================================================== jschaeffer@defiler:~$ passwd (current) LDAP Password: New password: Retype new password: password change failed: Constraint violation passwd: Authentication token manipulation error passwd: password unchanged ===================================================
I've been entering mycurrent password correctly when it asks and I am using a complex new password. I also don't see any of the ppolicy attributes on my user (pwdChangeTime, pwdFailureTime, pwdGraceUseTime, etc):
=================================================== root@baneling:~# ldapsearch -LLL -x -D cn=admin,dc=harmonywave,dc=com -W -H ldapi:/// -b uid=jschaeffer,ou=People,dc=harmonywave,dc=com Enter LDAP Password: dn: uid=jschaeffer,ou=People,dc=harmonywave,dc=com objectClass: top objectClass: account objectClass: posixAccount uid: jschaeffer cn: Joshua Schaeffer uidNumber: 3000 gidNumber: 3000 homeDirectory: /home/jschaeffer loginShell: /bin/bash gecos: Joshua Schaeffer userPassword:: .... ===================================================
I've been searching around for on the web for answers to the passwd issue, but I've not been able to find anything useful. Does anyone know how to verify that the ppolicy overlay is actually working?
Am Sun, 19 Jan 2014 14:18:56 -0700 schrieb Joshua Schaeffer jschaeffer0922@gmail.com:
I'm trying implement the password policy overlay into my openldap setup, I'm running a Debian 7 server and installed openldap with the package manager.
=================================================== root@baneling:~# dpkg -l | grep slapd ii slapd 2.4.31-1+nmu2 amd64 OpenLDAP server (slapd) ===================================================
I currently have my ldap server setup for authentication and authorization, I'm using libnss-ldapd and libpam-ldapd on my other machines to search the ldap directory and would like to implement the password policy provided by the overlay. I believe I've added the schema, loaded thedynamic module, and added the overlay to my databasecorrectly, however I'm not sure it's actually working. I've been mostly followingthis article and the openldap documentation:
http://www.zytrax.com/books/ldap/ch6/ppolicy.html http://www.openldap.org/doc/admin24/overlays.html#Password Policies http://www.openldap.org/doc/admin24/overlays.html#Password%20Policies
Here is my slapd.d config (shortened for brevity):
root@baneling:~# slapcat -b cn=config [...] dn: cn=module{1},cn=config objectClass: olcModuleList cn: module{1} structuralObjectClass: olcModuleList entryUUID: ad917d22-1583-1033-9e53-473d795f568b creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth createTimestamp: 20140119183138Z olcModuleLoad: {0}ppolicy.so olcModulePath: /usr/lib/ldap entryCSN: 20140119183433.154615Z#000000#000#000000 modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth modifyTimestamp: 20140119183433Z [...] dn: cn={4}ppolicy,cn=schema,cn=config objectClass: olcSchemaConfig cn: {4}ppolicy [...] dn: olcOverlay={0}ppolicy,olcDatabase={1}hdb,cn=config objectClass: olcPPolicyConfig olcOverlay: {0}ppolicy olcPPolicyDefault: cn=default,ou=Policies,dc=harmonywave,dc=com olcPPolicyHashCleartext: TRUE olcPPolicyUseLockout: TRUE structuralObjectClass: olcPPolicyConfig entryUUID: 3c8dc8ce-158d-1033-9e57-473d795f568b creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth createTimestamp: 20140119194003Z entryCSN: 20140119194003.774030Z#000000#000#000000 modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth modifyTimestamp: 20140119194003Z ===================================================
And my container for the default policy:
root@baneling:~# ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b ou=Policies,dc=harmonywave,dc=com SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 dn: ou=Policies,dc=harmonywave,dc=com ou: Policies objectClass: top objectClass: organizationalUnit
dn: cn=default,ou=Policies,dc=harmonywave,dc=com cn: default objectClass: pwdPolicy objectClass: person objectClass: top pwdAttribute: userPassword pwdAllowUserChange: TRUE pwdExpireWarning: 432000 pwdFailureCountInterval: 1800 pwdGraceAuthNLimit: 10 pwdInHistory: 10 pwdLockout: TRUE pwdLockoutDuration: 1800 pwdMaxAge: 7776000 pwdMaxFailure: 6 pwdMinAge: 86400 pwdMinLength: 10 pwdMustChange: FALSE pwdSafeModify: TRUE sn: passwdpolicy ===================================================
However, I'm not sure the policy is actually being applied. I thought it might be because I originally created my user before adding the schema and overlay, so I deleted the user and recreated it. I'm able to log into a server using my uid, however if I try to change my password I get the following:
=================================================== jschaeffer@defiler:~$ passwd (current) LDAP Password: New password: Retype new password: password change failed: Constraint violation passwd: Authentication token manipulation error passwd: password unchanged ===================================================
I've been entering mycurrent password correctly when it asks and I am using a complex new password. I also don't see any of the ppolicy attributes on my user (pwdChangeTime, pwdFailureTime, pwdGraceUseTime, etc):
=================================================== root@baneling:~# ldapsearch -LLL -x -D cn=admin,dc=harmonywave,dc=com -W -H ldapi:/// -b uid=jschaeffer,ou=People,dc=harmonywave,dc=com Enter LDAP Password: dn: uid=jschaeffer,ou=People,dc=harmonywave,dc=com objectClass: top objectClass: account objectClass: posixAccount uid: jschaeffer cn: Joshua Schaeffer uidNumber: 3000 gidNumber: 3000 homeDirectory: /home/jschaeffer loginShell: /bin/bash gecos: Joshua Schaeffer userPassword:: .... ===================================================
I've been searching around for on the web for answers to the passwd issue, but I've not been able to find anything useful. Does anyone know how to verify that the ppolicy overlay is actually working?
rootdn must change user passwords, but this depends on access rules. ppolicy attributes are operational, thus apply a '+' to the search string, according to RFC-3673. You may obtain further information on ppolicy by reading slapo-ppolicy(5).
-Dieter
Thanks for the explanation that really helped, I didn't know about the '+'and was able to see some ppolicy operational attributes on my uid. I read the slapo-ppolicy manual page and that also helped clarified a few things. You stated user's being able to change their own password depended on access rights. These are the access rights I have in my database. Are these correct to allow user's to change their password:
=================================================== root@baneling:~# ldapsearch -Y EXTERNAL -H ldapi:/// -b olcDatabase={1}hdb,cn=config olcAccess SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 # extended LDIF # # LDAPv3 # base <olcDatabase={1}hdb,cn=config> with scope subtree # filter: (objectclass=*) # requesting: olcAccess #
# {1}hdb, config dn: olcDatabase={1}hdb,cn=config olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymou s auth by dn="cn=admin,dc=harmonywave,dc=com" write by * none olcAccess: {1}to dn.base="" by * read olcAccess: {2}to * by self write by dn="cn=admin,dc=harmonywave,dc=com" write by * read
# {0}ppolicy, {1}hdb, config dn: olcOverlay={0}ppolicy,olcDatabase={1}hdb,cn=config
# search result search: 2 result: 0 Success
# numResponses: 3 # numEntries: 2 ===================================================
I've been fiddling with my setup to see if I can't get it to work. I read that you need to tell PAM on the client server to do a lookup for password policies using 'pam_lookup_policy yes' in the /etc/pam_ldap.conf file. I was using libpam-ldapd instead of libpam-ldap which doesn't use the pam_ldap.conf file for its configuration (I shares its config file with libnss-ldapd which is the /etc/nslcd.conf file). I uninstalled libpam-ldapd and installed libpam-ldap instead, adjusted the config file, and I appears to be getting a little further. Now when I try to change my password on a client server I get the following:
=================================================== jschaeffer@defiler:~$ passwd Enter login(LDAP) password: New password: Re-enter new password: LDAP password information update failed: Insufficient access Must supply old password to be changed as well as new one passwd: Permission denied passwd: password unchanged ===================================================
I'm not sure why it wouldn't recognized that I did enter my previous password before I attempted to change it.
-Joshua
On 01/20/2014 12:53 AM, Dieter Klünter wrote:
Am Sun, 19 Jan 2014 14:18:56 -0700 schrieb Joshua Schaeffer jschaeffer0922@gmail.com:
I'm trying implement the password policy overlay into my openldap setup, I'm running a Debian 7 server and installed openldap with the package manager.
=================================================== root@baneling:~# dpkg -l | grep slapd ii slapd 2.4.31-1+nmu2 amd64 OpenLDAP server (slapd) ===================================================
I currently have my ldap server setup for authentication and authorization, I'm using libnss-ldapd and libpam-ldapd on my other machines to search the ldap directory and would like to implement the password policy provided by the overlay. I believe I've added the schema, loaded thedynamic module, and added the overlay to my databasecorrectly, however I'm not sure it's actually working. I've been mostly followingthis article and the openldap documentation:
http://www.zytrax.com/books/ldap/ch6/ppolicy.html http://www.openldap.org/doc/admin24/overlays.html#Password Policies http://www.openldap.org/doc/admin24/overlays.html#Password%20Policies
Here is my slapd.d config (shortened for brevity):
root@baneling:~# slapcat -b cn=config [...] dn: cn=module{1},cn=config objectClass: olcModuleList cn: module{1} structuralObjectClass: olcModuleList entryUUID: ad917d22-1583-1033-9e53-473d795f568b creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth createTimestamp: 20140119183138Z olcModuleLoad: {0}ppolicy.so olcModulePath: /usr/lib/ldap entryCSN: 20140119183433.154615Z#000000#000#000000 modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth modifyTimestamp: 20140119183433Z [...] dn: cn={4}ppolicy,cn=schema,cn=config objectClass: olcSchemaConfig cn: {4}ppolicy [...] dn: olcOverlay={0}ppolicy,olcDatabase={1}hdb,cn=config objectClass: olcPPolicyConfig olcOverlay: {0}ppolicy olcPPolicyDefault: cn=default,ou=Policies,dc=harmonywave,dc=com olcPPolicyHashCleartext: TRUE olcPPolicyUseLockout: TRUE structuralObjectClass: olcPPolicyConfig entryUUID: 3c8dc8ce-158d-1033-9e57-473d795f568b creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth createTimestamp: 20140119194003Z entryCSN: 20140119194003.774030Z#000000#00'+' . I read0#000000 modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth modifyTimestamp: 20140119194003Z ===================================================
And my container for the default policy:
root@baneling:~# ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b ou=Policies,dc=harmonywave,dc=com SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 dn: ou=Policies,dc=harmonywave,dc=com ou: Policies objectClass: top objectClass: organizationalUnit
dn: cn=default,ou=Policies,dc=harmonywave,dc=com cn: default objectClass: pwdPolicy objectClass: person objectClass: top pwdAttribute: userPassword pwdAllowUserChange: TRUE pwdExpireWarning: 432000 pwdFailureCountInterval: 1800 pwdGraceAuthNLimit: 10 pwdInHistory: 10 pwdLockout: TRUE pwdLockoutDuration: 1800 pwdMaxAge: 7776000 pwdMaxFailure: 6 pwdMinAge: 86400 pwdMinLength: 10 pwdMustChange: FALSE pwdSafeModify: TRUE sn: passwdpolicy ===================================================
However, I'm not sure the policy is actually being applied. I thought it might be because I originally created my user before adding the schema and overlay, so I deleted the user and recreated it. I'm able to log into a server using my uid, however if I try to change my password I get the following:
=================================================== jschaeffer@defiler:~$ passwd (current) LDAP Password: New password: Retype new password: password change failed: Constraint violation passwd: Authentication token manipulation error passwd: password unchanged ===================================================
I've been entering mycurrent password correctly when it asks and I am using a complex new password. I also don't see any of the ppolicy attributes on my user (pwdChangeTime, pwdFailureTime, pwdGraceUseTime, etc):
=================================================== root@baneling:~# ldapsearch -LLL -x -D cn=admin,dc=harmonywave,dc=com -W -H ldapi:/// -b uid=jschaeffer,ou=People,dc=harmonywave,dc=com Enter LDAP Password: dn: uid=jschaeffer,ou=People,dc=harmonywave,dc=com objectClass: top objectClass: account objectClass: posixAccount uid: jschaeffer cn: Joshua Schaeffer uidNumber: 3000 gidNumber: 3000 homeDirectory: /home/jschaeffer loginShell: /bin/bash gecos: Joshua Schaeffer userPassword:: .... ===================================================
I've been searching around for on the web for answers to the passwd issue, but I've not been able to find anything useful. Does anyone know how to verify that the ppolicy overlay is actually working?
rootdn must change user passwords, but this depends on access rules. ppolicy attributes are operational, thus apply a '+' to the search string, according to RFC-3673. You may obtain further information on ppolicy by reading slapo-ppolicy(5).
-Dieter
Am Mon, 20 Jan 2014 19:48:40 -0700 schrieb Joshua Schaeffer jschaeffer0922@gmail.com:
Thanks for the explanation that really helped, I didn't know about the '+'and was able to see some ppolicy operational attributes on my uid. I read the slapo-ppolicy manual page and that also helped clarified a few things. You stated user's being able to change their own password depended on access rights. These are the access rights I have in my database. Are these correct to allow user's to change their password:
=================================================== root@baneling:~# ldapsearch -Y EXTERNAL -H ldapi:/// -b olcDatabase={1}hdb,cn=config olcAccess SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 # extended LDIF # # LDAPv3 # base <olcDatabase={1}hdb,cn=config> with scope subtree # filter: (objectclass=*) # requesting: olcAccess #
# {1}hdb, config dn: olcDatabase={1}hdb,cn=config olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymou s auth by dn="cn=admin,dc=harmonywave,dc=com" write by * none olcAccess: {1}to dn.base="" by * read olcAccess: {2}to * by self write by dn="cn=admin,dc=harmonywave,dc=com" write by * read
# {0}ppolicy, {1}hdb, config dn: olcOverlay={0}ppolicy,olcDatabase={1}hdb,cn=config
# search result search: 2 result: 0 Success
# numResponses: 3
# numEntries: 2
I've been fiddling with my setup to see if I can't get it to work. I read that you need to tell PAM on the client server to do a lookup for password policies using 'pam_lookup_policy yes' in the /etc/pam_ldap.conf file. I was using libpam-ldapd instead of libpam-ldap which doesn't use the pam_ldap.conf file for its configuration (I shares its config file with libnss-ldapd which is the /etc/nslcd.conf file). I uninstalled libpam-ldapd and installed libpam-ldap instead, adjusted the config file, and I appears to be getting a little further. Now when I try to change my password on a client server I get the following:
=================================================== jschaeffer@defiler:~$ passwd Enter login(LDAP) password: New password: Re-enter new password: LDAP password information update failed: Insufficient access Must supply old password to be changed as well as new one passwd: Permission denied passwd: password unchanged ===================================================
I'm not sure why it wouldn't recognized that I did enter my previous password before I attempted to change it.
[...]
Run slapd(8) in debuging mode with -d acl
-Dieter
openldap-technical@openldap.org
-
Dieter Klünter -
Joshua Schaeffer