1:18 p.m.
I'm trying implement the password policy overlay into my openldap setup,
I'm running a Debian 7 server and installed openldap with the package
manager.
===================================================
root@baneling:~# dpkg -l | grep slapd
ii slapd 2.4.31-1+nmu2 amd64 OpenLDAP
server (slapd)
===================================================
I currently have my ldap server setup for authentication and
authorization, I'm using libnss-ldapd and libpam-ldapd on my other
machines to search the ldap directory and would like to implement the
password policy provided by the overlay. I believe I've added the
schema, loaded thedynamic module, and added the overlay to my
databasecorrectly, however I'm not sure it's actually working. I've been
mostly followingthis article and the openldap documentation:
http://www.zytrax.com/books/ldap/ch6/ppolicy.html
http://www.openldap.org/doc/admin24/overlays.html#Password Policies
<http://www.openldap.org/doc/admin24/overlays.html#Password%20Policies>
Here is my slapd.d config (shortened for brevity):
===================================================
root@baneling:~# slapcat -b cn=config
[...]
dn: cn=module{1},cn=config
objectClass: olcModuleList
cn: module{1}
structuralObjectClass: olcModuleList
entryUUID: ad917d22-1583-1033-9e53-473d795f568b
creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
createTimestamp: 20140119183138Z
olcModuleLoad: {0}ppolicy.so
olcModulePath: /usr/lib/ldap
entryCSN: 20140119183433.154615Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20140119183433Z
[...]
dn: cn={4}ppolicy,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {4}ppolicy
[...]
dn: olcOverlay={0}ppolicy,olcDatabase={1}hdb,cn=config
objectClass: olcPPolicyConfig
olcOverlay: {0}ppolicy
olcPPolicyDefault: cn=default,ou=Policies,dc=harmonywave,dc=com
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: TRUE
structuralObjectClass: olcPPolicyConfig
entryUUID: 3c8dc8ce-158d-1033-9e57-473d795f568b
creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
createTimestamp: 20140119194003Z
entryCSN: 20140119194003.774030Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20140119194003Z
===================================================
And my container for the default policy:
===================================================
root@baneling:~# ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b
ou=Policies,dc=harmonywave,dc=com
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: ou=Policies,dc=harmonywave,dc=com
ou: Policies
objectClass: top
objectClass: organizationalUnit
dn: cn=default,ou=Policies,dc=harmonywave,dc=com
cn: default
objectClass: pwdPolicy
objectClass: person
objectClass: top
pwdAttribute: userPassword
pwdAllowUserChange: TRUE
pwdExpireWarning: 432000
pwdFailureCountInterval: 1800
pwdGraceAuthNLimit: 10
pwdInHistory: 10
pwdLockout: TRUE
pwdLockoutDuration: 1800
pwdMaxAge: 7776000
pwdMaxFailure: 6
pwdMinAge: 86400
pwdMinLength: 10
pwdMustChange: FALSE
pwdSafeModify: TRUE
sn: passwdpolicy
===================================================
However, I'm not sure the policy is actually being applied. I thought it
might be because I originally created my user before adding the schema
and overlay, so I deleted the user and recreated it. I'm able to log
into a server using my uid, however if I try to change my password I get
the following:
===================================================
jschaeffer@defiler:~$ passwd
(current) LDAP Password:
New password:
Retype new password:
password change failed: Constraint violation
passwd: Authentication token manipulation error
passwd: password unchanged
===================================================
I've been entering mycurrent password correctly when it asks and I am
using a complex new password. I also don't see any of the ppolicy
attributes on my user (pwdChangeTime, pwdFailureTime, pwdGraceUseTime, etc):
===================================================
root@baneling:~# ldapsearch -LLL -x -D cn=admin,dc=harmonywave,dc=com -W
-H ldapi:/// -b uid=jschaeffer,ou=People,dc=harmonywave,dc=com
Enter LDAP Password:
dn: uid=jschaeffer,ou=People,dc=harmonywave,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
uid: jschaeffer
cn: Joshua Schaeffer
uidNumber: 3000
gidNumber: 3000
homeDirectory: /home/jschaeffer
loginShell: /bin/bash
gecos: Joshua Schaeffer
userPassword:: ....
===================================================
I've been searching around for on the web for answers to the passwd
issue, but I've not been able to find anything useful. Does anyone know
how to verify that the ppolicy overlay is actually working?
11:53 p.m.
Am Sun, 19 Jan 2014 14:18:56 -0700
schrieb Joshua Schaeffer <jschaeffer0922(a)gmail.com>:
I'm trying implement the password policy overlay into my
openldap
setup, I'm running a Debian 7 server and installed openldap with the
package manager.
===================================================
root@baneling:~# dpkg -l | grep slapd
ii slapd 2.4.31-1+nmu2 amd64
OpenLDAP server (slapd)
===================================================
I currently have my ldap server setup for authentication and
authorization, I'm using libnss-ldapd and libpam-ldapd on my other
machines to search the ldap directory and would like to implement the
password policy provided by the overlay. I believe I've added the
schema, loaded thedynamic module, and added the overlay to my
databasecorrectly, however I'm not sure it's actually working. I've
been mostly followingthis article and the openldap documentation:
http://www.zytrax.com/books/ldap/ch6/ppolicy.html
http://www.openldap.org/doc/admin24/overlays.html#Password Policies
<http://www.openldap.org/doc/admin24/overlays.html#Password%20Policies>
Here is my slapd.d config (shortened for brevity):
===================================================
root@baneling:~# slapcat -b cn=config
[...]
dn: cn=module{1},cn=config
objectClass: olcModuleList
cn: module{1}
structuralObjectClass: olcModuleList
entryUUID: ad917d22-1583-1033-9e53-473d795f568b
creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
createTimestamp: 20140119183138Z
olcModuleLoad: {0}ppolicy.so
olcModulePath: /usr/lib/ldap
entryCSN: 20140119183433.154615Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20140119183433Z
[...]
dn: cn={4}ppolicy,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {4}ppolicy
[...]
dn: olcOverlay={0}ppolicy,olcDatabase={1}hdb,cn=config
objectClass: olcPPolicyConfig
olcOverlay: {0}ppolicy
olcPPolicyDefault: cn=default,ou=Policies,dc=harmonywave,dc=com
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: TRUE
structuralObjectClass: olcPPolicyConfig
entryUUID: 3c8dc8ce-158d-1033-9e57-473d795f568b
creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
createTimestamp: 20140119194003Z
entryCSN: 20140119194003.774030Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20140119194003Z
===================================================
And my container for the default policy:
===================================================
root@baneling:~# ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b
ou=Policies,dc=harmonywave,dc=com
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: ou=Policies,dc=harmonywave,dc=com
ou: Policies
objectClass: top
objectClass: organizationalUnit
dn: cn=default,ou=Policies,dc=harmonywave,dc=com
cn: default
objectClass: pwdPolicy
objectClass: person
objectClass: top
pwdAttribute: userPassword
pwdAllowUserChange: TRUE
pwdExpireWarning: 432000
pwdFailureCountInterval: 1800
pwdGraceAuthNLimit: 10
pwdInHistory: 10
pwdLockout: TRUE
pwdLockoutDuration: 1800
pwdMaxAge: 7776000
pwdMaxFailure: 6
pwdMinAge: 86400
pwdMinLength: 10
pwdMustChange: FALSE
pwdSafeModify: TRUE
sn: passwdpolicy
===================================================
However, I'm not sure the policy is actually being applied. I thought
it might be because I originally created my user before adding the
schema and overlay, so I deleted the user and recreated it. I'm able
to log into a server using my uid, however if I try to change my
password I get the following:
===================================================
jschaeffer@defiler:~$ passwd
(current) LDAP Password:
New password:
Retype new password:
password change failed: Constraint violation
passwd: Authentication token manipulation error
passwd: password unchanged
===================================================
I've been entering mycurrent password correctly when it asks and I am
using a complex new password. I also don't see any of the ppolicy
attributes on my user (pwdChangeTime, pwdFailureTime,
pwdGraceUseTime, etc):
===================================================
root@baneling:~# ldapsearch -LLL -x -D cn=admin,dc=harmonywave,dc=com
-W -H ldapi:/// -b uid=jschaeffer,ou=People,dc=harmonywave,dc=com
Enter LDAP Password:
dn: uid=jschaeffer,ou=People,dc=harmonywave,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
uid: jschaeffer
cn: Joshua Schaeffer
uidNumber: 3000
gidNumber: 3000
homeDirectory: /home/jschaeffer
loginShell: /bin/bash
gecos: Joshua Schaeffer
userPassword:: ....
===================================================
I've been searching around for on the web for answers to the passwd
issue, but I've not been able to find anything useful. Does anyone
know how to verify that the ppolicy overlay is actually working?
rootdn must change user passwords, but this depends on access rules.
ppolicy attributes are operational, thus apply a '+' to the search
string, according to RFC-3673. You may obtain further information on
ppolicy by reading slapo-ppolicy(5).
-Dieter
--
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:DA147B05
53°37'09,95"N
10°08'02,42"E
6:48 p.m.
Thanks for the explanation that really helped, I didn't know about the
'+'and was able to see some ppolicy operational attributes on my uid. I
read the slapo-ppolicy manual page and that also helped clarified a few
things. You stated user's being able to change their own password
depended on access rights. These are the access rights I have in my
database. Are these correct to allow user's to change their password:
===================================================
root@baneling:~# ldapsearch -Y EXTERNAL -H ldapi:/// -b
olcDatabase={1}hdb,cn=config olcAccess
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <olcDatabase={1}hdb,cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: olcAccess
#
# {1}hdb, config
dn: olcDatabase={1}hdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by
anonymou
s auth by dn="cn=admin,dc=harmonywave,dc=com" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by self write by dn="cn=admin,dc=harmonywave,dc=com"
write
by * read
# {0}ppolicy, {1}hdb, config
dn: olcOverlay={0}ppolicy,olcDatabase={1}hdb,cn=config
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2
===================================================
I've been fiddling with my setup to see if I can't get it to work. I
read that you need to tell PAM on the client server to do a lookup for
password policies using 'pam_lookup_policy yes' in the
/etc/pam_ldap.conf file. I was using libpam-ldapd instead of
libpam-ldap which doesn't use the pam_ldap.conf file for its
configuration (I shares its config file with libnss-ldapd which is the
/etc/nslcd.conf file). I uninstalled libpam-ldapd and installed
libpam-ldap instead, adjusted the config file, and I appears to be
getting a little further. Now when I try to change my password on a
client server I get the following:
===================================================
jschaeffer@defiler:~$ passwd
Enter login(LDAP) password:
New password:
Re-enter new password:
LDAP password information update failed: Insufficient access
Must supply old password to be changed as well as new one
passwd: Permission denied
passwd: password unchanged
===================================================
I'm not sure why it wouldn't recognized that I did enter my previous
password before I attempted to change it.
-Joshua
On 01/20/2014 12:53 AM, Dieter Klünter wrote:
Am Sun, 19 Jan 2014 14:18:56 -0700
schrieb Joshua Schaeffer <jschaeffer0922(a)gmail.com>:
> I'm trying implement the password policy overlay into my openldap
> setup, I'm running a Debian 7 server and installed openldap with the
> package manager.
>
> ===================================================
> root@baneling:~# dpkg -l | grep slapd
> ii slapd 2.4.31-1+nmu2 amd64
> OpenLDAP server (slapd)
> ===================================================
>
> I currently have my ldap server setup for authentication and
> authorization, I'm using libnss-ldapd and libpam-ldapd on my other
> machines to search the ldap directory and would like to implement the
> password policy provided by the overlay. I believe I've added the
> schema, loaded thedynamic module, and added the overlay to my
> databasecorrectly, however I'm not sure it's actually working. I've
> been mostly followingthis article and the openldap documentation:
>
> http://www.zytrax.com/books/ldap/ch6/ppolicy.html
> http://www.openldap.org/doc/admin24/overlays.html#Password Policies
> <http://www.openldap.org/doc/admin24/overlays.html#Password%20Policies>
>
> Here is my slapd.d config (shortened for brevity):
> ===================================================
> root@baneling:~# slapcat -b cn=config
> [...]
> dn: cn=module{1},cn=config
> objectClass: olcModuleList
> cn: module{1}
> structuralObjectClass: olcModuleList
> entryUUID: ad917d22-1583-1033-9e53-473d795f568b
> creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> createTimestamp: 20140119183138Z
> olcModuleLoad: {0}ppolicy.so
> olcModulePath: /usr/lib/ldap
> entryCSN: 20140119183433.154615Z#000000#000#000000
> modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> modifyTimestamp: 20140119183433Z
> [...]
> dn: cn={4}ppolicy,cn=schema,cn=config
> objectClass: olcSchemaConfig
> cn: {4}ppolicy
> [...]
> dn: olcOverlay={0}ppolicy,olcDatabase={1}hdb,cn=config
> objectClass: olcPPolicyConfig
> olcOverlay: {0}ppolicy
> olcPPolicyDefault: cn=default,ou=Policies,dc=harmonywave,dc=com
> olcPPolicyHashCleartext: TRUE
> olcPPolicyUseLockout: TRUE
> structuralObjectClass: olcPPolicyConfig
> entryUUID: 3c8dc8ce-158d-1033-9e57-473d795f568b
> creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> createTimestamp: 20140119194003Z
> entryCSN: 20140119194003.774030Z#000000#00'+' . I read0#000000
> modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> modifyTimestamp: 20140119194003Z
> ===================================================
>
> And my container for the default policy:
> ===================================================
> root@baneling:~# ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b
> ou=Policies,dc=harmonywave,dc=com
> SASL/EXTERNAL authentication started
> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> SASL SSF: 0
> dn: ou=Policies,dc=harmonywave,dc=com
> ou: Policies
> objectClass: top
> objectClass: organizationalUnit
>
> dn: cn=default,ou=Policies,dc=harmonywave,dc=com
> cn: default
> objectClass: pwdPolicy
> objectClass: person
> objectClass: top
> pwdAttribute: userPassword
> pwdAllowUserChange: TRUE
> pwdExpireWarning: 432000
> pwdFailureCountInterval: 1800
> pwdGraceAuthNLimit: 10
> pwdInHistory: 10
> pwdLockout: TRUE
> pwdLockoutDuration: 1800
> pwdMaxAge: 7776000
> pwdMaxFailure: 6
> pwdMinAge: 86400
> pwdMinLength: 10
> pwdMustChange: FALSE
> pwdSafeModify: TRUE
> sn: passwdpolicy
> ===================================================
>
> However, I'm not sure the policy is actually being applied. I thought
> it might be because I originally created my user before adding the
> schema and overlay, so I deleted the user and recreated it. I'm able
> to log into a server using my uid, however if I try to change my
> password I get the following:
>
> ===================================================
> jschaeffer@defiler:~$ passwd
> (current) LDAP Password:
> New password:
> Retype new password:
> password change failed: Constraint violation
> passwd: Authentication token manipulation error
> passwd: password unchanged
> ===================================================
>
> I've been entering mycurrent password correctly when it asks and I am
> using a complex new password. I also don't see any of the ppolicy
> attributes on my user (pwdChangeTime, pwdFailureTime,
> pwdGraceUseTime, etc):
>
> ===================================================
> root@baneling:~# ldapsearch -LLL -x -D cn=admin,dc=harmonywave,dc=com
> -W -H ldapi:/// -b uid=jschaeffer,ou=People,dc=harmonywave,dc=com
> Enter LDAP Password:
> dn: uid=jschaeffer,ou=People,dc=harmonywave,dc=com
> objectClass: top
> objectClass: account
> objectClass: posixAccount
> uid: jschaeffer
> cn: Joshua Schaeffer
> uidNumber: 3000
> gidNumber: 3000
> homeDirectory: /home/jschaeffer
> loginShell: /bin/bash
> gecos: Joshua Schaeffer
> userPassword:: ....
> ===================================================
>
> I've been searching around for on the web for answers to the passwd
> issue, but I've not been able to find anything useful. Does anyone
> know how to verify that the ppolicy overlay is actually working?
rootdn must change user passwords, but this depends on access rules.
ppolicy attributes are operational, thus apply a '+' to the search
string, according to RFC-3673. You may obtain further information on
ppolicy by reading slapo-ppolicy(5).
-Dieter
5:54 a.m.
Am Mon, 20 Jan 2014 19:48:40 -0700
schrieb Joshua Schaeffer <jschaeffer0922(a)gmail.com>:
Thanks for the explanation that really helped, I didn't know
about
the '+'and was able to see some ppolicy operational attributes on my
uid. I read the slapo-ppolicy manual page and that also helped
clarified a few things. You stated user's being able to change their
own password depended on access rights. These are the access rights
I have in my database. Are these correct to allow user's to change
their password:
===================================================
root@baneling:~# ldapsearch -Y EXTERNAL -H ldapi:/// -b
olcDatabase={1}hdb,cn=config olcAccess
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <olcDatabase={1}hdb,cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: olcAccess
#
# {1}hdb, config
dn: olcDatabase={1}hdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by
anonymou
s auth by dn="cn=admin,dc=harmonywave,dc=com" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by self write by
dn="cn=admin,dc=harmonywave,dc=com" write
by * read
# {0}ppolicy, {1}hdb, config
dn: olcOverlay={0}ppolicy,olcDatabase={1}hdb,cn=config
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2
===================================================
I've been fiddling with my setup to see if I can't get it to work. I
read that you need to tell PAM on the client server to do a lookup
for password policies using 'pam_lookup_policy yes' in the
/etc/pam_ldap.conf file. I was using libpam-ldapd instead of
libpam-ldap which doesn't use the pam_ldap.conf file for its
configuration (I shares its config file with libnss-ldapd which is
the /etc/nslcd.conf file). I uninstalled libpam-ldapd and installed
libpam-ldap instead, adjusted the config file, and I appears to be
getting a little further. Now when I try to change my password on a
client server I get the following:
===================================================
jschaeffer@defiler:~$ passwd
Enter login(LDAP) password:
New password:
Re-enter new password:
LDAP password information update failed: Insufficient access
Must supply old password to be changed as well as new one
passwd: Permission denied
passwd: password unchanged
===================================================
I'm not sure why it wouldn't recognized that I did enter my previous
password before I attempted to change it.
[...]
Run slapd(8) in debuging mode with -d acl
-Dieter
--
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
3424
days inactive
3426
days old
openldap-technical@openldap.org
3 comments
2 participants
participants (2)
-
Dieter Klünter -
Joshua Schaeffer