Thanks for the explanation, that really helped. I didn't know about the
'+' and was able to see some ppolicy operational attributes on my uid. I
read the slapo-ppolicy manual page and that also helped clarify a few
things. You stated that users being able to change their own password
depended on access rights. These are the access rights I have in my
database. Are these correct to allow users to change their password?
===================================================
root@baneling:~# ldapsearch -Y EXTERNAL -H ldapi:/// -b olcDatabase={1}hdb,cn=config olcAccess
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <olcDatabase={1}hdb,cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: olcAccess
#
# {1}hdb, config
dn: olcDatabase={1}hdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=harmonywave,dc=com" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by self write by dn="cn=admin,dc=harmonywave,dc=com" write by * read
# {0}ppolicy, {1}hdb, config
dn: olcOverlay={0}ppolicy,olcDatabase={1}hdb,cn=config
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2
===================================================
I've been fiddling with my setup to see if I can't get it to work. I
read that you need to tell PAM on the client server to do a lookup for
password policies using 'pam_lookup_policy yes' in the
/etc/pam_ldap.conf file. I was using libpam-ldapd instead of
libpam-ldap, which doesn't use the pam_ldap.conf file for its
configuration (it shares its config file with libnss-ldapd, which is
/etc/nslcd.conf). I uninstalled libpam-ldapd and installed
libpam-ldap instead, adjusted the config file, and I appear to be
getting a little further. Now when I try to change my password on a
client server I get the following:
===================================================
jschaeffer@defiler:~$ passwd
Enter login(LDAP) password:
New password:
Re-enter new password:
LDAP password information update failed: Insufficient access
Must supply old password to be changed as well as new one
passwd: Permission denied
passwd: password unchanged
===================================================
I'm not sure why it wouldn't recognize that I did enter my previous
password before I attempted to change it.
-Joshua
On 01/20/2014 12:53 AM, Dieter Klünter wrote:
On Sun, 19 Jan 2014 14:18:56 -0700
Joshua Schaeffer <jschaeffer0922(a)gmail.com> wrote:
> I'm trying to implement the password policy overlay into my openldap
> setup. I'm running a Debian 7 server and installed openldap with the
> package manager.
>
> ===================================================
> root@baneling:~# dpkg -l | grep slapd
> ii slapd 2.4.31-1+nmu2 amd64
> OpenLDAP server (slapd)
> ===================================================
>
> I currently have my ldap server setup for authentication and
> authorization, I'm using libnss-ldapd and libpam-ldapd on my other
> machines to search the ldap directory and would like to implement the
> password policy provided by the overlay. I believe I've added the
> schema, loaded the dynamic module, and added the overlay to my
> database correctly, however I'm not sure it's actually working. I've
> been mostly following this article and the openldap documentation:
>
> http://www.zytrax.com/books/ldap/ch6/ppolicy.html
> http://www.openldap.org/doc/admin24/overlays.html#Password%20Policies
>
> Here is my slapd.d config (shortened for brevity):
> ===================================================
> root@baneling:~# slapcat -b cn=config
> [...]
> dn: cn=module{1},cn=config
> objectClass: olcModuleList
> cn: module{1}
> structuralObjectClass: olcModuleList
> entryUUID: ad917d22-1583-1033-9e53-473d795f568b
> creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> createTimestamp: 20140119183138Z
> olcModuleLoad: {0}ppolicy.so
> olcModulePath: /usr/lib/ldap
> entryCSN: 20140119183433.154615Z#000000#000#000000
> modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> modifyTimestamp: 20140119183433Z
> [...]
> dn: cn={4}ppolicy,cn=schema,cn=config
> objectClass: olcSchemaConfig
> cn: {4}ppolicy
> [...]
> dn: olcOverlay={0}ppolicy,olcDatabase={1}hdb,cn=config
> objectClass: olcPPolicyConfig
> olcOverlay: {0}ppolicy
> olcPPolicyDefault: cn=default,ou=Policies,dc=harmonywave,dc=com
> olcPPolicyHashCleartext: TRUE
> olcPPolicyUseLockout: TRUE
> structuralObjectClass: olcPPolicyConfig
> entryUUID: 3c8dc8ce-158d-1033-9e57-473d795f568b
> creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> createTimestamp: 20140119194003Z
> entryCSN: 20140119194003.774030Z#000000#000#000000
> modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> modifyTimestamp: 20140119194003Z
> ===================================================
>
> And my container for the default policy:
> ===================================================
> root@baneling:~# ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b ou=Policies,dc=harmonywave,dc=com
> SASL/EXTERNAL authentication started
> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> SASL SSF: 0
> dn: ou=Policies,dc=harmonywave,dc=com
> ou: Policies
> objectClass: top
> objectClass: organizationalUnit
>
> dn: cn=default,ou=Policies,dc=harmonywave,dc=com
> cn: default
> objectClass: pwdPolicy
> objectClass: person
> objectClass: top
> pwdAttribute: userPassword
> pwdAllowUserChange: TRUE
> pwdExpireWarning: 432000
> pwdFailureCountInterval: 1800
> pwdGraceAuthNLimit: 10
> pwdInHistory: 10
> pwdLockout: TRUE
> pwdLockoutDuration: 1800
> pwdMaxAge: 7776000
> pwdMaxFailure: 6
> pwdMinAge: 86400
> pwdMinLength: 10
> pwdMustChange: FALSE
> pwdSafeModify: TRUE
> sn: passwdpolicy
> ===================================================
>
> However, I'm not sure the policy is actually being applied. I thought
> it might be because I originally created my user before adding the
> schema and overlay, so I deleted the user and recreated it. I'm able
> to log into a server using my uid, however if I try to change my
> password I get the following:
>
> ===================================================
> jschaeffer@defiler:~$ passwd
> (current) LDAP Password:
> New password:
> Retype new password:
> password change failed: Constraint violation
> passwd: Authentication token manipulation error
> passwd: password unchanged
> ===================================================
>
> I've been entering my current password correctly when it asks and I am
> using a complex new password. I also don't see any of the ppolicy
> attributes on my user (pwdChangeTime, pwdFailureTime,
> pwdGraceUseTime, etc):
>
> ===================================================
> root@baneling:~# ldapsearch -LLL -x -D cn=admin,dc=harmonywave,dc=com -W -H ldapi:/// -b uid=jschaeffer,ou=People,dc=harmonywave,dc=com
> Enter LDAP Password:
> dn: uid=jschaeffer,ou=People,dc=harmonywave,dc=com
> objectClass: top
> objectClass: account
> objectClass: posixAccount
> uid: jschaeffer
> cn: Joshua Schaeffer
> uidNumber: 3000
> gidNumber: 3000
> homeDirectory: /home/jschaeffer
> loginShell: /bin/bash
> gecos: Joshua Schaeffer
> userPassword:: ....
> ===================================================
>
> I've been searching around on the web for answers to the passwd
> issue, but I've not been able to find anything useful. Does anyone
> know how to verify that the ppolicy overlay is actually working?
rootdn must change user passwords, but this depends on access rules.
ppolicy attributes are operational, thus apply a '+' to the search
string, according to RFC-3673. You may obtain further information on
ppolicy by reading slapo-ppolicy(5).
-Dieter
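The olcAccess rules Joshua posted, and the modify shape that pwdSafeModify: TRUE requires (the "Must supply old password" message), worked through as an added Python example that is not part of this thread. The evaluator is a simplified model of slapd.access(5) semantics (first matching "to" clause is selected, then the first matching "by" clause decides); the bind DNs used are constructed, and rootdn is not modelled because it bypasses ACLs.

```python
# Added example (not from the thread): toy evaluator for the three olcAccess
# rules posted above, following slapd.access(5): the first "to" clause whose
# target matches is selected, then its "by" clauses are tried in order and the
# first matching "who" fixes the access level. rootdn bypasses ACLs entirely.
ADMIN_DN = "cn=admin,dc=harmonywave,dc=com"

# slapd access levels, weakest first; each level implies every level below it.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

# The posted rules as (target, [(who, level), ...]) in {0},{1},{2} order.
OLC_ACCESS = [
    ({"attrs": {"userPassword", "shadowLastChange"}},
     [("self", "write"), ("anonymous", "auth"), (ADMIN_DN, "write"), ("*", "none")]),
    ({"dn.base": ""}, [("*", "read")]),
    ({}, [("self", "write"), (ADMIN_DN, "write"), ("*", "read")]),  # to *
]

def _target_matches(target, entry_dn, attr):
    if "dn.base" in target and entry_dn != target["dn.base"]:
        return False
    return "attrs" not in target or attr in target["attrs"]

def _who_matches(who, bind_dn, entry_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn == ""
    if who == "self":          # an anonymous bind is never "self"
        return bind_dn != "" and bind_dn == entry_dn
    return who == bind_dn      # explicit dn="..." clause

def granted_level(bind_dn, entry_dn, attr):
    """Access level slapd would grant; bind_dn "" means an anonymous bind."""
    for target, by_clauses in OLC_ACCESS:
        if _target_matches(target, entry_dn, attr):
            for who, level in by_clauses:
                if _who_matches(who, bind_dn, entry_dn):
                    return level
            return "none"      # "to" matched but no "by" did: denied
    return "none"              # nothing matched: slapd denies by default

def allows(bind_dn, entry_dn, attr, needed):
    return LEVELS.index(granted_level(bind_dn, entry_dn, attr)) >= LEVELS.index(needed)

def safe_modify_ldif(entry_dn, old_pw, new_pw):
    """LDIF shape pwdSafeModify requires: delete the old value, add the new one."""
    return (f"dn: {entry_dn}\nchangetype: modify\n"
            f"delete: userPassword\nuserPassword: {old_pw}\n-\n"
            f"add: userPassword\nuserPassword: {new_pw}\n-\n")
```

Under these rules a user bound as themselves holds write on their own userPassword, an anonymous bind gets only auth (enough to bind, not to read or compare), and any other user gets none; a client that replaces userPassword without supplying the old value in a delete step does not satisfy pwdSafeModify regardless of the ACL.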