Hello!
I have a problem with the ppolicy module. I have 2 LDAP trees, dc=example,dc=com and o=external, and I want to have password policies (lockout after 5 failed login attempts). I can see that it works on dc=example,dc=com but it does not work on o=external.
Both trees save failed login attempts, but only the first tree locks people out; o=external just saves more and more failed attempts but never locks the user out.
I have tried a lot of things and I cannot figure out what the problem is. I hope someone here can help me.
It is 2 replicated Ubuntu 10.04 servers with OpenLDAP 2.4.21-0ubuntu5.7, and the ppolicy configuration looks like this:
ppolmodule.ldif:
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModuleLoad: ppolicy.la
ldapadd -x -D "cn=admin,cn=config" -w password -f ~/ppolmodule.ldif -h ldap1
ppol.ldif:
dn: ou=policies,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: policies

dn: cn=default,ou=policies,dc=example,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: 2.5.4.35
pwdLockout: TRUE
pwdLockoutDuration: 1800
pwdMaxFailure: 5
pwdMinLength: 6
ldapadd -x -D "cn=admin,dc=example,dc=com" -w password -f ~/ppol.ldif -h ldap1
ppol_external.ldif:
dn: ou=policies,o=external
objectClass: organizationalUnit
objectClass: top
ou: policies

dn: cn=default,ou=policies,o=external
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: 2.5.4.35
pwdLockout: TRUE
pwdLockoutDuration: 1800
pwdMaxFailure: 5
pwdMinLength: 6
ldapadd -x -D "cn=admin,dc=example,dc=com" -w password -f ~/ppol_external.ldif -h ldap1
ppoloverlay.ldif:
dn: olcOverlay=ppolicy,olcDatabase={1}bdb,cn=config
olcOverlay: ppolicy
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: FALSE
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=com
ppoloverlay_external.ldif:
dn: olcOverlay=ppolicy,olcDatabase={2}bdb,cn=config
olcOverlay: ppolicy
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: FALSE
olcPPolicyDefault: cn=default,ou=policies,o=external
ldapadd -x -D "cn=admin,cn=config" -w password -f ~/ppoloverlay.ldif -h ldap1
ldapadd -x -D "cn=admin,cn=config" -w password -f ~/ppoloverlay_external.ldif -h ldap1
I tried with only one default policy for both trees as well, it made no difference.
/Mikael
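A way to make the symptom above measurable rather than anecdotal is to pull the ppolicy operational attributes for a test user in each tree and compare them against the policy's own numbers. The script below is an added example, not code from the post or from the OpenLDAP project. It parses the LDIF that an `ldapsearch` for `pwdFailureTime` and `pwdAccountLockedTime` returns and reports, per entry, how many failures are recorded, whether the account is currently locked under the `pwdLockoutDuration` from the policy, and whether the failure counter has passed `pwdMaxFailure` without any lock being recorded, which is exactly the o=external behaviour described. The LDIF text, the user DNs and the timestamps are constructed for the example; the policy values (5 failures, 1800 seconds) are the ones from cn=default above. The name `audit` and the `lock_missing` flag are this example's own, not anything ppolicy exposes.

```python
"""Audit ppolicy lockout state offline from ldapsearch LDIF output."""
from datetime import datetime, timedelta, timezone

# Constructed sample of what
#   ldapsearch -x -D <admin dn> -w <pw> -b <tree> "(uid=<user>)" \
#       pwdFailureTime pwdAccountLockedTime
# might return for one user per tree. Values are invented to mirror the
# symptom in the post: both trees record failures, only the first one locks.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
pwdFailureTime: 20140206103001Z
pwdFailureTime: 20140206103005Z
pwdFailureTime: 20140206103009Z
pwdFailureTime: 20140206103012Z
pwdFailureTime: 20140206103015Z
pwdAccountLockedTime: 20140206103015Z

dn: uid=bob,ou=people,o=external
pwdFailureTime: 20140206103101.000123Z
pwdFailureTime: 20140206103104.000987Z
pwdFailureTime: 20140206103108.001201Z
pwdFailureTime: 20140206103111.000045Z
pwdFailureTime: 20140206103114.000316Z
pwdFailureTime: 20140206103117.000777Z
pwdFailureTime: 20140206103120.000900Z
"""

# Policy values taken from cn=default in the post.
POLICY = {"pwdMaxFailure": 5, "pwdLockoutDuration": 1800}

# "Current time" for the constructed sample (15 minutes after the failures).
NOW_FOR_SAMPLE = datetime(2014, 2, 6, 10, 45, tzinfo=timezone.utc)


def parse_ldif(text):
    """Minimal LDIF reader returning one {attr: [values]} dict per entry.
    Handles comments, the version header and folded continuation lines;
    base64 ('::') values are skipped since these attributes never need them."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded line continues the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:                   # trailing "" flushes the last entry
        if line == "":
            if current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        attr, sep, value = line.partition(":")
        if not sep or value.startswith(":"):
            continue
        current.setdefault(attr.strip(), []).append(value.strip())
    return entries


def parse_gtime(value):
    """GeneralizedTime as slapd writes it: YYYYmmddHHMMSS[.ffffff]Z, UTC.
    Returns None for the sentinel 000001010000Z that ppolicy uses to mark
    a permanent (administrative) lock."""
    if value.startswith("000001010000"):
        return None
    base = value.split(".")[0].rstrip("Z")
    return datetime.strptime(base, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def lockout_state(entry, policy, now):
    """Recompute what the policy says about one entry from its attributes."""
    failures = entry.get("pwdFailureTime", [])
    locked_since = entry.get("pwdAccountLockedTime")
    locked, unlock_at = False, None
    if locked_since:
        since = parse_gtime(locked_since[0])
        duration = policy.get("pwdLockoutDuration", 0)
        if since is None or duration == 0:
            locked = True                       # permanent lock
        else:
            unlock_at = since + timedelta(seconds=duration)
            locked = now < unlock_at            # lock still in force?
    should_be_locked = len(failures) >= policy["pwdMaxFailure"]
    return {
        "dn": entry["dn"][0],
        "failures": len(failures),
        "locked": locked,
        "unlock_at": unlock_at,
        # Counter passed pwdMaxFailure but no lock was ever recorded:
        # the symptom described for o=external.
        "lock_missing": should_be_locked and not locked_since,
    }


def audit(ldif_text, policy, now):
    """Run lockout_state over every entry in the LDIF text."""
    return [lockout_state(e, policy, now) for e in parse_ldif(ldif_text)]


if __name__ == "__main__":
    for r in audit(SAMPLE_LDIF, POLICY, NOW_FOR_SAMPLE):
        state = "LOCK MISSING" if r["lock_missing"] else ("locked" if r["locked"] else "ok")
        print(f'{r["dn"]}: {r["failures"]} failures, {state}')
```

Feed it real output by saving the `ldapsearch` result to a file and passing its contents to `audit` with `datetime.now(timezone.utc)`; running it once per tree with the same test user and the same bad password makes the difference between the two databases visible in one line each, and the `unlock_at` value lets you confirm that a lock which does appear expires after the configured 1800 seconds rather than sooner.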
I did check in the bugtracker and found these 2 bugs:
http://www.openldap.org/its/index.cgi/Incoming?id=7262;expression=ppolicy;pa...
http://www.openldap.org/its/index.cgi/Incoming?id=7788;expression=ppolicy;pa...
It feels like those could be the cause of my problem. Is there a way to ping a developer to have a look at them? It looks like they are quite old and have no responses.
/Mikael
On 2014-02-06 13:37, Mikael Nehlsen wrote:
openldap-technical@openldap.org