Hi,
I'm currently implementing a password policy on my openldap directory.
Most of it is working (password length, password history). I just can't make the account lockout work.
The attribute pwdAccountLockedTime is never created in my directory.
Entries used for the test:
dn: cn=lcaron_99,ou=ppolicy,dc=local
sn: lcaron_99
pwdCheckQuality: 0
pwdMaxFailure: 3
pwdAllowUserChange: TRUE
pwdInHistory: 10
pwdLockout: TRUE
pwdMinLength: 8
structuralObjectClass: person
pwdExpireWarning: 720000
pwdGraceAuthNLimit: 5
cn: lcaron_99
pwdAttribute: userPassword
objectClass: pwdPolicy
objectClass: person
objectClass: top
pwdMaxAge: 10
pwdFailureCountInterval: 1200
pwdLockoutDuration: 3600
modifyTimestamp: 20120106194803Z

dn: uid=lcaron_99,ou=People,dc=local
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
cn: lcaron_99
sn: lcaron_99
uid: lcaron_99
uidNumber: 4082
gidNumber: 513
homeDirectory: /home/lcaron_99
loginShell: /bin/bash
...samba attributes snipped ...
userPassword:: ...snipped...
pwdPolicySubentry: cn=lcaron_99,ou=ppolicy,dc=local
pwdChangedTime: 20120106193917Z
structuralObjectClass: inetOrgPerson
creatorsName: cn=admin,dc=local
createTimestamp: 20120106193917Z
pwdFailureTime: 20120106193928Z
pwdFailureTime: 20120106194040Z
entryCSN: 20120106194040.970726Z#000000#000#000000
modifiersName:
modifyTimestamp: 20120106194040Z
in slapd.conf:
# Password Policy
overlay ppolicy
Did I miss something obvious?
Thanks
Your example shows only 2 pwdFailureTime entries and your policy indicates "pwdMaxFailure: 3".
- chris
-----Original Message-----
From: openldap-technical-bounces@OpenLDAP.org [mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Laurent CARON
Sent: Friday, January 06, 2012 11:57 AM
To: openldap-technical@openldap.org
Subject: Implementing password policy
On 06/01/2012 21:29, Chris Jacobs wrote:
Your example shows only 2 pwdFailureTime entries and your policy indicates "pwdMaxFailure: 3".
Hi Chris,
No matter how many failed attempts I make, it never appears as locked:
I now have:
pwdFailureTime: 20120106193928Z
pwdFailureTime: 20120106194040Z
pwdFailureTime: 20120107112658Z
pwdFailureTime: 20120107112705Z
and still no pwdAccountLockedTime.
Is anybody observing the same behavior?
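An added check, not part of the thread, that applies the ppolicy failure-counting rule from the password-policy draft (pwdFailureTime values older than pwdFailureCountInterval are purged before the remaining count is compared with pwdMaxFailure, and locking requires pwdLockout TRUE) to the timestamps posted above. The LDIF is constructed from the posted entries, trimmed to the lockout-relevant attributes; the parser and the function names are written for this example.

```python
from datetime import datetime, timedelta, timezone

# Constructed from the entries posted in the thread, one attribute per line,
# keeping only what the lockout decision depends on.
POLICY_LDIF = """dn: cn=lcaron_99,ou=ppolicy,dc=local
objectClass: pwdPolicy
pwdMaxFailure: 3
pwdLockout: TRUE
pwdFailureCountInterval: 1200
pwdLockoutDuration: 3600
"""

USER_LDIF = """dn: uid=lcaron_99,ou=People,dc=local
pwdPolicySubentry: cn=lcaron_99,ou=ppolicy,dc=local
pwdFailureTime: 20120106193928Z
pwdFailureTime: 20120106194040Z
pwdFailureTime: 20120107112658Z
pwdFailureTime: 20120107112705Z
"""

def parse_ldif(text):
    """Minimal single-entry LDIF parser; every attribute kept as a list of values."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry

def gtime(s):
    """LDAP GeneralizedTime with second precision and 'Z' suffix -> aware UTC datetime."""
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def failures_in_window(user, policy, now):
    """pwdFailureTime values still counted at 'now': those newer than
    now - pwdFailureCountInterval. An interval of 0 means failures are never purged."""
    interval = int(policy.get("pwdFailureCountInterval", ["0"])[0])
    times = [gtime(t) for t in user.get("pwdFailureTime", [])]
    if interval == 0:
        return times
    return [t for t in times if t > now - timedelta(seconds=interval)]

def should_lock(user, policy, now):
    """True when pwdLockout is enabled and the counted failures reach pwdMaxFailure."""
    if policy.get("pwdLockout", ["FALSE"])[0] != "TRUE":
        return False
    max_fail = int(policy.get("pwdMaxFailure", ["0"])[0])
    return max_fail > 0 and len(failures_in_window(user, policy, now)) >= max_fail

POLICY = parse_ldif(POLICY_LDIF)
USER = parse_ldif(USER_LDIF)
LAST_FAILURE = gtime("20120107112705Z")  # moment of the last posted failed bind
```

Evaluated at the last posted failure, only the two 7 January attempts fall inside the 1200-second interval, so the counted failures stay below pwdMaxFailure; with the interval set to 0 all four count and the threshold is reached.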
Your initial mail does not show a 'ppolicy_default' in slapd.conf. I believe you need to create a default ppolicy entry in LDAP, and specify it in slapd.conf:
# Password Policy
overlay ppolicy
ppolicy_default "cn=default,ou=ppolicy,dc=local"
Without the default, or if you want a user to use something other than default, you'll need to manually set the pwdPolicySubentry for the user. In your case:
dn: uid=lcaron_99,ou=People,dc=local
changetype: modify
replace: pwdPolicySubentry
pwdPolicySubentry: cn=lcaron_99,ou=ppolicy,dc=local
~/joe
On 07/01/2012 14:16, Joe Friedeggs wrote:
Your initial mail does not show a 'ppolicy_default' in slapd.conf. I believe you need to create a default ppolicy entry in LDAP, and specify it in slapd.conf:
# Password Policy
overlay ppolicy
ppolicy_default "cn=default,ou=ppolicy,dc=local"
For testing purposes I only want to apply it to this particular user; that's why I didn't put a default policy in slapd.conf.
Without the default, or if you want a user to use something other than default, you'll need to manually set the pwdPolicySubentry for the user. In your case:
dn: uid=lcaron_99,ou=People,dc=local
changetype: modify
replace: pwdPolicySubentry
pwdPolicySubentry: cn=lcaron_99,ou=ppolicy,dc=local
From my 1st mail, I have the following:
"dn: cn=lcaron_99,ou=ppolicy,dc=local
... snip ...
pwdMaxFailure: 3

dn: uid=lcaron_99,ou=People,dc=local
... snip ...
pwdPolicySubentry: cn=lcaron_99,ou=ppolicy,dc=local"
Hi,
Is anybody having a clue about this issue?
Thanks
On 07/01/2012 14:25, Laurent CARON wrote: