Thank you for your help. I added the pwdPolicySubentry to a user to no avail. I did find this in the logfile though:
Feb 20 09:01:13 ldapserver slapd[6709]: conn=95289 op=4 SEARCH RESULT tag=101 err=50 nentries=0 text=Operations are restricted to bind/unbind/abandon/StartTLS/modify password
So it looks like it's trying to do something but cannot. While I'm concerned about password strength, I'm more concerned (at this point) with just having the machine prompt for a password change. I'm running CentOS 4.6 and OpenLDAP 2.3.39. I compiled it with the following:
./configure --enable-crypt --enable-ppolicy --with-tls --prefix=/opt/openldap/
Once again, thanks for any help.
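The err=50 line above deserves a careful read: resultCode 50 is insufficientAccessRights, and that exact text is what OpenLDAP's ppolicy overlay attaches when the DN bound on the connection is flagged as having to change its password, so every operation other than bind, unbind, abandon, StartTLS or a password modify is refused until the change is made. The following is an added example, not code from this thread, that parses slapd stats-level log lines and ties the BIND on a connection to any such refusal. All sample lines except the quoted err=50 one are constructed, and the DN, host and client IP in them are assumptions.

```python
import re
from collections import defaultdict

# syslog prefix, slapd's conn=/op= keys, the verb and key=value pairs, and an
# optional trailing text=... which is free text and has to be split off first
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) slapd\[(?P<pid>\d+)\]: '
    r'conn=(?P<conn>\d+) (?:op=(?P<op>\d+) )?(?P<body>.*?)(?: text=(?P<text>.*))?$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')

# LDAP resultCode values (RFC 4511) that show up in these lines
RESULT_CODES = {0: 'success', 49: 'invalidCredentials', 50: 'insufficientAccessRights'}
# diagnostic text the ppolicy overlay attaches while the bound DN must change its password
PPOLICY_RESTRICTED_TEXT = ('Operations are restricted to '
                           'bind/unbind/abandon/StartTLS/modify password')

# Constructed sample: the ACCEPT, BIND, RESULT and SRCH lines are made up for
# this example; the final line is the one quoted in the message above.
SAMPLE_LOG = """\
Feb 20 09:01:12 ldapserver slapd[6709]: conn=95289 fd=24 ACCEPT from IP=192.0.2.10:40112 (IP=0.0.0.0:389)
Feb 20 09:01:12 ldapserver slapd[6709]: conn=95289 op=0 BIND dn="uid=bryan,ou=people,dc=example,dc=com" method=128
Feb 20 09:01:12 ldapserver slapd[6709]: conn=95289 op=0 BIND dn="uid=bryan,ou=people,dc=example,dc=com" mech=SIMPLE ssf=0
Feb 20 09:01:12 ldapserver slapd[6709]: conn=95289 op=0 RESULT tag=97 err=0 text=
Feb 20 09:01:13 ldapserver slapd[6709]: conn=95289 op=4 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(uid=bryan)"
Feb 20 09:01:13 ldapserver slapd[6709]: conn=95289 op=4 SEARCH RESULT tag=101 err=50 nentries=0 text=Operations are restricted to bind/unbind/abandon/StartTLS/modify password
"""


def parse_line(line):
    """Split one slapd stats line into ts, host, pid, conn, op, verb, fields and text."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['conn'] = int(rec['conn'])
    rec['op'] = int(rec['op']) if rec['op'] is not None else None
    body = rec.pop('body')
    first = FIELD_RE.search(body)
    # the verb (BIND, SRCH, RESULT, SEARCH RESULT, ...) precedes the first key=value pair
    rec['verb'] = body[:first.start()].strip() if first else body.strip()
    rec['fields'] = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
    return rec


def explain(rec):
    """Human reading of a RESULT record; None for lines that carry no err= field."""
    err = rec['fields'].get('err')
    if err is None:
        return None
    err = int(err)
    name = RESULT_CODES.get(err, 'resultCode %d' % err)
    if err == 50 and rec['text'] == PPOLICY_RESTRICTED_TEXT:
        return (name + ' from the ppolicy overlay: the DN bound on this connection '
                'must change its password, only a password modify will be accepted')
    return name


def analyse(lines):
    """Map conn id -> the DN it bound as and the ops refused pending a password change."""
    conns = defaultdict(lambda: {'bind_dn': None, 'restricted_ops': []})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        c = conns[rec['conn']]
        if rec['verb'] == 'BIND' and 'dn' in rec['fields']:
            c['bind_dn'] = rec['fields']['dn']
        if rec['fields'].get('err') == '50' and rec['text'] == PPOLICY_RESTRICTED_TEXT:
            c['restricted_ops'].append(rec['op'])
    return dict(conns)


if __name__ == '__main__':
    for conn, info in analyse(SAMPLE_LOG.splitlines()).items():
        print('conn=%d bound as %s, restricted ops: %s' % (conn, info['bind_dn'], info['restricted_ops']))
    for line in SAMPLE_LOG.splitlines():
        rec = parse_line(line)
        if rec and explain(rec):
            print('op=%s %s' % (rec['op'], explain(rec)))
```

Run against a real slapd log (loglevel stats) the same correlation shows which users are sitting in the must-change state: the BIND itself returns err=0, so it is the later operation on the same conn, not the bind, that reveals the enforcement.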
Bryan Payne skrev, on 19-02-2008 22:27:
I have some issues with ppolicy. It seems it recognizes expiration dates (I know this from looking in the logs, but it does not warn the user their password is expiring soon), properly locks out accounts with too many failed logins but it cannot seem to force a password change when pwdReset is set to TRUE, nor does it prevent logins when the password has expired. Any help would be greatly appreciated. I'll post the things of importance below. Please let me know if anything else would help.
[root@ldapserver ~]# ldapsearch -x -LLL cn=default
dn: cn=default,ou=policies,dc=example,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: 2.5.4.35
pwdInHistory: 6
pwdCheckQuality: 1
pwdMinLength: 8
pwdMaxFailure: 4
pwdLockout: TRUE
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdSafeModify: FALSE
pwdLockoutDuration: 900
pwdExpireWarning: 432000
pwdGraceAuthNLimit: 1
pwdAllowUserChange: TRUE
pwdMaxAge: 7776000
From slapd.conf:
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=example,dc=com"
ppolicy_use_lockout
Most of the above looks kosher; my main site is running ppolicy on OpenLDAP 2.3.33 up to 2.3.39 Buchan rpms on Red Hat RHEL5 and all the above work. However:
1: I've found that each posixAccount has to have the operational attribute pwdPolicySubentry. Although this is an operational attribute, it is (the only?) such that is user modifiable. In this (as in many other) respects gq is indispensable as GUI.
2: I've found that extensive use has to be made of pam_ldap to get the best out of ppolicy (for example password strength).
3: It would help if you detailed OS and OL versions, so's one could know whether to contribute help or not.
Best,
--Tonni
-- Tony Earnshaw Email: tonni at hetnet dot nl
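Added example, not from the thread or from OpenLDAP, that evaluates a user entry against the cn=default values quoted above in the order the ppolicy overlay applies them on a successful bind: lockout, forced change after an administrative reset, expiry with grace binds, then the expiration warning. The policy values are the posted ones; the user entries and the clock are constructed. pwdChangedTime, pwdReset, pwdAccountLockedTime, pwdFailureTime and pwdGraceUseTime are the overlay's operational attributes on the user entry (pwdPolicySubentry only selects which policy entry applies; without it ppolicy_default is used).

```python
from datetime import datetime, timedelta, timezone

# cn=default as posted in the thread; durations are seconds
POLICY = {
    'pwdMaxAge': 7776000,          # 90 days; 0 would disable expiry altogether
    'pwdExpireWarning': 432000,    # warn during the last 5 days
    'pwdGraceAuthNLimit': 1,       # one bind still allowed after expiry
    'pwdMaxFailure': 4,
    'pwdFailureCountInterval': 0,  # 0: old failures are never discarded
    'pwdLockout': True,
    'pwdLockoutDuration': 900,     # 0 would mean locked until an admin clears it
    'pwdMustChange': True,         # pwdReset TRUE then forces a change
}


def gtime(s):
    """LDAP GeneralizedTime as the overlay stores it, e.g. 20080220090113Z."""
    return datetime.strptime(s, '%Y%m%d%H%M%SZ').replace(tzinfo=timezone.utc)


def evaluate(entry, policy, now):
    """State after a bind with the right password, in the overlay's check order.
    Returns (state, detail); state is locked, changeAfterReset, grace, expired,
    warning or ok."""
    locked = entry.get('pwdAccountLockedTime')
    if policy['pwdLockout'] and locked:
        until = gtime(locked) + timedelta(seconds=policy['pwdLockoutDuration'])
        if policy['pwdLockoutDuration'] == 0 or now < until:
            return 'locked', 'pwdAccountLockedTime set, lock lasts until %s' % until.strftime('%Y%m%d%H%M%SZ')
    # failures not yet turned into a lock; with pwdFailureCountInterval 0 they never age out
    failures = entry.get('pwdFailureTime', [])
    if policy['pwdFailureCountInterval'] > 0:
        cutoff = now - timedelta(seconds=policy['pwdFailureCountInterval'])
        failures = [f for f in failures if gtime(f) >= cutoff]
    if policy['pwdLockout'] and len(failures) >= policy['pwdMaxFailure']:
        return 'locked', '%d recorded failures' % len(failures)
    # administrative reset: the bind succeeds but everything except a password modify is refused
    if policy['pwdMustChange'] and entry.get('pwdReset') == 'TRUE':
        return 'changeAfterReset', 'only a password modify will be accepted'
    # expiry is measured from pwdChangedTime; an entry without it never expires
    changed = entry.get('pwdChangedTime')
    if changed is None or policy['pwdMaxAge'] == 0:
        return 'ok', 'no pwdChangedTime or pwdMaxAge 0: age is not enforced'
    expires = gtime(changed) + timedelta(seconds=policy['pwdMaxAge'])
    if now >= expires:
        used = len(entry.get('pwdGraceUseTime', []))
        left = policy['pwdGraceAuthNLimit'] - used
        if left > 0:
            return 'grace', '%d grace bind(s) remaining, change now' % left
        return 'expired', 'expired at %s, bind is refused' % expires.strftime('%Y%m%d%H%M%SZ')
    remaining = int((expires - now).total_seconds())
    if remaining <= policy['pwdExpireWarning']:
        return 'warning', 'timeBeforeExpiration=%d' % remaining
    return 'ok', '%d seconds of password age left' % remaining


# constructed clock and entries (assumptions, not data from the thread)
NOW = gtime('20080221120000Z')
USERS = {
    'fresh':   {'pwdChangedTime': '20080201080000Z'},
    'warn':    {'pwdChangedTime': '20071125080000Z'},   # expires 20080223080000Z
    'grace':   {'pwdChangedTime': '20071101080000Z'},   # expired 20080130080000Z, no grace used
    'expired': {'pwdChangedTime': '20071101080000Z', 'pwdGraceUseTime': ['20080220090113Z']},
    'reset':   {'pwdChangedTime': '20080220080000Z', 'pwdReset': 'TRUE'},
    'locked':  {'pwdChangedTime': '20080201080000Z', 'pwdAccountLockedTime': '20080221115500Z'},
    'legacy':  {},   # created before the overlay was loaded: no pwdChangedTime at all
}

if __name__ == '__main__':
    for name, entry in USERS.items():
        print('%-8s %s: %s' % (name, *evaluate(entry, POLICY, NOW)))
```

Two consequences worth checking on a live directory: accounts that predate loading the overlay have no pwdChangedTime and so never expire, whatever pwdMaxAge says; and the timeBeforeExpiration value is only delivered inside the ppolicy response control, so a client that does not send the request control never sees the warning, however the server is configured.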
Bryan Payne skrev, on 20-02-2008 16:10:
Thank you for your help. I added the pwdPolicySubentry to a user to no avail. I did find this in the logfile though:
Feb 20 09:01:13 ldapserver slapd[6709]: conn=95289 op=4 SEARCH RESULT tag=101 err=50 nentries=0 text=Operations are restricted to bind/unbind/abandon/StartTLS/modify password
So it looks like it's trying to do something but cannot. While I'm concerned about password strength, I'm more concerned (at this point) with just having the machine prompt for a password change. I'm running CentOS 4.6 and OpenLDAP 2.3.39. I compiled it with the following:
./configure --enable-crypt --enable-ppolicy --with-tls --prefix=/opt/openldap/
Once again, thanks for any help.
I'd strongly advise you to chuck out your self-built 2.3.39 and install the rpms at http://staff.telkomsa.net/packages/rhel4/openldap/$basearch. You need both libldap and openldap.
Shouldn't be difficult if you install to /opt (you an old Solaris person? Or other SYSV?) These will install to FHS locations; however, being rpms you can always chuck them off again if they don't please (which they will ;) ).
Then take it again from the beginning. These are Buchan Milne's rpms and have their own discrete, patched db4 4.2.52 which will not conflict with the db4 4.2.52 which you have from CentOS. Moreover everything including sonames is named differently from Red Hat's, so it all takes a bit of getting used to. But when you have, you'll never look back.
Best,
--Tonni
On Wednesday 20 February 2008 17:10:00 Bryan Payne wrote:
Thank you for your help. I added the pwdPolicySubentry to a user to no avail. I did find this in the logfile though:
Feb 20 09:01:13 ldapserver slapd[6709]: conn=95289 op=4 SEARCH RESULT tag=101 err=50 nentries=0 text=Operations are restricted to bind/unbind/abandon/StartTLS/modify password
So it looks like it's trying to do something but cannot. While I'm concerned about password strength, I'm more concerned (at this point) with just having the machine prompt for a password change.
Well, what do you mean by "the machine" ? It looks like the password has expired, but if you're expecting a prompt for a password change, that's a client side issue. So, what is the client in this case? Recent versions of pam_ldap support ppolicy (IIRC including the one shipped with RHEL4), but you didn't say which client this is.
Also, you said accounts get locked, but users can still log in? This sounds like you might not actually be using pam_ldap for authentication, but the pam_unix->nss_ldap (NIS replacement and nothing more) method, which won't see anything relating to ppolicy.
Regards, Buchan
If the account is locked, the user cannot login. If the password has expired, the user can login. I would like for it to prompt for the password but it fails to work for linux machines using pam or windows machines using pgina. I understand this is an openldap list so if you tell me the issue is client side (and pam related) regarding changing the password upon expiration, I'll take my question there. What about notification of expiration? As it is right now, the user is never shown if their password is expiring soon. It sends it to a log on the ldap server, but nothing pops up on the client machine. Is this pam related too?
Buchan Milne wrote:
On Wednesday 20 February 2008 17:10:00 Bryan Payne wrote:
Thank you for your help. I added the pwdPolicySubentry to a user to no avail. I did find this in the logfile though:
Feb 20 09:01:13 ldapserver slapd[6709]: conn=95289 op=4 SEARCH RESULT tag=101 err=50 nentries=0 text=Operations are restricted to bind/unbind/abandon/StartTLS/modify password
So it looks like it's trying to do something but cannot. While I'm concerned about password strength, I'm more concerned (at this point) with just having the machine prompt for a password change.
Well, what do you mean by "the machine" ? It looks like the password has expired, but if you're expecting a prompt for a password change, that's a client side issue. So, what is the client in this case? Recent versions of pam_ldap support ppolicy (IIRC including the one shipped with RHEL4), but you didn't say which client this is.
Also, you said accounts get locked, but users can still log in? This sounds like you might not actually be using pam_ldap for authentication, but the pam_unix->nss_ldap (NIS replacement and nothing more) method, which won't see anything relating to ppolicy.
Regards, Buchan
On Thu, Feb 21, 2008 at 11:52 AM, Bryan Payne bpayne@speedfc.com wrote:
If the account is locked, the user cannot login. If the password has expired, the user can login. I would like for it to prompt for the password but it fails to work for linux machines using pam or windows machines using pgina. I understand this is an openldap list so if you tell me the issue is client side (and pam related) regarding changing the password upon expiration, I'll take my question there. What about
Yes, this is pam_ldap related. You probably just need to configure it to use password policy in /etc/ldap.conf:
pam_lookup_policy yes
Just note you need a recent version of pam_ldap for this to work properly.
If the client is not ppolicy aware, he will just get back a login failure. If, however, he *is* aware, meaning he sends the right control and interprets the answer correctly, he will be able to show the user the reason for the failure and, in the case of an expired password, or forced password change, even act accordingly.
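Added example, not from the thread or from pam_ldap or OpenLDAP, showing the control Andreas refers to. A ppolicy-aware client attaches the passwordPolicyRequest control (OID 1.3.6.1.4.1.42.2.27.8.5.1, no control value) to its Bind; the server answers with a passwordPolicyResponse control whose value is a SEQUENCE of an optional warning (context tag [0], constructed, holding either [0] timeBeforeExpiration or [1] graceAuthNsRemaining) and an optional error (context tag [1], an ENUMERATED), the tags OpenLDAP's ldap.h defines as 0xa0/0x80/0x81 and 0x81. The encoder and decoder below are written for this example; the sample bytes are produced by the encoder, and client_action is a hypothetical mapping from a decoded value to what the client should do.

```python
PPOLICY_OID = '1.3.6.1.4.1.42.2.27.8.5.1'
# error ENUMERATED values, in draft order (0..8)
ERRORS = ['passwordExpired', 'accountLocked', 'changeAfterReset',
          'passwordModNotAllowed', 'mustSupplyOldPassword',
          'insufficientPasswordQuality', 'passwordTooShort',
          'passwordTooYoung', 'passwordInHistory']
TAG_WARNING, TAG_ERROR = 0xA0, 0x81   # [0] constructed, [1] primitive
TAG_EXPIRE, TAG_GRACE = 0x80, 0x81    # inside warning: [0] and [1], primitive


def _len(n):
    """BER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, 'big')
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, value):
    return bytes([tag]) + _len(len(value)) + value


def _int(n):
    """Minimal two's-complement encoding of a non-negative INTEGER/ENUMERATED."""
    return n.to_bytes(max(1, (n.bit_length() + 8) // 8), 'big')


def _read_tlv(buf, pos):
    """Return (tag, value, position after the element)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], 'big'), pos + k
    return tag, buf[pos:pos + ln], pos + ln


def encode_request_control(critical=True):
    """Control ::= SEQUENCE { controlType OCTET STRING, criticality BOOLEAN }, no value."""
    ctype = _tlv(0x04, PPOLICY_OID.encode('ascii'))
    crit = _tlv(0x01, b'\xff') if critical else b''
    return _tlv(0x30, ctype + crit)


def encode_response(warning=None, error=None):
    """warning is ('timeBeforeExpiration', n) or ('graceAuthNsRemaining', n); error a name."""
    body = b''
    if warning is not None:
        kind, n = warning
        inner = TAG_EXPIRE if kind == 'timeBeforeExpiration' else TAG_GRACE
        body += _tlv(TAG_WARNING, _tlv(inner, _int(n)))
    if error is not None:
        body += _tlv(TAG_ERROR, _int(ERRORS.index(error)))
    return _tlv(0x30, body)


def decode_response(value):
    """Decode a passwordPolicyResponse control value into {'warning': ..., 'error': ...}."""
    tag, seq, _ = _read_tlv(value, 0)
    if tag != 0x30:
        raise ValueError('expected SEQUENCE, got tag 0x%02x' % tag)
    out, pos = {'warning': None, 'error': None}, 0
    while pos < len(seq):
        tag, v, pos = _read_tlv(seq, pos)
        if tag == TAG_WARNING:
            itag, iv, _ = _read_tlv(v, 0)
            kind = {TAG_EXPIRE: 'timeBeforeExpiration', TAG_GRACE: 'graceAuthNsRemaining'}[itag]
            out['warning'] = (kind, int.from_bytes(iv, 'big'))
        elif tag == TAG_ERROR:
            out['error'] = ERRORS[int.from_bytes(v, 'big')]
        else:
            raise ValueError('unexpected tag 0x%02x in response' % tag)
    return out


def client_action(resp):
    """Hypothetical client policy: what to do with a decoded response value."""
    if resp['error'] in ('passwordExpired', 'changeAfterReset'):
        return 'force password change'
    if resp['error'] == 'accountLocked':
        return 'refuse login: account locked'
    if resp['error'] is not None:
        return 'refuse: ' + resp['error']
    w = resp['warning']
    if w is not None and w[0] == 'graceAuthNsRemaining':
        return 'logged in on grace: %d left, force change' % w[1]
    if w is not None:
        return 'warn: password expires in %d s' % w[1]
    return 'ok'


if __name__ == '__main__':
    print('request control:', encode_request_control().hex())
    for sample in (encode_response(('timeBeforeExpiration', 86400)),
                   encode_response(('graceAuthNsRemaining', 1)),
                   encode_response(error='changeAfterReset')):
        print(sample.hex(), '->', client_action(decode_response(sample)))
```

Without the request control the server sends nothing of this: an expired or reset password then surfaces only as invalidCredentials, or as the err=50 refusal on the next operation, which is why a client that is not ppolicy-aware can only report a plain login failure.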
Unfortunately, I have that option enabled in my ldap.conf and I'm using pam_ldap 184. Not quite sure what the problem is. I suppose I'll write a script to handle this for now. Thanks for everyone's help. And if you have any other suggestions, they are much appreciated.
Andreas Hasenack wrote:
On Thu, Feb 21, 2008 at 11:52 AM, Bryan Payne bpayne@speedfc.com wrote:
If the account is locked, the user cannot login. If the password has expired, the user can login. I would like for it to prompt for the password but it fails to work for linux machines using pam or windows machines using pgina. I understand this is an openldap list so if you tell me the issue is client side (and pam related) regarding changing the password upon expiration, I'll take my question there. What about
Yes, this is pam_ldap related. You probably just need to configure it to use password policy in /etc/ldap.conf:
pam_lookup_policy yes
Just note you need a recent version of pam_ldap for this to work properly.
If the client is not ppolicy aware, he will just get back a login failure. If, however, he *is* aware, meaning he sends the right control and interprets the answer correctly, he will be able to show the user the reason for the failure and, in the case of an expired password, or forced password change, even act accordingly.
Bryan Payne skrev, on 21-02-2008 15:52:
If the account is locked, the user cannot login. If the password has expired, the user can login.
Not at my site.
I would like for it to prompt for the password but it fails to work for linux machines using pam or windows machines using pgina.
How are your users logging in - at a CLI login, gdm, su, ssh? On all of these at my site the user gets prompted for his password. This *is* a pam matter.
I understand this is an openldap list so if you tell me the issue is client side (and pam related) regarding changing the password upon expiration, I'll take my question there.
Have a look at (haven't forgotten you're using CentOS4) /etc/pam.d/system-auth; if in doubt about what the different libraries do, read the html docs. Pam login and password change sub-*mechanism*s can also be defined in /etc/ldap.conf. Bits of what you're finding are pam related, bits are OL ppolicy.
What happens if you comment out all the ppolicy-related stuff in slapd.conf? Are your users still not getting prompted for a password?
What about notification of expiration? As it is right now, the user is never shown if their password is expiring soon. It sends it to a log on the ldap server, but nothing pops up on the client machine. Is this pam related too?
No, purely OL ppolicy, works well at my site.
Best,
--Tonni
openldap-technical@openldap.org