Hi,
I'm trying to configure ppolicy, but it's not working when I set pwdMaxAge and pwdWarning (I am able to log in when my password is supposed to be expired). I tried with shadowAccount instead of PwdPolicy and it is working well.
This is my relevant setting in slapd.conf
include /etc/openldap/schema/ppolicy.schema
moduleload ppolicy.la
overlay ppolicy ppolicy_default "cn=default,ou=policies,dc=sample,dc=com" ppolicy_use_lockout
My ldif file is:
objectClass: organizationalUnit
objectClass: top
ou: policies

dn: cn=default,ou=policies,dc=sample,dc=com
objectClass: pwdPolicy
objectClass: person
objectClass: top
cn: default
pwdAttribute: userPassword
sn: dummy
pwdAllowUserChange: TRUE
pwdCheckQuality: 2
pwdExpireWarning: 50
pwdFailureCountInternal: 30
pwdGraceAuthNLimit: 5
pwdInHistory: 5
pwdLockout: FALSE
pwdLockDuration: 0
pwdMaxAge: 60
pwdMaxAge: 0
pwdMaxFailure: 5
pwdMinAge: 0
pwdMinLenght: 5
pwdMustChange: FALSE
pwdSafeModify: FALSE

dn: cn=user1,ou=policies,dc=sample,dc=com
objectClass: pwdPolicy
objectClass: person
objectClass: top
objectClass: posixAccount
objectClass: pwdPolicy
objectClass: shadowAccount
cn: user1
pwdAttribute: userPassword
gidNumber: 501
homeDirectory: /home/user1
sn: test
uid: user1
uidNumber: 501
pwdAllowUserChange: TRUE
pwdAge: 20
pwdExpireWarning: 15
userPassword: XXXXX
Thanks in advance!
It looks like you have some conflicting arguments in your ldif, not sure if that matters. Is this a copy and paste ldif or did you have to type it by hand?
The ones that stand out are:
pwdMaxAge: 60
pwdMaxAge: 0 - means that passwords will not expire
pwdMinLenght: 5 - misspelled
-----Original Message-----
From: openldap-technical-bounces@OpenLDAP.org [mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of cbulist
Sent: Monday, August 27, 2012 4:30 PM
To: openldap-technical@openldap.org
Subject: Configuring ppolicy problem
Hi Andy,
Thanks for your reply. It's not a copy and paste; it was misspelled. As I have understood it, when you have an entry in a specific user this overwrites the entries in default. In this case the entry in user1 overwrites default's entry.
Thanks!
On 08/27/2012 05:19 PM, Andy Poirier wrote:
On 28/08/2012 04:14, cbulist@gmail.com wrote:
You cannot override the settings from the default policy, but you can override the ppolicy_default directive from the configuration file to make specific users use another policy, using the pwdPolicySubentry attribute.
Hi,
I got stuck with this problem. I'm able to change the user password using the shadowAccount objectClass, but I can't do the same using the pwdPolicy objectClass. I set the ppolicy attributes in order to get the password expired message:
pwdExpireWarning 10
pwdMaxAge 15
pwdMustChange TRUE
pwdAllowUserChange TRUE
pwdLockout TRUE
slapd.conf:
include /etc/openldap/schema/ppolicy.schema
moduleload ppolicy.la
access to attrs=userPassword by self write by users read by anonymous auth
access to * by * read
overlay ppolicy ppolicy_default "cn=default,ou=policies,dc=sample,dc=com" ppolicy_use_lockout
I really appreciate any help with this problem.
Thanks!
2012/8/29 cbulist cbulist@gmail.com:
Can you show us all operational attributes from your user entry?
Clément.
On 29/08/2012 17:39, cbulist wrote:
Hi,
I got stuck with this problem. I'm able to change the user password using the shadowAccount objectClass, but I can't do the same using the pwdPolicy objectClass.
It doesn't mean anything: you don't change attributes using an object class. Moreover, you seem to be confusing two different concepts:
The shadowAccount object class is just a placeholder for Unix-specific attributes that will get used client-side by some specific LDAP clients, such as pam_ldap for instance. It is supposed to be used on user entries that are already instances of the posixAccount object class.
The pwdPolicy object class is a placeholder for LDAP-specific attributes that will get honored on the server side. It is supposed to be the main class of a password policy entry, which is applied to user entries.
I set the ppolicy attributes in order to get the password expired message:
pwdExpireWarning 10
pwdMaxAge 15
pwdMustChange TRUE
pwdAllowUserChange TRUE
pwdLockout TRUE
On which object?
slapd.conf:
include /etc/openldap/schema/ppolicy.schema
moduleload ppolicy.la
access to attrs=userPassword by self write by users read by anonymous auth
This is quite a dangerous setting, and defeats the whole purpose of shadow passwords: all users can read other users' password hashes.
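As an added example (not from the thread), a small Python check that parses slapd.conf `access` lines and lists every identity granted read or better on userPassword, with the posted line next to a common hardened form. It assumes one `access to ... by ...` directive per line and plain access-level names (no `=rsc` style shorthand), and it looks only at lines that name userPassword explicitly, which must precede the `access to *` rule because slapd uses the first `access to` clause whose target matches.

```python
# Added example, not from the thread: who can read userPassword under a slapd.conf ACL?
import re

# slapd access levels in increasing order; 'read' or above exposes the stored hash.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def parse_acl(line):
    """'access to <what> by <who> <level> [control] ...' -> (what, [(who, level...), ...])."""
    head, *clauses = re.split(r"\s+by\s+", line.strip())
    what = head.split(None, 2)[2]                     # drop the leading 'access to'
    return what, [tuple(c.split(None, 1)) for c in clauses]

def password_readers(line):
    """Identities this ACL line grants 'read' or more on userPassword."""
    what, clauses = parse_acl(line)
    if "userpassword" not in what.lower():
        return []
    readers = []
    for who, level in clauses:
        level = level.split()[0]                      # ignore a trailing 'stop'/'break' control
        if level in LEVELS and LEVELS.index(level) >= LEVELS.index("read"):
            readers.append(who)
    return readers

# The line posted in this thread: 'users' means every authenticated bind, so any account
# can pull every other account's hash. The hardened form keeps 'self write' (needed for
# pwdAllowUserChange) and 'anonymous auth' (needed to bind) and denies everything else.
WEAK_ACL = "access to attrs=userPassword by self write by users read by anonymous auth"
HARDENED_ACL = "access to attrs=userPassword by self write by anonymous auth by * none"
```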
Thanks Clement and Guillaume for your reply.
This is my operational attributes for my user:
dn: cn=user1,ou=policies,dc=samle,dc=com
objectClass: pwdPolicy
objectClass: top
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
cn: user1
pwdAttribute: userPassword
sn: user1
uid: user1
pwdAllowUserChange: TRUE
pwdExpireWarning: 10
pwdLockout: TRUE
pwdMaxAge: 15
pwdMustChange: TRUE
Guillaume: I know that my access configuration is dangerous, but as I am testing I just want to be sure it doesn't block anything. If I understood your concept, I can't use pwdPolicy for a Unix account. Is there any way to control password history with shadowAccount?
Thanks!
On 08/29/2012 01:14 PM, Guillaume Rousse wrote:
On 29/08/2012 20:52, cbulist wrote:
Thanks Clement and Guillaume for your reply.
This is my operational attributes for my user:
dn: cn=user1,ou=policies,dc=samle,dc=com
objectClass: pwdPolicy
objectClass: top
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
cn: user1
pwdAttribute: userPassword
sn: user1
uid: user1
pwdAllowUserChange: TRUE
pwdExpireWarning: 10
pwdLockout: TRUE
pwdMaxAge: 15
pwdMustChange: TRUE
Those are plain attributes, not *operational* attributes.
Guillaume: I know that my access configuration is dangerous, but as I am testing I just want to be sure it doesn't block anything. If I understood your concept, I can't use pwdPolicy for a Unix account. Is there any way to control password history with shadowAccount?
Not with shadowAccount, but with password policy. Just create a policy object, an instance of the pwdPolicy class, and apply it either to all your users, through the slapd.conf ppolicy_default setting, or just to some of your users, through their operational pwdPolicySubentry attribute.
Basically, you should have distinct user and policy objects, such as:
dn: cn=user1,ou=users,dc=samle,dc=com
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
cn: user1
sn: user1
uid: user1
userPassword: XXXX

dn: cn=default,ou=policies,dc=samle,dc=com
objectClass: pwdPolicy
objectClass: top
pwdAllowUserChange: TRUE
pwdExpireWarning: 10
pwdLockout: TRUE
pwdMaxAge: 15
pwdMustChange: TRUE
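As an added example (not from the thread), a Python linter for the two kinds of mistake raised in this thread: Andy's (the single-valued pwdMaxAge given twice, and misspelled attribute names) and Guillaume's (policy attributes living on the user entry instead of on a separate pwdPolicy entry that ppolicy_default or pwdPolicySubentry points at). The known attribute names are those of OpenLDAP's ppolicy.schema; the sample LDIF is constructed in the shape of the posted entries and uses dc=example.

```python
# Added example, not from the thread: lint a pwdPolicy LDIF for the mistakes discussed
# above. Known attribute names are those defined by OpenLDAP's ppolicy.schema.
POLICY_ATTRS = {a.lower() for a in (
    "pwdAttribute", "pwdMinAge", "pwdMaxAge", "pwdInHistory", "pwdCheckQuality",
    "pwdMinLength", "pwdExpireWarning", "pwdGraceAuthNLimit", "pwdLockout",
    "pwdLockoutDuration", "pwdMaxFailure", "pwdFailureCountInterval",
    "pwdMustChange", "pwdAllowUserChange", "pwdSafeModify")}
# Operational state the overlay writes itself; legitimate on user entries.
STATE_ATTRS = {a.lower() for a in ("pwdPolicySubentry", "pwdChangedTime", "pwdAccountLockedTime",
                                   "pwdFailureTime", "pwdHistory", "pwdGraceUseTime", "pwdReset")}
USER_CLASSES = {"posixaccount", "shadowaccount", "inetorgperson"}

def parse_ldif(text):
    """Entries of an unfolded LDIF as (name, value) lists; duplicate attributes are kept."""
    entries = []
    for block in text.strip().split("\n\n"):
        pairs = [line.split(":", 1) for line in block.splitlines() if ":" in line]
        entries.append([(n.strip().lower(), v.strip()) for n, v in pairs])
    return entries

def lint_policy_ldif(text):
    """Return (dn, problem) pairs for every ppolicy mistake found in the LDIF text."""
    findings = []
    for attrs in parse_ldif(text):
        dn = next((v for n, v in attrs if n == "dn"), "?")
        names = [n for n, _ in attrs]
        classes = {v.lower() for n, v in attrs if n == "objectclass"}
        for n in sorted({n for n in names if n.startswith("pwd")}):
            if n not in POLICY_ATTRS | STATE_ATTRS:
                findings.append((dn, f"unknown attribute '{n}' (misspelled?)"))
            elif n in POLICY_ATTRS and names.count(n) > 1:
                findings.append((dn, f"'{n}' is single-valued but appears {names.count(n)} times"))
        if ("pwdmaxage", "0") in attrs:
            findings.append((dn, "pwdMaxAge 0 means passwords never expire"))
        if "pwdpolicy" in classes and classes & USER_CLASSES:
            findings.append((dn, "user and policy mixed in one entry: slapd only applies the "
                                 "policy entry named by ppolicy_default or pwdPolicySubentry"))
    return findings

# Constructed sample in the shape of the two entries posted in this thread.
SAMPLE_LDIF = """\
dn: cn=default,ou=policies,dc=example,dc=com
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdMaxAge: 60
pwdMaxAge: 0
pwdMinLenght: 5

dn: cn=user1,ou=users,dc=example,dc=com
objectClass: pwdPolicy
objectClass: posixAccount
pwdAttribute: userPassword
pwdAge: 20
"""
```

Running lint_policy_ldif(SAMPLE_LDIF) reports the duplicate pwdMaxAge, the "never expires" zero, the two misspelled names and the mixed user/policy entry; a clean policy entry produces an empty list.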
Thanks Guillaume
I will try it and I will let you know.
On 08/29/2012 03:59 PM, Guillaume Rousse wrote:
Guillaume,
I did a test with your suggestion and now it is working when I change pwdMaxAge to some short time such as 15 seconds, but I don't receive any message inviting me to change the password or any warning message about the expiration time. I see the following message in debug mode:
uid=user1,ou=People,dc=sample,dc=com has an expired password
I set the attributes in the default policy:
pwsGraceAuthNLimit: 2
pwdAllowUserChange: TRUE
pwdExpireWarning: 10
pwdLockout: TRUE
pwdMaxAge: 15
pwdMustChange: TRUE
In my ldap client I have set: pam_lookup_policy yes
Do I have to change something in PAM?
Thanks in advance!
On 31/08/2012 21:39, cbulist wrote:
Do I have to change something in PAM?
No idea exactly.
You'd better test directly with basic LDAP clients, such as ldapsearch/ldappasswd, to understand how password policy works, and debug your PAM issues in a second step. BTW, pam_ldap has a dedicated mailing list that may give better answers than this one.
Also, if you're only interested in password expiration for your Unix user accounts, you don't need server-side support (ppolicy); the historical shadow system should be enough (and probably simpler).
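As an added example (not from the thread), a decoder for the value of the password policy response control (OID 1.3.6.1.4.1.42.2.27.8.5.1) that slapd attaches to a bind result when the client requested the control, as the OpenLDAP tools do with `-e ppolicy`. The "expires in N seconds" / "N grace logins left" / "password expired" information the poster was waiting for travels in this control, so a client that does not request and decode it never shows a warning. The sample values are constructed, not captured from the poster's server.

```python
# Added example, not from the thread: decode a PasswordPolicyResponseValue (BER) as sent by
# slapd in the ppolicy response control on bind. Tag numbers follow the draft-behera
# password policy ASN.1 and OpenLDAP's LDAP_TAG_PPOLICY_* definitions.
PPOLICY_CONTROL_OID = "1.3.6.1.4.1.42.2.27.8.5.1"
ERRORS = ["passwordExpired", "accountLocked", "changeAfterReset", "passwordModNotAllowed",
          "mustSupplyOldPassword", "insufficientPasswordQuality", "passwordTooShort",
          "passwordTooYoung", "passwordInHistory"]

def _tlv(buf, pos):
    """Read one BER TLV (short- or long-form length); returns (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                               # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_ppolicy_response(value):
    """SEQUENCE { warning [0] CHOICE { timeBeforeExpiration [0], graceAuthNsRemaining [1] }
    OPTIONAL, error [1] ENUMERATED OPTIONAL } -> dict with the present fields filled in."""
    tag, body, _ = _tlv(value, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    result = {"timeBeforeExpiration": None, "graceAuthNsRemaining": None, "error": None}
    pos = 0
    while pos < len(body):
        tag, inner, pos = _tlv(body, pos)
        if tag == 0xA0:                             # warning: explicitly tagged [0] (constructed)
            wtag, wval, _ = _tlv(inner, 0)
            key = {0x80: "timeBeforeExpiration", 0x81: "graceAuthNsRemaining"}[wtag]
            result[key] = int.from_bytes(wval, "big")
        elif tag == 0x81:                           # error: primitive [1] ENUMERATED
            result["error"] = ERRORS[int.from_bytes(inner, "big")]
        else:
            raise ValueError(f"unexpected tag {tag:#x}")
    return result

# Constructed sample control values (hex), the three shapes a client may receive:
EXPIRES_SOON = bytes.fromhex("3006a0048002012c")    # warning: 300 seconds before expiration
GRACE_LEFT = bytes.fromhex("3005a003810102")        # warning: 2 grace binds remaining
EXPIRED = bytes.fromhex("3003810100")               # error: passwordExpired (0)
```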