Running OpenLdap 2.4.23 on Centos 6.4 and we are having trouble enabling password policies. I've read a number of FAQs online, plus spent hours searching for a solution to this problem; although a lot of folks seem to have the same issue, I haven't been able to find a solution that works for us. I run into trouble running ldapadd to import the new policy. I end up with the invalid syntax error I've included below, along with a copy of the .ldif file and my slapd.conf file. I was able to create the policies OU without issue. I also tried using the OID for pwdAttribute instead of userPassword.
[root@asu10d schema]# ldapadd -D "cn=Manager,dc=XXXX,dc=test" -W -x -f /tmp/ppolicy.ldif
Enter LDAP Password:
adding new entry "cn=policy,ou=policies,dc=XXXX,dc=test"
ldap_add: Invalid syntax (21)
        additional info: pwdAttribute: value #0 invalid per syntax

Contents of policy.ldif

n: cn=policy,ou=policies,dc=XXXX,dc=test
cn: default
objectClass: pwdPolicy
objectClass: person
objectClass: top
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdExpireWarning: 600
pwdFailureCountInterval: 30
pwdGraceAuthNLimit: 5
pwdInHistory: 5
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdMaxAge: 0
pwdMaxFailure: 5
pwdMinAge: 0
pwdMinLength: 5
pwdMustChange: FALSE
pwdSafeModify: FALSE
sn: dummy value
Contents of my slapd.conf
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
include /etc/openldap/schema/samba.schema
include /etc/openldap/schema/pmi.schema

allow bind_v2

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

modulepath /usr/lib64/openldap
moduleload ppolicy.la

TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
TLSCertificateFile /etc/pki/tls/certs/slapd.pem
TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem

database config
access to *
    by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
    by dn.exact="cn=Manager,dc=XXXX,dc=test" read
    by * none

database bdb
suffix "dc=XXXXX,dc=test"
checkpoint 1024 15
rootdn "cn=Manager,dc=XXXX,dc=test"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# (Temp password used for testing)
rootpw hello

overlay ppolicy
policy_default "cn=default,ou=policies,dc=XXXX,dc=test"
policy_use_lockout

directory /var/lib/ldap

# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
--On Monday, September 16, 2013 8:44 PM +0000 Philip Bubel philip@bubel.com wrote:
Running OpenLdap 2.4.23 on Centos 6.4
Bad idea for so many reasons that have been repeatedly and numerously discussed on the list...
n: cn=policy,ou=policies,dc=XXXX,dc=test
n: is not valid
I assume you meant dn:
--Quanah
--
Quanah Gibson-Mount Lead Engineer Zimbra, Inc -------------------- Zimbra :: the leader in open source messaging and collaboration
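Beyond the "n:" line, two more things in the posted record would make slapd reject it once the syntax error is out of the way: the DN is cn=policy while the entry's only cn value is "default", and slapd refuses an entry whose RDN value is absent from the entry itself; and the default-policy directive in the posted slapd.conf names cn=default,ou=policies,..., so an entry at cn=policy would never be used as the default policy anyway. The following added example (not code from the thread or from OpenLDAP) lints a policy record for these mistakes before ldapadd is run. The sample records are constructed from the posted one, DEFAULT_POLICY_DN is taken from the posted slapd.conf, and the OID 2.5.4.35 is userPassword's.

```python
"""Lint an LDIF record meant for a slapo-ppolicy policy entry (added example)."""
import base64
import re

# Constructed sample: the record posted in the thread, shortened, with its
# "n:" first line reproduced as posted.
POSTED_LDIF = """\
n: cn=policy,ou=policies,dc=XXXX,dc=test
cn: default
objectClass: pwdPolicy
objectClass: person
objectClass: top
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdLockout: TRUE
pwdMaxFailure: 5
sn: dummy value
"""

# The same record with the fixes the linter asks for.
FIXED_LDIF = POSTED_LDIF.replace("n: cn=policy,", "dn: cn=default,") \
                        .replace("pwdAttribute: userPassword", "pwdAttribute: 2.5.4.35")

# Assumed from the posted slapd.conf: the DN its default-policy directive names.
DEFAULT_POLICY_DN = "cn=default,ou=policies,dc=XXXX,dc=test"

# pwdPolicy is AUXILIARY, so the entry also needs a structural class.
STRUCTURAL_CLASSES = {"person", "device", "organizationalrole", "applicationprocess"}

NUMERIC_OID = re.compile(r"^\d+(\.\d+)+$")           # e.g. 2.5.4.35 (userPassword)
DESCRIPTOR = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")  # e.g. userPassword


def parse_ldif_record(text):
    """[(attr, value), ...] for the first record: skips '#' comments, folds
    continuation lines, decodes 'attr::' base64 values, stops at a blank line."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw == "":
            if logical:
                break
            continue
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    record = []
    for line in logical:
        name, sep, rest = line.partition(":")
        if not sep:
            raise ValueError("not an LDIF attribute line: %r" % line)
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        record.append((name.strip(), value))
    return record


def _norm_dn(dn):
    return ",".join(p.strip().lower() for p in dn.split(","))


def lint_policy_ldif(text, default_policy_dn=DEFAULT_POLICY_DN):
    """Return [(code, message), ...]; an empty list means the record looks sane."""
    record = parse_ldif_record(text)
    if not record:
        return [("empty", "no LDIF record found")]
    problems = []
    first_attr, dn = record[0]
    if first_attr.lower() != "dn":
        problems.append(("no-dn", "record must start with 'dn:', not %r; "
                         "treating its value as the intended DN" % first_attr))
    values = {}
    for attr, value in record[1:]:
        values.setdefault(attr.lower(), []).append(value)
    classes = {v.lower() for v in values.get("objectclass", [])}
    if "pwdpolicy" in classes:
        if "pwdattribute" not in values:
            problems.append(("missing-pwdattribute", "pwdPolicy MUST carry pwdAttribute"))
        if not classes & STRUCTURAL_CLASSES:
            problems.append(("no-structural-class",
                             "pwdPolicy is AUXILIARY; add person, device or similar"))
    for v in values.get("pwdattribute", []):
        if NUMERIC_OID.match(v):
            continue
        if DESCRIPTOR.match(v):
            problems.append(("pwdattribute-descriptor",
                             "pwdAttribute %r is a name; the thread saw names rejected as "
                             "'invalid per syntax', so prefer the OID 2.5.4.35" % v))
        else:
            problems.append(("bad-pwdattribute",
                             "pwdAttribute %r is neither an OID nor a descriptor" % v))
    # slapd rejects an entry whose RDN value is absent from the entry itself.
    rdn_attr, _, rdn_val = dn.split(",", 1)[0].partition("=")
    own = {v.lower() for v in values.get(rdn_attr.strip().lower(), [])}
    if rdn_val.strip().lower() not in own:
        problems.append(("rdn-value-missing", "RDN value %r is not among the entry's %s "
                         "values %s" % (rdn_val, rdn_attr, sorted(own))))
    if _norm_dn(dn) != _norm_dn(default_policy_dn):
        problems.append(("dn-mismatch", "entry DN %r is not the configured default "
                         "policy DN %r" % (dn, default_policy_dn)))
    return problems


if __name__ == "__main__":
    for label, ldif in (("posted", POSTED_LDIF), ("fixed", FIXED_LDIF)):
        print(label, lint_policy_ldif(ldif) or "OK")
```

Run it against the file you are about to feed to ldapadd; on the posted record it reports the missing dn:, the name-form pwdAttribute, the RDN/cn mismatch and the DN that differs from the configured default, and on the corrected record it reports nothing. The descriptor warning is advisory: Quanah notes below that the overlay accepts either form, but the numeric OID is what worked in this thread.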
Yes, that should be a "dn:" at the top of the ldif file, not an "n:".
I'll review the list for issues with OpenLdap 2.4.23 on Centos 6.4.
Any thoughts on my specific issue? It's killing me, been chasing it for days. Feels like the policy/schema isn't loading at all.

From: Quanah Gibson-Mount [quanah@zimbra.com]
Sent: Monday, September 16, 2013 5:05 PM
To: Philip Bubel; openldap-technical@openldap.org
Subject: Re: invalid syntax (21) error while importing password password policy
--On Monday, September 16, 2013 9:09 PM +0000 Philip Bubel philip@bubel.com wrote:
Yes, that should be a "dn:" at the top of the ldif file, not an "n:".
I'll review the list for issues with OpenLdap 2.4.23 on Centos 6.4.
Any thoughts on my specific issue? It's killing me, been chasing it for days. Feels like the policy/schema isn't loading at all.
Well, if the schema wasn't loaded, you would get an error about the fact that the various ppolicy attributes didn't exist, not that the value for one of the attributes was incorrect.
http://stackoverflow.com/questions/5577660/openldap-is-that-possible-to-use-userpassword-instead-of-2-5-4-35-for-pwdat would imply that you are correct about the policy module itself not being loaded.
Have you verified ppolicy.la exists in /usr/lib64/openldap?
As an aside, you may want to check out the LTB packages as an easy way to upgrade to a current release of OpenLDAP: http://ltb-project.org/wiki/download#openldap
They install into their own location separate from the system libraries etc.
--Quanah
--On Monday, September 16, 2013 2:19 PM -0700 Quanah Gibson-Mount quanah@zimbra.com wrote:
--On Monday, September 16, 2013 9:09 PM +0000 Philip Bubel philip@bubel.com wrote:
Yes, that should be a "dn:" at the top of the ldif file, not an "n:".
I'll review the list for issues with OpenLdap 2.4.23 on Centos 6.4.
Any thoughts on my specific issue? It's killing me, been chasing it for days. Feels like the policy/schema isn't loading at all.
Hi Philip,
I ran test022 under 2.4.36, and it succeeded. I would note that by default, it uses the OID for pwdAttribute rather than "userPassword". I modified it so it would use "userPassword" instead, and it still passed. It loads the policy via ldapadd, so if there was a problem with ppolicy itself and "userPassword" that should have triggered it.
Hope that helps, Quanah
Hi,
On Mon, 16 Sep 2013, Philip Bubel wrote:
Running OpenLdap 2.4.23 on Centos 6.4 and we are having trouble enabling password policies. I've read a number of FAQs online, plus spent hours searching for a solution to this problem; although a lot of folks seem to have the same issue, I haven't been able to find a solution that works for us. I run into trouble running ldapadd to import the new policy. I end up with the invalid syntax error I've included below, along with a copy of the .ldif file and my slapd.conf file. I was able to create the policies OU without issue. I also tried using the OID for pwdAttribute instead of userPassword.

[root@asu10d schema]# ldapadd -D "cn=Manager,dc=XXXX,dc=test" -W -x -f /tmp/ppolicy.ldif
Enter LDAP Password:
adding new entry "cn=policy,ou=policies,dc=XXXX,dc=test"
ldap_add: Invalid syntax (21)
        additional info: pwdAttribute: value #0 invalid per syntax

Please check your /tmp/ppolicy.ldif to make sure there are no illegal characters in the line with pwdAttribute:
It looks like this is perhaps broken.
Please also consider updating to the latest openldap 2.4.36 via one of the openly available rpm.
Greetings Christian
Thanks. I've checked and rechecked the /tmp/ppolicy.ldif for stray/illegal characters, spaces, etc. I can't find anything. I deleted and recreated the file, the line, everything I could think of.
Agree with you on upgrading, that's in the plan as well.
On 9/16/13 5:09 PM, "Christian Kratzer" ck-lists@cksoft.de wrote:
Hi,
On Mon, 16 Sep 2013, Philip Bubel wrote:
Running OpenLdap 2.4.23 on Centos 6.4 and we are having trouble enabling password policies. I've read a number of FAQs online, plus spent hours searching for a solution to this problem; although a lot of folks seem to have the same issue, I haven't been able to find a solution that works for us. I run into trouble running ldapadd to import the new policy. I end up with the invalid syntax error I've included below, along with a copy of the .ldif file and my slapd.conf file. I was able to create the policies OU without issue. I also tried using the OID for pwdAttribute instead of userPassword.

[root@asu10d schema]# ldapadd -D "cn=Manager,dc=XXXX,dc=test" -W -x -f /tmp/ppolicy.ldif
Enter LDAP Password:
adding new entry "cn=policy,ou=policies,dc=XXXX,dc=test"
ldap_add: Invalid syntax (21)
        additional info: pwdAttribute: value #0 invalid per syntax

Please check your /tmp/ppolicy.ldif to make sure there are no illegal characters in the line with pwdAttribute:
It looks like this is perhaps broken.
Please also consider updating to the latest openldap 2.4.36 via one of the openly available rpm.
Greetings Christian
--
Christian Kratzer                   CK Software GmbH
Email:   ck@cksoft.de               Wildberger Weg 24/2
Phone:   +49 7032 893 997 - 0       D-71126 Gaeufelden
Fax:     +49 7032 893 997 - 9       HRB 245288, Amtsgericht Stuttgart
Web:     http://www.cksoft.de/      Geschaeftsfuehrer: Christian Kratzer
Hi,
On Mon, 16 Sep 2013, Philip Bubel wrote:
Thanks. I've checked and rechecked the /tmp/ppolicy.ldif for stray/illegal characters, spaces, etc. I can't find anything. I deleted and recreated the file, the line, everything I could think of.
Just a wild guess. Try removing

policy_default "cn=default,ou=policies,dc=XXXX,dc=test"

from your slapd.conf until you have inserted the policy.

Agree with you on upgrading, that's in the plan as well.

Yes, 2.4.23 is several years old at this point. Once you start using advanced features you are better off with the latest build.
Greetings Christian
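Christian's suggestion concerns the overlay's directive lines, and one thing is worth checking in those lines before chasing the module itself: as posted, they read policy_default and policy_use_lockout, whereas slapo-ppolicy(5) spells them ppolicy_default and ppolicy_use_lockout, and slapd does not silently skip a directive it does not know. Either the mail dropped a character, or the file shown is not the one the running slapd reads. The following added example (not code from the thread or from the OpenLDAP project) is a small static linter for that wiring: directive spelling, moduleload before overlay, and the default policy DN lying under the database suffix. POSTED_CONF is constructed from the lines posted in the thread with the redacted suffix made consistent (the posted suffix has one more X than the rootdn), and the directive names come from slapo-ppolicy(5).

```python
"""Static checks on the slapo-ppolicy wiring in a slapd.conf (added example)."""

# Constructed from the posted slapd.conf, reduced to the lines that matter.
POSTED_CONF = """\
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/ppolicy.schema
modulepath /usr/lib64/openldap
moduleload ppolicy.la
database config
database bdb
suffix "dc=XXXX,dc=test"
rootdn "cn=Manager,dc=XXXX,dc=test"
overlay ppolicy
policy_default "cn=default,ou=policies,dc=XXXX,dc=test"
policy_use_lockout
directory /var/lib/ldap
"""

# The same file with the overlay directives spelled as slapo-ppolicy(5) has them.
FIXED_CONF = POSTED_CONF.replace("\npolicy_", "\nppolicy_")

# Directive names from slapo-ppolicy(5).
PPOLICY_DIRECTIVES = {"ppolicy_default", "ppolicy_hash_cleartext",
                      "ppolicy_forward_updates", "ppolicy_use_lockout"}


def _unquote(s):
    return s[1:-1] if len(s) >= 2 and s[0] == s[-1] == '"' else s


def _norm_dn(dn):
    return ",".join(p.strip().lower() for p in _unquote(dn).split(","))


def parse_conf(text):
    """Yield (directive, args, section); section is 'global' until the first
    'database' line and the database type after it."""
    section = "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive, args = parts[0].lower(), parts[1:]
        if directive == "database" and args:
            section = args[0].lower()
        yield directive, args, section


def lint_ppolicy_conf(text):
    """Return a list of finding codes; an empty list means the wiring looks right."""
    findings = []
    schema_included = module_loaded = overlay_seen = False
    suffix = None
    for directive, args, section in parse_conf(text):
        if directive == "include" and args and args[0].endswith("ppolicy.schema"):
            schema_included = True   # 2.4 builds take the pwdPolicy user schema from here
        elif directive == "moduleload" and args and args[0] in ("ppolicy.la", "ppolicy"):
            module_loaded = True
        elif directive == "suffix" and args:
            suffix = args[0]
        elif directive == "overlay" and args and args[0] == "ppolicy":
            overlay_seen = True
            if not module_loaded:
                # the overlay type is only known once the module has been loaded
                findings.append("overlay-before-moduleload")
        elif directive in PPOLICY_DIRECTIVES:
            if not overlay_seen:
                findings.append("ppolicy-directive-before-overlay:" + directive)
            if directive == "ppolicy_default" and args and suffix is not None:
                if not _norm_dn(args[0]).endswith(_norm_dn(suffix)):
                    # the policy entry must live in the database the overlay sits on
                    findings.append("default-policy-dn-outside-suffix")
        elif "p" + directive in PPOLICY_DIRECTIVES or directive.startswith("ppolicy_"):
            # policy_default (as posted) is one character away from ppolicy_default;
            # slapd does not accept a directive it does not know.
            findings.append("unknown-directive:" + directive)
    if not schema_included:
        findings.append("ppolicy.schema-not-included")
    return findings


if __name__ == "__main__":
    print("posted:", lint_ppolicy_conf(POSTED_CONF) or "OK")
    print("fixed: ", lint_ppolicy_conf(FIXED_CONF) or "OK")
```

Paste the real file into the script in place of POSTED_CONF; the posted lines produce two unknown-directive findings and the corrected lines produce none. The linter only looks at the ppolicy-related directives, and slaptest -f /etc/openldap/slapd.conf remains the authoritative check of the whole file.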
On Mon, 16 Sep 2013 20:44:24 +0000 Philip Bubel philip@bubel.com wrote
ldap_add: Invalid syntax (21)
        additional info: pwdAttribute: value #0 invalid per syntax
[..]
pwdAttribute: userPassword
Should be this:
pwdAttribute: 2.5.4.35
I know you've tried OID but was it the right one?
Ciao, Michael.
--On Tuesday, September 17, 2013 12:33 AM +0200 Michael Ströder michael@stroeder.com wrote:
On Mon, 16 Sep 2013 20:44:24 +0000 Philip Bubel philip@bubel.com wrote
ldap_add: Invalid syntax (21)
        additional info: pwdAttribute: value #0 invalid per syntax
[..]
pwdAttribute: userPassword
Should be this:
pwdAttribute: 2.5.4.35
Support for using "userPassword" as well as the OID was added back in OpenLDAP 2.3. It *should* work with either one. As my test run with test022 did.
--Quanah
--
Quanah Gibson-Mount Lead Engineer Zimbra Software, LLC -------------------- Zimbra :: the leader in open source messaging and collaboration
Just tried it using "pwdAttribute: 2.5.4.35". I must have tried it with a different OID.
Thanks everybody, will test more in the morning.
I was able to add the new policy but I'm having trouble applying it to an existing user. Here's the .ldif file I'm using and the error I'm getting.

# ldapmodify -D "cn=Manager,dc=XXX,dc=test" -W -x -f /tmp/apply.ldif
Enter LDAP Password:
modifying entry "cn=bwayne,ou=users,dc=XXX,dc=test"
ldap_modify: Undefined attribute type (17)
        additional info: pwdPolicySubentry: attribute type undefined

dn: cn=bwayne,ou=users,dc=XXX,dc=test
changetype: modify
add: pwdPolicySubentry
pwdPolicySubentry: cn=default,ou=policies,dc=XXX,dc=test
--On Tuesday, September 17, 2013 4:08 AM +0000 Philip Bubel philip@bubel.com wrote:
I was able to add the new policy but I'm having trouble applying it to an existing user. Here's the .ldif file I"m using and the error I"m getting.
# ldapmodify -D "cn=Manager,dc=XXX,dc=test" -W -x -f /tmp/apply.ldif
Enter LDAP Password:
modifying entry "cn=bwayne,ou=users,dc=XXX,dc=test"
ldap_modify: Undefined attribute type (17)
        additional info: pwdPolicySubentry: attribute type undefined
This indicates that the ppolicy overlay is not loaded. So did the fact that you couldn't use "userPassword" earlier, which I noted then. Switching to the OID simply let you bypass the fact that the ppolicy overlay wasn't loaded. So now you have two errors that indicate that slapd has not loaded the ppolicy overlay. I would advise you, again, to figure out why ppolicy isn't loading. First by answering the question I asked you earlier -- Does the ppolicy.la file even exist in the modulepath you specified?
--Quanah
Just confirmed that ppolicy.la is in the correct place. Here's what I have in slapd.conf:

modulepath /usr/lib64/openldap
moduleload ppolicy.la

[csadmin@XXX openldap]$ ls -la | grep pp
lrwxrwxrwx 1 root root    20 Aug 22 16:06 ppolicy-2.4.so.2 -> ppolicy-2.4.so.2.5.6
-rwxr-xr-x 1 root root 39824 Apr 29 03:50 ppolicy-2.4.so.2.5.6
-rwxr-xr-x 1 root root   936 Apr 29 03:49 ppolicy.la
Anything else I can check?
Thanks for all your help.
--On Tuesday, September 17, 2013 1:07 PM +0000 Philip Bubel philip@bubel.com wrote:
Just confirmed that ppolicy.la is in the correct place. Here's what I have in slapd.conf:

modulepath /usr/lib64/openldap
moduleload ppolicy.la

[csadmin@XXX openldap]$ ls -la | grep pp
lrwxrwxrwx 1 root root    20 Aug 22 16:06 ppolicy-2.4.so.2 -> ppolicy-2.4.so.2.5.6
-rwxr-xr-x 1 root root 39824 Apr 29 03:50 ppolicy-2.4.so.2.5.6
-rwxr-xr-x 1 root root   936 Apr 29 03:49 ppolicy.la
Anything else I can check?
Well, you can start slapd with -d -1 to see if it reports any issues while loading the module. However, it appears you are continuing to use the RHEL build of OpenLDAP, which is known to be fundamentally broken in a multitude of ways. Personally, I would move to using the LTB packages, adjust your configuration to use cn=config, and then look at resolving any issues with ppolicy should they remain.
--Quanah
I ran slapd -d -1 and looked through the output, and it appears the policy is loading. See below. Any other thoughts? We are looking at new server versions as well.

ldif_read_file: read entry file: "/etc/openldap/slapd.d/cn=config/cn=schema/cn={10}ppolicy.ldif"
=> str2entry: "dn: cn={10}ppolicy
objectClass: olcSchemaConfig
cn: {10}ppolicy
olcAttributeTypes: {0}( 1.3.6.1.4.1.42.2.27.8.1.1 NAME 'pwdAttribute' EQUALITY objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
olcAttributeTypes: {1}( 1.3.6.1.4.1.42.2.27.8.1.2 NAME 'pwdMinAge' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {2}( 1.3.6.1.4.1.42.2.27.8.1.3 NAME 'pwdMaxAge' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {3}( 1.3.6.1.4.1.42.2.27.8.1.4 NAME 'pwdInHistory' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {4}( 1.3.6.1.4.1.42.2.27.8.1.5 NAME 'pwdCheckQuality' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {5}( 1.3.6.1.4.1.42.2.27.8.1.6 NAME 'pwdMinLength' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {6}( 1.3.6.1.4.1.42.2.27.8.1.7 NAME 'pwdExpireWarning' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {7}( 1.3.6.1.4.1.42.2.27.8.1.8 NAME 'pwdGraceAuthNLimit' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {8}( 1.3.6.1.4.1.42.2.27.8.1.9 NAME 'pwdLockout' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: {9}( 1.3.6.1.4.1.42.2.27.8.1.10 NAME 'pwdLockoutDuration' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {10}( 1.3.6.1.4.1.42.2.27.8.1.11 NAME 'pwdMaxFailure' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {11}( 1.3.6.1.4.1.42.2.27.8.1.12 NAME 'pwdFailureCountInterval' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {12}( 1.3.6.1.4.1.42.2.27.8.1.13 NAME 'pwdMustChange' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: {13}( 1.3.6.1.4.1.42.2.27.8.1.14 NAME 'pwdAllowUserChange' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: {14}( 1.3.6.1.4.1.42.2.27.8.1.15 NAME 'pwdSafeModify' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: {15}( 1.3.6.1.4.1.4754.1.99.1 NAME 'pwdCheckModule' DESC 'Loadable module that instantiates "check_password() function' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcObjectClasses: {0}( 1.3.6.1.4.1.4754.2.99.1 NAME 'pwdPolicyChecker' SUP top AUXILIARY MAY pwdCheckModule )
olcObjectClasses: {1}( 1.3.6.1.4.1.42.2.27.8.2.1 NAME 'pwdPolicy' SUP top AUXILIARY MUST pwdAttribute MAY ( pwdMinAge $ pwdMaxAge $ pwdInHistory $ pwdCheckQuality $ pwdMinLength $ pwdExpireWarning $ pwdGraceAuthNLimit $ pwdLockout $ pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $ pwdMustChange $ pwdAllowUserChange $ pwdSafeModify ) )
structuralObjectClass: olcSchemaConfig
--On Tuesday, September 17, 2013 7:57 PM +0000 Philip Bubel philip@bubel.com wrote:
I ran slapd -d -1 and looked through the output, and it appears the policy is loading. See below. Any other thoughts? We are looking at new server versions as well.
ldif_read_file: read entry file: "/etc/openldap/slapd.d/cn=config/cn=schema/cn={10}ppolicy.ldif" =>
All this shows is the ppolicy schema file loading. It doesn't indicate anything about whether or not the ppolicy overlay loaded.
--Quanah
To avoid having to post the entire output any keywords I can look for in the output?
--On Tuesday, September 17, 2013 8:07 PM +0000 Philip Bubel philip@bubel.com wrote:
To avoid having to post the entire output any keywords I can look for in the output?
You want to find the section where it loads the ppolicy module, like:
5238ae03 loaded module ppolicy.la
or not if it failed.
--Quanah
Yeah, clearly I have a problem then. The phrase "loaded" or "ppolicy.la" doesn't appear anywhere in my output.
Thanks again for the advice, if you have anyplace else for us to look it would be appreciated.
You could strace the slapd binary, maybe its looking in a different location for your modules? When I do so on my slapd (where ppolicy.la is loaded as part of my config) I see the following:
open("/etc/openldap/schema/ppolicy.schema", O_RDONLY) = 10
open("/usr/lib64/openldap/ppolicy.la", O_RDONLY) = 10
read(10, "# ppolicy.la - a libtool library"..., 4096) = 936
open("/usr/lib64/openldap/ppolicy-2.4.so.2", O_RDONLY) = 10
-Michael Proto
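Quanah's "loaded module" line and Michael's strace output are the two pieces of runtime evidence to look for, and there is a third thing to read off the debug output Philip posted: the path it names, /etc/openldap/slapd.d/cn=config/cn=schema/cn={10}ppolicy.ldif, is a cn=config directory, while the moduleload and overlay lines live in slapd.conf. A slapd started with -F on that directory never reads slapd.conf, which would account for every symptom in this thread (schema present, module never loaded, pwdPolicySubentry undefined). As far as I know the packaged init script on CentOS 6 prefers slapd.d when that directory exists; ps -o args -C slapd shows which of -f or -F the running daemon was actually given. The following added example (not code from the thread or from OpenLDAP) reads saved slapd -d -1 and strace captures and reports whether the module loaded, which configuration source the log shows, and where the module file was opened from. The sample captures are constructed, modelled on the lines quoted above; the "reading config file" line is slapd's config-reader message as I remember it and should be confirmed against your build.

```python
"""Read slapd -d -1 and strace captures for slapo-ppolicy loading evidence (added example)."""
import re

# Constructed samples, modelled on lines quoted in the thread (timestamp prefix
# in the style of Quanah's "5238ae03 loaded module ppolicy.la").
DEBUG_LOG_OK = """\
5238ae03 reading config file /etc/openldap/slapd.conf
5238ae03 loaded module ppolicy.la
"""

DEBUG_LOG_NO_MODULE = """\
5238ae03 ldif_read_file: read entry file: "/etc/openldap/slapd.d/cn=config/cn=schema/cn={10}ppolicy.ldif"
"""

STRACE_OK = """\
open("/etc/openldap/schema/ppolicy.schema", O_RDONLY) = 10
open("/usr/lib64/openldap/ppolicy.la", O_RDONLY) = 10
open("/usr/lib64/openldap/ppolicy-2.4.so.2", O_RDONLY) = 10
"""

STRACE_MISSING = """\
open("/etc/openldap/slapd.d/cn=config.ldif", O_RDONLY) = 8
open("/usr/lib/openldap/ppolicy.la", O_RDONLY) = -1 ENOENT (No such file or directory)
"""

LOADED_RE = re.compile(r"loaded module (\S+)")
READ_ENTRY_RE = re.compile(r'ldif_read_file: read entry file: "([^"]+)"')
CONF_FILE_RE = re.compile(r"reading config file (\S+)")
# strace prints open("path", flags) = rc; newer versions print openat(AT_FDCWD, "path", ...).
OPEN_RE = re.compile(r'open(?:at)?\((?:AT_FDCWD, )?"([^"]+)",[^)]*\)\s*=\s*(-?\d+)')


def module_loaded(debug_log, module="ppolicy.la"):
    """True if slapd reported loading the module (the line Quanah points to)."""
    return any(m.group(1) == module for m in LOADED_RE.finditer(debug_log))


def config_source(debug_log):
    """'slapd.d' if config entries are read from a slapd.d tree, 'slapd.conf' if a
    flat config file is read, else 'unknown'."""
    for m in READ_ENTRY_RE.finditer(debug_log):
        if "/slapd.d/" in m.group(1):
            return "slapd.d"
    if CONF_FILE_RE.search(debug_log):
        return "slapd.conf"
    return "unknown"


def module_opens(strace_log, module="ppolicy.la"):
    """[(path, succeeded), ...] for every open() of the module file in the strace output."""
    hits = []
    for m in OPEN_RE.finditer(strace_log):
        path, rc = m.group(1), int(m.group(2))
        if path.endswith("/" + module):
            hits.append((path, rc >= 0))
    return hits


def diagnose(debug_log, strace_log="", expected_modulepath="/usr/lib64/openldap"):
    """Combine both captures into a dict with a list of finding codes."""
    findings = []
    loaded = module_loaded(debug_log)
    source = config_source(debug_log)
    if not loaded:
        findings.append("module-not-loaded")
        if source == "slapd.d":
            # moduleload/overlay lines in slapd.conf have no effect on a slapd started
            # from a cn=config directory; they must be olcModuleLoad/olcOverlay there.
            findings.append("config-is-slapd.d")
    for path, ok in module_opens(strace_log):
        if not ok:
            findings.append("module-open-failed:" + path)
        elif not path.startswith(expected_modulepath.rstrip("/") + "/"):
            findings.append("module-path-unexpected:" + path)
    return {"module_loaded": loaded, "config_source": source, "findings": findings}


if __name__ == "__main__":
    print(diagnose(DEBUG_LOG_OK, STRACE_OK))
    print(diagnose(DEBUG_LOG_NO_MODULE, STRACE_MISSING))
```

To use it on a real host, start slapd by hand with the same -f or -F argument the init script uses and capture stderr (slapd -d -1 ... 2>/tmp/slapd.debug), run it once more under strace -f -e trace=open,openat -o /tmp/slapd.strace, and pass both files' contents to diagnose(). If the verdict is config-is-slapd.d, the quickest confirmation is ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcModuleLoad olcOverlay as root, which the posted cn=config ACL permits over the peercred bind; an empty answer means the overlay has never been configured where slapd is actually looking.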
On 09/17/2013 01:33 AM, Michael Ströder wrote:
On Mon, 16 Sep 2013 20:44:24 +0000 Philip Bubel philip@bubel.com wrote
ldap_add: Invalid syntax (21)
        additional info: pwdAttribute: value #0 invalid per syntax
[..]
pwdAttribute: userPassword
Should be this:
pwdAttribute: 2.5.4.35
Hi all,
That was my problem too. "userPassword" instead of "2.5.4.35" doesn't work in 2.4.31 (I used Debian wheezy). Is this problem distro dependent?