Hello experts,
I tried to enable ppolicy on a test openldap server.
As I read, I first created an OU policies with the default cn:
# LDIF Export for cn=default,ou=policies,dc=example,dc=com
# Server: My Slave LDAP Server (ldap://localhost)
# Search Scope: base
# Search Filter: (objectClass=*)
# Total Entries: 1
#
# Generated by phpLDAPadmin (http://phpldapadmin.sourceforge.net) on September 10, 2013 2:10 pm
# Version: 1.2.0.5
version: 1

# Entry 1: cn=default,ou=policies,dc=example,dc=com
dn: cn=default,ou=policies,dc=example,dc=com
cn: default
objectclass: top
objectclass: device
objectclass: pwdPolicy
objectclass: pwdPolicyChecker
pwdallowuserchange: TRUE
pwdattribute: userPassword
pwdcheckmodule: mmc-check-password.so
pwdcheckquality: 0
pwdexpirewarning: 600
pwdfailurecountinterval: 0
pwdgraceauthnlimit: 5
pwdinhistory: 5
pwdlockout: TRUE
pwdlockoutduration: 0
pwdmaxage: 90
pwdmaxfailure: 5
pwdminlength: 8
pwdmustchange: TRUE
pwdsafemodify: FALSE
and added it to my base.
I also added the ppolicy schema, the module load and the overlay:
include /etc/ldap/schema/ppolicy.schema
moduleload ppolicy.la
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=example,dc=com"
ppolicy_hash_cleartext
ppolicy_use_lockout
In /etc/ldap/ldap.conf I changed pam_lookup_policy to yes.
I restarted slapd and changed my own client to use my test OpenLDAP server, and it seemed to work.
But suddenly I was not able to sudo, change my password or log in in another session.
I checked the log of my server and found:
Sep 10 16:17:22 ldap-slave slapd[1672]: conn=1075 op=1 ENTRY dn="cn=jacques foucry,ou=people,dc=example,dc=com"
Sep 10 16:17:22 ldap-slave slapd[1672]: conn=1075 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Sep 10 16:17:22 ldap-slave slapd[1672]: conn=1075 op=2 BIND dn="cn=Jacques Foucry,ou=People,dc=example,dc=com" method=128
Sep 10 16:17:22 ldap-slave slapd[1672]: conn=1075 op=2 BIND dn="cn=Jacques Foucry,ou=People,dc=example,dc=com" mech=SIMPLE ssf=0
Sep 10 16:17:22 ldap-slave slapd[1672]: ppolicy_bind: Entry cn=Jacques Foucry,ou=People,dc=example,dc=com has an expired password: 0 grace logins
Sep 10 16:17:22 ldap-slave slapd[1672]: conn=1075 op=2 RESULT tag=97 err=49 text=
Sep 10 16:17:22 ldap-slave slapd[1672]: conn=1075 op=3 BIND anonymous mech=implicit ssf=0
Sep 10 16:17:22 ldap-slave slapd[1672]: conn=1075 op=3 BIND dn="" method=128
Sep 10 16:17:22 ldap-slave slapd[1672]: conn=1075 op=3 RESULT tag=97 err=0 text=
So I added some attributes to my user. First the OU pwdPolicy (with userPassword as attribute), then pwdAllowUserChange, pwdGraceAuthNLimit (set to 7), pwdLockout (false), pwdLockoutDuration (0), pwdMustChange (true) and pwdSafeModify (true).
I still have the same error.
So there is something I misunderstood.
Can someone explain what's wrong and how I can correct it?
Thanks in advance for your help,
Best regards,
Jacques Foucry
2013/9/10 Jacques Foucry jacques.foucry@novasparks.com
You configured:
pwdmaxage: 90
That means your password expires after 90 seconds. Change this to a better value.
Clément.
On 10/09/2013 17:15, Clément OUDOT wrote:
pwdmaxage: 90
That means your password expires after 90 seconds. Change this to a better value.
Argh.... With a higher value it works now.
Thanks for your help.
I still have a question.
If I add pwdMaxAge to my user's record, does this value override the ppolicy's value?
In fact I don't want some passwords to expire.
Thanks in advance, Jacques Foucry
2013/9/10 Jacques Foucry jacques.foucry@novasparks.com
pwdMaxAge must not be inside a user entry, only inside a ppolicy configuration entry.
To keep some passwords from expiring, create another ppolicy without pwdMaxAge, and set it on those entries in the pwdPolicySubentry attribute.
Clément.
Hi,
On Tue, 10 Sep 2013, Jacques Foucry wrote:
On 10/09/2013 17:15, Clément OUDOT wrote:
pwdmaxage: 90
That means your password expires after 90 seconds. Change this to a better value.
Argh.... With a higher value it works now.
Thanks for your help.
I still have a question.
If I add pwdMaxAge to my user's record, does this value override the ppolicy's value?
No. These attributes only work when applied to a password policy.
In fact I don't want some passwords to expire.
Add a separate password policy for those users and reference it from your users' DNs with:
pwdPolicySubentry: cn=no expiration,ou=policies,dc=example,dc=com
Greetings Christian
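The rules from Clément's and Christian's answers, as an added Python model that is not part of the original thread and not slapd code: pwdMaxAge is counted in seconds and read only from the policy entry (a pwdMaxAge placed on the user, as Jacques tried, is never consulted), a pwdPolicySubentry on the user overrides ppolicy_default, a policy with no pwdMaxAge never expires, and a bind on an expired password only succeeds while grace logins remain. The LDIF, the pwdChangedTime and pwdGraceUseTime values, the user cn=Service Account and the policy name cn=default-fixed are constructed for the example; the timestamp from the posted log is treated as UTC.

```python
"""Model of how slapo-ppolicy selects a policy and decides expiry at bind.

Constructed example for the openldap-technical thread above; this is an
illustration of the rules discussed there, not OpenLDAP's own code.
"""
import re
from datetime import datetime, timezone

PPOLICY_DEFAULT = "cn=default,ou=policies,dc=example,dc=com"
FIXED_POLICY = "cn=default-fixed,ou=policies,dc=example,dc=com"     # assumed name
NO_EXPIRY_POLICY = "cn=no expiration,ou=policies,dc=example,dc=com"
JACQUES = "cn=Jacques Foucry,ou=People,dc=example,dc=com"
SERVICE = "cn=Service Account,ou=People,dc=example,dc=com"          # constructed
LOG_TIME = datetime(2013, 9, 10, 16, 17, 22, tzinfo=timezone.utc)   # from the posted log

# Constructed LDIF: the posted 90-second policy, a corrected 90-day policy,
# the no-expiration policy Christian suggests, and two users. Jacques carries
# objectClass pwdPolicy and his own pwdMaxAge (what he tried) plus five used
# grace logins; the service account points at the no-expiration policy.
LDIF = """\
dn: cn=default,ou=policies,dc=example,dc=com
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdMaxAge: 90
pwdGraceAuthNLimit: 5

dn: cn=default-fixed,ou=policies,dc=example,dc=com
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdMaxAge: 7776000
pwdGraceAuthNLimit: 5

dn: cn=no expiration,ou=policies,dc=example,dc=com
objectClass: pwdPolicy
pwdAttribute: userPassword

dn: cn=Jacques Foucry,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdMaxAge: 31536000
pwdChangedTime: 20130910141500Z
pwdGraceUseTime: 20130910160001Z
pwdGraceUseTime: 20130910160502Z
pwdGraceUseTime: 20130910161003Z
pwdGraceUseTime: 20130910161504Z
pwdGraceUseTime: 20130910161705Z

dn: cn=Service Account,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
pwdChangedTime: 20120101000000Z
pwdPolicySubentry: cn=no expiration,ou=policies,dc=example,dc=com
"""


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, attribute names
    folded to lower case, a list of values per attribute. Deliberately not a
    full parser (no line folding, base64 values or changetype records)."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries[attrs["dn"][0]] = attrs
    return entries


def generalized_time(value):
    """LDAP GeneralizedTime as stored in pwdChangedTime (YYYYmmddHHMMSSZ)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def effective_policy_dn(entries, user_dn, default_policy=PPOLICY_DEFAULT):
    """A pwdPolicySubentry on the user wins; otherwise ppolicy_default applies."""
    return entries[user_dn].get("pwdpolicysubentry", [default_policy])[0]


def password_state(entries, user_dn, now, default_policy=PPOLICY_DEFAULT):
    """Decide, at a simple bind at time `now`, whether the password counts as
    expired and whether the bind would still be accepted on a grace login."""
    user = entries[user_dn]
    policy_dn = effective_policy_dn(entries, user_dn, default_policy)
    policy = entries[policy_dn]
    # pwdMaxAge is taken from the policy entry only, in seconds; absent or 0
    # means the password never expires. The user's own pwdMaxAge is ignored.
    max_age = int(policy.get("pwdmaxage", ["0"])[0])
    changed = user.get("pwdchangedtime")
    expired = False
    if max_age > 0 and changed:
        age = (now - generalized_time(changed[0])).total_seconds()
        expired = age > max_age
    # Each pwdGraceUseTime value is one grace login already consumed.
    grace_limit = int(policy.get("pwdgraceauthnlimit", ["0"])[0])
    grace_left = max(0, grace_limit - len(user.get("pwdgraceusetime", [])))
    return {"policy": policy_dn, "pwdMaxAge": max_age, "expired": expired,
            "grace_left": grace_left, "bind_ok": (not expired) or grace_left > 0}


if __name__ == "__main__":
    db = parse_ldif(LDIF)
    for label, user, default in (("posted config", JACQUES, PPOLICY_DEFAULT),
                                 ("corrected pwdMaxAge", JACQUES, FIXED_POLICY),
                                 ("pwdPolicySubentry", SERVICE, PPOLICY_DEFAULT)):
        print(f"{label:20} {password_state(db, user, LOG_TIME, default)}")
```

Running it reproduces the posted failure: under the 90-second policy Jacques's password, changed two hours earlier, is expired with 0 grace logins left, so the bind is refused (the err=49 in the log), while the same entry under the 90-day policy binds normally and the service account never expires because its subentry policy has no pwdMaxAge. Note that the user-level pwdMaxAge of one year plays no part in any of the three results.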
openldap-technical@openldap.org