I had ppolicy working. Then it stopped. I've cut some stuff for security but I've included some debug info off the ldap server and the ldapsearch + output for that user. Most notably pwdHistory and pwdChangedTime no longer update. pwdMinLength seems to work, as does pwdCheckQuality. Any ideas why it stopped working or what else I can use to debug? I've recently changed the hash, but it didn't coincide with the date ppolicy stopped working.
Matt
From Ldap server debug:

acl: internal mod entryCSN: modify access granted
acl: internal mod modifiersName: modify access granted
acl: internal mod modifyTimestamp: modify access granted
bdb_modify_internal: replace userPassword
bdb_modify_internal: replace entryCSN
bdb_modify_internal: replace modifiersName
bdb_modify_internal: replace modifyTimestampca
oc_check_required entry (uid=testuser,ou=fte,ou=people), objectClass "posixAccount"
oc_check_required entry (uid=testuser,ou=fte,ou=people), objectClass "shadowAccount"
oc_check_required entry (uid=testuser,ou=fte,ou=people), objectClass "inetOrgPerson"
oc_check_allowed type "roomNumber"
oc_check_allowed type "employeeType"
oc_check_allowed type "shadowExpire"
oc_check_allowed type "homePhone"
oc_check_allowed type "givenName"
oc_check_allowed type "mobile"
oc_check_allowed type "objectClass"
oc_check_allowed type "shadowLastChange"
oc_check_allowed type "uid"
oc_check_allowed type "mail"
oc_check_allowed type "uidNumber"
oc_check_allowed type "cn"
oc_check_allowed type "telephoneNumber"
oc_check_allowed type "loginShell"
oc_check_allowed type "host"
oc_check_allowed type "gidNumber"
oc_check_allowed type "gecos"
oc_check_allowed type "homeDirectory"
oc_check_allowed type "sn"
oc_check_allowed type "structuralObjectClass"
oc_check_allowed type "entryUUID"
oc_check_allowed type "creatorsName"
oc_check_allowed type "createTimestamp"
oc_check_allowed type "pwdHistory"
oc_check_allowed type "pwdChangedTime"
oc_check_allowed type "pwdPolicySubentry"
oc_check_allowed type "userPassword"
oc_check_allowed type "entryCSN"
oc_check_allowed type "modifiersName"
oc_check_allowed type "modifyTimestamp"

Ldapsearch:

# testuser, fte, people,
dn: uid=testuser,ou=fte,ou=people
structuralObjectClass: inetOrgPerson
entryUUID: 2c51bca1-1460-4b26-ae20-3c054c861d30
creatorsName: cn=admin
createTimestamp: 20110523222307Z
pwdHistory: 20110606211017Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}aZlEl1nHU2K
pwdHistory: 20110606211045Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}LCJWgHumf2f
pwdHistory: 20110606211056Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}toDKXKosvds
pwdChangedTime: 20110606211056Z
pwdPolicySubentry: cn=default,ou=policies
entryCSN: 20110617223036.234028Z#000000#000#000000
modifiersName: uid=testuser,ou=fte,ou=people
modifyTimestamp: 20110617223036Z
entryDN: uid=testuser,ou=fte,ou=people
subschemaSubentry: cn=Subschema
hasSubordinates: FALSE

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1
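A check for the symptom described in the message above, as an added example that is not part of the original post: it parses unfolded ldapsearch output (with operational attributes requested), splits each pwdHistory value into time#syntaxOID#length#data, and flags an entry whose owner modified it after the recorded pwdChangedTime. The function names and the sample entry are constructed for illustration; a later self-modification can also be a non-password change, so a flag is a prompt to check the server log for that modify, not proof.

```python
from datetime import datetime, timezone

# Constructed sample modelled on the ldapsearch output in the post. The
# {SSHA} values are placeholders, not real password data.
SAMPLE_LDIF = """\
dn: uid=testuser,ou=fte,ou=people
pwdHistory: 20110606211017Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}PLACEHOLDER1
pwdHistory: 20110606211056Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}PLACEHOLDER2
pwdChangedTime: 20110606211056Z
modifiersName: uid=testuser,ou=fte,ou=people
modifyTimestamp: 20110617223036Z
"""

def gtime(value):
    """Parse a whole-second UTC GeneralizedTime such as 20110606211056Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_entry(ldif):
    """Map attribute name -> list of values for one unfolded LDIF entry."""
    attrs = {}
    for line in ldif.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(": ")
        attrs.setdefault(name, []).append(value)
    return attrs

def parse_pwd_history(value):
    """Split one pwdHistory value of the form time#syntaxOID#length#data."""
    when, syntax_oid, length, data = value.split("#", 3)
    return {"time": gtime(when), "syntax": syntax_oid,
            "length": int(length), "data": data}

def ppolicy_report(attrs):
    """Compare ppolicy state with the entry's last modification."""
    changed = gtime(attrs["pwdChangedTime"][0])
    modified = gtime(attrs["modifyTimestamp"][0])
    history = [parse_pwd_history(v)["time"] for v in attrs.get("pwdHistory", [])]
    by_owner = attrs["modifiersName"][0].lower() == attrs["dn"][0].lower()
    return {
        "newest_history": max(history) if history else None,
        "gap_days": (modified - changed).days,
        # Heuristic: the owner wrote the entry after the last recorded change.
        "stale": by_owner and modified > changed,
    }

if __name__ == "__main__":
    print(ppolicy_report(parse_entry(SAMPLE_LDIF)))
```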
No advice on this?

Matt
-----Original Message-----
From: openldap-technical-bounces@OpenLDAP.org [mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Bidwell, Matt
Sent: Friday, June 17, 2011 5:10 PM
To: openldap-technical@openldap.org
Subject: ppolicy works, then doesn't