Hello,
I'm upgrading from openldap 2.4 running on RHEL7 up to 2.6.2 and RHEL8 on new hardware. Apparently the way to configure password policy now is by configuring the slapd.conf file rather than loading the ppolicy schema. How do I modify that file properly? I read https://www.openldap.org/doc/admin26/overlays.html#Password%20Policies
on section 12.10.2. Password Policy Configuration. What does it mean to "Instantiate the module in the database"? Do you have a sample slapd.conf file I can refer to?
Thank you, Liz
--On Wednesday, June 1, 2022 7:02 PM +0000 "Real Villafan, Elizabeth (US 392K)" elizabeth.real@jpl.nasa.gov wrote:
> Hello,
> I'm upgrading from openldap 2.4 running on RHEL7 up to 2.6.2 and RHEL8 on new hardware, apparently the way to configure password policy now is by configuring the slapd.conf file rather than loading the ppolicy schema. How do I modify that file properly? I read https://www.openldap.org/doc/admin26/overlays.html#Password%20Policies
You always configured password policies by loading the module. The only change is that instead of having to combine both the schema file and the module, you only need the module.
> on section 12.10.2. Password Policy Configuration, what does it mean to "Instantiate the module in the database"? do you have a sample slapd.conf file I can refer to?
The same way you load any other overlay for use with a database.
database mdb ...
overlay ppolicy ...
--Quanah
Ok, so
load the module, does it matter where in the slapd.conf file?
Is the format simply:
database mdb
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=example,dc=com"
OR is it something like,
objectClass: olcModuleList
cn: module{0}
olcModuleLoad: ppolicy.la
THEN load it with ldapadd ?
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/ppmodule.ldif
Thank you, Liz
On 6/1/22, 11:45 AM, "Quanah Gibson-Mount" quanah@fast-mail.org wrote:
--On Wednesday, June 1, 2022 7:02 PM +0000 "Real Villafan, Elizabeth (US 392K)" elizabeth.real@jpl.nasa.gov wrote:
> Hello,
> I'm upgrading from openldap 2.4 running on RHEL7 up to 2.6.2 and RHEL8 on new hardware, apparently the way to configure password policy now is by configuring the slapd.conf file rather than loading the ppolicy schema. How do I modify that file properly? I read https://urldefense.us/v3/__https://www.openldap.org/doc/admin26/overlays.htm...
You always configured password policies by loading the module. The only change is that instead of having to combine both the schema file and the module, you only need the module.
> on section 12.10.2. Password Policy Configuration, what does it mean to "Instantiate the module in the database"? do you have a sample slapd.conf file I can refer to?
The same way you load any other overlay for use with a database.
database mdb ...
overlay ppolicy ...
--Quanah
--On Wednesday, June 1, 2022 11:43 PM +0000 "Real Villafan, Elizabeth (US 392K)" elizabeth.real@jpl.nasa.gov wrote:
> Ok, so
> load the module, does it matter where in the slapd.conf file?
> Is the format simply:
> database mdb
> overlay ppolicy
> ppolicy_default "cn=default,ou=policies,dc=example,dc=com"
> OR is it something like,
> objectClass: olcModuleList
> cn: module{0}
> olcModuleLoad: ppolicy.la
The above are two different things.
Module load is used to make modules available for use (but doesn't actually use them) if they were built dynamically.
database mdb ...
overlay ppolicy ...
Is explicitly tying the ppolicy overlay to the mdb database. A slapd configuration can have multiple databases, each of which uses different sets of overlays, and some overlays can be configured globally.
> THEN load it with ldapadd ?
> # ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/ppmodule.ldif
PPM is an external password checking module that can be combined with ppolicy, but that's separate from configuring ppolicy itself.
--Quanah
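Added example, not part of the thread and not OpenLDAP project code: a small Python check that parses a slapd.conf and reports which databases have the ppolicy overlay attached, illustrating the distinction drawn above between `moduleload` (makes the module available) and `overlay ppolicy` (ties it to one database). The sample configuration, its second suffix and the directory paths are constructed for illustration, and the helper names are hypothetical.

```python
import shlex

SAMPLE_CONF = '''\
# Constructed sample (hypothetical suffixes/paths). Global section: load the module.
moduleload ppolicy.la

database mdb
suffix "dc=example,dc=com"
directory /var/lib/ldap/example
# Attach the overlay to this database only.
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=example,dc=com"

database mdb
suffix "dc=lab,dc=example,dc=com"
directory /var/lib/ldap/lab
'''

def parse_slapd_conf(text):
    """Return (loaded module names, per-database dicts) from slapd.conf text."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                                   # blank line or comment
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()           # continuation line
        else:
            logical.append(raw.strip())
    modules, databases, current = [], [], None
    for line in logical:
        key, *args = shlex.split(line)
        key = key.lower()
        if key == "moduleload":
            modules.append(args[0].rsplit(".", 1)[0])  # ppolicy.la -> ppolicy
        elif key == "database":                        # starts a new database section
            current = {"suffix": None, "overlays": [], "ppolicy_default": None}
            databases.append(current)
        elif current is not None and key == "suffix":
            current["suffix"] = args[0]
        elif current is not None and key == "overlay":
            current["overlays"].append(args[0])
        elif current is not None and key == "ppolicy_default":
            current["ppolicy_default"] = args[0]
    return modules, databases

def databases_without_ppolicy(text):
    """Suffixes of databases that have no ppolicy overlay attached."""
    _, dbs = parse_slapd_conf(text)
    return [d["suffix"] for d in dbs if "ppolicy" not in d["overlays"]]
```

On the constructed sample, `databases_without_ppolicy(SAMPLE_CONF)` returns the second suffix only: the module is loaded once, but password policy applies only to the database that carries the overlay line.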
openldap-technical@openldap.org