Hi there,
I'm new to this list, so first of all welcome to everyone.
I have a problem with ppolicy and got stuck finding a solution. I configured slapd using the information from [1], trying to be able to lock users. But anyway, the lock seems to be ignored: as soon as one tries to log in, the pwdLockedTime argument is removed from the entry, and I seem to be too blind or dumb to see the reason why.
Here is what happens (testing my own account):

b079 /etc/openldap # grep -v "^#" ldif/locked_users.ldif
dn: uid=jan,ou=xxx,dc=yyy,dc=zzz,dc=org
changetype: modify
add: pwdAccountLockedTime
pwdAccountLockedTime: 20110119225403Z
b079 /etc/openldap # ldapmodify -x -D "cn=admin, dc=yyy, dc=zzz, dc=org" -W -f ldif/locked_users.ldif
Enter LDAP Password:
modifying entry "uid=jan,ou=xxx,dc=yyy,dc=zzz,dc=org"

b079 /etc/openldap # slapcat | grep -B 13 Locked | grep "uid: jan"
uid: jan
b079 /etc/openldap # ldapwhoami -x -D "uid=jan, ou=xxx, dc=yyy, dc=zzz, dc=org" -W
Enter LDAP Password:
dn:uid=jan,ou=xxx,dc=yyy,dc=zzz,dc=org
b079 /etc/openldap # slapcat | grep -B 13 Locked | grep "uid: jan"
b079 /etc/openldap #

And here is the relevant configuration:

b079 /etc/openldap # grep ppolicy slapd.conf
include /etc/openldap/schema/ppolicy.schema
moduleload ppolicy.so
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=yyy,dc=zzz,dc=org"
b079 /etc/openldap #

b079 /etc/openldap # ldapsearch -x -s base -b "cn=default, ou=policies, dc=yyy, dc=zzz, dc=org"
# extended LDIF
#
# LDAPv3
# base <cn=default, ou=policies, dc=yyy, dc=zzz, dc=org> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

# default, policies, yyy.zzz.org
dn: cn=default,ou=policies,dc=yyy,dc=zzz,dc=org
cn: default
sn: dummy value
objectClass: pwdPolicy
objectClass: person
objectClass: top
pwdAttribute: userPassword
pwdMinAge: 0
pwdMaxAge: 0
pwdInHistory: 0
pwdCheckQuality: 0
pwdLockout: TRUE
pwdLockoutDuration: 900
pwdFailureCountInterval: 1800
pwdMustChange: FALSE
pwdAllowUserChange: TRUE
pwdSafeModify: TRUE
pwdExpireWarning: 604800
pwdMaxFailure: 5
pwdGraceAuthNLimit: 0
pwdMinLength: 8

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
b079 /etc/openldap #

Thanks a lot in advance!
[1] http://www.openldap.org/lists/openldap-technical/200810/msg00107.html
2011/2/13 Jan Kohnert nospam001-lists@jankoh.dyndns.org:
Hello Jan,
can you tell us the OpenLDAP version you are running? For example, 2.4.11 on Debian is known to have bugs in the password policy overlay.
Then you should try to lock your account by failing authentication (use a bad password several times); you should see in your entry the operational attributes pwdFailureTime and pwdAccountLockedTime.
Try also to use -e ppolicy in ldapsearch or ldapwhoami commands, to get messages from the password policy control.
Clément.
Hello,
Clément OUDOT schrieb:
2011/2/13 Jan Kohnert nospam001-lists@yyy.zzz.org:
I have a problem with ppolicy and got stuck finding a solution. I configured slapd using the information from [1], trying to be able to lock users. But anyway, the lock seems to be ignored: as soon as one tries to log in, the pwdLockedTime argument is removed from the entry, and I seem to be too blind or dumb to see the reason why.
[config stuff]
can you tell us the OpenLDAP version you are running? For example, 2.4.11 on Debian is known to have bugs in the password policy overlay.
Running Gentoo here:

b079 /etc/openldap # eix net-nds/openldap
[I] net-nds/openldap
     Available versions:  2.3.43-r1 2.4.19-r1 ~2.4.21 2.4.23 {(+)berkdb crypt -cxx debug experimental gdbm gnutls icu iodbc ipv6 kerberos minimal odbc overlays perl samba sasl selinux slp smbkrb5passwd ssl syslog tcpd}
     Installed versions:  2.4.23(06:58:54 18.11.2010)(berkdb crypt ipv6 overlays perl sasl ssl tcpd -cxx -debug -experimental -gnutls -icu -iodbc -kerberos -minimal -odbc -samba -selinux -slp -smbkrb5passwd -syslog)
     Homepage:            http://www.OpenLDAP.org/
     Description:         LDAP suite of application and development tools

b079 /etc/openldap #
Then you should try to lock your account by failing authentication (use a bad password several times); you should see in your entry the operational attributes pwdFailureTime and pwdAccountLockedTime.
This one works!

b079 /etc/openldap # ldapwhoami -x -e ppolicy -D "uid=jan, ou=xxx, dc=yyy, dc=zzz, dc=org" -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
b079 /etc/openldap # ldapwhoami -x -e ppolicy -D "uid=jan, ou=xxx, dc=yyy, dc=zzz, dc=org" -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
b079 /etc/openldap # ldapwhoami -x -e ppolicy -D "uid=jan, ou=xxx, dc=yyy, dc=zzz, dc=org" -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
b079 /etc/openldap # ldapwhoami -x -e ppolicy -D "uid=jan, ou=xxx, dc=yyy, dc=zzz, dc=org" -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
b079 /etc/openldap # ldapwhoami -x -e ppolicy -D "uid=jan, ou=xxx, dc=yyy, dc=zzz, dc=org" -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
b079 /etc/openldap # ldapwhoami -x -e ppolicy -D "uid=jan, ou=xxx, dc=yyy, dc=zzz, dc=org" -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
b079 /etc/openldap # ldapwhoami -x -e ppolicy -D "uid=jan, ou=xxx, dc=yyy, dc=zzz, dc=org" -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
b079 /etc/openldap # ldapwhoami -x -e ppolicy -D "uid=jan, ou=xxx, dc=yyy, dc=zzz, dc=org" -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
b079 /etc/openldap # ldapsearch -x -e ppolicy -b "ou=xxx, dc=yyy, dc=zzz, dc=org" "(uid=jan)" pwdFailureTime
# extended LDIF
#
# LDAPv3
# base <ou=xxx, dc=yyy, dc=zzz, dc=org> with scope subtree
# filter: (uid=jan)
# requesting: pwdFailureTime
#

# jan, xxx, yyy.zzz.org
dn: uid=jan,ou=xxx,dc=yyy,dc=zzz,dc=org
pwdFailureTime: 20110214195244Z
pwdFailureTime: 20110214195246Z
pwdFailureTime: 20110214195247Z
pwdFailureTime: 20110214195249Z
pwdFailureTime: 20110214195250Z

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
b079 /etc/openldap # ldapsearch -x -e ppolicy -b "ou=xxx, dc=yyy, dc=zzz, dc=org" "(uid=jan)" pwdAccountLockedTime
# extended LDIF
#
# LDAPv3
# base <ou=xxx, dc=yyy, dc=zzz, dc=org> with scope subtree
# filter: (uid=jan)
# requesting: pwdAccountLockedTime
#

# jan, xxx, yyy.zzz.org
dn: uid=jan,ou=xxx,dc=yyy,dc=zzz,dc=org
pwdAccountLockedTime: 20110214195250Z

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
b079 /etc/openldap # ldapwhoami -x -e ppolicy -D "uid=jan, ou=xxx, dc=yyy, dc=zzz, dc=org" -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
b079 /etc/openldap # ldapsearch -x -e ppolicy -b "ou=xxx, dc=yyy, dc=zzz, dc=org" "(uid=jan)" pwdFailureTime
# extended LDIF
#
# LDAPv3
# base <ou=xxx, dc=yyy, dc=zzz, dc=org> with scope subtree
# filter: (uid=jan)
# requesting: pwdFailureTime
#

# jan, xxx, yyy.zzz.org
dn: uid=jan,ou=xxx,dc=yyy,dc=zzz,dc=org
pwdFailureTime: 20110214195244Z
pwdFailureTime: 20110214195246Z
pwdFailureTime: 20110214195247Z
pwdFailureTime: 20110214195249Z
pwdFailureTime: 20110214195250Z

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
b079 /etc/openldap #
Try also to use -e ppolicy in ldapsearch or ldapwhoami commands, to get messages from the password policy control.
That one does not seem to generate more precise error messages:

b079 /etc/openldap # ldapsearch -x -s base -e ppolicy -b "cn=default, ou=policies, dc=yyy, dc=zzz, dc=org"
# extended LDIF
#
# LDAPv3
# base <cn=default, ou=policies, dc=yyy, dc=zzz, dc=org> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

# default, policies, yyy.zzz.org
dn: cn=default,ou=policies,dc=yyy,dc=zzz,dc=org
cn: default
sn: dummy value
objectClass: pwdPolicy
objectClass: person
objectClass: top
pwdAttribute: userPassword
pwdMinAge: 0
pwdMaxAge: 0
pwdInHistory: 0
pwdCheckQuality: 0
pwdLockout: TRUE
pwdLockoutDuration: 900
pwdFailureCountInterval: 1800
pwdMustChange: FALSE
pwdAllowUserChange: TRUE
pwdSafeModify: TRUE
pwdExpireWarning: 604800
pwdMaxFailure: 5
pwdGraceAuthNLimit: 0
pwdMinLength: 8

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
b079 /etc/openldap # ldapmodify -x -e ppolicy -D "cn=admin, dc=yyy, dc=zzz, dc=org" -W -f ldif/locked_users.ldif
Enter LDAP Password:
modifying entry "uid=jan,ou=xxx,dc=yyy,dc=zzz,dc=org"

b079 /etc/openldap # slapcat | grep -B 13 Locked | grep "uid: jan"
uid: jan
b079 /etc/openldap # ldapwhoami -x -e ppolicy -D "uid=jan, ou=xxx, dc=yyy, dc=zzz, dc=org" -W
Enter LDAP Password:
dn:uid=jan,ou=xxx,dc=yyy,dc=zzz,dc=org
b079 /etc/openldap #
Jan Kohnert schrieb:
I have a problem with ppolicy and got stuck finding a solution. I configured slapd using the information from [1], trying to be able to lock users. But anyway, the lock seems to be ignored: as soon as one tries to log in, the pwdLockedTime argument is removed from the entry, and I seem to be too blind or dumb to see the reason why.
b079 /etc/openldap # ldapsearch -x -s base -b "cn=default, ou=policies, dc=yyy, dc=zzz, dc=org"
pwdLockout: TRUE
pwdLockoutDuration: 900
I think I got the problem: setting the lockout time older than pwdLockoutDuration lets ppolicy ignore the lockout. That's just fine and as I configured it; I just did not understand that one.
Setting the account lock time to the current time locks out the user correctly (as just tested).
So there comes the next question: is there a way to lock out specific users permanently (other than creating a cronjob that sets the lockout time anew after 900s), or do I need to set pwdLockoutDuration to inf and am thus forced to manually reset users whose accounts someone tried to crack?
Jan Kohnert wrote:
So there comes the next question: Is there a way to lock out specific users permanently (other than creating a cronjob setting the lockout time new after 900s) or do I need to set pwdLockoutDuration to inf and so are forced to manually reset users whose accounts were tried to be cracked?
Read the slapo-ppolicy manpage again. This is explicitly documented.
On Mon, Feb 14, 2011 at 02:23:30PM -0800, Howard Chu wrote:
Jan Kohnert wrote:
So there comes the next question: Is there a way to lock out specific users permanently (other than creating a cronjob setting the lockout time new after 900s) or do I need to set pwdLockoutDuration to inf and so are forced to manually reset users whose accounts were tried to be cracked?
Read the slapo-ppolicy manpage again. This is explicitly documented.
I assume that you are talking about setting pwdAccountLockedTime to 000001010000Z which is what I have generally done in these situations.
I think the man page could be improved here. For one thing, pwdAccountLockedTime is listed as an operational attribute: this is quite correct, but most such attributes cannot be set by user or admin action. The wording does not explicitly say that the attribute can be set, and indeed the schema fragment in the manpage includes NO-USER-MODIFICATION which implies that it *cannot* be set. In fact the schema used by the server does not include that flag so this is a doc error.
It is also worth noting that there are issues relating to replication when using this attribute.
I will open an ITS and suggest new wording.
Andrew
Andrew Findlay schrieb:
On Mon, Feb 14, 2011 at 02:23:30PM -0800, Howard Chu wrote:
Jan Kohnert wrote:
So there comes the next question: Is there a way to lock out specific users permanently (other than creating a cronjob setting the lockout time new after 900s) or do I need to set pwdLockoutDuration to inf and so are forced to manually reset users whose accounts were tried to be cracked?
Read the slapo-ppolicy manpage again. This is explicitly documented.
I assume that you are talking about setting pwdAccountLockedTime to 000001010000Z which is what I have generally done in these situations.
This is exactly what I was looking for. Did I overlook why this special date is supposed to be date "0"? From a simple point of view I would have expected it to be all zeros. date gives:

jankoh@kohni ~ $ date -d 0 "+%Y%m%d%H%M%SZ"
20110216000000Z
jankoh@kohni ~ $

which was today, 0 o'clock.
Thanks again and best regards.
On Wed, Feb 16, 2011 at 12:58:48PM +0100, Jan Kohnert wrote:
I assume that you are talking about setting pwdAccountLockedTime to 000001010000Z which is what I have generally done in these situations.
This is exactly what I was looking for. Did I overlook why this special date is supposed to be date "0"? From a simple point of view I would have expected it to be all zeros. date gives:

jankoh@kohni ~ $ date -d 0 "+%Y%m%d%H%M%SZ"
20110216000000Z
jankoh@kohni ~ $

which was today, 0 o'clock.
There is no month zero nor day zero. Try this:

$ date -d 00000101
Sat Jan  1 00:00:00 LMT 0000
The actual date used for this purpose is defined in the standard (actually an Internet Draft). The designers could have chosen any date obviously preceding the invention of digital computers.
Andrew
Andrew Findlay schrieb:
On Wed, Feb 16, 2011 at 12:58:48PM +0100, Jan Kohnert wrote:
I assume that you are talking about setting pwdAccountLockedTime to 000001010000Z which is what I have generally done in these situations.
This is exactly what I was looking for. Did I overlook why this special date is supposed to be date "0"? From a simple point of view I would have expected it to be all zeros.
There is no month zero nor day zero.
The actual date used for this purpose is defined in the standard (actually an Internet Draft). The designers could have chosen any date obviously preceding the invention of digital computers.
That sounds logical. Thanks for clarification.
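The lockout rules this thread works through (a stale pwdAccountLockedTime being ignored once pwdLockoutDuration has elapsed, the overlay locking after pwdMaxFailure failures, and 000001010000Z as the permanent-lock value), as an added example that is not code from the thread or from OpenLDAP. It models the decisions with the policy values from Jan's cn=default entry; the "0 = no automatic unlock" meanings of pwdLockoutDuration and pwdFailureCountInterval are taken from the slapo-ppolicy manpage, not from the thread.

```python
"""Model of slapo-ppolicy lockout decisions (added illustration, not OpenLDAP code)."""
from datetime import datetime, timedelta, timezone

# The sentinel Andrew mentions: year 0 is not a real timestamp, so it is
# compared as a string instead of being parsed.
PERMANENT_LOCK = "000001010000Z"


def parse_gt(value):
    """Parse an LDAP GeneralizedTime such as 20110214195250Z (UTC only)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def lock_state(locked_time, lockout_duration, now):
    """Classify an entry as 'open', 'locked' (expires) or 'permanent'.

    locked_time: the entry's pwdAccountLockedTime, or None if absent.
    lockout_duration: pwdLockoutDuration in seconds; per the manpage, 0 means
    the lock never expires on its own (the "inf" Jan asked about).
    """
    if locked_time is None:
        return "open"
    if locked_time == PERMANENT_LOCK or lockout_duration == 0:
        return "permanent"
    expiry = parse_gt(locked_time) + timedelta(seconds=lockout_duration)
    # This is what bit Jan: a pwdAccountLockedTime older than
    # pwdLockoutDuration has already expired, so the bind goes through.
    return "locked" if now < expiry else "open"


def lock_after_failures(failure_times, max_failure, count_interval, now):
    """Return the pwdAccountLockedTime the overlay would record once
    max_failure failures fall within count_interval seconds, else None.
    count_interval 0 means failures are only cleared by a successful bind."""
    recent = [t for t in failure_times
              if count_interval == 0
              or now - parse_gt(t) <= timedelta(seconds=count_interval)]
    # GeneralizedTime is fixed-width, so the largest string is the latest time.
    return max(recent) if len(recent) >= max_failure else None


def permanent_lock_ldif(dn):
    """LDIF that locks an entry until an administrator clears the attribute
    (the answer to Jan's cronjob question)."""
    return ("dn: %s\nchangetype: modify\nreplace: pwdAccountLockedTime\n"
            "pwdAccountLockedTime: %s\n" % (dn, PERMANENT_LOCK))
```

With the five pwdFailureTime values from Jan's session and pwdMaxFailure 5, lock_after_failures yields 20110214195250Z, the same pwdAccountLockedTime slapd recorded.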
openldap-technical@openldap.org