This is my setup:
Server: Openldap 2.4.39 installed on RHEL7
Ldap clients: RHEL7 and RHEL5
I set up this directive on the ldap clients (/etc/sssd/sssd.conf) to prevent users with expired accounts from logging in: ldap_pwd_policy = shadow. This works as expected.
Now I need to allow users to reset their ldap password after logging in to an ldap client. This is what is logged when a user attempts to reset their password using passwd:
rhel7 ldap client:
# passwd
Changing password for user real
Current password:
New password:
Retype new password:
passwd: Authentication token manipulation error

rhel7 ldap server: /var/log/secure
pam_unix(passwd:chauthtok): user "real" does not exist in the /etc/passwd
pam_sss(passwd:chauthtok): Password change failed for user real: 28 (Module is unknown)
Gkr-pam: couldn't update the login keyring password: no old password was entered
In an attempt to allow users to change their ldap password, I edited my ACL on the ldap server and added 'shadowLastChange':
dn: olcDatabase={2}hdb,cn=config
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by dn.base="cn=Alien,dc=cluster,dc=sec312" write by anonymous auth by * none
olcAccess: {1}to * by self write by dn.base="cn=Alien,dc=cluster,dc=sec312" write by * read
However, that did not work; on the ldap clients I get this in the logs:
pam_unix(sshd:auth): authentication failure
pam_sss(sshd:auth): authentication failure
pam_sss(sshd:auth): received for user reaL 4 (System error)
This is the /etc/pam.d/system-auth file on the rhel7 ldap client:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 authtok_type=
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
What other directive do I need to set to allow users to reset their ldap password when they call passwd?
Thank you, Liz
Real, Elizabeth (392K) wrote:
This is my setup: I set up this directive on the ldap clients (/etc/sssd/sssd.conf) to prevent users with expired accounts from logging in: ldap_pwd_policy = shadow. This works as expected.
Use OpenLDAP's slapo-ppolicy instead! Using shadow account attributes has been deprecated for years.
pam_unix(passwd:chauthtok): user "real" does not exist in the /etc/passwd
pam_sss(passwd:chauthtok): Password change failed for user real: 28 (Module is unknown)
Gkr-pam: couldn't update the login keyring password: no old password was entered
This sounds more PAM- and sssd-related. So you should sort this out first, maybe by asking about the specific issues on the sssd-users mailing list.
In an attempt to allow users to change their ldap password, I edited my ACL on the ldap server and added 'shadowLastChange':
[..]
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by
Think twice! You should not do that because of security issues!
If you really insist on using shadow account attributes you have to use slapo-smbk5pwd to let slapd set them internally when receiving a Password Modify extended operation.
Ciao, Michael.
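Michael's warning concerns the ACL posted in the first message. Two things in it matter from a least-privilege standpoint: "by self write" on shadowLastChange lets a user set their own password-ageing timestamp (the server should set it, which is what slapo-smbk5pwd does when it handles a Password Modify operation), and the catch-all "{1}to * by self write" lets a user modify every other attribute of their own entry, including, if the entries are posixAccount entries, uidNumber, gidNumber and loginShell. The script below is an added example, not from the thread: it audits a dump of olcAccess rules for self-write grants beyond userPassword, using the posted ACL as the weak sample and an illustrative tightened ACL as the hardened sample (the attribute list in rule {1} and the rule order are assumptions; cn=Alien,dc=cluster,dc=sec312 is the admin DN from the post).

```shell
#!/bin/bash
# Audit olcAccess rules for "by self write" grants on anything but userPassword.
# Added example, not from the thread. WEAK_ACL is the ACL posted above;
# HARDENED_ACL is an illustrative tightening (attribute list in rule {1} and
# rule order are assumptions; cn=Alien,... is the admin DN from the post).

WEAK_ACL='olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by dn.base="cn=Alien,dc=cluster,dc=sec312" write by anonymous auth by * none
olcAccess: {1}to * by self write by dn.base="cn=Alien,dc=cluster,dc=sec312" write by * read'

HARDENED_ACL='olcAccess: {0}to attrs=userPassword by self write by dn.base="cn=Alien,dc=cluster,dc=sec312" write by anonymous auth by * none
olcAccess: {1}to attrs=shadowLastChange,shadowMax,shadowExpire by dn.base="cn=Alien,dc=cluster,dc=sec312" write by * read
olcAccess: {2}to * by dn.base="cn=Alien,dc=cluster,dc=sec312" write by * read'

# audit_acl ACL_TEXT -> prints one finding per rule that lets "self" write
# anything other than userPassword; returns 1 if there is any finding.
# Expects one rule per line (dump cn=config with "ldapsearch -o ldif-wrap=no"
# so long olcAccess values are not folded). Only the literal clause
# "by self write" is recognised; "=w"-style privilege specs are not parsed.
audit_acl() {
  local findings line what
  findings=0
  while IFS= read -r line; do
    case "$line" in
      olcAccess:*"by self write"*) ;;   # a rule containing a self-write clause
      *) continue ;;
    esac
    what=${line#*to }      # drop the "olcAccess: {n}to " prefix
    what=${what%% by *}    # keep the <what> part: attrs=..., dn..., or *
    [ "$what" = "attrs=userPassword" ] && continue
    printf 'self may write "%s"\n' "$what"
    findings=$((findings + 1))
  done <<EOF
$1
EOF
  [ "$findings" -eq 0 ]
}

echo "posted ACL:";   audit_acl "$WEAK_ACL"     || echo "-> tighten before deploying"
echo "hardened ACL:"; audit_acl "$HARDENED_ACL" && echo "-> self-write limited to userPassword"
```

In the hardened variant the shadow attributes stay readable (sssd with ldap_pwd_policy = shadow needs them) but are written only by the admin DN or by slapd itself through a module, and users keep write access to nothing but their own userPassword.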
Michael,
Thank you for your reply.
I made several attempts to configure slapo-ppolicy but I'm not able to get it to work.
I gathered online documentation and did the following on my openldap 2.4.39 RHEL7 server to enable slapo-ppolicy:
* Loaded the ppolicy schema:
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f ppolicy.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=ppolicy,cn=schema,cn=config"
* Created ldif with the module and overlay: ppolicy1.ldif
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib64/openldap
olcModuleload: ppolicy.la

dn: olcOverlay=ppolicy,olcDatabase={2}hdb,cn=config
objectClass: olcPPolicyConfig
olcPPolicyDefault: ou=policies,dc=cluster,dc=sec312
* Added the module and overlay:
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f ppolicy1.ldif
* Created the module ldif: /etc/openldap/slapd.d/cn=config/cn=module{0}.ldif
* Created the overlay ldif: /etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb/olcOverlay={0}ppolicy.ldif
* Created a new ou called policies: ou=policies,dc=*****,dc=*****
* Created a password policy: passwordPolicy.ldif
* Loaded the password policy and I get this error:
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f passwordPolicy.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "ou=policies,dc=*****,dc=*****"
ldap_add: Object class violation (65)
        additional info: attribute 'ou' not allowed
* Restarted slapd as well but I get the same error.
Any advice will be greatly appreciated.
Thank you, Liz
From: Michael Ströder <michael@stroeder.com>
Date: Friday, September 18, 2015 at 9:27 AM
To: Elizabeth Real Chavez <Elizabeth.Real@jpl.nasa.gov>, "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Subject: Re: Allow users to change ldap password with passwd
Real, Elizabeth (392K) wrote:
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f passwordPolicy.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "ou=policies,dc=*****,dc=*****"
ldap_add: Object class violation (65)
        additional info: attribute 'ou' not allowed
What does passwordPolicy.ldif look like? What set of object classes is used?
Ciao, Michael.
This is the passwordPolicy.ldif:
dn: ou=policies,dc=*****,dc=*****
objectClass: pwdPolicy
objectClass: person
objectClass: top
cn: policies
sn: policies
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdExpireWarning: 3600
#pwdFailureCountInterval: 30
#pwdGraceAuthNLimit: 5
pwdInHistory: 10
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdMaxAge: 7776000
pwdMaxFailure: 5
pwdMinAge: 0
pwdMinLength: 8
pwdMustChange: FALSE
pwdSafeModify: FALSE
Thank you, Liz
From: Michael Ströder <michael@stroeder.com>
Date: Thursday, September 24, 2015 at 10:56 AM
To: Elizabeth Real Chavez <Elizabeth.Real@jpl.nasa.gov>, "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Subject: Re: Allow users to change ldap password with passwd
Real, Elizabeth (392K) wrote:
This is the passwordPolicy.ldif:
dn: ou=policies,dc=*****,dc=*****
objectClass: pwdPolicy
objectClass: person
objectClass: top
cn: policies
sn: policies
If that is what you want to use, you cannot use ou to form the RDN.
Simply use dn: cn=policies,dc=*****,dc=***** instead, to match your entry.
Ciao, Michael.
I replaced ou with cn, tried loading the ldif and got this message:
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f passwordPolicy.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=policies,dc=*****,dc=*****"
ldap_add: Insufficient access (50)
        additional info: no write access to parent
Thank you, Liz
From: Michael Ströder <michael@stroeder.com>
Date: Thursday, September 24, 2015 at 11:12 AM
To: Elizabeth Real Chavez <Elizabeth.Real@jpl.nasa.gov>, "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Subject: Re: Allow users to change ldap password with passwd
Real, Elizabeth (392K) wrote:
I replaced ou with cn, tried loading the ldif and got this message:
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f passwordPolicy.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=policies,dc=*****,dc=*****"
ldap_add: Insufficient access (50)
        additional info: no write access to parent
I guess you want to use another bind-DN with -D when writing to your normal DB backend / naming context dc=*****,dc=*****.
And defining -Y and -D together does not make sense. Please consult the man page and look at various bind methods more closely.
Ciao, Michael.
Michael,
I modified the command and was able to implement the password policy using:
# ldapadd -x -W -D cn=****,dc=****,dc=**** -f passwordPolicy.ldif
Verified the policy was applied:
# ldapsearch -x -D cn=****,dc=****,dc=**** -H ldap:// -b dc=****,dc=**** -W

# real, People, ****.****
dn: uid=real,ou=People,dc=****,dc=****
uid: real
homeDirectory: /home/real
memberUid: real
… …

# policies, ****.****
dn: cn=policies,dc=cluster,dc=sec312
objectClass: pwdPolicy
objectClass: person
objectClass: top
cn:: cG9saWNpZXMg
sn: policies
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdExpireWarning: 3600
pwdInHistory: 10
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdMaxAge: 7776000
pwdMaxFailure: 5
pwdMinAge: 0
pwdMinLength: 8
pwdMustChange: FALSE
pwdSafeModify: FALSE

# search result
search: 2
result: 0 Success

# numResponses: 598
# numEntries: 597
TEST: I reset the password for user 'real' on an ldap client using passwd; the password was successfully changed. However, the new user password did not change on the ldap server. It appears that the policy is not updating the ou that my user 'real' belongs to.
Maybe it's got to do with my ldap tree and where I configured my password policy (cn=policies); this is how it is now:
dc=****, dc=****
  cn=policies
  … …
  ou=People
  … …
Thank you, Liz
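The policy entry in the ldapsearch output above prints its cn as "cn:: cG9saWNpZXMg" rather than "cn: policies". The double colon means the value is base64-encoded, which ldapsearch does for any value that cannot be written safely in plain LDIF (RFC 2849: a leading or trailing space, a leading ':' or '<', or non-ASCII bytes). Decoding this one gives "policies " with a trailing space, a sign of stray whitespace in the hand-written LDIF, and the kind of detail to check when an entry looks right but behaves oddly. The following is an added example, not from the thread: it decodes such lines and names the property that forced the encoding. The "cn::" and "sn:" lines are taken from the output above; the "Müller" line is constructed.

```shell
#!/bin/bash
# Decode LDIF attribute lines and name the property that forced base64.
# Added example, not from the thread. The "cn::" and "sn:" lines come from
# the ldapsearch output above; the "Müller" line is constructed.

# ldif_value LINE -> raw attribute value ("attr: value" or "attr:: base64")
ldif_value() {
  local rest
  rest=${1#*:}                                      # text after the attribute name
  case "$rest" in
    ': '*) printf '%s' "${rest#: }" | base64 -d ;;  # base64-encoded value
    ' '*)  printf '%s' "${rest# }" ;;               # plain value
    *)     return 1 ;;                              # ":< url" form not handled
  esac
}

# ldif_value_issue LINE -> why RFC 2849 required base64 for this value
# ("none" if the plain form would have been legal)
ldif_value_issue() {
  local v
  v=$(ldif_value "$1"; printf x)   # sentinel keeps trailing newlines intact
  v=${v%x}
  # anything outside printable ASCII (0x20-0x7e) forces base64 on its own
  if [ -n "$(printf '%s' "$v" | LC_ALL=C tr -d ' -~')" ]; then
    echo "non-ASCII or control byte"
    return 0
  fi
  case "$v" in
    ' '*)      echo "leading space" ;;
    *' ')      echo "trailing space" ;;
    ':'*|'<'*) echo "leading ':' or '<'" ;;
    *)         echo "none" ;;
  esac
}

# Demo over the sample lines
for line in 'dn: cn=policies,dc=cluster,dc=sec312' 'cn:: cG9saWNpZXMg' \
            'sn: policies' 'cn:: TcO8bGxlcg=='; do
  printf '%-36s -> [%s] %s\n' "$line" "$(ldif_value "$line")" "$(ldif_value_issue "$line")"
done
```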
From: Michael Ströder <michael@stroeder.com>
Date: Thursday, September 24, 2015 at 11:42 AM
To: Elizabeth Real Chavez <Elizabeth.Real@jpl.nasa.gov>, "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Subject: Re: Allow users to change ldap password with passwd
Elizabeth,
sorry, your wording does not result in any valid interpretation on my side. In particular, you obfuscated too much.
To see what's really going on you should again carefully examine your configuration, slapd logs and check the command-lines more carefully.
Ciao, Michael.
--
Michael Ströder            Klauprechtstr. 11
Dipl.-Inform.              D-76137 Karlsruhe, Germany
Tel.: +49 721 8304316
Mobil: +49 170 2391920
E-Mail: michael@stroeder.com
http://www.stroeder.com
I have reinstalled openldap and applied slapo-ppolicy carefully looking at man pages and the configuration.
How do I then apply this to existing openldap accounts?
Thank you, Liz
From: Michael Ströder <michael@stroeder.com>
Date: Monday, September 28, 2015 at 10:57 PM
To: Elizabeth Real Chavez <Elizabeth.Real@jpl.nasa.gov>, "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Subject: Re: Allow users to change ldap password with passwd
From: openldap-technical [mailto:openldap-technical-bounces@openldap.org] On Behalf Of Real, Elizabeth (392K)
Sent: Monday, October 05, 2015 1:18 PM
To: Michael Ströder; openldap-technical@openldap.org
Subject: Re: Allow users to change ldap password with passwd
You need to have a 'pwdPolicySubentry' attribute assigned to each user and the value for that attribute would have to be a valid DN of the password policy itself.
For example, below is what I used to add a password policy recently; fix as needed, YMMV.
#!/bin/bash
#
# assign password policy to LDAP users
for USER in `cat users`; do
ldapmodify -x -D cn=rootbinddn,dc=example,dc=com -w $SOME_PASSWORD <<!
dn: uid=$USER,ou=people,dc=example,dc=com
changetype: modify
add: pwdPolicySubentry
pwdPolicySubentry: cn=personnelpp,ou=Policies,dc=example,dc=com
!
done
Craig
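Craig's loop opens one ldapmodify connection per user and passes the bind password on the command line with -w, where it is visible to every local user through ps for the lifetime of each process. The following is an added example, not Craig's script: it generates one LDIF stream for the whole user list, rejecting lines that could not be a plain uid so that a stray entry in the list cannot change which DN gets modified, loads it in a single ldapmodify run, and reads the bind password from a mode-0600 file with -y. It uses replace rather than add because pwdPolicySubentry is single-valued and add fails once a value is present. The bind DN cn=admin,dc=cluster,dc=sec312, the ldap://localhost URI and the password file path are assumptions; the policy DN and user base are the ones that appear in the thread.

```shell
#!/bin/bash
# Assign a pwdPolicy entry to many users in one ldapmodify run.
# Added example, not from the thread. Assumptions: ADMIN_DN, PASS_FILE and
# the server URI are hypothetical; POLICY_DN and USER_BASE come from the thread.

POLICY_DN='cn=policies,dc=cluster,dc=sec312'     # policy entry from the thread
USER_BASE='ou=People,dc=cluster,dc=sec312'       # user container from the thread
ADMIN_DN='cn=admin,dc=cluster,dc=sec312'         # hypothetical bind DN
PASS_FILE="$HOME/.ldap-admin.pw"                 # hypothetical, must be mode 0600

# gen_policy_ldif USERS_FILE POLICY_DN USER_BASE -> modify records on stdout.
# Blank lines and '#' comments are skipped. A uid containing anything outside
# [A-Za-z0-9._-] is rejected (and the function returns 1) so that a line such
# as "x,ou=admins" cannot redirect the modification to another DN.
gen_policy_ldif() {
  local users policy base uid rc
  users=$1; policy=$2; base=$3; rc=0
  while IFS= read -r uid || [ -n "$uid" ]; do
    case "$uid" in ''|'#'*) continue ;; esac
    case "$uid" in
      *[!A-Za-z0-9._-]*)
        printf 'skipping invalid uid: %s\n' "$uid" >&2
        rc=1
        continue ;;
    esac
    # replace, not add: pwdPolicySubentry is single-valued
    printf 'dn: uid=%s,%s\nchangetype: modify\nreplace: pwdPolicySubentry\npwdPolicySubentry: %s\n\n' \
      "$uid" "$base" "$policy"
  done < "$users"
  return $rc
}

# apply_policy USERS_FILE -> one connection for all users; the bind password
# is read from PASS_FILE (-y) instead of the command line (-w).
apply_policy() {
  gen_policy_ldif "$1" "$POLICY_DN" "$USER_BASE" \
    | ldapmodify -x -H ldap://localhost -D "$ADMIN_DN" -y "$PASS_FILE"
}

# Demo with a constructed user list (no server needed);
# apply_policy "$users" would load the same records.
users=$(mktemp)
printf 'real\nalice\n' > "$users"
gen_policy_ldif "$users" "$POLICY_DN" "$USER_BASE"
rm -f "$users"
```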
Thanks for the tip. I added the pwdPolicySubentry to one user, but it did not work; the attribute is not listed for the user.
I read that this attribute has to be enabled in the ppolicy schema?? I looked at my ppolicy schema, which is located here: /etc/openldap/slapd.d/cn=config/cn=schema/cn={3}ppolicy.ldif. HOWEVER, I did not find pwdPolicySubentry.
What version of openldap is your suggestion based on? I'm running v2.4.39.
Thanks, Liz
From: Craig White <CWhite@skytouchtechnology.com>
Date: Monday, October 5, 2015 at 2:41 PM
To: Elizabeth Real Chavez <Elizabeth.Real@jpl.nasa.gov>, Michael Ströder <michael@stroeder.com>, "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Subject: RE: Allow users to change ldap password with passwd
From: Real, Elizabeth (392K) [mailto:Elizabeth.Real@jpl.nasa.gov]
Sent: Monday, October 05, 2015 3:41 PM
To: Craig White; Michael Ströder; openldap-technical@openldap.org
Subject: Re: Allow users to change ldap password with passwd
What version of openldap is your suggestion based on? I'm running v2.4.39.

You really need to increase your level of LDAP fu.
pwdPolicySubEntry is an operational attribute which won't normally show up.
Google is your friend.
Craig
On Mon, Oct 05, 2015 at 09:41:25PM +0000, Craig White wrote:
You need to have a 'pwdPolicySubentry' attribute assigned to each user and the value for that attribute would have to be a valid DN of the password policy itself.
Either that, or an appropriate olcPPolicyDefault configured on the ppolicy overlay instance (as above, value should be the DN of the default password policy entry). That will be used for any entry that doesn't have an explicit pwdPolicySubentry.
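The rule stated in this reply (the entry's own pwdPolicySubentry if present, otherwise the overlay's olcPPolicyDefault) can be checked against the values that appear in the thread. The overlay LDIF posted earlier names ou=policies,dc=cluster,dc=sec312 as the default, while the entry that was eventually added is cn=policies,dc=cluster,dc=sec312, and a default or subentry DN only has an effect if it names an existing pwdPolicy entry. The following is an added example, not part of the thread: it resolves the effective policy DN for a user from constructed ldapsearch excerpts built from those values and checks it against the list of policy entries that exist. The DN comparison is a simplified normalisation (case and whitespace only); real input would come from ldapsearch -LLL, and the user search must request operational attributes ("+") for pwdPolicySubentry to appear at all.

```shell
#!/bin/bash
# Work out which pwdPolicy entry governs a user and check that it exists.
# Added example, not from the thread. Inputs are constructed from values
# posted earlier: the overlay as first configured (olcPPolicyDefault pointing
# at ou=policies,...) and the policy entry actually added (cn=policies,...).

OVERLAY_LDIF='dn: olcOverlay={0}ppolicy,olcDatabase={2}hdb,cn=config
objectClass: olcPPolicyConfig
olcPPolicyDefault: ou=policies,dc=cluster,dc=sec312'

# user without an explicit subentry (as in the thread) ...
USER_LDIF='dn: uid=real,ou=People,dc=cluster,dc=sec312
uid: real'

# ... and the same user after a pwdPolicySubentry has been assigned
USER_WITH_SUBENTRY='dn: uid=real,ou=People,dc=cluster,dc=sec312
uid: real
pwdPolicySubentry: cn=policies,dc=cluster,dc=sec312'

# DNs of the pwdPolicy entries present in the DIT, one per line
POLICY_DNS='cn=policies,dc=cluster,dc=sec312'

# attr_value LDIF ATTR -> first plain value of ATTR ("" if absent)
attr_value() {
  printf '%s\n' "$1" | sed -n "s/^$2: //p" | head -n 1
}

# normalize_dn DN -> lower-cased, whitespace around ',' and '=' removed.
# Simplified: escaped separators and multi-valued RDNs are not handled.
normalize_dn() {
  printf '%s' "$1" | tr 'A-Z' 'a-z' \
    | sed -e 's/[[:space:]]*,[[:space:]]*/,/g' -e 's/[[:space:]]*=[[:space:]]*/=/g' \
          -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# effective_policy USER_LDIF OVERLAY_LDIF -> DN ppolicy would use for the
# user: its own pwdPolicySubentry if set, otherwise olcPPolicyDefault.
effective_policy() {
  local dn
  dn=$(attr_value "$1" pwdPolicySubentry)
  [ -n "$dn" ] || dn=$(attr_value "$2" olcPPolicyDefault)
  printf '%s' "$dn"
}

# policy_exists DN POLICY_DNS -> 0 if DN matches one of the listed entries
policy_exists() {
  local want line
  want=$(normalize_dn "$1")
  while IFS= read -r line; do
    [ "$(normalize_dn "$line")" = "$want" ] && return 0
  done <<EOF
$2
EOF
  return 1
}

# check_user USER_LDIF OVERLAY_LDIF POLICY_DNS -> verdict; returns 0 only if
# the effective policy DN names an existing pwdPolicy entry
check_user() {
  local dn
  dn=$(effective_policy "$1" "$2")
  if [ -z "$dn" ]; then
    echo "no policy: neither pwdPolicySubentry nor olcPPolicyDefault is set"
    return 1
  fi
  if policy_exists "$dn" "$3"; then
    echo "policy in effect: $dn"
    return 0
  fi
  echo "policy DN names no existing entry: $dn"
  return 1
}

# Demo: the posted default does not resolve; an explicit subentry does.
check_user "$USER_LDIF" "$OVERLAY_LDIF" "$POLICY_DNS" || true
check_user "$USER_WITH_SUBENTRY" "$OVERLAY_LDIF" "$POLICY_DNS"
```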