Hi Venkata,
Check where your slapd binary is. In this directory, you will see a libexec directory. Inside you can find the ppolicy.la module. Execute a pwd command and put the pwd output in your slapd.conf file.
Here is my slapd.conf file:
#######################################################################
# Global definitions
#######################################################################

include /usr/local/ldap/servers/slapd/schema/core.schema
include /usr/local/ldap/servers/slapd/schema/cosine.schema
include /usr/local/ldap/servers/slapd/schema/inetorgperson.schema
include /usr/local/ldap/servers/slapd/schema/misc.schema
include /usr/local/ldap/servers/slapd/schema/nis.schema
include /usr/local/ldap/servers/slapd/schema/ppolicy.schema

pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args
logfile /var/log/ldap.log
loglevel 256

# Load dynamic backend modules:
modulepath /usr/local/libexec/openldap
### moduleload back_ldap.la
### moduleload back_passwd.la
moduleload accesslog.la
### moduleload pcache.la
moduleload ppolicy.la
moduleload unique.la

#######################################################################
# BDB database definitions
#######################################################################

database bdb
suffix "c=country"
rootdn "cn=manager,c=country"
rootpw {SSHA}password's hash
directory /usr/local/var/openldap-data/
mode 0600
cachesize 1000000
checkpoint 256 60

overlay ppolicy
ppolicy_default "cn=default,ou=policies,o=org,c=country"

#######################################################################
# ACL's
#######################################################################

access to attrs=userPassword
    by self write
    by anonymous auth
    by dn="cn=manager,c=country" write
    by * read

access to *
    by self write
    by dn="cn=manager,c=country" write
    by * read

#######################################################################
# Indexes
#######################################################################

index objectClass eq,pres
index uid,memberUid eq,pres,sub
Another tip is to remove your shadow parameters from your user account. I mean, when you create an account, unset the shadow properties. Leave all shadow properties defined in the ppolicy options. Check my user output:
dn: uid=sdanyluk,ou=orgunit,o=org,c=country
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
objectClass: person
loginShell: /bin/bash
givenName: Scott
sn: Danyluk
displayName: Scott Danyluk
uid: sdanyluk
homeDirectory: /home/sdanyluk
cn: Scott Danyluk
uidNumber: 14838
userPassword: xxxxxxxxxxxxxxxxxxxxxxx
gidNumber: 25075
Regards
---
Gustavo Mendes de Carvalho
email: gmcarvalho@gmail.com
________________________________
From: Venkata Janardhana [mailto:avjana@gmail.com]
Sent: Thursday, May 15, 2008 13:51
To: jarbas.junior@gmail.com; gmcarvalho@gmail.com
Cc: openldap-technical@openldap.org
Subject: Openldap 2.3.39 Password Policy,
Hello,

I see that you had the same issue with the OpenLDAP 2.3.39 password policy. I am struggling to get this working like anything. Could you please help me out in configuring the password policy and changing the user password?
I have installed openldap 2.3.39 and
./configure --prefix=/usr/local \
            --libexecdir=/usr/sbin \
            --sysconfdir=/etc \
            --localstatedir=/srv/ldap \
            --disable-debug \
            --enable-dynamic \
            --enable-crypt \
            --enable-modules \
            --enable-rlookups \
            --enable-backends \
            --enable-overlays \
            --disable-sql &&
make depend &&
make
make test
su root -c 'make install'
I cannot find
modulepath /usr/lib/openldap
moduleload ppolicy.la
files. Here is my slapd.conf and ldap search file
These are the following slapd.conf file and ldapsearch output. The user can log in to the LDAP server for the first time and could change the password, but cannot log in with the new password or the old password. I am having a hard time getting the password policy working. Could someone please help me out? What is wrong? Thanks in advance,

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/ppolicy.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args

# Load dynamic backend modules:
# modulepath /usr/local/libexec/openldap
# moduleload back_bdb.la
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la

# Sample security restrictions
#   Require integrity protection (prevent hijacking)
#   Require 112-bit (3DES or better) encryption for updates
#   Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#   Root DSE: allow anyone to read it
#   Subschema (sub)entry DSE: allow anyone to read it
#   Other DSEs:
#     Allow self write access
#     Allow authenticated users read access
#     Allow anonymous users to authenticate
#   Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#   by self write
#   by users read
#   by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

access to attrs=userPassword
    by self write
    by * auth

access to * by * read

#######################################################################
# BDB database definitions
#######################################################################

database bdb
suffix "dc=sales,dc=amdex,dc=com"
rootdn "cn=Manager,dc=sales,dc=amdex,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoid. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /usr/local/var/openldap-data
# Indices to maintain
index objectClass eq

----------------------------------------------------------

[root@testserver06 openldap]# ldapsearch -x -b 'dc=sales,dc=amdex,dc=com' '(objectclass=*)'
# extended LDIF
#
# LDAPv3
# base <dc=sales,dc=amdex,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# sales.amdex.com
dn: dc=sales,dc=amdex,dc=com
dc: sales
objectClass: top
objectClass: domain
objectClass: domainRelatedObject
associatedDomain: sales.amdex.com

# People, sales.amdex.com
dn: ou=People,dc=sales,dc=amdex,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: sales.amdex.com

# Group, sales.amdex.com
dn: ou=Group,dc=sales,dc=amdex,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: sales.amdex.com

# ja5199, Group, sales.amdex.com
dn: cn=ja5199,ou=Group,dc=sales,dc=amdex,dc=com
objectClass: posixGroup
objectClass: top
cn: ja5199
gidNumber: 609

# ja5199, People, sales.amdex.com
dn: uid=ja5199,ou=People,dc=sales,dc=amdex,dc=com
uid: ja5199
cn: Jana Avula
givenName: Jana
sn: Avula
mail: ja5199@sales.amdex.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowLastChange: 14001
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 609
gidNumber: 609
homeDirectory: /home/ja5199
gecos: Jana Avula

# Policies, sales.amdex.com
dn: ou=Policies,dc=sales,dc=amdex,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Policies

# default, Policies, sales.amdex.com
dn: cn=default,ou=Policies,dc=sales,dc=amdex,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: 2.5.4.35
pwdMaxAge: 15552000
pwdExpireWarning: 864000
pwdInHistory: 1
pwdCheckQuality: 0
pwdMinLength: 8
pwdMaxFailure: 4
pwdLockout: TRUE
pwdLockoutDuration: 1920
pwdGraceAuthNLimit: 5
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: TRUE

# search result
search: 2
result: 0 Success

# numResponses: 8
# numEntries: 7
openldap-technical@openldap.org
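
A check for the points raised in this thread, as an added example that is not part of the original messages: a POSIX shell/awk lint that reports whether a slapd.conf includes ppolicy.schema, loads ppolicy.la, enables the overlay with a ppolicy_default, stores rootpw in cleartext, or lets everyone read userPassword. The function names, messages and sample configuration are constructed here, and the moduleload finding applies only when ppolicy is built as a dynamic module.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes ppolicy is built as a dynamic
# module (a static build needs no moduleload line).
# lint_slapd_conf [FILE]: print one finding per line; return 1 if any.
lint_slapd_conf() {
    awk '
    function check(   f, d, low) {            # examine one logical directive
        if (line == "") return
        split(line, f, /[ \t]+/); d = tolower(f[1]); low = tolower(line)
        if (d == "include" && low ~ /ppolicy\.schema/)       schema = 1
        if (d == "moduleload" && f[2] ~ /^ppolicy(\.la)?$/)  module = 1
        if (d == "overlay" && f[2] == "ppolicy")             overlay = 1
        if (d == "ppolicy_default")                          dflt = 1
        if (d == "rootpw" && substr(f[2], 1, 1) != "{")      clear = 1
        if (d == "access" && low ~ /attrs=[^ \t]*userpassword/ &&
            low ~ /by[ \t]+\*[ \t]+read/)                    leak = 1
        line = ""
    }
    function report(msg) { print msg; bad = 1 }
    /^[ \t]*#/ || /^[ \t]*$/ { next }         # comments and blank lines
    /^[ \t]/ { sub(/^[ \t]+/, ""); line = line " " $0; next }  # continuation
    { check(); line = $0 }
    END {
        check()
        if (!schema)  report("missing: include of ppolicy.schema")
        if (!module)  report("missing: moduleload ppolicy.la")
        if (!overlay) report("missing: overlay ppolicy")
        if (!dflt)    report("missing: ppolicy_default")
        if (clear)    report("weak: rootpw is stored in cleartext")
        if (leak)     report("weak: userPassword readable by *")
        exit bad + 0
    }' "${1:--}"
}

# Constructed sample modelled on the configuration posted in the question.
sample_conf() {
    cat <<'EOF'
include /usr/local/etc/openldap/schema/ppolicy.schema
# moduleload ppolicy.la
access to attrs=userPassword
    by self write
    by * auth
database bdb
suffix "dc=example,dc=com"
rootpw secret
EOF
}
sample_conf | lint_slapd_conf || true
```

Run it against a real file with `lint_slapd_conf /path/to/slapd.conf`; it does not check that `overlay ppolicy` appears after the `database` line it should apply to.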