Hi there,
I have already compiled the latest OpenLDAP stable version with these commands:
# ./configure --program-prefix=/usr/local/ldap --enable-bdb --enable-modules --enable-overlays=yes --enable-backends=yes --disable-ipv6 --with-cyrus-sasl --with-tls --disable-sql
# make depend; make; make install
and after running the make test command I saw that everything was OK, so I can start slapd with the ppolicy module included.
When I include the pwdPolicy objectClass in the user configuration I can see several pwd parameters, but after setting some values I can't see this policy working. I mean, in my user below I set "pwdInHistory = 6", but when I try to change their password, OpenLDAP does not check this value.
Here is the command used to change passwords. I can execute them as fast as I can copy and paste them:
ldappasswd -w test1234 -a test1234 -s 5432test -x -H ldap://192.168.248.164 -D uid=test,ou=orgunit,o=org
ldappasswd -w 5432test -a 5432test -s test1234 -x -H ldap://192.168.248.164 -D uid=test,ou=orgunit,o=org
I can execute these commands ad eternum, with no error messages from the LDAP server telling me that my password is not OK. According to my configuration I would use 7 different passwords (6 in history + 1 to change). And I can change this password faster than it expires (according to the configuration below, "pwdMinAge: 30" tells me to wait 30 seconds to change my password).
User definition:
dn: uid=test,ou=orgunit,o=org
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
objectClass: shadowAccount
objectClass: person
objectClass: pwdPolicy
loginShell: /bin/bash
givenName: test
sn: test-test
displayName: test test-test
uid: test
homeDirectory: /home/test
shadowFlag: 0
shadowMax: 35
shadowWarning: 7
shadowInactive: 99999
shadowExpire: 99999
cn: test test-test
uidNumber: 12190
gidNumber: 25023
shadowMin: 10
pwdAttribute: userPassword
pwdMinAge: 30
pwdMaxAge: 120
pwdInHistory: 3
pwdMinLength: 8
pwdExpireWarning: 60
pwdLockout: TRUE
pwdLockoutDuration: 60
pwdMaxFailure: 2
pwdSafeModify: TRUE
shadowLastChange: 14006
pwdMustChange: FALSE
userPassword: {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Does anybody already use these pwd definitions and can explain to me whether it is OK? I have already read man 5 slapo-ppolicy, and I also executed slapindex -v after inserting these parameters. The man page does explain all the parameters, and I set them up according to its explanation, but it does not work.
Thanks in advance
---
Gustavo Mendes de Carvalho
e-mail: gmcarvalho@gmail.com
No tips or tricks?
---
Gustavo Mendes de Carvalho
e-mail: gmcarvalho@gmail.com
-----Original Message----- From: Gustavo Mendes de Carvalho [mailto:gmcarvalho@gmail.com] Sent: Wednesday, 7 May 2008 17:59 To: openldap-technical@openldap.org Subject: password policy user configuration
I think you need to have a separate container for holding your pwdPolicy. You do not store that information in your user entry.
On May 10, 2008, at 7:20 AM, Gustavo Mendes de Carvalho wrote:
User definition:
dn: uid=test,ou=orgunit,o=org
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
objectClass: shadowAccount
objectClass: person
objectClass: pwdPolicy
loginShell: /bin/bash
givenName: test
sn: test-test
displayName: test test-test
uid: test
homeDirectory: /home/test
shadowFlag: 0
shadowMax: 35
shadowWarning: 7
shadowInactive: 99999
shadowExpire: 99999
cn: test test-test
uidNumber: 12190
gidNumber: 25023
shadowMin: 10
pwdAttribute: userPassword
All the stuff below should be put in cn=mypasswdpolicy,cn=Policies,dc=example,dc=com
then you put an entry in your user account as such:
pwdPolicy: cn=mypasswdpolicy,cn=Policies,dc=example,dc=com
pwdMinAge: 30
pwdMaxAge: 120
pwdInHistory: 3
pwdMinLength: 8
pwdExpireWarning: 60
pwdLockout: TRUE
pwdLockoutDuration: 60
pwdMaxFailure: 2
pwdSafeModify: TRUE
shadowLastChange: 14006
pwdMustChange: FALSE
userPassword: {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
I hope that helps, Scott
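The setup Scott describes, as an added example that is not part of the thread and is not OpenLDAP code. It models how slapo-ppolicy(5) selects a policy and what the overlay would answer to the ldappasswd sequence above once the policy lives in its own entry (Scott's DN, Gustavo's values) and the user entry carries the pointer attribute, which slapo-ppolicy(5) names pwdPolicySubentry; the alternative is a ppolicy_default directive next to overlay ppolicy in the database section of slapd.conf. pwdPolicy attributes placed directly on the user entry are never consulted, which is why nothing was enforced. The error codes, the {SSHA} layout, the pwdHistory value format (time#syntaxOID#length#data) and the GeneralizedTime stamps follow the password-policy draft the overlay implements; the user entry, clock values, history and failed binds are constructed sample data, and pwdMaxAge, pwdExpireWarning, pwdMustChange, pwdSafeModify and pwdFailureCountInterval are not modelled.

```python
"""Model of how slapo-ppolicy selects a policy and judges a password change. Added example, not code
from the thread or from OpenLDAP: the values are Gustavo's, the policy DN is Scott's, the rest is constructed."""
import base64, hashlib, os
from datetime import datetime, timedelta

ACCOUNT_LOCKED, TOO_YOUNG, IN_HISTORY = 1, 7, 8  # codes from the ppolicy response control (draft-behera)
OCTET_STRING = "1.3.6.1.4.1.1466.115.121.1.40"  # syntax OID slapd writes into pwdHistory values
GT = "%Y%m%d%H%M%SZ"  # GeneralizedTime, as in pwdChangedTime, pwdFailureTime, pwdAccountLockedTime

POLICY_LDIF = """\
dn: cn=mypasswdpolicy,cn=Policies,dc=example,dc=com
objectClass: device
objectClass: pwdPolicy
cn: mypasswdpolicy
pwdAttribute: userPassword
pwdMinAge: 30
pwdInHistory: 3
pwdLockout: TRUE
pwdLockoutDuration: 60
pwdMaxFailure: 2
"""

def parse_ldif(text):  # single-entry LDIF -> {attr: [values]}; no base64 or folded lines needed here
    entry = {}
    for line in filter(None, text.splitlines()):
        attr, _, value = line.partition(": ")
        entry.setdefault(attr, []).append(value)
    return entry

def intval(entry, attr): return int(entry.get(attr, ["0"])[0])
def gtime(dt): return dt.strftime(GT)
def parse_gtime(s): return datetime.strptime(s, GT)

def ssha(password):
    """{SSHA} as slapd stores it: base64(sha1(password || salt) || salt)."""
    salt = os.urandom(4)
    return "{SSHA}" + base64.b64encode(hashlib.sha1(password.encode() + salt).digest() + salt).decode()

def ssha_matches(password, stored):
    raw = base64.b64decode(stored[len("{SSHA}"):])
    return hashlib.sha1(password.encode() + raw[20:]).digest() == raw[:20]

def effective_policy(user, policies, default_dn=None):
    """pwdPolicySubentry on the user wins, else the ppolicy_default DN, else no policy at all.
    pwdPolicy attributes written onto the user entry itself are never consulted."""
    dn = user.get("pwdPolicySubentry", [default_dn])[0]
    return policies.get(dn) if dn else None

def is_locked(policy, user, now):
    locked = user.get("pwdAccountLockedTime")  # only ever set when pwdLockout is TRUE
    duration = intval(policy, "pwdLockoutDuration")  # 0: locked until an administrator clears it
    return bool(locked) and (duration == 0 or now < parse_gtime(locked[0]) + timedelta(seconds=duration))

def check_change(policy, user, new_password, now):
    """None if the change would be accepted, else the ppolicy error code it is refused with."""
    if policy is None:
        return None  # the thread's symptom: no policy selected, so nothing is ever checked
    if is_locked(policy, user, now):
        return ACCOUNT_LOCKED
    changed = user.get("pwdChangedTime")
    if changed and now < parse_gtime(changed[0]) + timedelta(seconds=intval(policy, "pwdMinAge")):
        return TOO_YOUNG
    remembered = [user["userPassword"][0]] + [h.split("#", 3)[3] for h in user.get("pwdHistory", [])]
    if intval(policy, "pwdInHistory") and any(ssha_matches(new_password, h) for h in remembered):
        return IN_HISTORY
    return None

def apply_change(policy, user, new_password, now):
    """Rotate the old hash into pwdHistory (newest pwdInHistory kept) and stamp pwdChangedTime."""
    if keep := intval(policy, "pwdInHistory"):
        old, when = user["userPassword"][0], user.get("pwdChangedTime", [gtime(now)])[0]
        history = user.setdefault("pwdHistory", [])
        history.append(f"{when}#{OCTET_STRING}#{len(old)}#{old}")
        del history[:-keep]
    user["userPassword"], user["pwdChangedTime"] = [ssha(new_password)], [gtime(now)]

def record_failed_bind(policy, user, now):
    """pwdMaxFailure consecutive failures set pwdAccountLockedTime (pwdFailureCountInterval not modelled)."""
    failures = user.setdefault("pwdFailureTime", [])
    failures.append(gtime(now))
    if policy.get("pwdLockout", ["FALSE"])[0] == "TRUE" and 0 < intval(policy, "pwdMaxFailure") <= len(failures):
        user["pwdAccountLockedTime"] = [gtime(now)]

def demo():
    """Replay the thread's ldappasswd sequence; returns {step: ppolicy error code or None}."""
    policy = parse_ldif(POLICY_LDIF)
    policies = {policy["dn"][0]: policy}
    at = lambda secs: datetime(2008, 5, 10, 12) + timedelta(seconds=secs)  # constructed clock
    user = {"userPassword": [ssha("test1234")], "pwdChangedTime": [gtime(at(-86400))]}
    out = {"unlinked_entry": check_change(effective_policy(user, policies), user, "5432test", at(0))}
    user["pwdPolicySubentry"] = [policy["dn"][0]]  # the pointer Scott's advice adds to the user entry
    pol = effective_policy(user, policies)
    apply_change(pol, user, "5432test", at(0))
    out["change_back_at_5s"] = check_change(pol, user, "test1234", at(5))
    out["change_back_at_31s"] = check_change(pol, user, "test1234", at(31))
    record_failed_bind(pol, user, at(40)); record_failed_bind(pol, user, at(41))
    out["while_locked_at_50s"] = check_change(pol, user, "Another1!", at(50))
    out["after_lockout_at_120s"] = check_change(pol, user, "Another1!", at(120))
    return out
```

demo() returns the outcome of each step. The entry without pwdPolicySubentry (and no ppolicy_default) is never checked at all; with the pointer in place, changing back within pwdMinAge is refused with passwordTooYoung (7), reusing test1234 after 31 seconds with passwordInHistory (8), and two failed binds lock the account for pwdLockoutDuration seconds (accountLocked, 1), after which the change is accepted again. On a real server the numeric code travels in the password-policy response control, which the OpenLDAP tools request with -e ppolicy; without it the refusal is still visible as an LDAP error with a text diagnostic. Two further points about the command line in the thread: ldappasswd over plain ldap:// sends both the bind password and the new password in the clear unless -ZZ is added to force StartTLS, and -w on the command line exposes the password to anyone who can read the process list.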
Hi Scott,
Thanks for your tip. It helped me to clarify my ideas, and following Jarbas' tip I could fix my bug and solve my problem.
Thank you very much
---
Gustavo Mendes de Carvalho
e-mail: gmcarvalho@gmail.com
-----Original Message----- From: Scott Classen [mailto:sclassen@lbl.gov] Sent: Saturday, 10 May 2008 12:05 To: Gustavo Mendes de Carvalho Cc: openldap-technical@openldap.org Subject: Re: RES: password policy user configuration
Gustavo, look at this: http://www.openldap.org/doc/admin24/overlays.html#Password%20Policies
You will see a nice example at http://www.connexitor.com/forums/viewtopic.php?f=6&t=25
Regards, Jarbas
2008/5/10 Gustavo Mendes de Carvalho gmcarvalho@gmail.com:
No tips or tricks?
---
Gustavo Mendes de Carvalho
e-mail: gmcarvalho@gmail.com
Jarbas,
Thank you very much for your tip. It was really important in helping me to fix my bug and get it working.
---
Gustavo Mendes de Carvalho
e-mail: gmcarvalho@gmail.com
-----Original Message----- From: Jarbas Peixoto Júnior [mailto:jarbas.junior@gmail.com] Sent: Monday, 12 May 2008 10:18 To: Gustavo Mendes de Carvalho Cc: openldap-technical@openldap.org Subject: Re: password policy user configuration