Greetings,
I'm trying to set up a very simple LDAP server using OpenLDAP (via OLC) and it seems hopeless. The sticking point is ppolicy. I have followed several online guides (http://www.ryanfrantz.com/posts/openldap-implementing-the-password-policy-ov..., https://www.oostergo.net/node/85, to name a few), all of which seem to essentially detail the same procedure, and have met with no success. Whilst following those instructions, I receive no error messages. All commands complete successfully and do not indicate failures of any kind. Looking at the cn=config and target DITs, all data seems to have been imported as expected. Despite that fact, passwd follows a "mystery policy" which bears no resemblance to the policy that I have specified, and ldappasswd follows "no policy at all you can do whatever you want". Is there some way for me to empirically determine what these commands are doing, and why my policy does nothing? Thanks in advance...
cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModuleLoad: {0}ppolicy.la
olcModuleLoad: {1}back_hdb
olcModuleLoad: {2}ppolicy
olcModulePath: /usr/lib/ldap

olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=dla" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by self write by dn="cn=admin,dc=dla" write by * read
olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcLastMod: TRUE
olcSuffix: dc=dla

olcOverlay={0}ppolicy,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: {0}ppolicy
olcPPolicyDefault: cn=passwordDefault,ou=policies,dc=dla
olcPPolicyForwardUpdates: FALSE
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: FALSE

cn=passwordDefault,ou=policies,dc=dla
objectClass: person
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
objectClass: top
cn: passwordDefault
pwdAttribute: 2.5.4.35
sn: passwordDefault
pwdMinLength: 12
On Wed, 19 Aug 2015 13:07:11 -0700, Jeremy Trammell - DLA jtrammell@deeplearninganalytics.com wrote:
cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModuleLoad: {0}ppolicy.la
olcModuleLoad: {1}back_hdb
olcModuleLoad: {2}ppolicy
olcModulePath: /usr/lib/ldap
The module names are not correct. Hint: check /usr/lib/ldap for correct module names.
-Dieter
On 08/20/2015 07:50 AM, Dieter Klünter wrote:
The module names are not correct. Hint: check /usr/lib/ldap for correct module names.
-Dieter
Okay, so what is the correct module name? It's listed as ppolicy in /usr/lib/ldap:
lrwxrwxrwx 1 root root    20 May 25 10:09 ppolicy-2.4.so.2 -> ppolicy-2.4.so.2.8.3
-rw-r--r-- 1 root root 39328 May 25 10:09 ppolicy-2.4.so.2.8.3
-rw-r--r-- 1 root root   954 May 25 10:08 ppolicy.la
lrwxrwxrwx 1 root root    20 May 25 10:09 ppolicy.so -> ppolicy-2.4.so.2.8.3
Hi,
ppolicy is the right name; however, it is invoked two times in your olcModuleLoad param. Keep only one.
According to the reported configuration, only three params of the password policy are defined:
1/ olcPPolicyHashCleartext: TRUE
2/ olcPPolicyUseLockout: FALSE
3/ pwdMinLength: 12
What you should check to test:
1/ The password is hashed (SSHA by default) when it is provided as cleartext.
2/ The LDAP entry is never locked after several failed attempts to bind.
3/ A password modification is rejected with an error message when the length of the new one is less than 12 characters.
That's what "empirically these commands do".
*Important* Be careful, rootdn bypasses password policy.
Hope this helps
Cheers.
On 20/08/2015 16:57, Jeremy Trammell - DLA wrote:
Okay, so what is the correct module name? It's listed as ppolicy in /usr/lib/ldap:
lrwxrwxrwx 1 root root    20 May 25 10:09 ppolicy-2.4.so.2 -> ppolicy-2.4.so.2.8.3
-rw-r--r-- 1 root root 39328 May 25 10:09 ppolicy-2.4.so.2.8.3
-rw-r--r-- 1 root root   954 May 25 10:08 ppolicy.la
lrwxrwxrwx 1 root root    20 May 25 10:09 ppolicy.so -> ppolicy-2.4.so.2.8.3
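An added example, not from any poster in this thread, that applies the two configuration checks above to an LDIF dump offline: it flags a module that appears twice under olcModuleLoad once the {n} ordering prefix and the .la suffix are ignored, and confirms that the olcPPolicyDefault DN really exists as a pwdPolicy entry in the data DIT. The sample LDIF is constructed, abbreviated from the entries posted at the top of the thread; in practice you would feed it the output of slapcat -n 0 (cn=config) and slapcat -n 1 (the data database).

```python
import re
from collections import Counter

# Constructed sample, abbreviated from the cn=config and policy entries posted above.
SAMPLE_CONFIG = """\
dn: cn=module{0},cn=config
olcModuleLoad: {0}ppolicy.la
olcModuleLoad: {1}back_hdb
olcModuleLoad: {2}ppolicy

dn: olcOverlay={0}ppolicy,olcDatabase={1}hdb,cn=config
olcPPolicyDefault: cn=passwordDefault,ou=policies,dc=dla
olcPPolicyHashCleartext: TRUE
"""
SAMPLE_DATA = """\
dn: cn=passwordDefault,ou=policies,dc=dla
objectClass: pwdPolicy
pwdAttribute: 2.5.4.35
pwdMinLength: 12
"""

def parse_ldif(text):
    """Return {dn.lower(): {attr: [values]}} for plain LDIF (no folding, no base64)."""
    entries, cur = {}, None
    for line in text.splitlines():
        if not line.strip():          # a blank line ends the current entry
            cur = None
            continue
        attr, _, value = line.partition(": ")
        if attr == "dn":
            cur = entries.setdefault(value.strip().lower(), {})
        elif cur is not None:
            cur.setdefault(attr, []).append(value.strip())
    return entries

def module_name(value):
    """Drop the {n} ordering prefix and .la/.so suffix: '{2}ppolicy.la' -> 'ppolicy'."""
    return re.sub(r"\.(la|so)$", "", re.sub(r"^\{\d+\}", "", value))

def duplicate_modules(config):
    """Modules listed more than once under olcModuleLoad ('{0}ppolicy.la' + '{2}ppolicy')."""
    loads = [v for e in config.values() for v in e.get("olcModuleLoad", [])]
    return sorted(n for n, c in Counter(map(module_name, loads)).items() if c > 1)

def unresolved_default_policies(config, data):
    """olcPPolicyDefault DNs with no matching pwdPolicy entry in the data DIT."""
    missing = []
    for e in config.values():
        for dn in e.get("olcPPolicyDefault", []):
            target = data.get(dn.lower(), {})
            if "pwdPolicy" not in target.get("objectClass", []):
                missing.append(dn)
    return missing
```

The rootdn exemption noted above cannot be checked this way; test that against the running server by binding as an ordinary user, not as cn=admin.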
On Thu, 20 Aug 2015 07:57:08 -0700, Jeremy Trammell - DLA jtrammell@deeplearninganalytics.com wrote:
Okay, so what is the correct module name? It's listed as ppolicy in /usr/lib/ldap:
lrwxrwxrwx 1 root root    20 May 25 10:09 ppolicy-2.4.so.2 -> ppolicy-2.4.so.2.8.3
-rw-r--r-- 1 root root 39328 May 25 10:09 ppolicy-2.4.so.2.8.3
-rw-r--r-- 1 root root   954 May 25 10:08 ppolicy.la
lrwxrwxrwx 1 root root    20 May 25 10:09 ppolicy.so -> ppolicy-2.4.so.2.8.3
back_hdb.la ppolicy.la
-Dieter
Hi all,
<module-name> | <module-name>.la
do the same thing: link a system library, at the end of the day.
Really, there is a technical difference: the first one *dynamically* links the library (using the <module-name>.so file), the second one *statically* links the library (using the <module-name>.la file).
What we should do is use *only* one of these alternatives at the same time.
Cheers.
On 22/08/2015 09:10, Dieter Klünter wrote:
back_hdb.la ppolicy.la
-Dieter
openldap-technical@openldap.org