Hi folks,
I use an OpenLDAP server as a central accounting server through the sshd service, and I use sudo also. All works like a charm. However, I want to use SLAPO_PPOLICY(5).
Well, I think I've implemented it correctly:
xen-ldap01:~# ldapsearch -x -b 'cn=DefaultPassword,ou=Policies,dc=company,dc=com'
# extended LDIF
#
# LDAPv3
# base <cn=DefaultPassword,ou=Policies,dc=company,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# DefaultPassword, Policies, company.com
dn: cn=DefaultPassword,ou=Policies,dc=company,dc=com
cn: DefaultPassword
objectClass: top
objectClass: device
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
pwdAttribute: userPassword
pwdMinAge: 0
pwdMaxAge: 15552000
pwdExpireWarning: 604800
pwdGraceAuthNLimit: 3
pwdMinLength: 8
pwdMaxFailure: 5
pwdLockout: TRUE
pwdInHistory: 5
pwdAllowUserChange: TRUE
pwdSafeModify: TRUE

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
The main problem is I don't know how to check it. I mean, when a user connects to a machine (a box which is an OpenLDAP client) using sshd, sshd goes to OpenLDAP and queries about the user and his password. But I don't see the classical "Password:" prompt anymore.
So, how can I check if ppolicy is really working? I want to test it, for example by changing the password or by blocking a user who types their password wrong more than 5 times.
I suspect a PAM issue (after all, the sshd service goes to LDAP using PAM modules), but I'm not sure.
Any clue?
In OpenLDAP server I can see that ppolicy is working as expected:
Jun 16 18:12:13 xen-ldapbeta slapd[1834]: ppolicy_bind: Setting warning for password expiry for uid=jespasac,ou=CAT,ou=Tecnic,dc=company,dc=com = 112 seconds
Jun 16 18:13:12 xen-ldapbeta slapd[1834]: ppolicy_bind: Setting warning for password expiry for uid=jespasac,ou=CAT,ou=Tecnic,dc=company,dc=com = 53 seconds
Jun 16 18:13:44 xen-ldapbeta slapd[1834]: ppolicy_bind: Setting warning for password expiry for uid=jespasac,ou=CAT,ou=Tecnic,dc=company,dc=com = 21 seconds
Jun 16 18:13:59 xen-ldapbeta slapd[1834]: ppolicy_bind: Setting warning for password expiry for uid=jespasac,ou=CAT,ou=Tecnic,dc=company,dc=com = 6 seconds
Jun 16 18:14:11 xen-ldapbeta slapd[1834]: ppolicy_bind: Entry uid=jespasac,ou=CAT,ou=Tecnic,dc=company,dc=com has an expired password: 0 grace logins
Jun 16 18:14:19 xen-ldapbeta slapd[1834]: ppolicy_bind: Entry uid=jespasac,ou=CAT,ou=Tecnic,dc=company,dc=com has an expired password: 0 grace logins
Jun 16 18:19:43 xen-ldapbeta slapd[1834]: ppolicy_bind: Entry uid=jespasac,ou=CAT,ou=Tecnic,dc=company,dc=com has an expired password: 0 grace logins
but I don't understand why in the client prompt I don't see these warnings. The only warning I see is when the password has already expired (set up with 'pam_password_prohibit_message' in ldap.conf on the client side):

You are required to change your LDAP password immediately. Please visit http://my_gui_to_change_password
Old Password:

Why can I see this message and not the expiry time or grace login warnings?
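The slapd log above is the server's own record of what ppolicy decided at each bind, so it is a useful place to verify the policy even while the client-side display is broken. The script below is an added example for this post, not something from the thread or from OpenLDAP: it matches the two ppolicy_bind message shapes shown above and summarizes them per DN, so an administrator can list who is inside the expiry warning window, who is already expired, and how many grace logins were left. The sample input reuses the messages quoted above and adds one constructed second user plus one ordinary BIND line to show that unrelated lines are ignored; the function names are mine.

```python
# Added example (not from the thread): summarize slapd ppolicy_bind log
# lines per user.  The regular expressions match the two message shapes
# quoted in the post; the sample log reuses those lines and adds a
# constructed second user and a constructed non-ppolicy BIND line.
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# DNs in these messages carry no spaces in the quoted logs; a DN with
# spaces would need a tighter pattern (e.g. anchoring on " = " / " has an").
WARN_RE = re.compile(
    r"ppolicy_bind: Setting warning for password expiry for (?P<dn>\S+) = (?P<secs>\d+) seconds"
)
EXPIRED_RE = re.compile(
    r"ppolicy_bind: Entry (?P<dn>\S+) has an expired password: (?P<grace>\d+) grace logins"
)


def _new_entry() -> dict:
    return {"warnings": 0, "last_warning_seconds": None,
            "expired_binds": 0, "last_grace_logins": None}


def summarize_ppolicy_log(lines: Iterable[str]) -> Dict[str, dict]:
    """Count warning and expired-password binds per DN, keeping the last values seen."""
    summary = defaultdict(_new_entry)
    for line in lines:
        m = WARN_RE.search(line)
        if m:
            e = summary[m["dn"]]
            e["warnings"] += 1
            e["last_warning_seconds"] = int(m["secs"])
            continue
        m = EXPIRED_RE.search(line)
        if m:
            e = summary[m["dn"]]
            e["expired_binds"] += 1
            e["last_grace_logins"] = int(m["grace"])
        # any other slapd line (plain BIND, SRCH, ...) is ignored
    return dict(summary)


def users_needing_attention(summary: Dict[str, dict], warn_below_seconds: int = 86400) -> List[str]:
    """DNs that bound with an expired password, or whose last warning is under the threshold."""
    out = []
    for dn, e in summary.items():
        close_to_expiry = (e["last_warning_seconds"] is not None
                           and e["last_warning_seconds"] < warn_below_seconds)
        if e["expired_binds"] or close_to_expiry:
            out.append(dn)
    return sorted(out)


# Constructed sample: the first five lines are the post's own messages,
# the last two are made up for the demonstration.
SAMPLE_LOG = """\
Jun 16 18:12:13 xen-ldapbeta slapd[1834]: ppolicy_bind: Setting warning for password expiry for uid=jespasac,ou=CAT,ou=Tecnic,dc=company,dc=com = 112 seconds
Jun 16 18:13:12 xen-ldapbeta slapd[1834]: ppolicy_bind: Setting warning for password expiry for uid=jespasac,ou=CAT,ou=Tecnic,dc=company,dc=com = 53 seconds
Jun 16 18:13:59 xen-ldapbeta slapd[1834]: ppolicy_bind: Setting warning for password expiry for uid=jespasac,ou=CAT,ou=Tecnic,dc=company,dc=com = 6 seconds
Jun 16 18:14:11 xen-ldapbeta slapd[1834]: ppolicy_bind: Entry uid=jespasac,ou=CAT,ou=Tecnic,dc=company,dc=com has an expired password: 0 grace logins
Jun 16 18:19:43 xen-ldapbeta slapd[1834]: ppolicy_bind: Entry uid=jespasac,ou=CAT,ou=Tecnic,dc=company,dc=com has an expired password: 0 grace logins
Jun 16 18:20:02 xen-ldapbeta slapd[1834]: ppolicy_bind: Setting warning for password expiry for uid=testuser,ou=Test,dc=company,dc=com = 500000 seconds
Jun 16 18:20:05 xen-ldapbeta slapd[1834]: conn=1001 op=0 BIND dn="uid=testuser,ou=Test,dc=company,dc=com" method=128
"""

if __name__ == "__main__":
    summary = summarize_ppolicy_log(SAMPLE_LOG.splitlines())
    for dn, e in summary.items():
        print(dn, e)
    print("needs attention:", users_needing_attention(summary))
```

Run it against a real slapd log with `summarize_ppolicy_log(open("/var/log/slapd.log"))`; the threshold in users_needing_attention is a plain number of seconds so it can be matched to the pwdExpireWarning value of the policy (604800 in the policy entry above).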
On Tuesday 16 June 2009 18:37:25 Jordi Espasa Clofent wrote:
> In OpenLDAP server I can see that ppolicy is working as expected:
>
> Jun 16 18:12:13 xen-ldapbeta slapd[1834]: ppolicy_bind: Setting warning for password expiry for uid=jespasac,ou=CAT,ou=Tecnic,dc=company,dc=com = 112 seconds
> Jun 16 18:13:12 xen-ldapbeta slapd[1834]: ppolicy_bind: Setting warning for password expiry for uid=jespasac,ou=CAT,ou=Tecnic,dc=company,dc=com = 53 seconds
> Jun 16 18:13:44 xen-ldapbeta slapd[1834]: ppolicy_bind: Setting warning for password expiry for uid=jespasac,ou=CAT,ou=Tecnic,dc=company,dc=com = 21 seconds
> Jun 16 18:13:59 xen-ldapbeta slapd[1834]: ppolicy_bind: Setting warning for password expiry for uid=jespasac,ou=CAT,ou=Tecnic,dc=company,dc=com = 6 seconds
> Jun 16 18:14:11 xen-ldapbeta slapd[1834]: ppolicy_bind: Entry uid=jespasac,ou=CAT,ou=Tecnic,dc=company,dc=com has an expired password: 0 grace logins
> Jun 16 18:14:19 xen-ldapbeta slapd[1834]: ppolicy_bind: Entry uid=jespasac,ou=CAT,ou=Tecnic,dc=company,dc=com has an expired password: 0 grace logins
> Jun 16 18:19:43 xen-ldapbeta slapd[1834]: ppolicy_bind: Entry uid=jespasac,ou=CAT,ou=Tecnic,dc=company,dc=com has an expired password: 0 grace logins
Have you set 'pam_lookup_policy yes' in pam_ldap's ldap.conf?
Are you using pam_ldap in the "account" lines of your PAM configuration?
> but I don't understand why in the client prompt I don't see these warnings. The only warning I see is when the password has already expired (set up with 'pam_password_prohibit_message' in ldap.conf on the client side):
>
> You are required to change your LDAP password immediately. Please visit http://my_gui_to_change_password
> Old Password:
>
> Why can I see this message and not the expiry time or grace login warnings?
Buchan,
> Have you set 'pam_lookup_policy yes' in pam_ldap's ldap.conf?
Yes.
# cat /usr/local/etc/ldap.conf | grep pam_lookup
pam_lookup_policy yes

> Are you using pam_ldap in the "account" lines of your PAM configuration?
Yes (if you refer to sshd, which is the service that I use with PAM to make the request in LDAP cluster).
# cat /etc/pam.d/sshd | grep account
# account
account required pam_nologin.so
#account required pam_krb5.so
account required pam_login_access.so
account sufficient /usr/local/lib/pam_ldap.so
account required pam_unix.so
In http://www.nabble.com/Re:-Password-expiry-warning-message-from-ppolicy-td807... , Prakash Velayutham says:
"Wanted to give a heads up. I have found a solution to this one and it was not pam_ldap. It was the OpenSSH on my system. I was running OpenSSH 4.1p1 and looks like this issue was fixed in 4.3p2 and higher. I got the latest 4.5p2 and things are working now. I will test some more and report back again soon. "
Effectively, I use FreeBSD 7.0, which ships with OpenSSH 4.5p1; but I've upgraded OpenSSH to 5.2p1 and I still cannot see the warning messages.
openldap-technical@openldap.org