Hello, Wow. I feel like an idiot. I solved my problem. My OpenSUSE clients were sending passwords as md5, which caused my openldap server to be unable to read the password information. I changed the clients to send the password as "exop" and that did the trick.
Jose
--- On Thu, 2/25/10, Jose G. Torres jogeedaklown@yahoo.com wrote:
From: Jose G. Torres jogeedaklown@yahoo.com
Subject: Re: Check password module/ppolicy problem on Solaris 10 (2.4.21 OL sources)
To: openldap-technical@openldap.org
Date: Thursday, February 25, 2010, 9:04 AM

Hello again,

Well, I tried the following.
Added the full path of the check_password.so in my slapd.conf under "moduleload":

moduleload /opt/openldap/etc/openldap/modules/check_password.so

Added the full path to my check_password.so module in my ldif:

pwdCheckModule: /opt/openldap/etc/openldap/modules/check_password.so

Recompiled the sources again using the configure used to build the openSUSE package:

CC=/usr/sfw/bin/gcc CPPFLAGS=-I/opt/openldap/include \
LDFLAGS="-L/opt/openldap/lib -R/opt/openldap/lib" \
./configure --prefix=/opt/openldap --with-tls \
--enable-spasswd --enable-crypt --with-gnu-ld \
--enable-ppolicy --enable-modules --enable-dynamic --enable-aci --enable-bdb --enable-hdb \
--enable-rewrite --enable-ldap=yes --enable-meta=mod \
--enable-monitor=yes --enable-slp --enable-overlays=yes \
Still no luck. At least within my ldap logs I see "Password fails quality checking policy", so at least it is hitting the ldap server for password checking. Any ideas????? Thanks!!!!
Jose
I am trying to get my solaris 10 openldap 2.4.21 server to use my check_password.so module using the ppolicy overlay. When I try to change a user's password from a linux client, I get the following error message.
passwd ldapuser
Changing password for ldapuser.
Enter login(LDAP) password:
New Password:
Reenter New Password:
LDAP password information update failed: Constraint violation
Password fails quality checking policy
passwd: Permission denied
Within my logs, I do not see any error messages from my check_password.so module. I created the directory /opt/openldap/etc/openldap/modules, placed my module in that directory and added the modulepath in my slapd.conf.

Is there something I missed? Is this a PAM thing? I know this setup works on an OpenSUSE 11.2 openldap server. Help.
I included part of my slapd.conf, openldap configure, check_password.c source, makefile and ldd of my check_password.so.
Thanks!!!!
Jose Torres
openldap configure:

CC=/usr/sfw/bin/gcc CPPFLAGS=-I/opt/openldap/include \
LDFLAGS="-L/opt/openldap/lib -R/opt/openldap/lib" \
./configure --prefix=/opt/openldap --with-tls \
--enable-spasswd --enable-crypt --with-gnu-ld \
--enable-ppolicy --enable-modules --enable-dynamic
slapd.conf:

include /opt/openldap/etc/openldap/schema/ppolicy.schema
# Add password policies.
modulepath /opt/openldap/etc/openldap/modules
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=caci,dc=ymp,dc=com"
ppolicy_use_lockout

I tried ppolicy_clear_txt; I still have the same problem.
check_password.c:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include "portable.h"
#include "slap.h"

int init_module()
{
    return 0;
}

int check_password(char *pPasswd, char **ppErrStr, Entry *pEntry)
{
    char error = 0;
    char retmsg[255];
    char *message;
    /* The double quote and the backslash must be escaped inside a C string literal. */
    const char special[] = "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~";
    const char number[]  = "1234567890";
    const char CAPS[]    = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";

    /* strpbrk() returns a pointer to the first character of pPasswd that is in
     * the given set, or NULL when none is present. This replaces the original
     * strdup()/strtok() sequence, which leaked every buffer, dereferenced a NULL
     * token before testing for it, and only reported the last failing check. */
    if (strstr(pPasswd, " ") != NULL) {
        error = 1;
        strcpy(retmsg, "******** CHECKPW: Password contains SPACES! ********");
    }
    if (strpbrk(pPasswd, special) == NULL) {
        error = 1;
        strcpy(retmsg, "******** CHECKPW: Password does not contain any special characters! ********");
    }
    if (strpbrk(pPasswd, number) == NULL) {
        error = 1;
        strcpy(retmsg, "******** CHECKPW: Password does not contain any numbers! ********");
    }
    /* The original tested "number" again here, so capital letters were never checked. */
    if (strpbrk(pPasswd, CAPS) == NULL) {
        error = 1;
        strcpy(retmsg, "******** CHECKPW: Password does not contain any CAPITAL LETTERS! ********");
    }

    if (error) {
        /* Allocate a copy of the message; the caller owns and frees it. */
        message = (char *)malloc(sizeof(char) * (strlen(retmsg) + 1));
        strcpy(message, retmsg);
        *ppErrStr = message;
    }
    return error;
}
Makefile:

check_password.so: check_password.o
	gcc -L/opt/openldap/lib -lldap -shared -o check_password.so check_password.o

check_password.o: check_password.c
	gcc -fpic -I../../include -I. -c check_password.c

clean:
	rm check_password.so check_password.o
It seems to find the right libraries.
$ ldd modules/check_password.so
libldap-2.4.so.2 => /opt/openldap/lib/libldap-2.4.so.2
libgcc_s.so.1 => /usr/sfw/lib/libgcc_s.so.1
liblber-2.4.so.2 => /opt/openldap/lib/liblber-2.4.so.2
libresolv.so.2 => /usr/lib/libresolv.so.2
libgen.so.1 => /usr/lib/libgen.so.1
libnsl.so.1 => /usr/lib/libnsl.so.1
libsocket.so.1 => /usr/lib/libsocket.so.1
libsasl.so.1 => /usr/lib/libsasl.so.1
libssl.so.0.9.7 => /usr/sfw/lib/libssl.so.0.9.7
libcrypto.so.0.9.7 => /usr/sfw/lib/libcrypto.so.0.9.7
libc.so.1 => /usr/lib/libc.so.1
libmp.so.2 => /usr/lib/libmp.so.2
libmd.so.1 => /usr/lib/libmd.so.1
libscf.so.1 => /usr/lib/libscf.so.1
libdoor.so.1 => /usr/lib/libdoor.so.1
libuutil.so.1 => /usr/lib/libuutil.so.1
libssl_extra.so.0.9.7 => /usr/sfw/lib/libssl_extra.so.0.9.7
libcrypto_extra.so.0.9.7 => /usr/sfw/lib/libcrypto_extra.so.0.9.7
libm.so.2 => /usr/lib/libm.so.2
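The following is an added, stand-alone example; it is not the poster's check_password.c and not OpenLDAP code. It covers two things from this thread: the four complexity rules the posted module enforces (spaces, special characters, digits, capitals), written with strpbrk() so the checks are correct without strtok() bookkeeping, and the situation the final message identifies, where a client sends an already hashed value such as "{MD5}..." so that no quality check is possible. In that case the example reports the pre-hashed value explicitly, which is more useful to an administrator than a misleading "no special characters" failure. Every name below (pw_result, pw_quality_check, pw_result_of, looks_prehashed) is this example's own, and the sample passwords, including the fake "{MD5}" value, are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Outcome of a quality check; the order here is the order the rules run in. */
enum pw_result {
    PW_OK = 0,
    PW_PREHASHED,   /* value looks like "{SCHEME}..."; nothing to check */
    PW_HAS_SPACE,
    PW_NO_SPECIAL,
    PW_NO_DIGIT,
    PW_NO_UPPER
};

/* Heuristic for an RFC 2307 style "{SCHEME}" prefix: '{', one or more
 * alphanumeric characters, then '}'. slapd compares against its list of
 * registered password schemes; this stand-alone example has no such list. */
static int looks_prehashed(const char *pw)
{
    const char *p;
    if (pw[0] != '{')
        return 0;
    for (p = pw + 1; *p != '\0' && *p != '}'; p++)
        if (!isalnum((unsigned char)*p))
            return 0;
    return *p == '}' && p > pw + 1;
}

/* Returns PW_OK or the first rule that fails. *why receives a static message
 * of the kind a ppolicy module hands back as its error string (a real module
 * would copy it into heap memory, as the posted module does with malloc()). */
enum pw_result pw_quality_check(const char *pw, const char **why)
{
    /* '"' and '\' must be escaped inside a C string literal. */
    static const char special[] = "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~";
    static const char digits[]  = "0123456789";
    static const char upper[]   = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";

    if (looks_prehashed(pw)) {
        *why = "CHECKPW: value is already hashed ({SCHEME} prefix); "
               "the client must send cleartext, e.g. via the password modify exop";
        return PW_PREHASHED;
    }
    if (strchr(pw, ' ') != NULL) {
        *why = "CHECKPW: password contains spaces";
        return PW_HAS_SPACE;
    }
    if (strpbrk(pw, special) == NULL) {
        *why = "CHECKPW: password does not contain any special characters";
        return PW_NO_SPECIAL;
    }
    if (strpbrk(pw, digits) == NULL) {
        *why = "CHECKPW: password does not contain any numbers";
        return PW_NO_DIGIT;
    }
    if (strpbrk(pw, upper) == NULL) {
        *why = "CHECKPW: password does not contain any capital letters";
        return PW_NO_UPPER;
    }
    *why = "OK";
    return PW_OK;
}

/* Convenience wrapper: result only, message discarded. */
enum pw_result pw_result_of(const char *pw)
{
    const char *why;
    return pw_quality_check(pw, &why);
}

int main(void)
{
    /* Constructed sample values; the last one is a fake "{MD5}" hash. */
    static const char *samples[] = {
        "Secret#2010", "secret#2010", "Secret2010", "Secret#Key",
        "Secret #2010", "{MD5}CONSTRUCTEDHASHVALUE==", NULL
    };
    const char **s;
    for (s = samples; *s != NULL; s++) {
        const char *why;
        enum pw_result r = pw_quality_check(*s, &why);
        printf("%-30s -> %d (%s)\n", *s, (int)r, why);
    }
    return 0;
}
```

Build it with the same compiler used in the thread (gcc check.c -o check) and run it to see each rule fire on its sample. The pre-hashed case matters for diagnosing the symptom in this thread: slapo-ppolicy documents that with pwdCheckQuality set to 2 a password whose quality cannot be checked (for example because it is hashed) is rejected outright, so the client-side md5 hashing produced "Password fails quality checking policy" while the module itself logged nothing.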