ppolicy woes - openldap-technical

18 Jul 2008


      Greetings,
I've been trying to get openldap working with the ppolicy stuff for
the last week.  I think I've got things setup correctly, but the
account lockout stuff isn't working and I can't figure out what I've
done wrong.
I've attached below the slapd.conf, ldap.conf and the ldif file I used
to set up the test server.  I'm relatively inexperienced in LDAP so I
double checked things, but maybe....
If I include the ACL access part in the slapd.conf file (shown below),
I can't ssh into a client that is using the server to authenticate.
If I remove the access section, I can connect just fine, but then it
authenticates me even though an ldapsearch with the -e ppolicy flag
shows "ldap_bind: Invalid credentials (49); Account locked"
I'm running openldap 2.3.39 on Cent OS 5.0.  I'm starting ldap with the 
-d -1 option and don't see any error messages.  Any suggestions?
Thanks,
Bob
================================
Below are the files used to populate the ppolicy attributes, and the
slapd.conf and ldap.conf files on the server.
===============================
1) The following was used to populate the LDAP server, with the top level
objects and the ppolicy values
===============================
dn: dc=foo,dc=bar,dc=edu
objectClass: top
objectClass: organization
objectClass: dcObject
o: foo
dc: foo
dn: ou=People, dc=foo,dc=bar,dc=edu
objectClass: top
objectClass: organizationalUnit
ou: People
dn: ou=Group,dc=foo,dc=bar,dc=edu
objectClass: top
objectclass: organizationalUnit
ou: Group
dn: ou=Policies, dc=foo,dc=bar,dc=edu
objectClass: top
objectClass: organizationalUnit
ou: Policies
dn: cn=Standard Policy, ou=Policies, dc=foo,dc=bar,dc=edu
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: Standard Policy
pwdAttribute: 2.5.4.35
# min passwd change of 7 days
pwdMinAge: 604800
# max passwd change of 90 days
pwdMaxAge: 7776000
# expire warning in 7 days
pwdExpireWarning: 604800
# Can't reuse the last 24 passwords
pwdInHistory: 24
# the server must verify the new passwd for changes to be made
pwdCheckQuality: 2
# min passwd length
pwdMinLength: 8
# Number of failed passwd attempts before lockout
pwdMaxFailure: 3
# lockout user for failed attempts
pwdLockout: TRUE
# only lockout user for 15 minutes
pwdLockoutDuration: 900
# Do not allow expired passwd's to access system
pwdGraceAuthNLimit: 0
# only reset passwd attempt count on successful login
pwdFailureCountInterval: 0
# specifies user must change passwd after admin has reset it
pwdMustChange: TRUE
# users can change their passwords
pwdAllowUserChange: TRUE
# Allows the user to change their passwd without typing in the old.
pwdSafeModify: TRUE
===============================
2) Here is the slapd.conf file
===============================
# master slapd config -- for testing
# $OpenLDAP: pkg/ldap/tests/data/slapd-ppolicy.conf,v 1.6.2.7 2007/01/02 
21:44:12 kurt Exp $
## This work is part of OpenLDAP Software http://www.openldap.org/.
##
## Copyright 1998-2007 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## http://www.OpenLDAP.org/license.html.
include		/etc/openldap/schema/core.schema
include		/etc/openldap/schema/cosine.schema
include		/etc/openldap/schema/inetorgperson.schema
include		/etc/openldap/schema/openldap.schema
include		/etc/openldap/schema/nis.schema
include		/etc/openldap/schema/ppolicy.schema
pidfile		/var/lib/ldap/run/slapd.pid
argsfile	/var/lib/ldap/run/slapd.args
#mod#modulepath	../servers/slapd/back-bdb/
#mod#moduleload	back_bdb.la
#monitormod#modulepath ../servers/slapd/back-monitor/
#monitormod#moduleload back_monitor.la
modulepath /usr/sbin/openldap/
moduleload ppolicy.la
#######################################################################
# database definitions
#######################################################################
database	bdb
suffix		"dc=foo,dc=bar,dc=edu"
directory	/var/lib/ldap/openldap-data
rootdn		"cn=Manager,dc=foo,dc=bar,dc=edu"
rootpw		{SSHA}<root slappasswd went here>
index		objectClass eq
#hdb#index		objectClass eq
#ldbm#index		objectClass eq
overlay		ppolicy
ppolicy_default	"cn=Standard Policy,ou=Policies,dc=foo,dc=bar,dc=edu"
ppolicy_use_lockout
access to attr=userPassword
    by self write
    by anonymous auth
    by dn.base="cn=Admin,dc=foo,dc=bar,dc=edu" write
    by dn.base="cn=Manager,dc=foo,dc=bar,dc=edu" write
         by * none
access to *
    by self write
    by dn.base="cn=Admin,dc=foo,dc=bar,dc=edu" write
    by dn.base="cn=Manager,dc=foo,dc=bar,dc=edu" write
    by * read
#database	monitor
==================================================
3) Here is the ldap.conf file on the client and server
==================================================
# @(#)$Id: ldap.conf,v 1.38 2006/05/15 08:13:31 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# The man pages for this file are nss_ldap(5) and pam_ldap(5)
#
# PADL Software
# http://www.padl.com
#
# Your LDAP server. Must be resolvable without using LDAP.
# Multiple hosts may be specified, each separated by a
# space. How long nss_ldap takes to failover depends on
# whether your LDAP client library supports configurable
# network or connect timeouts (see bind_timelimit).
host 127.0.0.1
# The distinguished name of the search base.
base dc=foo,dc=bar,dc=edu
# Another way to specify your LDAP server is to provide an
# uri with the server name. This allows to use
# Unix Domain Sockets to connect to a local LDAP Server.
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator
# The LDAP version to use (defaults to 3
# if supported by client library)
#ldap_version 3
# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=proxyuser,dc=example,dc=com
# The credentials to bind with.
# Optional: default is no credential.
#bindpw secret
# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
rootbinddn cn=Manager,dc=foo,dc=bar,dc=edu
# The port.
# Optional: default is 389.
port 389
# The search scope.
#scope sub
#scope one
#scope base
# Search timelimit
#timelimit 30
timelimit 120
# Bind/connect timelimit
#bind_timelimit 30
bind_timelimit 120
# Reconnect policy: hard (default) will retry connecting to
# the software with exponential backoff, soft will fail
# immediately.
#bind_policy hard
# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#idle_timelimit 3600
idle_timelimit 3600
# Filter to AND with uid=%s
#pam_filter objectclass=account
# The user ID attribute (defaults to uid)
#pam_login_attribute uid
# Search the root DSE for the password policy (works
# with Netscape Directory Server)
pam_lookup_policy yes
# Check the 'host' attribute for access control
# Default is no; if set to yes, and user has no
# value for the host attribute, and pam_ldap is
# configured for account management (authorization)
# then the user will not be allowed to login.
#pam_check_host_attr yes
# Check the 'authorizedService' attribute for access
# control
# Default is no; if set to yes, and the user has no
# value for the authorizedService attribute, and
# pam_ldap is configured for account management
# (authorization) then the user will not be allowed
# to login.
#pam_check_service_attr yes
# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=example,dc=com
# Group member attribute
#pam_member_attribute uniquemember
# Specify a minium or maximum UID number allowed
#pam_min_uid 0
#pam_max_uid 0
# Template login attribute, default template user
# (can be overriden by value of former attribute
# in user's entry)
#pam_login_attribute userPrincipalName
#pam_template_login_attribute uid
#pam_template_login nobody
# HEADS UP: the pam_crypt, pam_nds_passwd,
# and pam_ad_passwd options are no
# longer supported.
#
# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
#pam_password clear
# Hash password locally; required for University of
# Michigan LDAP server, and works with Netscape
# Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization
# service.
#pam_password crypt
# Remove old password first, then update in
# cleartext. Necessary for use with Novell
# Directory Services (NDS)
#pam_password clear_remove_old
#pam_password nds
# RACF is an alias for the above. For use with
# IBM RACF
#pam_password racf
# Update Active Directory password, by
# creating Unicode password and updating
# unicodePwd attribute.
#pam_password ad
# Use the OpenLDAP password change
# extended operation to update the password.
#pam_password exop
# Redirect users to a URL or somesuch on password
# changes.
#pam_password_prohibit_message Please visit http://internal to change 
your password.
# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX		base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd	ou=People,
# to append the default base DN but this
# may incur a small performance impact.
#nss_base_passwd	ou=People,dc=example,dc=com?one
#nss_base_shadow	ou=People,dc=example,dc=com?one
#nss_base_group		ou=Group,dc=example,dc=com?one
#nss_base_hosts		ou=Hosts,dc=example,dc=com?one
#nss_base_services	ou=Services,dc=example,dc=com?one
#nss_base_networks	ou=Networks,dc=example,dc=com?one
#nss_base_protocols	ou=Protocols,dc=example,dc=com?one
#nss_base_rpc		ou=Rpc,dc=example,dc=com?one
#nss_base_ethers	ou=Ethers,dc=example,dc=com?one
#nss_base_netmasks	ou=Networks,dc=example,dc=com?ne
#nss_base_bootparams	ou=Ethers,dc=example,dc=com?one
#nss_base_aliases	ou=Aliases,dc=example,dc=com?one
#nss_base_netgroup	ou=Netgroup,dc=example,dc=com?one
# Just assume that there are no supplemental groups for these named users
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon
# attribute/objectclass mapping
# Syntax:
#nss_map_attribute	rfc2307attribute	mapped_attribute
#nss_map_objectclass	rfc2307objectclass	mapped_objectclass
# configure --enable-nds is no longer supported.
# NDS mappings
#nss_map_attribute uniqueMember member
# Services for UNIX 3.5 mappings
#nss_map_objectclass posixAccount User
#nss_map_objectclass shadowAccount User
#nss_map_attribute uid msSFU30Name
#nss_map_attribute uniqueMember msSFU30PosixMember
#nss_map_attribute userPassword msSFU30Password
#nss_map_attribute homeDirectory msSFU30HomeDirectory
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_objectclass posixGroup Group
#pam_login_attribute msSFU30Name
#pam_filter objectclass=User
#pam_password ad
# configure --enable-mssfu-schema is no longer supported.
# Services for UNIX 2.0 mappings
#nss_map_objectclass posixAccount User
#nss_map_objectclass shadowAccount user
#nss_map_attribute uid msSFUName
#nss_map_attribute uniqueMember posixMember
#nss_map_attribute userPassword msSFUPassword
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup Group
#nss_map_attribute cn msSFUName
#pam_login_attribute msSFUName
#pam_filter objectclass=User
#pam_password ad
# RFC 2307 (AD) mappings
#nss_map_objectclass posixAccount user
#nss_map_objectclass shadowAccount user
#nss_map_attribute uid sAMAccountName
#nss_map_attribute homeDirectory unixHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup group
#nss_map_attribute uniqueMember member
#pam_login_attribute sAMAccountName
#pam_filter objectclass=User
#pam_password ad
# configure --enable-authpassword is no longer supported
# AuthPassword mappings
#nss_map_attribute userPassword authPassword
# AIX SecureWay mappings
#nss_map_objectclass posixAccount aixAccount
#nss_base_passwd ou=aixaccount,?one
#nss_map_attribute uid userName
#nss_map_attribute gidNumber gid
#nss_map_attribute uidNumber uid
#nss_map_attribute userPassword passwordChar
#nss_map_objectclass posixGroup aixAccessGroup
#nss_base_group ou=aixgroup,?one
#nss_map_attribute cn groupName
#nss_map_attribute uniqueMember member
#pam_login_attribute userName
#pam_filter objectclass=aixAccount
#pam_password clear
# Netscape SDK LDAPS
#ssl on
# Netscape SDK SSL options
#sslpath /etc/ssl/certs
# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
#ssl start_tls
#ssl on
# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is to use libldap's default behavior, which can be configured in
# /etc/openldap/ldap.conf using the TLS_REQCERT setting.  The default for
# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
#tls_checkpeer yes
# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
#tls_cacertfile /etc/ssl/ca.cert
#tls_cacertdir /etc/ssl/certs
# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool
# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1
# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key
# Disable SASL security layers. This is needed for AD.
#sasl_secprops maxssf=0
# Override the default Kerberos ticket cache location.
#krb5_ccname FILE:/etc/.ldapcache
# SASL mechanism for PAM authentication - use is experimental
# at present and does not support password policy control
#pam_sasl_mech DIGEST-MD5