Hello,
I am trying to apply a per-domain password policy. [At some point, it seems, these scripts worked for me, but I must have messed something up either in the setup or the scripts.]
I managed to load ppolicy.la and from lsof(8), I can see it. Now, I want to be able to turn password policy on each domain.
I have a simple script invoked as:
$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f ppolicy.ldif
The ppolicy.ldif is:
dn: olcOverlay=ppolicy,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=ppolicy,ou=policies,dc=example,dc=com
olcPPolicyUseLockout: TRUE
olcPPolicyHashCleartext: TRUE
When I try to add the online configuration, I get:
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "olcOverlay=ppolicy,olcDatabase={2}hdb,cn=config"
ldap_add: Other (e.g., implementation specific) error (80)
additional info: User Schema load failed for attribute "pwdAttribute". Error code 17: attribute type undefined
I also have an LDIF for the default policy, added as:
$ ldapadd -x -D cn=admin,dc=example,dc=com -W -f default_ppolicy.ldif
It contains:
dn: ou=policies,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: policies

dn: cn=ppolicy,ou=policies,dc=example,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicyChecker
objectClass: pwdPolicy
cn: ppolicy
pwdAttribute: userPassword
pwdInHistory: 8
pwdMinLength: 8
pwdMaxFailure: 3
pwdFailureCountInterval: 1800
pwdCheckQuality: 0
pwdMustChange: TRUE
pwdGraceAuthNLimit: 0
pwdMaxAge: 7776000
pwdExpireWarning: 1209600
pwdLockoutDuration: 900
pwdLockout: TRUE
When I try to add default_ppolicy.ldif, I get:
adding new entry "ou=policies,dc=example,dc=com"
adding new entry "cn=ppolicy,ou=policies,dc=example,dc=com"
ldap_add: Invalid syntax (21)
additional info: objectClass: value #2 invalid per syntax
It seems that OU=policies is created, but CN=ppolicy is not created. Is that right? I have four (4) values for objectClass. How can I find out which one is triggering the error?
Any suggestions where I should start looking?!
Thank you,
Igor Shmukler
Igor Shmukler wrote:
adding new entry "olcOverlay=ppolicy,olcDatabase={2}hdb,cn=config"
ldap_add: Other (e.g., implementation specific) error (80)
additional info: User Schema load failed for attribute "pwdAttribute". Error code 17: attribute type undefined
Did you load the ppolicy schema before?
Ciao, Michael.
Hello Michael,
I did not, explicitly. At least, not since I last rebuilt my server. I will look into this.
Thank you,
Igor Shmukler
On Mon, Mar 9, 2015 at 1:34 PM, Michael Ströder michael@stroeder.com wrote:
Igor Shmukler wrote:
adding new entry "olcOverlay=ppolicy,olcDatabase={2}hdb,cn=config"
ldap_add: Other (e.g., implementation specific) error (80)
additional info: User Schema load failed for attribute "pwdAttribute". Error code 17: attribute type undefined
Did you load the ppolicy schema before?
Ciao, Michael.
Hi again Michael and everyone,
I have ppolicy.schema in /etc/ldap/schema/ppolicy.schema - hopefully the correct location. I enabled/loaded ppolicy.la by running the below:
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy.la
The dynamically linked shared object seems to be loading correctly.
I see that my config database has schema records as below:
dn: cn={0}core,cn=schema,cn=config
dn: cn={1}cosine,cn=schema,cn=config
dn: cn={2}nis,cn=schema,cn=config
dn: cn={3}inetorgperson,cn=schema,cn=config
I do not see one for ppolicy, nor have I yet found a way to load ppolicy.schema. I could probably convert the ppolicy.schema file using the schema2ldif script, then load the resulting LDIF over ldapi. Is that how ppolicy.schema is typically "entered" into an OpenLDAP server?
Thank you,
Igor Shmukler
On Mon, Mar 9, 2015 at 1:39 PM, Igor Shmukler igor.shmukler@gmail.com wrote:
Hello Michael,
I did not, explicitly. At least, not since I last rebuilt my server. I will look into this.
Thank you,
Igor Shmukler
On Mon, Mar 9, 2015 at 1:34 PM, Michael Ströder michael@stroeder.com wrote:
Igor Shmukler wrote:
adding new entry "olcOverlay=ppolicy,olcDatabase={2}hdb,cn=config"
ldap_add: Other (e.g., implementation specific) error (80)
additional info: User Schema load failed for attribute "pwdAttribute". Error code 17: attribute type undefined
Did you load the ppolicy schema before?
Ciao, Michael.
Right. Now, it works. Thank you.
On Mon, Mar 9, 2015 at 2:37 PM, Michael Ströder michael@stroeder.com wrote:
Igor Shmukler wrote:
I have ppolicy.schema in /etc/ldap/schema/ppolicy.schema - hopefully the correct location.
You need to use ppolicy.ldif also installed by OpenLDAP's make install.
Ciao, Michael.
On 09/03/15 at 12:10, Igor Shmukler wrote:
I also have an LDIF for the default policy, added as:
$ ldapadd -x -D cn=admin,dc=example,dc=com -W -f default_ppolicy.ldif
It contains:
dn: ou=policies,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: policies

dn: cn=ppolicy,ou=policies,dc=example,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicyChecker
objectClass: pwdPolicy
cn: ppolicy
pwdAttribute: userPassword
I think the problem is the pwdAttribute attribute in your LDIF. Although in the examples it is shown as you have it, in my case I had to put the OID of userPassword, not the "userPassword" string.
Hello Angel,
Yes, you are correct. Just like Michael suggested yesterday, my ppolicy schema was not loaded. I had it in the system earlier, which added extra confusion. As per Michael's advice, I found [on my system] and loaded a ready-made ppolicy.ldif and there are no more configuration errors, for now. :)
Sincerely,
Igor Shmukler
On Tue, Mar 10, 2015 at 9:06 AM, Angel L. Mateo amateo@um.es wrote:
On 09/03/15 at 12:10, Igor Shmukler wrote:
I also have an LDIF for the default policy, added as:
$ ldapadd -x -D cn=admin,dc=example,dc=com -W -f default_ppolicy.ldif
It contains:
dn: ou=policies,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: policies

dn: cn=ppolicy,ou=policies,dc=example,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicyChecker
objectClass: pwdPolicy
cn: ppolicy
pwdAttribute: userPassword
I think the problem is the pwdAttribute attribute in your LDIF.
Although in the examples it is shown as you have it, in my case I had to put the OID of userPassword, not the "userPassword" string.
-- Angel L. Mateo Martínez Sección de Telemática Área de Tecnologías de la Información y las Comunicaciones Aplicadas (ATICA) http://www.um.es/atica Tfo: 868887590 Fax: 868888337
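The question raised at the start of the thread, which of the four objectClass values trips "objectClass: value #2 invalid per syntax", can be answered with a small offline check before touching the server; this is an added example, not code from the thread or from OpenLDAP. It reads the objectClass definitions out of a cn=schema,cn=config dump (the two excerpts below are constructed samples, one without and one with the ppolicy schema loaded, and the ldapsearch in the comment is the assumed way to obtain a real one) and reports the first objectClass of an entry the server does not define, using the zero-based index that slapd prints in that error.

```python
import re
# Constructed excerpt of `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config olcObjectClasses`
# with only the core schema loaded (ppolicy absent, as in the thread); OIDs are OpenLDAP's own.
SCHEMA_CORE_ONLY = """\
dn: cn={0}core,cn=schema,cn=config
olcObjectClasses: {0}( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )
olcObjectClasses: {1}( 2.5.6.14 NAME 'device' SUP top STRUCTURAL MUST cn )
"""
# Same dump after `ldapadd -Y EXTERNAL -H ldapi:/// -f ppolicy.ldif` (constructed; the second value is folded as ldapsearch prints long lines).
SCHEMA_WITH_PPOLICY = SCHEMA_CORE_ONLY + """\
dn: cn={4}ppolicy,cn=schema,cn=config
olcObjectClasses: {0}( 1.3.6.1.4.1.42.2.27.8.2.1 NAME 'pwdPolicy' SUP top AUXILIARY MUST pwdAttribute )
olcObjectClasses: {1}( 1.3.6.1.4.1.4754.2.99.1
  NAME 'pwdPolicyChecker' SUP top AUXILIARY MAY pwdCheckModule )
"""
# The objectClass values of the cn=ppolicy entry that was rejected in the thread.
PPOLICY_ENTRY = """\
dn: cn=ppolicy,ou=policies,dc=example,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicyChecker
objectClass: pwdPolicy
"""
# Matches NAME 'x' and the alias form NAME ( 'x' 'y' ).
_NAME_RE = re.compile(r"NAME\s+(?:'([^']+)'|\(\s*((?:'[^']+'\s*)+)\))")

def unfold_ldif(text):
    """Rejoin folded LDIF lines: a continuation line starts with a single space."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def known_object_classes(schema_dump):
    """Every objectClass NAME (aliases included) defined in a cn=schema,cn=config dump."""
    names = set()
    for line in unfold_ldif(schema_dump):
        if line.lower().startswith("olcobjectclasses:") and (m := _NAME_RE.search(line)):
            names.update(n.strip("'") for n in (m.group(1) or m.group(2)).split())
    return names

def first_undefined_object_class(entry_ldif, schema_dump):
    """(index, name) of the first objectClass slapd would reject, else None; index is zero-based, as in 'value #N'."""
    known = {n.lower() for n in known_object_classes(schema_dump)}
    values = [l.split(":", 1)[1].strip() for l in unfold_ldif(entry_ldif) if l.lower().startswith("objectclass:")]
    for i, value in enumerate(values):
        if value.lower() not in known:
            return i, value
    return None
```

With the core-only dump the check returns (2, 'pwdPolicyChecker'), the third value, which is exactly the one slapd rejected; once ppolicy.ldif has been added to cn=schema,cn=config it returns None.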
openldap-technical@openldap.org