Hi Everybody,
Thanks Clément and tempo for your replies.
Sorry for my late reply, last week was really busy.
I confirm that after applying the ppolicy configuration, it's now working fine.
Ulrich, below you have all the steps (Ubuntu with OpenLDAP 2.5.14):
Thanks / Merci
Best
Damien
# configppolicy.ldif
dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=abc,dc=org

sudo -u openldap slapadd -n0 -l configppolicy.ldif

###################
# Policies.ldif
dn: ou=policies,dc=abc,dc=org
objectClass: organizationalUnit
ou: policies

sudo -u openldap slapadd -n1 -l Policies.ldif

###################
# Policies2.ldif
dn: cn=default,ou=policies,dc=abc,dc=org
objectClass: pwdPolicy
objectClass: organizationalRole
cn: default
pwdAttribute: userPassword
pwdMinAge: 0
pwdMinLength: ....
pwdCheckQuality: 2
pwdMaxFailure: ...
pwdLockout: TRUE
pwdLockoutDuration: ....
...

sudo -u openldap slapadd -n1 -l Policies2.ldif

And restart the slapd service.
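To make the point from this thread concrete (pwdAccountLockedTime only matters once the policy has pwdLockout: TRUE), here is an added example, not code from the list or from OpenLDAP, that reproduces the overlay's bind-time lockout decision against constructed LDIF entries. The entry DNs, the dc=example,dc=org suffix and the attribute values are assumptions; the sentinel 000001010000Z and the meaning of pwdLockoutDuration 0 follow the LDAP password policy draft.

```python
from datetime import datetime, timedelta, timezone
# Sentinel value meaning "locked until an administrator resets the password".
PERMANENT_LOCK = "000001010000Z"

# Constructed sample entries (not from the list post). The first policy has no
# pwdLockout, the situation tempo described: pwdAccountLockedTime is ignored.
POLICY_MISSING_LOCKOUT = """
dn: cn=default,ou=policies,dc=example,dc=org
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdMaxFailure: 5
pwdLockoutDuration: 1800
"""
POLICY_FIXED = POLICY_MISSING_LOCKOUT + "pwdLockout: TRUE\n"
ACCOUNT = """
dn: uid=jdoe,ou=people,dc=example,dc=org
pwdAccountLockedTime: 20221021135537Z
"""

def parse_ldif_entry(text):
    """Flat LDIF into {attr: [values]}; no line folding or base64 (':: ') support."""
    entry = {}
    for line in text.strip().splitlines():
        if line and not line.startswith("#"):
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip(), []).append(value.strip())
    return entry

def gen_time(value):
    """LDAP GeneralizedTime (YYYYMMDDHHMMSSZ) to an aware UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def is_locked(policy, account, now):
    """Reproduce the bind-time lockout decision of the ppolicy overlay."""
    if policy.get("pwdLockout", ["FALSE"])[0].upper() != "TRUE":
        return False, "pwdLockout is not TRUE, so pwdAccountLockedTime is never consulted"
    locked = account.get("pwdAccountLockedTime")
    if not locked:
        return False, "entry carries no pwdAccountLockedTime"
    if locked[0] == PERMANENT_LOCK:
        return True, "locked until an administrator resets the password"
    duration = int(policy.get("pwdLockoutDuration", ["0"])[0])
    if duration == 0:
        return True, "pwdLockoutDuration is 0: locked until reset"
    until = gen_time(locked[0]) + timedelta(seconds=duration)
    return now < until, f"lockout window ends {until:%Y%m%d%H%M%SZ}"

def evaluate(policy_ldif, account_ldif, now_gen_time):
    """Wrapper taking LDIF text and a GeneralizedTime 'now' string."""
    return is_locked(parse_ldif_entry(policy_ldif), parse_ldif_entry(account_ldif), gen_time(now_gen_time))
```

Running evaluate() with POLICY_MISSING_LOCKOUT returns unlocked whatever the timestamp, which is exactly the symptom the thread started with; with POLICY_FIXED the same entry is locked for pwdLockoutDuration seconds after the recorded time.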
On 12/7/23 15:42, Windl, Ulrich wrote:
Hi!
You mean something like this?

dn: cn=PP-Default,dc=policies,dc=...,dc=de
changetype: add
objectClass: namedObject
objectClass: pwdPolicy
cn: PP-Default
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckQuality: 1
pwdExpireWarning: 604800
pwdFailureCountInterval: 1209600
pwdLockout: TRUE
pwdLockoutDuration: 1800
pwdMaxFailure: 10
pwdMinAge: 30
pwdMinLength: 8
pwdMustChange: TRUE
pwdSafeModify: FALSE
This is for an older version (obviously), however...
Regards, Ulrich
-----Original Message-----
From: tempo@net-c.com
Sent: Tuesday, July 11, 2023 6:02 PM
To: bremont@cvz.es; openldap-technical@openldap.org
Subject: [EXT] Re: pwdAccountLockedTime does not have any impact
Hi,
Could you show us your ppolicy settings please?
As far as I remember, you need at least pwdLockout set to TRUE in order to have the attribute pwdAccountLockedTime checked.
From: CVZ bremont@cvz.es
To: openldap-technical@openldap.org
Subject: pwdAccountLockedTime does not have any impact
Date: 11/07/2023 11:41:41 Europe/Paris
Hi Everybody, <https://urldefense.com/v3/__https://stackoverflow.com/posts/76341444/timelin... >
Sorry, we are fighting with pwdAccountLockedTime.
I want to use "pwdAccountLockedTime" attribute to automatically lock an account using OpenLDAP (v.2.5.14). Whatever the value in the field, the account is never locked.
I first started by activating the "ppolicy" module using slapadd and a ppolicy-module.ldif file such as the one mentioned here <https://urldefense.com/v3/__https://stackoverflow.com/questions/49257247/how... >, then I checked that the module is loaded and I did not have any problem:

$ sudo slapcat -n 0 | grep olcModuleLoad | grep ppolicy
olcModuleLoad: {0}ppolicy
Then, I extended the LDAP schema to allow the use of ppolicy attributes such as "pwdAccountLockedTime". I set it to "00000101000000Z" in order to permanently lock an account (to check if it was working). But I can still connect (using LDAP Admin tools) with the account that was supposed to be locked.
We also tried to modify the value:

dn: uid=...
replace: pwdAccountLockedTime
pwdAccountLockedTime: 20221021135537Z
And even with dates in the future, we are still able to connect, with the whoami command or from a SOGo webmail connected to the LDAP server.
Any idea? Thanks in advance for your help.
Best,
Damien
openldap-technical@openldap.org