[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: PPolicy
I have ppolicy partially working, pieced together from examples on the
web from Howard and others. Please find my sanitized slapd.conf attached.
Here is my ppolicy DIT entry:
# default, Policies, example.com
dn: cn=default,ou=Policies,dc=example,dc=com
cn: default
objectClass: pwdPolicy
objectClass: device
pwdAttribute: userPassword
pwdMaxAge: 2592000
This is merely to expire user logins after the specified number of
seconds (password aging)...
The problems that I'm having though:
1. getting the provider to replicate changes to the password policy to
the consumer.
2. the password policies dont take effect until people change their
passwords! (good and bad to this...)
Thanks,
--
Joshua M. Miller - RHCE,VCP
Greg Ryan wrote:
Has anyone ever gotten ppolicy to work? I have been trying for weeks and
just cant get it to work at all. Does anyone have any config examples
from a working ppolicy config?
# slapd.conf
include /usr/share/openldap/schema/core.schema
include /usr/share/openldap/schema/cosine.schema
include /usr/share/openldap/schema/inetcomperson.schema
include /usr/share/openldap/schema/nis.schema
include /usr/share/openldap/schema/corba.schema
include /usr/share/openldap/schema/java.schema
include /usr/share/openldap/schema/krb5-kdc.schema
include /usr/share/openldap/schema/kerberosobject.schema
include /usr/share/openldap/schema/misc.schema
include /usr/share/openldap/schema/openldap.schema
include /usr/share/openldap/schema/autofs.schema
include /usr/share/openldap/schema/samba.schema
include /usr/share/openldap/schema/kolab.schema
include /usr/share/openldap/schema/evolutionperson.schema
include /usr/share/openldap/schema/calendar.schema
include /usr/share/openldap/schema/sudo.schema
include /usr/share/openldap/schema/dnszone.schema
include /usr/share/openldap/schema/dhcp.schema
include /usr/share/openldap/schema/ppolicy.schema
#
pidfile /var/run/ldap/slapd.pid
argsfile /var/run/ldap/slapd.args
loglevel 256
# Setup TLS/SSL stuff
TLSCipherSuite HIGH:MEDIUM:+SSLv2:RSA
TLSCertificateFile /etc/openldap/ssl/host.example.com.crt
TLSCertificateKeyFile /etc/openldap/ssl/host.pem
TLSCACertificateFile /usr/share/ssl/certs/cacert.crt
TLSVerifyClient never
# Require TLS even on port 389
security ssf=168 tls=168 update_ssf=168 update_tls=168 simple_bind=128
# Setup password hash requirement
password-hash {crypt}
# Setup ACLs
access to attrs=userPassword
by dn.exact="uid=replicator,ou=People,dc=example,dc=com" read
by self write
by * auth
access to *
by dn.exact="uid=replicator,ou=People,dc=example,dc=com" read
by * write
by self auth
access to *
by * read
by anonymous auth
# Load appropriate modules
moduleload /usr/lib/openldap/syncprov.la
moduleload /usr/lib/openldap/ppolicy.la
moduleload /usr/lib/openldap/unique.la
moduleload /usr/lib/openldap/back_ldap.la
moduleload /usr/lib/openldap/lastmod.la
#
database bdb
suffix "dc=example,dc=com"
rootdn "cn=manager,dc=example,dc=com"
rootpw "secret"
directory /var/lib/ldap
checkpoint 256 5
#
# Setup syncrep replication
#
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
#
index objectClass,uid,dc,o,ou eq
index cn eq,subinitial
index uidNumber eq
index gidNumber eq
index entryCSN eq
index entryUUID eq
index nisNetgroupTriple eq
index memberUid,uniqueMember eq
# Replicas running syncrepl as non-rootdn need unrestricted size/time limits:
limits group="cn=replicators,ou=Group,dc=example,dc=com"
size=unlimited
time=unlimited
# password policy
overlay ppolicy
ppolicy_default "cn=default,ou=Policies,dc=example,dc=com"
- References:
- PPolicy
- From: "Greg Ryan" <Greg.Ryan@vegas.com>