
Testing Password Policies - Overlay ppolicy



My attempts to replicate the ppolicy tests in test022-ppolicy that are
done when you run 'make test' have failed and I'm not quite sure why. 
I'm running 2.3.27 configured as such:

./configure " '--prefix=/usr/local/ldap' '--enable-overlays=mod'
'--enable-modules' '--enable-bdb' '--enable-rlookups'
'--enable-ppolicy=mod' '--enable-accesslog

Slapd.conf
###

############################################################
include         /usr/local/ldap/etc/openldap/schema/core.schema
include         /usr/local/ldap/etc/openldap/schema/cosine.schema
include         /usr/local/ldap/etc/openldap/schema/nis.schema
include         /usr/local/ldap/etc/openldap/schema/corba.schema
include         /usr/local/ldap/etc/openldap/schema/inetorgperson.schema
include         /usr/local/ldap/etc/openldap/schema/misc.schema
include         /usr/local/ldap/etc/openldap/schema/openldap.schema
include         /usr/local/ldap/etc/openldap/schema/ppolicy.schema
pidfile         /var/run/ldap/slapd.pid
argsfile        /var/run/ldap/slapd.args
modulepath    /usr/local/ldap/libexec/openldap
# moduleload    back_bdb.la
# moduleload    back_ldap.la
# moduleload    back_ldbm.la
# moduleload    back_passwd.la
# moduleload    back_shell.la
moduleload ppolicy.la
overlay ppolicy
ppolicy_default "cn=std,ou=portal,ou=policies,dc=ttpua,dc=portal"
ppolicy_use_lockout
access to dn="" by * read
password-hash   {SSHA}
database        bdb
suffix          "dc=ttpua,dc=portal"
rootdn          "cn=scoobydoo,dc=ttpua,dc=portal"
rootpw {SSHA}WYbywCIVw8fWeqskkVlqdDSgIuV3oCob
directory       /usr/local/ldap/var/openldap-data
index default eq
index objectClass,uid,dc,o,ou
<snip>


Here is also a slapcat of my directory so far:

###

dn: dc=ttpua,dc=portal
dc: ttpua
objectClass: dcObject
objectClass: organizationalUnit
ou: TTPUA Portal
structuralObjectClass: organizationalUnit
entryUUID: f0a9c1ec-dd27-102a-9bfc-3fef944328a2
creatorsName: cn=scoobydoo,ou=system,ou=users,dc=ttpua,dc=portal
modifiersName: cn=scoobydoo,ou=system,ou=users,dc=ttpua,dc=portal
createTimestamp: 20060920191410Z
modifyTimestamp: 20060920191410Z
entryCSN: 20060920191410Z#000000#00#000000

dn: ou=users,dc=ttpua,dc=portal
ou: users
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
entryUUID: f0b2c404-dd27-102a-9bfd-3fef944328a2
creatorsName: cn=scoobydoo,ou=system,ou=users,dc=ttpua,dc=portal
modifiersName: cn=scoobydoo,ou=system,ou=users,dc=ttpua,dc=portal
createTimestamp: 20060920191410Z
modifyTimestamp: 20060920191410Z
entryCSN: 20060920191410Z#000001#00#000000

dn: ou=system,ou=users,dc=ttpua,dc=portal
ou: system
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
entryUUID: f0b3d042-dd27-102a-9bfe-3fef944328a2
creatorsName: cn=scoobydoo,ou=system,ou=users,dc=ttpua,dc=portal
modifiersName: cn=scoobydoo,ou=system,ou=users,dc=ttpua,dc=portal
createTimestamp: 20060920191410Z
modifyTimestamp: 20060920191410Z
entryCSN: 20060920191410Z#000002#00#000000

dn: ou=portal,ou=users,dc=ttpua,dc=portal
ou: portal
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
entryUUID: f0b4b8c2-dd27-102a-9bff-3fef944328a2
creatorsName: cn=scoobydoo,ou=system,ou=users,dc=ttpua,dc=portal
modifiersName: cn=scoobydoo,ou=system,ou=users,dc=ttpua,dc=portal
createTimestamp: 20060920191410Z
modifyTimestamp: 20060920191410Z
entryCSN: 20060920191410Z#000003#00#000000

dn: ou=disabled,ou=portal,ou=users,dc=ttpua,dc=portal
ou: disabled
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
entryUUID: f0b5a19c-dd27-102a-9c00-3fef944328a2
creatorsName: cn=scoobydoo,ou=system,ou=users,dc=ttpua,dc=portal
modifiersName: cn=scoobydoo,ou=system,ou=users,dc=ttpua,dc=portal
createTimestamp: 20060920191410Z
modifyTimestamp: 20060920191410Z
entryCSN: 20060920191410Z#000004#00#000000

dn: ou=active,ou=portal,ou=users,dc=ttpua,dc=portal
ou: active
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
entryUUID: f0b663e8-dd27-102a-9c01-3fef944328a2
creatorsName: cn=scoobydoo,ou=system,ou=users,dc=ttpua,dc=portal
modifiersName: cn=scoobydoo,ou=system,ou=users,dc=ttpua,dc=portal
createTimestamp: 20060920191410Z
modifyTimestamp: 20060920191410Z
entryCSN: 20060920191410Z#000005#00#000000

dn: ou=pending,ou=portal,ou=users,dc=ttpua,dc=portal
ou: pending
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
entryUUID: f0b750fa-dd27-102a-9c02-3fef944328a2
creatorsName: cn=scoobydoo,ou=system,ou=users,dc=ttpua,dc=portal
modifiersName: cn=scoobydoo,ou=system,ou=users,dc=ttpua,dc=portal
createTimestamp: 20060920191410Z
modifyTimestamp: 20060920191410Z
entryCSN: 20060920191410Z#000006#00#000000

dn: ou=roles,dc=ttpua,dc=portal
ou: roles
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
entryUUID: f0b839e8-dd27-102a-9c03-3fef944328a2
creatorsName: cn=scoobydoo,ou=system,ou=users,dc=ttpua,dc=portal
modifiersName: cn=scoobydoo,ou=system,ou=users,dc=ttpua,dc=portal
createTimestamp: 20060920191410Z
modifyTimestamp: 20060920191410Z
entryCSN: 20060920191410Z#000007#00#000000

dn: ou=portal,ou=roles,dc=ttpua,dc=portal
ou: portal
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
entryUUID: f0b92a9c-dd27-102a-9c04-3fef944328a2
creatorsName: cn=scoobydoo,ou=system,ou=users,dc=ttpua,dc=portal
modifiersName: cn=scoobydoo,ou=system,ou=users,dc=ttpua,dc=portal
createTimestamp: 20060920191410Z
modifyTimestamp: 20060920191410Z
entryCSN: 20060920191410Z#000008#00#000000

dn: ou=policies,dc=ttpua,dc=portal
ou: policies
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
entryUUID: f0ba10ec-dd27-102a-9c05-3fef944328a2
creatorsName: cn=scoobydoo,ou=system,ou=users,dc=ttpua,dc=portal
modifiersName: cn=scoobydoo,ou=system,ou=users,dc=ttpua,dc=portal
createTimestamp: 20060920191410Z
modifyTimestamp: 20060920191410Z
entryCSN: 20060920191410Z#000009#00#000000

dn: ou=portal,ou=policies,dc=ttpua,dc=portal
ou: portal
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
entryUUID: f0bafb4c-dd27-102a-9c06-3fef944328a2
creatorsName: cn=scoobydoo,ou=system,ou=users,dc=ttpua,dc=portal
modifiersName: cn=scoobydoo,ou=system,ou=users,dc=ttpua,dc=portal
createTimestamp: 20060920191410Z
modifyTimestamp: 20060920191410Z
entryCSN: 20060920191410Z#00000a#00#000000

dn: cn=std,ou=portal,ou=policies,dc=ttpua,dc=portal
objectClass: pwdPolicy
objectClass: top
objectClass: device
cn: std
pwdAttribute: userPassword
pwdMaxAge: 7516800
pwdExpireWarning: 432000
pwdInHistory: 6
pwdCheckQuality: 1
pwdMinLength: 8
pwdMaxFailure: 4
pwdLockout: TRUE
pwdLockoutDuration: 1920
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: TRUE
structuralObjectClass: device
entryUUID: b0976292-dd29-102a-8aff-4f205a2326f4
creatorsName: cn=scoobydoo,ou=system,ou=users,dc=ttpua,dc=portal
modifiersName: cn=scoobydoo,ou=system,ou=users,dc=ttpua,dc=portal
createTimestamp: 20060920192642Z
modifyTimestamp: 20060920192642Z
entryCSN: 20060920192642Z#000000#00#000000

dn: ou=testing,ou=portal,ou=users,dc=ttpua,dc=portal
ou: testing
objectClass: top
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
entryUUID: badddc52-dd30-102a-8afe-613291c80c74
creatorsName: cn=scoobydoo,ou=system,ou=users,dc=ttpua,dc=portal
createTimestamp: 20060920201706Z
entryCSN: 20060920201706Z#000000#00#000000
modifiersName: cn=scoobydoo,ou=system,ou=users,dc=ttpua,dc=portal
modifyTimestamp: 20060920201706Z

dn: cn=scoobydoo,ou=system,ou=users,dc=ttpua,dc=portal
objectClass: top
objectClass: person
sn: scoobydoo
cn: scoobydoo
structuralObjectClass: person
entryUUID: 56d4aa34-dd39-102a-93bd-2d2088fc7504
creatorsName: cn=scoobydoo,ou=system,ou=users,dc=ttpua,dc=portal
createTimestamp: 20060920211843Z
entryCSN: 20060920211922Z#000000#00#000000
modifiersName: cn=scoobydoo,ou=system,ou=users,dc=ttpua,dc=portal
modifyTimestamp: 20060920211922Z

dn: cn=test,ou=portal,ou=policies,dc=ttpua,dc=portal
objectClass: pwdPolicy
objectClass: top
objectClass: device
cn: test
pwdAttribute: userPassword
pwdMaxAge: 360
pwdExpireWarning: 120
pwdInHistory: 3
pwdCheckQuality: 1
pwdMinLength: 8
pwdMaxFailure: 3
pwdLockout: TRUE
pwdLockoutDuration: 60
pwdFailureCountInterval: 120
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: TRUE
pwdGraceAuthNLimit: 3
structuralObjectClass: device
entryUUID: dde41790-ddb0-102a-9d8f-2524a04c2d05
creatorsName: cn=scoobydoo,dc=ttpua,dc=portal
modifiersName: cn=scoobydoo,dc=ttpua,dc=portal
createTimestamp: 20060921113420Z
modifyTimestamp: 20060921113420Z
entryCSN: 20060921113420Z#000000#00#000000

dn: uid=testuser,ou=testing,ou=portal,ou=users,dc=ttpua,dc=portal
objectClass: top
objectClass: person
objectClass: inetOrgPerson
cn: testuser
uid: testuser
sn: testuser
structuralObjectClass: inetOrgPerson
entryUUID: f6507ba2-ddb0-102a-9210-29d6716ce04a
creatorsName: cn=scoobydoo,dc=ttpua,dc=portal
createTimestamp: 20060921113501Z
userPassword:: e1NIQX0zSEpLOFkrOTFPV1JpZlgrZG9wZmd4RlNjRkE9
pwdPolicySubentry: cn=test,ou=portal,ou=policies,dc=ttpua,dc=portal
entryCSN: 20060921120254Z#000000#00#000000
modifiersName: cn=scoobydoo,dc=ttpua,dc=portal
modifyTimestamp: 20060921120254Z



In test022-ppolicy, simple tests are performed. They test acct lockout,
acct reset, grace time, etc. As I said above, I'm just trying to
replicate the same tests first of all, trying to see if I can get my
account locked out. 
If I run:

./ldapsearch -x -P 3 -LLL -e ppolicy -h localhost -D
uid=testuser,ou=testing,ou=portal,ou=users,dc=ttpua,dc=portal -w
badpasswd

3 times, according to my test policy, the testuser account should be
locked out and on try number 4, receive an error that this is the case.
This is not occurring. When I ran make test, test022-ppolicy completed OK
according to the output. I'm not doing anything differently here as far
as my eyes can see. Can someone give me some direction?

Thank you,

Errol Neal
__________________________________________
Errol Uriel Neal Jr.
Sr. Network Administrator
DFI International, Inc.
1717 Pennsylvania Ave NW, Suite 1300
Washington, DC  20006
Tel (202)452-6955
Fax (202)452-6910
eneal@dfi-intl.com
www.dfi-intl.com
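
A diagnostic for the lockout test described above, as an added example that is not part of the original post: it reads slapcat output and reports, for one user, how many pwdFailureTime values are recorded and whether pwdAccountLockedTime still puts the account in lockout under the referenced policy. The sample timestamps, the function names and the simplified evaluation rule are assumptions made for this example.

```python
import base64
from datetime import datetime, timedelta, timezone
# Constructed sample: the thread's test policy and user, with invented failure timestamps.
SAMPLE = """\
dn: cn=test,ou=portal,ou=policies,dc=ttpua,dc=portal
pwdMaxFailure: 3
pwdLockout: TRUE
pwdLockoutDuration: 60
pwdFailureCountInterval: 120

dn: uid=testuser,ou=testing,ou=portal,ou=users,dc=ttpua,dc=portal
pwdPolicySubentry: cn=test,ou=portal,ou=policies,dc=ttpua,dc=portal
pwdFailureTime: 20060921120300Z
pwdFailureTime: 20060921120305Z
pwdFailureTime: 20060921120310Z
pwdAccountLockedTime: 20060921120310Z
"""

def parse_ldif(text):
    """Return {lowercased dn: {lowercased attr: [values]}}; decodes 'attr:: base64'."""
    entries = {}
    for block in text.replace("\n ", "").split("\n\n"):  # unfold continuation lines
        attrs = {}
        for line in filter(None, block.splitlines()):
            name, _, value = line.partition(":")
            if value.startswith(":"):
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            attrs.setdefault(name.lower(), []).append(value.strip())
        if "dn" in attrs:
            entries[attrs["dn"][0].lower()] = attrs
    return entries

def ts(value):
    return datetime.strptime(value[:14], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def lockout_state(entries, user_dn, default_policy_dn, now):
    # pwdPolicySubentry on the user wins; otherwise fall back to ppolicy_default.
    user = entries[user_dn.lower()]
    policy = entries[user.get("pwdpolicysubentry", [default_policy_dn])[0].lower()]
    num = lambda attr: int(policy.get(attr, ["0"])[0])
    window = num("pwdfailurecountinterval")  # 0 means failures never age out
    failures = [t for t in map(ts, user.get("pwdfailuretime", []))
                if window == 0 or now - t <= timedelta(seconds=window)]
    locked = False
    if policy.get("pwdlockout", ["FALSE"])[0].upper() == "TRUE" and "pwdaccountlockedtime" in user:
        duration = num("pwdlockoutduration")  # 0 means locked until an admin resets
        locked = duration == 0 or now < ts(user["pwdaccountlockedtime"][0]) + timedelta(seconds=duration)
    return {"failures": len(failures), "max": num("pwdmaxfailure"), "locked": locked}
```

Feed it slapcat output taken right after the failed binds; a result of zero failures means no pwdFailureTime values have reached the user entry.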