
Re: PPolicy



I have ppolicy partially working, pieced together from examples on the web from Howard and others. Please find my sanitized slapd.conf attached.

Here is my ppolicy DIT entry:

# default, Policies, example.com
# Default password policy entry, referenced by the ppolicy_default
# directive in slapd.conf. pwdPolicy is an auxiliary object class in
# ppolicy.schema, so a structural class (device here) is needed to make
# the entry valid.
dn: cn=default,ou=Policies,dc=example,dc=com
cn: default
objectClass: pwdPolicy
objectClass: device
# The attribute the policy applies to.
pwdAttribute: userPassword
# Maximum password age in seconds: 2592000 s = 30 days. The age is
# measured from the entry's pwdChangedTime (set when the password is
# changed through slapd with the overlay active), so entries that have
# never had a password change under ppolicy carry no age yet.
pwdMaxAge: 2592000

This is merely to expire user logins after the specified number of seconds (password aging)...

The problems that I'm having though:
1. getting the provider to replicate changes to the password policy to the consumer.
2. the password policies don't take effect until people change their passwords! (good and bad to this...)


Thanks,
--
Joshua M. Miller - RHCE,VCP


Greg Ryan wrote:
Has anyone ever gotten ppolicy to work? I have been trying for weeks and just can't get it to work at all. Does anyone have any config examples from a working ppolicy config?
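# slapd.conf
# Sanitized provider (master) configuration: bdb database with the
# syncprov overlay for replication and the ppolicy overlay for password
# aging. slapd.conf directives are evaluated top to bottom; a line that
# starts with whitespace continues the previous directive.
include /usr/share/openldap/schema/core.schema
include /usr/share/openldap/schema/cosine.schema
include /usr/share/openldap/schema/inetcomperson.schema
include /usr/share/openldap/schema/nis.schema
include /usr/share/openldap/schema/corba.schema
include /usr/share/openldap/schema/java.schema
include /usr/share/openldap/schema/krb5-kdc.schema
include /usr/share/openldap/schema/kerberosobject.schema
include /usr/share/openldap/schema/misc.schema
include /usr/share/openldap/schema/openldap.schema
include /usr/share/openldap/schema/autofs.schema
include /usr/share/openldap/schema/samba.schema
include /usr/share/openldap/schema/kolab.schema
include /usr/share/openldap/schema/evolutionperson.schema
include /usr/share/openldap/schema/calendar.schema
include /usr/share/openldap/schema/sudo.schema
include /usr/share/openldap/schema/dnszone.schema
include /usr/share/openldap/schema/dhcp.schema
# Required for the pwdPolicy object class used by the policy entry.
include /usr/share/openldap/schema/ppolicy.schema
#
pidfile         /var/run/ldap/slapd.pid
argsfile        /var/run/ldap/slapd.args
# 256 = connection/operation statistics only.
loglevel	256

# Setup TLS/SSL stuff
# "!SSLv2" removes the SSLv2 ciphers from the list entirely; the earlier
# "+SSLv2" only moved them to the end of the preference order, leaving
# them negotiable.
TLSCipherSuite HIGH:MEDIUM:!SSLv2:RSA
TLSCertificateFile /etc/openldap/ssl/host.example.com.crt
TLSCertificateKeyFile /etc/openldap/ssl/host.pem
TLSCACertificateFile /usr/share/ssl/certs/cacert.crt
# Clients are not asked for certificates; authentication is by bind only.
TLSVerifyClient         never

# Require TLS even on port 389
# ssf/tls=168 demands a 168-bit (3DES-class) TLS session for all operations,
# update_* the same for write operations, and simple binds need at least 128.
security ssf=168 tls=168 update_ssf=168 update_tls=168 simple_bind=128

# Setup password hash requirement
# Scheme used for passwords set via the Password Modify extended operation.
# NOTE(review): {crypt} defers to the system crypt(3), whose strength
# depends on the platform; {SSHA} is the OpenLDAP default - confirm the
# choice is deliberate (e.g. for sharing hashes with other consumers).
password-hash {crypt}

# Setup ACLs
# The first "access to" clause whose target matches is the one applied,
# so the most specific target (userPassword) must come first.
# userPassword: the replication identity may read the hashes, users may
# change their own, everyone else may only use it to authenticate.
access to attrs=userPassword
  by dn.exact="uid=replicator,ou=People,dc=example,dc=com"  read
  by self write
  by * auth
# Everything else: the replicator and all other binds (including
# anonymous) may read, users may modify their own entry. The earlier
# config granted "by * write" here, which let every client, anonymous
# included, modify any entry; its later "by self auth" and the whole
# following "access to *" clause (by * read / by anonymous auth) were
# unreachable because this clause already matched every entry.
access to *
  by dn.exact="uid=replicator,ou=People,dc=example,dc=com"  read
  by self write
  by * read

# Load appropriate modules
moduleload /usr/lib/openldap/syncprov.la
moduleload /usr/lib/openldap/ppolicy.la
# NOTE(review): unique.la, back_ldap.la and lastmod.la are loaded but
# nothing in this (sanitized) file configures a unique/lastmod overlay
# or an ldap database; harmless if unused, but worth confirming.
moduleload /usr/lib/openldap/unique.la
moduleload /usr/lib/openldap/back_ldap.la
moduleload /usr/lib/openldap/lastmod.la
#
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=manager,dc=example,dc=com"
# Sanitized placeholder. A deployed config should carry a hashed value
# (output of slappasswd) rather than a cleartext password.
rootpw          "secret"
directory       /var/lib/ldap
# Flush the bdb log every 256 KB or 5 minutes, whichever comes first.
checkpoint 256 5

#
# Setup syncrep replication
#
# syncprov makes this server the provider; consumers pull changes via
# syncrepl. Entries under ou=Policies replicate like any other entry
# (subject to the replicator's read access above); the ppolicy state
# attributes the overlay writes on user entries may not be propagated
# the same way - see the ppolicy section below.
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
#
index   objectClass,uid,dc,o,ou  eq
index   cn                eq,subinitial
index   uidNumber         eq
index   gidNumber         eq
# entryCSN/entryUUID equality indexes are needed for efficient syncrepl.
index   entryCSN          eq
index   entryUUID	        eq
index   nisNetgroupTriple eq
index   memberUid,uniqueMember         eq

# Replicas running syncrepl as non-rootdn need unrestricted size/time limits:
# NOTE(review): this limit is keyed on the cn=replicators group while the
# ACLs above name uid=replicator directly - confirm that DN is a member of
# the group, or the consumer's searches will be truncated by the defaults.
limits group="cn=replicators,ou=Group,dc=example,dc=com"
 size=unlimited
 time=unlimited

# password policy
# ppolicy enforces the pwdPolicy entry named by ppolicy_default for every
# entry that has no pwdPolicySubentry of its own. pwdMaxAge is measured
# from the operational attribute pwdChangedTime, which the overlay sets
# only when a password is changed through this server - existing entries
# without it are not aged until their next password change, which matches
# the "policies don't take effect until people change their passwords"
# behaviour described above.
overlay ppolicy
ppolicy_default "cn=default,ou=Policies,dc=example,dc=com"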