[Date Prev][Date Next] [Chronological] [Thread] [Top]

ppolicy: unable to assign default policy to an individual user account

To: openldap-software@openldap.org
Subject: ppolicy: unable to assign default policy to an individual user account
From: Scott Phelps <sphe@loc.gov>
Date: Mon, 06 Aug 2007 03:41:49 -0400
Organization: Library of Congress
User-agent: Thunderbird 2.0.0.6 (Macintosh/20070728)

Environment:
===============
* OS:
      Ubuntu Feisty 7.04
* Slapd Version:
       slapd 2.3.30
* Apt-Package Compile Options (per launchpadlibrarian.net):
       --prefix=/usr --libexecdir='${prefix}/lib'
       --sysconfdir=/etc --localstatedir=/var
       --mandir='${prefix}/share/man'
       --enable-debug --enable-dynamic
       --enable-syslog
       --enable-proctitle
       --enable-ipv6
       --enable-local
       --enable-slapd
       --enable-aci
       --enable-cleartext
       --enable-crypt
       --enable-spasswd
       --enable-modules
       --enable-rewrite
       --enable-rlookups
       --enable-slp
       --enable-wrappers
       --enable-backends=mod
       --enable-ldbm=no
       --enable-overlays=mod
       --enable-slurpd
       --with-subdir=ldap
       --with-cyrus-sasl
       --with-threads
       --with-tls


* slapd.conf (abbridged)
=============
# Schema and objectClass definitions
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/java.schema
include         /etc/ldap/schema/dyngroup.schema
include         /etc/ldap/schema/misc.schema
include         /etc/ldap/schema/sudo.schema
include         /etc/ldap/schema/autofs.schema
include         /etc/ldap/schema/ppolicy.schema
include         /etc/ldap/schema/corba.schema
include         /etc/ldap/schema/authldap.schema
include         /etc/ldap/schema/solaris.schema
include         /etc/ldap/schema/solaris-nis.schema
include         /etc/ldap/schema/solarisdua.schema

modulepath      /usr/lib/ldap
moduleload      back_bdb
moduleload      ppolicy

schemacheck     on

TLSCipherSuite          #####SECRET######
TLSCertificateFile      #####SECRET######
TLSCertificateKeyFile   #####SECRET######
TLSCACertificateFile    #####SECRET######

database        bdb

# Overlay Directives
overlay         ppolicy
ppolicy_default "cn=defaultPolicy,ou=policies,#####SECRET#######"
ppolicy_use_lockout

directory       "/var/lib/ldap"
# For the Debian package we use 2MB as default but be sure to update this
# value if you have plenty of RAM
dbconfig set_cachesize 0 2097152 0
# Sven Hartge reported that he had to set this value incredibly high
# to get slapd running at all. See http://bugs.debian.org/303057
# for more information.
# Number of objects that can be locked at the same time.
dbconfig set_lk_max_objects 1500
# Number of locks (both requested and granted)
dbconfig set_lk_max_locks 1500
# Number of lockers
dbconfig set_lk_max_lockers 1500
# Indexing options for database #1
index           objectClass eq
# Save the time that the entry gets modified, for database #1
lastmod         on

access to dn.children="ou=people,#####SECRET######" attrs=userPassword
        by group/groupOfNames/member="#####SECRET######" write
        by self write
        by * auth

* defaultPolicy.ldif
========================
dn: cn=defaultPolicy,ou=policies,#####SECRET######
cn: defaultPolicy
objectClass: organizationalRole
objectClass: pwdPolicy
objectClass: top
pwdLockout: TRUE
pwdMaxFailure: 3
pwdAttribute: userPassword
pwdGraceAuthNLimit: 3
pwdLockoutDuration: 15
pwdAllowUserChange: TRUE

* ppolicytest.ldif
=========================
dn: uid=ppolicytest,ou=people,#####SECRET######
uid: ppolicytest
uidNumber: 1012
gidNumber: 100
homeDirectory: /home/ppolicytest
loginShell: /bin/bash
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
structuralObjectClass: inetOrgPerson
entryUUID: e4c33596-d832-102b-8c70-39998be84848
creatorsName: #####SECRET######
createTimestamp: 20070806063457Z
pwdPolicySubentry: cn=defaultPolicy,ou=policies,#####SECRET######
userPassword: {MD5}Gh3JHJBzJcaScd3wyUS8cg==
pwdChangedTime: 20070806070643Z
cn: ppolicytest
entryCSN: 20070806070815Z#000000#00#000000
modifiersName: #####SECRET######
modifyTimestamp: 20070806070815Z
entryDN: uid=ppolicytest,ou=people,#####SECRET######
subschemaSubentry: cn=Subschema
hasSubordinates: FALSE


So with this all in place I get no errors starting slapd (the module
gets loaded.)  I run the following command 4 times:
ldapsearch -P 3 -x  -LLL -e ppolicy -D
"uid=ppolictest,ou=people,#####SECRET######" -W "(objectclass=*)"
Entering an incorrect password each time, however the account never gets
locked out and the operational attributes never change.

TIA, for any advice!

Prev by Date: Re: libcrypto.a : bad value(while doing make step in openldap)
Next by Date: Active Directory Password Cache
Index(es):
- Chronological
- Thread