ppolicy: unable to assign default policy to an individual user account
- To: openldap-software@openldap.org
- Subject: ppolicy: unable to assign default policy to an individual user account
- From: Scott Phelps <sphe@loc.gov>
- Date: Mon, 06 Aug 2007 03:41:49 -0400
- Organization: Library of Congress
- User-agent: Thunderbird 2.0.0.6 (Macintosh/20070728)
Environment:
===============
* OS:
Ubuntu Feisty 7.04
* Slapd Version:
slapd 2.3.30
* Apt-Package Compile Options (per launchpadlibrarian.net):
--prefix=/usr --libexecdir='${prefix}/lib'
--sysconfdir=/etc --localstatedir=/var
--mandir='${prefix}/share/man'
--enable-debug --enable-dynamic
--enable-syslog
--enable-proctitle
--enable-ipv6
--enable-local
--enable-slapd
--enable-aci
--enable-cleartext
--enable-crypt
--enable-spasswd
--enable-modules
--enable-rewrite
--enable-rlookups
--enable-slp
--enable-wrappers
--enable-backends=mod
--enable-ldbm=no
--enable-overlays=mod
--enable-slurpd
--with-subdir=ldap
--with-cyrus-sasl
--with-threads
--with-tls
* slapd.conf (abridged)
=============
# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/sudo.schema
include /etc/ldap/schema/autofs.schema
include /etc/ldap/schema/ppolicy.schema
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/authldap.schema
include /etc/ldap/schema/solaris.schema
include /etc/ldap/schema/solaris-nis.schema
include /etc/ldap/schema/solarisdua.schema
modulepath /usr/lib/ldap
moduleload back_bdb
moduleload ppolicy
schemacheck on
TLSCipherSuite #####SECRET######
TLSCertificateFile #####SECRET######
TLSCertificateKeyFile #####SECRET######
TLSCACertificateFile #####SECRET######
database bdb
# Overlay Directives
overlay ppolicy
ppolicy_default "cn=defaultPolicy,ou=policies,#####SECRET#######"
ppolicy_use_lockout
directory "/var/lib/ldap"
# For the Debian package we use 2MB as default but be sure to update this
# value if you have plenty of RAM
dbconfig set_cachesize 0 2097152 0
# Sven Hartge reported that he had to set this value incredibly high
# to get slapd running at all. See http://bugs.debian.org/303057
# for more information.
# Number of objects that can be locked at the same time.
dbconfig set_lk_max_objects 1500
# Number of locks (both requested and granted)
dbconfig set_lk_max_locks 1500
# Number of lockers
dbconfig set_lk_max_lockers 1500
# Indexing options for database #1
index objectClass eq
# Save the time that the entry gets modified, for database #1
lastmod on
access to dn.children="ou=people,#####SECRET######" attrs=userPassword
by group/groupOfNames/member="#####SECRET######" write
by self write
by * auth
* defaultPolicy.ldif
========================
dn: cn=defaultPolicy,ou=policies,#####SECRET######
cn: defaultPolicy
objectClass: organizationalRole
objectClass: pwdPolicy
objectClass: top
pwdLockout: TRUE
pwdMaxFailure: 3
pwdAttribute: userPassword
pwdGraceAuthNLimit: 3
pwdLockoutDuration: 15
pwdAllowUserChange: TRUE
* ppolicytest.ldif
=========================
dn: uid=ppolicytest,ou=people,#####SECRET######
uid: ppolicytest
uidNumber: 1012
gidNumber: 100
homeDirectory: /home/ppolicytest
loginShell: /bin/bash
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
structuralObjectClass: inetOrgPerson
entryUUID: e4c33596-d832-102b-8c70-39998be84848
creatorsName: #####SECRET######
createTimestamp: 20070806063457Z
pwdPolicySubentry: cn=defaultPolicy,ou=policies,#####SECRET######
userPassword: {MD5}Gh3JHJBzJcaScd3wyUS8cg==
pwdChangedTime: 20070806070643Z
cn: ppolicytest
entryCSN: 20070806070815Z#000000#00#000000
modifiersName: #####SECRET######
modifyTimestamp: 20070806070815Z
entryDN: uid=ppolicytest,ou=people,#####SECRET######
subschemaSubentry: cn=Subschema
hasSubordinates: FALSE
So with all this in place I get no errors starting slapd (the module
gets loaded). I run the following command 4 times:
ldapsearch -P 3 -x -LLL -e ppolicy -D "uid=ppolictest,ou=people,#####SECRET######" -W "(objectclass=*)"
entering an incorrect password each time; however, the account never gets
locked out and the operational attributes never change.
TIA for any advice!
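A preflight check for this kind of lockout test, added here as an example; it is not the poster's code nor part of OpenLDAP. It parses an abridged slapd.conf and the policy/user LDIF and reports the gaps that let a "bind N times with a wrong password" test pass silently: overlay or module not declared, ppolicy_use_lockout unset, policy entry missing or lacking pwdPolicy/pwdLockout/pwdMaxFailure, too few attempts, and a bind DN that matches no entry (the overlay records pwdFailureTime on the entry being bound as, so a DN that does not exist can never accumulate failures). The sample data is constructed and modelled on the thread, with the assumed suffix dc=example,dc=org in place of the redacted one; the second bind DN it tries deliberately differs from the user entry's DN by one letter. The function names (parse_ldif, parse_slapd_conf, preflight) are this example's own.

```python
"""ppolicy lockout preflight: parse slapd.conf + LDIF, report why a
bad-password bind loop would not lock the account.
Example code, not OpenLDAP's; DNs use an assumed dc=example,dc=org suffix."""
import base64
import re

# Constructed slapd.conf excerpt modelled on the thread (not the real file).
SLAPD_CONF = """\
moduleload ppolicy
database bdb
overlay ppolicy
ppolicy_default "cn=defaultPolicy,ou=policies,dc=example,dc=org"
ppolicy_use_lockout
"""

# Constructed LDIF: the policy entry plus a test user that points at it.
LDIF = """\
dn: cn=defaultPolicy,ou=policies,dc=example,dc=org
objectClass: organizationalRole
objectClass: pwdPolicy
cn: defaultPolicy
pwdAttribute: userPassword
pwdLockout: TRUE
pwdMaxFailure: 3
pwdLockoutDuration: 15

dn: uid=ppolicytest,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
uid: ppolicytest
cn: ppolicytest
sn: test
userPassword: {MD5}Gh3JHJBzJcaScd3wyUS8cg==
pwdPolicySubentry: cn=defaultPolicy,ou=policies,dc=example,dc=org
"""


def normalize_dn(dn):
    """Lower-case and strip spaces around RDN separators; enough for the
    simple DNs used here, not a full RFC 4514 canonicaliser."""
    return ",".join(p.strip() for p in dn.strip().strip('"').lower().split(","))


def parse_ldif(text):
    """Minimal LDIF reader (folded lines, '::' base64 values, '#' comments).
    Returns {normalized_dn: {attr_lowercase: [values]}}."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:      # folded continuation line
                lines[-1] += raw[1:]
            elif raw and not raw.startswith("#"):
                lines.append(raw)
        attrs = {}
        for line in lines:
            name, _, value = line.partition(":")
            if value.startswith(":"):              # attr:: <base64>
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            attrs.setdefault(name.strip().lower(), []).append(value)
        entries[normalize_dn(attrs.pop("dn")[0])] = attrs
    return entries


def parse_slapd_conf(text):
    """Collect directives from a slapd.conf excerpt; repeatable ones
    (moduleload, overlay) become lists, bare flags map to ''."""
    conf = {"moduleload": [], "overlay": []}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition(" ")
        key = key.lower()
        if isinstance(conf.get(key), list):
            conf[key].append(rest.strip())
        else:
            conf[key] = rest.strip().strip('"')
    return conf


def preflight(conf, entries, bind_dn, attempts=4):
    """Findings for a test that binds `attempts` times as bind_dn with a
    wrong password; an empty list means a lock should result."""
    findings = []
    if not any(m.split(".")[0] == "ppolicy" for m in conf["moduleload"]):
        findings.append("no 'moduleload ppolicy' (needed when overlays are built as modules)")
    if "ppolicy" not in conf["overlay"]:
        findings.append("no 'overlay ppolicy' under the database definition")
    if "ppolicy_use_lockout" not in conf:
        findings.append("ppolicy_use_lockout unset: a lock is still applied, but the ppolicy "
                        "response control will not report accountLocked to the client")
    user = entries.get(normalize_dn(bind_dn))
    if user is None:
        findings.append("bind DN %s matches no entry: slapd has no entry on which to record "
                        "pwdFailureTime, so these binds can never cause a lockout" % bind_dn)
        return findings
    policy_dn = (user.get("pwdpolicysubentry") or [conf.get("ppolicy_default", "")])[0]
    policy = entries.get(normalize_dn(policy_dn))
    if policy is None:
        findings.append("policy entry '%s' not found in the directory" % policy_dn)
        return findings
    if "pwdpolicy" not in [oc.lower() for oc in policy.get("objectclass", [])]:
        findings.append("policy entry lacks objectClass pwdPolicy")
    if policy.get("pwdattribute", [""])[0].lower() != "userpassword":
        findings.append("pwdAttribute must be userPassword (the only value slapd supports)")
    if policy.get("pwdlockout", ["FALSE"])[0].upper() != "TRUE":
        findings.append("pwdLockout is not TRUE: reaching pwdMaxFailure does not lock the account")
    max_failure = int(policy.get("pwdmaxfailure", ["0"])[0])
    if max_failure == 0:
        findings.append("pwdMaxFailure absent or 0: no failure threshold, so no lock can occur")
    elif attempts < max_failure:
        findings.append("%d failed binds will not reach pwdMaxFailure=%d" % (attempts, max_failure))
    return findings


if __name__ == "__main__":
    conf, entries = parse_slapd_conf(SLAPD_CONF), parse_ldif(LDIF)
    for dn in ("uid=ppolicytest,ou=people,dc=example,dc=org",
               "uid=ppolictest,ou=people,dc=example,dc=org"):   # one letter off
        print(dn, "->", preflight(conf, entries, dn) or ["OK: expect a lock after 3 failures"])
```

Run it against your own slapd.conf and an `ldapsearch -x -b ... '+' '*'` dump of the policy and user entries before blaming the overlay; once it reports nothing, the operational attributes pwdFailureTime and pwdAccountLockedTime on the user entry are what should change after the failed binds.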