
Re: ppolicy *help*



On Monday 13 August 2007 23:25:58 Scott Phelps wrote:

[...]

> database        bdb
>
> # Overlay Directives
> overlay         ppolicy
> ppolicy_default "cn=defaultPolicy,ou=policies,#####SECRET#######"
> ppolicy_use_lockout
>
> directory       "/var/lib/ldap"
> # For the Debian package we use 2MB as default but be sure to update this
> # value if you have plenty of RAM
> dbconfig set_cachesize 0 2097152 0
> # Sven Hartge reported that he had to set this value incredibly high
> # to get slapd running at all. See http://bugs.debian.org/303057
> # for more information.
> # Number of objects that can be locked at the same time.
> dbconfig set_lk_max_objects 1500
> # Number of locks (both requested and granted)
> dbconfig set_lk_max_locks 1500
> # Number of lockers
> dbconfig set_lk_max_lockers 1500
> # Indexing options for database #1
> index           objectClass eq
> # Save the time that the entry gets modified, for database #1
> lastmod         on
>
> access to dn.children="ou=people,#####SECRET######" attrs=userPassword
>         by group/groupOfNames/member="#####SECRET######" write
>         by self write
>         by * auth
>


This database has no rootdn set. AFAIK, you need a rootdn to be configured for 
the internal writes by ppolicy to work (I can't be sure as all my databases 
with ppolicy have rootdn's).

> * defaultPolicy.ldif
> ========================
> dn: cn=defaultPolicy,ou=policies,#####SECRET######
> cn: defaultPolicy
> objectClass: organizationalRole
> objectClass: pwdPolicy
> objectClass: top
> pwdLockout: TRUE
> pwdMaxFailure: 3
> pwdAttribute: userPassword
> pwdGraceAuthNLimit: 3
> pwdLockoutDuration: 15
> pwdAllowUserChange: TRUE
>
> * ppolicytest.ldif
> =========================
> dn: uid=ppolicytest,ou=people,#####SECRET######
> uid: ppolicytest
> uidNumber: 1012
> gidNumber: 100
> homeDirectory: /home/ppolicytest
> loginShell: /bin/bash
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: top
> structuralObjectClass: inetOrgPerson
> entryUUID: e4c33596-d832-102b-8c70-39998be84848
> creatorsName: #####SECRET######
> createTimestamp: 20070806063457Z
> pwdPolicySubentry: cn=defaultPolicy,ou=policies,#####SECRET######
> userPassword: {MD5}Gh3JHJBzJcaScd3wyUS8cg==
> pwdChangedTime: 20070806070643Z
> cn: ppolicytest
> entryCSN: 20070806070815Z#000000#00#000000
> modifiersName: #####SECRET######
> modifyTimestamp: 20070806070815Z
> entryDN: uid=ppolicytest,ou=people,#####SECRET######
> subschemaSubentry: cn=Subschema
> hasSubordinates: FALSE
>
>
> So with this all in place I get no errors starting slapd (the module
> gets loaded.)  I run the following command 4 times:
> ldapsearch -P 3 -x  -LLL -e ppolicy -D
> "uid=ppolictest,ou=people,#####SECRET######" -W "(objectclass=*)"
> Entering an incorrect password each time, however the account never gets
> locked out and the operational attributes never change.


Regards,
Buchan
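As an added example (not code from the thread or from the OpenLDAP project), the script below shows what a working ppolicy overlay should leave behind in the user entry and how to read it back: it parses an LDIF dump, finds the policy named in the user's pwdPolicySubentry, and applies the lockout rules from the ppolicy draft (pwdFailureTime values accumulate on failed binds; when their count reaches pwdMaxFailure the overlay stamps pwdAccountLockedTime; the account stays locked for pwdLockoutDuration seconds, or indefinitely when that value is 0). The suffix dc=example,dc=com stands in for the redacted one, and the user's operational attributes are constructed; the policy values match the defaultPolicy posted above. The "failure count reached but no pwdAccountLockedTime" branch is the state the original poster describes, where the overlay's internal writes never land.

```python
"""Evaluate OpenLDAP ppolicy lockout state from an LDIF dump (added example)."""
from datetime import datetime, timedelta, timezone

# Constructed sample: policy values mirror the thread's defaultPolicy; the
# user's pwdFailureTime / pwdAccountLockedTime values are hypothetical and
# represent what a working ppolicy overlay writes after three failed binds.
SAMPLE_LDIF = """\
dn: cn=defaultPolicy,ou=policies,dc=example,dc=com
cn: defaultPolicy
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdLockout: TRUE
pwdMaxFailure: 3
pwdLockoutDuration: 15

dn: uid=ppolicytest,ou=people,dc=example,dc=com
uid: ppolicytest
pwdPolicySubentry: cn=defaultPolicy,ou=policies,dc=example,dc=com
pwdFailureTime: 20070806070801.000001Z
pwdFailureTime: 20070806070805.000002Z
pwdFailureTime: 20070806070810.000003Z
pwdAccountLockedTime: 20070806070810Z
"""


def parse_ldif(text):
    """Minimal LDIF reader: blank line separates entries, one 'attr: value'
    per line, values collected as lists. Returns {dn: {attr: [values]}}.
    Base64 (':: ') values and line folding are not handled."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        value = value.strip()
        if attr.lower() == "dn":
            current = entries.setdefault(value, {})
            continue
        if current is None:
            raise ValueError("attribute before dn: %r" % line)
        current.setdefault(attr, []).append(value)
    return entries


def parse_gentime(value):
    """GeneralizedTime as slapd writes it: YYYYMMDDHHMMSS[.ffffff]Z."""
    fmt = "%Y%m%d%H%M%S.%fZ" if "." in value else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def lockout_state(user, policy, now):
    """Return (locked, reason) for a user entry under a pwdPolicy entry."""
    if policy.get("pwdLockout", ["FALSE"])[0].upper() != "TRUE":
        return False, "policy does not enable lockout"
    max_failure = int(policy.get("pwdMaxFailure", ["0"])[0])
    duration = int(policy.get("pwdLockoutDuration", ["0"])[0])  # seconds
    failures = [parse_gentime(v) for v in user.get("pwdFailureTime", [])]
    locked_at = user.get("pwdAccountLockedTime")
    if locked_at:
        since = parse_gentime(locked_at[0])
        if duration == 0:
            return True, "locked since %s until reset" % since.isoformat()
        until = since + timedelta(seconds=duration)
        if now < until:
            return True, "locked until %s" % until.isoformat()
        return False, "lockout expired at %s" % until.isoformat()
    if max_failure and len(failures) >= max_failure:
        # Count reached but the overlay never stamped the lock: its internal
        # write did not happen, which is the symptom reported in the thread.
        return False, ("%d failures reached pwdMaxFailure %d but no "
                       "pwdAccountLockedTime was written" % (len(failures), max_failure))
    return False, "%d failures below pwdMaxFailure %d" % (len(failures), max_failure)


def evaluate(ldif_text, user_dn, now, default_policy_dn=None):
    """Look up the user's policy (pwdPolicySubentry, else the default) and
    report its lockout state at time 'now'."""
    entries = parse_ldif(ldif_text)
    user = entries[user_dn]
    policy_dn = user.get("pwdPolicySubentry", [default_policy_dn])[0]
    return lockout_state(user, entries[policy_dn], now)


if __name__ == "__main__":
    user_dn = "uid=ppolicytest,ou=people,dc=example,dc=com"
    for t in (datetime(2007, 8, 6, 7, 8, 20, tzinfo=timezone.utc),
              datetime(2007, 8, 6, 7, 8, 30, tzinfo=timezone.utc)):
        print(t.isoformat(), evaluate(SAMPLE_LDIF, user_dn, t))
```

Run against a real dump (for example the output of ldapsearch with the operational attributes requested by appending `+` to the attribute list) after a series of failed binds: if pwdFailureTime values appear but pwdAccountLockedTime never does, the overlay is observing the failures but its write-back is not taking effect, which is exactly the configuration question raised in the reply above.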