
Struggling with ppolicy



Hey folks,

If this is the wrong list, please let me know and I'd be happy to send
it to the right one.

As I've mentioned in a previous post (which hasn't been posted yet, so I
apologize if you've seen any of this information already) I've got a FC6
box, with OpenLDAP 2.3.30.  I'm attempting to get ppolicy to work, and I
can now successfully start OpenLDAP with the ppolicy directive in it:

### abridged slapd.conf ###
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
include /etc/openldap/schema/ppolicy.schema

modulepath /usr/lib/openldap

# A slapd.conf continuation line must begin with whitespace, so the long
# attrs= list stays on one line here and the "by" clauses are indented.
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,shadowLastChange,shadowMax,sambaPwdLastSet,sambaPwdMustChange
        by self write
        by * auth
access to *
        by * read

database bdb
suffix "dc=example,dc=com"
rootdn "cn=admin,dc=example,dc=com"
rootpw {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXX
directory /var/lib/ldap

index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub

# The overlay directives are placed after the "database" line so that they
# attach to this database; an "overlay" directive that appears before any
# "database" directive is treated as a global (frontend) overlay instead.
# The default-policy DN must name an entry that actually exists: the entry
# shown below is "cn=Password Policy,ou=policies,dc=example,dc=com", whereas
# the line as originally posted read "...,ou=example,ou=com", a DN with no
# entry in this directory, so no policy would be loaded from it.
overlay ppolicy
ppolicy_default "cn=Password Policy,ou=policies,dc=example,dc=com"

sasl-secprops none


### Password Policy entry via slapcat ###
dn: cn=Password Policy,ou=policies,dc=example,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: Password Policy
pwdAttribute: 2.5.4.35
pwdMaxAge: 3888000
pwdInHistory: 2
pwdCheckQuality: 1
pwdMinLength: 6
pwdExpireWarning: 432000
pwdGraceAuthNLimit: 5
pwdMaxFailure: 10
pwdFailureCountInterval: 0
pwdMustChange: FALSE
pwdAllowUserChange: TRUE
pwdSafeModify: TRUE
pwdLockoutDuration: 7776000
pwdLockout: TRUE
structuralObjectClass: device
entryUUID: 2e1eee98-83ea-102c-9736-1d2794f3677b
creatorsName: cn=admin,dc=example,dc=com
createTimestamp: 20080311190746Z
entryCSN: 20080311190746Z#000000#00#000000
modifiersName: cn=admin,dc=example,dc=com
modifyTimestamp: 20080311190746Z


[root@server openldap]# /etc/init.d/ldap start
Checking configuration files for slapd: WARNING: No dynamic config support for overlay ppolicy.
config file testing succeeded
[ OK ]
Starting slapd: [ OK ]

From what I gather, since I'm using a slapd.conf and not a back-bdb,
that warning does not apply to me.

However, when I add users, I see no special attributes that show they're
being regulated by ppolicy (Googling turned up some LDIFs that had
pwdPolicySubentry attributes - should I have that?). Additionally, I can
enter passwords such as 'a' - single characters - and it doesn't complain
at all. In fact, none of the restrictions are being enforced, and I'm
really scratching my head. The options I compiled with were:

        --enable-plugins \
        --enable-ppolicy=yes \
        --enable-slapd \
        --enable-slurpd \
        --enable-multimaster \
        --enable-bdb \
        --enable-hdb \
        --enable-ldap \
        --enable-ldbm \
        --with-ldbm-api=%{ldbm_backend} \
        --enable-meta \
        --enable-monitor \
        --enable-null \
        --enable-shell \
        --enable-sql=mod \
        --disable-perl \
        --disable-shared \
        --disable-dynamic \
        --enable-static \
        --with-kerberos=k5only



Thanks in advance for any help...

Best Regards,
Ryan
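An added example, not part of Ryan's post or of the OpenLDAP project: a small checker that cross-references the ppolicy directives in a slapd.conf against a slapcat LDIF dump. It flags the two configuration shapes visible in the post that leave a password policy silently unenforced: a `ppolicy_default` DN that names no `pwdPolicy` entry in the directory, and an `overlay ppolicy` line that precedes the `database` directive (which makes it a global overlay rather than one attached to that database). The `BROKEN_CONF`, `FIXED_CONF` and `POLICY_LDIF` inputs are constructed to mirror the post; the function names are this example's own.

```python
def parse_slapd_conf(text):
    """Return (keyword, argument) pairs from slapd.conf text. Comments and blank
    lines are dropped; a line that starts with whitespace continues the previous
    directive, as slapd.conf(5) specifies."""
    joined = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and joined:
            joined[-1] += " " + raw.strip()
        else:
            joined.append(raw.strip())
    pairs = []
    for line in joined:
        parts = line.split(None, 1)
        pairs.append((parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""))
    return pairs


def normalize_dn(dn):
    """Canonical form for comparison: quotes stripped, RDNs lower-cased, no blanks around commas."""
    return ",".join(rdn.strip().lower() for rdn in dn.strip().strip('"').split(","))


def pwd_policy_dns(ldif_text):
    """Set of DNs of entries carrying objectClass pwdPolicy in an LDIF dump."""
    found, dn, classes = set(), None, set()
    for line in ldif_text.splitlines() + [""]:
        if line == "":                      # a blank line ends an entry
            if dn is not None and "pwdpolicy" in classes:
                found.add(dn)
            dn, classes = None, set()
        elif line.lower().startswith("dn:"):
            dn = line.split(":", 1)[1].strip()
        elif line.lower().startswith("objectclass:"):
            classes.add(line.split(":", 1)[1].strip().lower())
    return found


def check_ppolicy(conf_text, ldif_text):
    """Return a list of findings; an empty list means every check passed."""
    directives = parse_slapd_conf(conf_text)
    findings = []
    if not any(k == "include" and v.endswith("ppolicy.schema") for k, v in directives):
        findings.append("ppolicy.schema is not included")
    db_pos = next((i for i, (k, _) in enumerate(directives) if k == "database"), None)
    ov_pos = next((i for i, (k, v) in enumerate(directives)
                   if k == "overlay" and v.lower() == "ppolicy"), None)
    if ov_pos is None:
        findings.append('no "overlay ppolicy" directive')
    elif db_pos is None or ov_pos < db_pos:
        findings.append('"overlay ppolicy" precedes the "database" directive, '
                        "so it is a global overlay rather than one attached to that database")
    default = next((v for k, v in directives if k == "ppolicy_default"), None)
    if default is None:
        findings.append("no ppolicy_default: only entries with pwdPolicySubentry get a policy")
    else:
        policies = {normalize_dn(d) for d in pwd_policy_dns(ldif_text)}
        if normalize_dn(default) not in policies:
            findings.append(f"ppolicy_default {default} names no pwdPolicy entry "
                            f"(entries found: {sorted(policies)})")
    return findings


# Constructed inputs (not real config): the broken file uses ou=example,ou=com in
# ppolicy_default while the entry lives under dc=example,dc=com, and puts the
# overlay above the database line; the fixed file corrects both.
BROKEN_CONF = """\
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/ppolicy.schema
overlay ppolicy
ppolicy_default "cn=Password Policy,ou=policies,ou=example,ou=com"
access to attrs=userPassword
        by self write
        by * auth
database bdb
suffix "dc=example,dc=com"
"""

FIXED_CONF = """\
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/ppolicy.schema
database bdb
suffix "dc=example,dc=com"
overlay ppolicy
ppolicy_default "cn=Password Policy,ou=policies,dc=example,dc=com"
"""

POLICY_LDIF = """\
dn: cn=Password Policy,ou=policies,dc=example,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: Password Policy
pwdAttribute: 2.5.4.35
pwdMinLength: 6
pwdCheckQuality: 1
"""

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(name, check_ppolicy(conf, POLICY_LDIF) or ["ok"])
```

Run against a real deployment by feeding it the contents of `slapd.conf` and the output of `slapcat`; an empty findings list only says the directives are consistent with the directory, so the final confirmation is still a bind attempt with a password shorter than `pwdMinLength`, which a working policy rejects.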