Operational attribute pwdFailureTime not being added to entries
Hello,
First let me thank the gracious folks on this list who have lent their
advice to me on my path towards implementing ppolicy. I'm making
progress; I can reject new passwords based on password history, and
reject weak passwords. However, I'm having a bit of a time trying to
get the lockouts to work. My policy is defined as:
dn: cn=Password Policy,ou=Policies,dc=example,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: Password Policy
pwdAttribute: userPassword
pwdMaxAge: 3888000
pwdMinLength: 6
pwdExpireWarning: 432000
pwdFailureCountInterval: 0
pwdMustChange: FALSE
pwdAllowUserChange: TRUE
pwdSafeModify: TRUE
pwdLockout: TRUE
pwdCheckQuality: 1
pwdGraceAuthNLimit: 0
pwdInHistory: 6
pwdLockoutDuration: 60
pwdMaxFailure: 3
However, even after many failure attempts, I see no pwdFailureTime attributes in the offending user's entry:
dn: uid=testuser,ou=Users,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
cn: testuser
sn: testuser
givenName: testuser
uid: testuser
uidNumber: 1009
gidNumber: 513
homeDirectory: /home/testuser
loginShell: /bin/bash
gecos: System User
structuralObjectClass: inetOrgPerson
entryUUID: 42d5971e-7b49-102c-8aae-af676a6dbed9
creatorsName: cn=admin,dc=example,dc=com
createTimestamp: 20080229193543Z
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
displayName: System User
sambaSID: S-1-5-21-1484159386-3942804292-94657008-3018
sambaPrimaryGroupSID: S-1-5-21-1484159386-3942804292-94657008-513
sambaLogonScript: logon.bat
sambaProfilePath: \\masterldap.example.com\profiles\testuser
sambaHomePath: \\masterldap.example.com\testuser
sambaHomeDrive: H:
pwdHistory: 20080313194326Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}C2DOwhgHFTcXmGxRdqlpBUz12eZpRXI4
pwdHistory: 20080313194602Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}AboL9Sp7678X2KsPv8sMPE5CC2i6c6LY
pwdHistory: 20080313194626Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}7hUqCecYGvdg5bx1ybw71YQcZShicmFk
pwdHistory: 20080313194852Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}E920Fe1PlYVBwjn+rpiOFO8UaiRzZnB6
pwdHistory: 20080313200637Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}hFfD2xFwG/Ts5PVg3CAIf4i6rkpaZnNM
pwdHistory: 20080313200941Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}/GpzR2wV7dyXITeU+5nBpFyTKdgxQzk4
sambaLMPassword: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
sambaAcctFlags: [U]
sambaNTPassword: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
sambaPwdLastSet: 1205438797
sambaPwdMustChange: 1209326797
userPassword:: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
pwdChangedTime: 20080313200941Z
entryCSN: 20080313200941Z#000000#00#000000
modifiersName: cn=admin,dc=example,dc=com
modifyTimestamp: 20080313200941Z
Is the shadowAccount attribute killing me? I'm not really sure. Just for completeness, the slapd.conf (abridged) looks like:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
include /etc/openldap/schema/ppolicy.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
modulepath /usr/lib/openldap
database bdb
suffix "dc=example,dc=com"
directory /var/lib/ldap
rootdn "cn=admin,dc=example,dc=com"
rootpw {SSHA}tFEA391Y3ZLHXkQDDk6f0t1ZkJEuMwIj
overlay ppolicy
ppolicy_default "cn=Password Policy,ou=Policies,dc=example,dc=com"
ppolicy_use_lockout
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,shadowLastChange,shadowMax,sambaPwdLastSet,sambaPwdMustChange
        by self write
        by * auth
access to *
        by * read
moduleload smbk5pwd.la
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
loglevel -1
sasl-secprops none
As always, thank you for your help.
Best Regards,
Ryan
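The following is an added example, not part of Ryan's message and not OpenLDAP's own code. It models, in Python, the lockout accounting that the ppolicy overlay performs for one entry under the pwdPolicy values shown in the post (pwdLockout TRUE, pwdMaxFailure 3, pwdLockoutDuration 60, pwdFailureCountInterval 0), following the semantics of draft-behera-ldap-password-policy, so that the expected contents of pwdFailureTime and pwdAccountLockedTime after a given sequence of binds can be worked out offline. Two practitioner caveats the model makes visible: both attributes are operational, so ldapsearch returns them only when they are named explicitly or "+" is requested; and a value is written only when an LDAP bind against the entry fails, so an authentication path that never binds as the user (Samba validating an NTLM logon against sambaNTPassword, for instance) leaves pwdFailureTime untouched. The class and function names (Policy, Entry, bind, run_scenario) and the timestamps are this example's own constructions; the attribute names are the ones ppolicy uses.

```python
"""Model of ppolicy lockout accounting for a single entry (added example).

Behaviour modelled, per draft-behera-ldap-password-policy:
  * a failed bind appends one GeneralizedTime value to pwdFailureTime
  * before counting, values older than pwdFailureCountInterval seconds are
    purged (0 = never purge; failures persist until a successful bind)
  * when the retained count reaches pwdMaxFailure and pwdLockout is TRUE,
    pwdAccountLockedTime is set and further binds are refused
  * the lock ends after pwdLockoutDuration seconds (0 = permanent, cleared
    only by an administrator deleting pwdAccountLockedTime)
  * a successful bind clears pwdFailureTime and any expired lock
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Sequence, Tuple

GT_FORMAT = "%Y%m%d%H%M%SZ"   # GeneralizedTime as seen in the posted entry

# Constructed start time for the scenarios below (hypothetical, not from the post).
START = datetime(2008, 3, 13, 20, 10, 0, tzinfo=timezone.utc)


def to_gt(t: datetime) -> str:
    return t.astimezone(timezone.utc).strftime(GT_FORMAT)


def from_gt(s: str) -> datetime:
    return datetime.strptime(s, GT_FORMAT).replace(tzinfo=timezone.utc)


@dataclass
class Policy:
    # Defaults mirror the pwdPolicy entry in the post.
    pwdLockout: bool = True
    pwdMaxFailure: int = 3
    pwdLockoutDuration: int = 60        # seconds; 0 = locked until an admin unlocks
    pwdFailureCountInterval: int = 0    # seconds; 0 = failures never expire


@dataclass
class Entry:
    pwdFailureTime: List[str] = field(default_factory=list)
    pwdAccountLockedTime: Optional[str] = None


class AccountLocked(Exception):
    """Where slapd answers invalidCredentials with ppolicy error accountLocked."""


def is_locked(entry: Entry, policy: Policy, now: datetime) -> bool:
    if entry.pwdAccountLockedTime is None:
        return False
    if policy.pwdLockoutDuration == 0:
        return True                      # permanent until pwdAccountLockedTime is removed
    locked_at = from_gt(entry.pwdAccountLockedTime)
    return now < locked_at + timedelta(seconds=policy.pwdLockoutDuration)


def bind(entry: Entry, policy: Policy, password_ok: bool, now: datetime) -> bool:
    """One simple bind against entry: True on success, False on a wrong
    password, AccountLocked while the lockout is in force."""
    if policy.pwdLockout and is_locked(entry, policy, now):
        raise AccountLocked(f"locked since {entry.pwdAccountLockedTime}")

    if password_ok:
        # Successful bind: failure history and any expired lock are removed.
        entry.pwdFailureTime.clear()
        entry.pwdAccountLockedTime = None
        return True

    # Failed bind: drop stale failures first, then record this one.
    if policy.pwdFailureCountInterval > 0:
        cutoff = now - timedelta(seconds=policy.pwdFailureCountInterval)
        entry.pwdFailureTime = [t for t in entry.pwdFailureTime if from_gt(t) > cutoff]
    stamp = to_gt(now)
    if stamp not in entry.pwdFailureTime:   # attribute values form a set, so same-second
        entry.pwdFailureTime.append(stamp)  # failures collapse; newer ppolicy releases
                                            # write sub-second timestamps to avoid this
    if policy.pwdLockout and len(entry.pwdFailureTime) >= policy.pwdMaxFailure:
        entry.pwdAccountLockedTime = stamp
    return False


def run_scenario(policy: Policy, attempts: Sequence[Tuple[int, bool]],
                 start: datetime = START) -> Tuple[Entry, List[str]]:
    """Replay (offset_seconds, password_ok) attempts against a fresh entry and
    return the final entry plus one outcome string per attempt."""
    entry = Entry()
    outcomes: List[str] = []
    for offset, ok in attempts:
        now = start + timedelta(seconds=offset)
        try:
            outcomes.append("success" if bind(entry, policy, ok, now) else "failure")
        except AccountLocked:
            outcomes.append("locked")
    return entry, outcomes


if __name__ == "__main__":
    # Three wrong passwords, a correct one during the 60 s lockout, one after it.
    entry, outcomes = run_scenario(Policy(), [(0, False), (1, False), (2, False), (30, True), (65, True)])
    print(outcomes)          # ['failure', 'failure', 'failure', 'locked', 'success']
    print(entry)             # counters cleared by the successful bind
```

To compare the model with a live server, the same sequence can be driven with the OpenLDAP client tools: a deliberately wrong `ldapwhoami -x -D uid=testuser,ou=Users,dc=example,dc=com -w wrongpassword -e ppolicy` against the server for each failed attempt, followed by `ldapsearch -x -D cn=admin,dc=example,dc=com -W -b uid=testuser,ou=Users,dc=example,dc=com pwdFailureTime pwdAccountLockedTime` to read the two operational attributes by name. The `-e ppolicy` control also makes the client print the policy error (accountLocked, and so on) that slapd attaches to the bind result.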