
Re: how implement pwdpolicy



Rahima Shaheen wrote:
Hi,

I am very new to OpenLDAP. I can run slapd and add/edit new entries. Now I
want to implement pwdpolicy. I tried it several times. I would like to
describe what I did.

1. run slapd without modifying anything.
2. create an ou=policies. Script as follows:

dn: ou=policies,dc=my-domain,dc=com
objectClass: organizationalUnit
objectClass: top
ou: policies

3. write policy.schema.
4. include policy.schema, but the overlay is not added. Run slapd
again. In core.schema the attributetype userPassword was commented out.
5. Now I want to create policy.ldif. Script:
dn: cn=default,ou=policies,dc=my-domain,dc=com
cn: default
objectClass: pwdPolicy
objectClass: person
objectClass: top
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdExpireWarning: 600
pwdFailureCountInterval: 30
pwdGraceAuthNLimit: 5
pwdInHistory: 5
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdMaxAge: 0
pwdMaxFailure: 5
pwdMinAge: 0
pwdMinLength: 5
pwdMustChange: FALSE
pwdSafeModify: FALSE
#sn: 'dummy value' objectClass: organizationalUnit

It gives an error "Invalid syntax (21) pwdAttribute: value #0 invalid
per syntax". Why does it give such an error? My assumption is that the
ppolicy.schema attribute is not created successfully. Another point: in
core.schema the attributeType userPassword is commented out. If I
uncomment it, slapd -d 1 gives a duplicate attribute type. Give a
solution please.

Now my questions are:
a.       how can I be sure that my ppolicy.schema is created? I don't have
any ppolicy.la

b.       what does ppolicy.la do?

Other people have answered these questions (ppolicy.schema is simply
included in your slapd.conf file and ppolicy.la is a wrappered library).

You include the ppolicy.schema file by using a directive such as:

    include         /etc/openldap/schema/ppolicy.schema

in your slapd.conf file.  You also bring in the actual executable bit
of ppolicy code via:

    moduleload      ppolicy.la

in your slapd.conf file.  Finally, you have to add something like:

    # Password policy enforcement...
    #    Set up password policies via the "ppolicy" overlay.
    #    Unless otherwise specified by a "pwdPolicySubentry"
    #    attribute in a user's entry, they will use the policy
    #    defined in the "ppolicy_default" entry here.
    #    We force "Invalid Credentials" errors on locked accounts
    #    and we store the passwords in LDAP in cleartext to satisfy
    #    SASL.
    overlay ppolicy
    ppolicy_default "cn=DefaultPassword,ou=Policies,dc=mycompany,dc=com"
    ppolicy_use_lockout
    ppolicy_hash_cleartext

in slapd.conf to set up how ppolicy works.

Now, as to how to set up the database itself, here is an LDIF file I use
to seed my database by feeding it to slapcat:

-------------------------- CUT HERE ----------------------------------
# ROOT OF LDAP TREE
#  Set up the root of the tree...
dn: dc=mycompany,dc=com
dc: mycompany
objectClass: top
objectClass: domain

# ORGANIZATIONAL UNITS
#  This ou is used for the actual user IDs...
dn: ou=People,dc=mycompany,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

#  This ou is for the user group IDs...
dn: ou=Group,dc=mycompany,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

#  This ou is for password policies and the like...
dn: ou=Policies,dc=mycompany,dc=com
ou: Policies
objectClass: top
objectClass: organizationalUnit

# PASSWORD POLICIES
#  This one is the default policy that all users get EXCEPT for the
#  "special" folk (such as "sysman")...
dn: cn=DefaultPassword,ou=Policies,dc=mycompany,dc=com
cn: DefaultPassword
objectClass: top
objectClass: device
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
pwdAttribute: userPassword
pwdMinAge: 86400
pwdMaxAge: 7776000
pwdExpireWarning: 604800
pwdGraceAuthnLimit: 3
pwdMinLength: 10
pwdCheckQuality: 2
pwdCheckModule: check_password.so
pwdMaxFailure: 6
pwdLockout: TRUE
pwdLockoutDuration: 180
pwdFailureCountInterval: 120
pwdInHistory: 4
pwdAllowUserChange: TRUE
pwdMustChange: TRUE
pwdSafeModify: FALSE

#  This one is the special policy that users whose passwords should
#  NOT expire get (such as "sysman")...
dn: cn=NoExpirePassword,ou=Policies,dc=mycompany,dc=com
cn: NoExpirePassword
objectClass: top
objectClass: device
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdMinAge: 0
pwdMaxAge: 0
pwdExpireWarning: 0
pwdGraceAuthnLimit: 3
pwdMinLength: 10
pwdCheckQuality: 2
pwdMaxFailure: 3
pwdLockoutDuration: 180
pwdFailureCountInterval: 120
pwdInHistory: 4
pwdAllowUserChange: TRUE
pwdMustChange: TRUE
pwdSafeModify: TRUE

# LDAP MAIN AUTHORITY
#  This group is for "sysman", the absolute authority for the LDAP
#  database...
dn: cn=sysman,ou=Group,dc=mycompany,dc=com
objectClass: posixGroup
objectClass: top
cn: sysman
userPassword: Y0uR3@llyD0n+w@n++0kn0w!
gidNumber: 500

#  This is sysman's user ID...
dn: uid=sysman,ou=People,dc=mycompany,dc=com
uid: sysman
cn: LDAP System Manager
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowMin: 1
shadowMax: 90
shadowWarning: 7
shadowLastChange: 13945
loginShell: /bin/bash
gecos: LDAP System Manager
homeDirectory: /home/sysman
uidNumber: 500
gidNumber: 500
userPassword: Y0uR3@llyD0n+w@n++0kn0w!
pwdPolicySubentry: cn=NoExpirePassword,ou=Policies,dc=mycompany,dc=com
-------------------------- CUT HERE ----------------------------------

Note that the "pwdCheckModule: check_password.so" bits are specifying
a password checking module I wrote.  If you want your own, you'll have
to write it, compile it as a sharable library and put the binary in the
libexec directory where slapd can get at it (typically
/usr/local/libexec/openldap).

Note also that we were using cleartext passwords to satisfy some old
SASL stuff inherent in our architecture.  I don't like that, but I'm
stuck with it.  You'll need to change the "userPassword:" entries to
reflect your encryption scheme (something along the lines of
"userPassword: {sha1} encryptedstring" if you use SHA1 encryption).

----------------------------------------------------------------------
- Rick Stevens, Unix Geek                          rps2@socal.rr.com -
-                                                                    -
-           Lottery: A tax on people who are bad at math.            -
----------------------------------------------------------------------
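A small audit over seed LDIF of the shape shown in the reply above, as an added example that is not from the list post: it parses policy and user entries and flags weak pwdPolicy settings and userPassword values stored without a {scheme} prefix (the cleartext case the reply warns about). The sample entries, the thresholds and the function names are this example's assumptions.

```python
import re
# Constructed sample LDIF (not the list post's own data): a policy entry with
# weak settings plus a user entry whose userPassword has no {scheme} prefix.
SAMPLE_LDIF = """\
dn: cn=DefaultPassword,ou=Policies,dc=example,dc=com
cn: DefaultPassword
objectClass: top
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdMinLength: 5
pwdMaxAge: 0
pwdLockout: FALSE

dn: uid=sysman,ou=People,dc=example,dc=com
uid: sysman
objectClass: account
userPassword: Secret123!
pwdPolicySubentry: cn=DefaultPassword,ou=Policies,dc=example,dc=com
"""

def parse_ldif(text):
    """Blank lines separate entries, '#' lines are comments; names lowercased."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or not line.strip():
                continue
            name, _, value = line.partition(":")
            entry.setdefault(name.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def audit(entries, min_length=8):
    """Flag weak pwdPolicy values and cleartext passwords (thresholds are assumptions)."""
    findings = []
    for e in entries:
        dn = e.get("dn", ["?"])[0]
        classes = {c.lower() for c in e.get("objectclass", [])}
        if "pwdpolicy" in classes:
            if int(e.get("pwdminlength", ["0"])[0]) < min_length:
                findings.append((dn, "pwdMinLength below %d" % min_length))
            if e.get("pwdlockout", ["FALSE"])[0].upper() != "TRUE":
                findings.append((dn, "pwdLockout not TRUE: no lockout on failed binds"))
            if int(e.get("pwdmaxage", ["0"])[0]) == 0:
                findings.append((dn, "pwdMaxAge 0: passwords never expire"))
        for pw in e.get("userpassword", []):
            if not re.match(r"\{[A-Za-z0-9-]+\}", pw):  # e.g. {SSHA}, {CRYPT}
                findings.append((dn, "userPassword stored in cleartext"))
    return findings
```

Run it against the output of `slapcat` (or your seed file) to get a list of (dn, problem) pairs; an empty list means no finding.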