
Re: Issue while implementing Password Policy



I had the same problem, and I found the solution on Google :-).
Anyway, replace userPassword with 2.5.4.35 and it should work.

On Tue, Oct 21, 2008 at 11:10 AM,  <daljeet.mehta@wipro.com> wrote:
> Hi,
>
> I am trying to implement password policy in OpenLDAP.
>
> There are already similar postings on the same issue. But I tried all the
> possible solutions and now I am really tired after one week.
>
> Here are the details about my problem:
>
> Operating System: Red Hat Linux ES 5.0
> OpenLDAP Release: 2.3.39
>
> During the addition of the userPassword node I get the following error.
>
> ldapadd -f /root/openldap/openldap-2.3.39/servers/slapd/schema/paswd_policy1.ldif -D "cn=Manager,dc=xyz,dc=com" -w secret -x
> adding new entry "cn=default,ouname=ppolicy,oname=P_Policy,dc=xyz,dc=com"
> ldapadd: Invalid syntax (21)
>         additional info: pwdAttribute: value #0 invalid per syntax
>
> Then after reading some of the issues related to it, I tried every possible
> solution. I added overlay path in my slapd.conf and I got the following
> error.
>
> ./slapd -f /root/openldap/openldap-2.3.39/servers/slapd/slapd.conf -d 1
> @(#) $OpenLDAP: slapd 2.3.39 (Aug 25 2008 11:38:51) $
>
> root@localhost.localdomain:/root/openldap/openldap-2.3.39/servers/slapd
> daemon_init: listen on ldap:///
> daemon_init: 1 listeners to open...
> ldap_url_parse_ext(ldap:///)
> daemon: listener initialized ldap:///
> daemon_init: 2 listeners opened
> slapd init: initiated server.
> slap_sasl_init: initialized!
> bdb_back_initialize: initialize BDB backend
> bdb_back_initialize: Sleepycat Software: Berkeley DB 4.3.29: (September 12, 2006)
> hdb_back_initialize: initialize HDB backend
> hdb_back_initialize: Sleepycat Software: Berkeley DB 4.3.29: (September 12, 2006)
> overlay "ppolicy" not found
> slapd destroy: freeing system resources.
> slapd stopped.
> connections_destroy: nothing to destroy.
>
> Following is my configuration file snapshot:-
>
> # This file should NOT be world readable.
> #
> include         /root/openldap/openldap-2.3.39/servers/slapd/schema/core.schema
> include         /root/openldap/openldap-2.3.39/servers/slapd/schema/local.schema
> include         /root/openldap/openldap-2.3.39/servers/slapd/schema/java.schema
> include         /root/openldap/openldap-2.3.39/servers/slapd/schema/inetorgperson.schema
> #include        /root/openldap/openldap-2.3.39/servers/slapd/schema/ppolicy.schema
> include         /etc/openldap/schema/ppolicy.schema
> # Define global ACLs to disable default read access.
>
> # Do not enable referrals until AFTER you have a working directory
> # service AND an understanding of referrals.
> #referral       ldap://root.openldap.org
>
> pidfile         /var/run/slapd.pid
> argsfile        /var/run/slapd.args
>
> # Load dynamic backend modules:
> modulepath      /root/openldap/openldap-2.3.39/servers/slapd/overlays
> modulepath      /usr/sbin
> moduleload      ppolicy.la
> moduleload      back_hdb.la
> moduleload      back_monitor.la
> #modulepath     %MODULEDIR%
> # moduleload    back_bdb.la
> # moduleload    back_ldap.la
> # moduleload    back_ldbm.la
> # moduleload    back_passwd.la
> # moduleload    back_shell.la
> moduleload    ppolicy.la
> moduleload      /root/openldap/openldap-2.3.39/libraries/libldap
> overlay ppolicy
> ppolicy_default "cn=default,ouname=ppolicy,oname=P_POLICY,dc=xyz,dc=com"
> ppolicy_use_lockout
> #overlay ppolicy
> #overlay refint
> # Sample security restrictions
> #       Require integrity protection (prevent hijacking)
> #       Require 112-bit (3DES or better) encryption for updates
> #       Require 63-bit encryption for simple bind
> # security ssf=1 update_ssf=112 simple_bind=64
>
> # Sample access control policy:
> #       Root DSE: allow anyone to read it
> #       Subschema (sub)entry DSE: allow anyone to read it
> #       Other DSEs:
> #               Allow self write access
> #               Allow authenticated users read access
> #               Allow anonymous users to authenticate
> #       Directives needed to implement policy:
> # access to dn.base="" by * read
> # access to dn.base="cn=Subschema" by * read
> # access to *
> #       by self write
> #       by users read
> #       by anonymous auth
> #
> # if no access controls are present, the default policy
> # allows anyone and everyone to read anything but restricts
> # updates to rootdn.  (e.g., "access to * by * read")
> #
> # rootdn can always read and write EVERYTHING!
>
> #######################################################################
> # BDB database definitions
> #######################################################################
>
> database        bdb
> suffix          "dc=xyz,dc=com"
> rootdn          "cn=Manager,dc=xyz,dc=com"
>
> # Cleartext passwords, especially for the rootdn, should
> # be avoid.  See slappasswd(8) and slapd.conf(5) for details.
> # Use of strong authentication encouraged.
> rootpw          secret
> # The database directory MUST exist prior to running slapd AND
> # should only be accessible by the slapd and slap tools.
> # Mode 700 recommended.
> directory       /usr/local/var/openldap-data
> # Indices to maintain
> index   objectClass     eq
>
> Trust me, I did R & D for 7 days. I even did a fresh installation of the same
> version and of a newer version (2.4.11 release), and I got the same error.
>
> Can you please tell me the steps to make this work? It has now become a
> matter of life and death for me and I will do anything possible to resolve it.
>
> Thanks in advance for your help.
>
> Thanks & Regards,
>
> Daljeet Mehta



-- 
For far too long, power has been concentrated in the hands of "root"
and his "wheel" oligarchy. We have instituted a dictatorship of the
users. All system administration functions will be handled by the
People's Committee for Democratically Organizing the System (PC-DOS).
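For anyone who finds this thread later, here is a complete policy entry in the form the reply describes. It is an added example, not an LDIF posted in the thread: pwdAttribute carries the OID 2.5.4.35 (the OID of userPassword) because slapd 2.3 validates that attribute against the OID syntax and rejects the descriptor name, which is exactly the "value #0 invalid per syntax" error quoted above. The DN and suffix are the ones from the question (its ouname/oname parent entries must already exist and be defined by the local.schema included in slapd.conf); the structural class device and every numeric policy value are assumptions to adjust for your own site.

```ldif
# Added example, not from the thread: a pwdPolicy entry for OpenLDAP 2.3.
# DN taken from the question; parent entries, the structural class "device"
# and all policy values are assumptions.
dn: cn=default,ouname=ppolicy,oname=P_Policy,dc=xyz,dc=com
objectClass: device
objectClass: pwdPolicy
cn: default
# Must be the OID of userPassword; slapd 2.3 rejects the name "userPassword" here.
pwdAttribute: 2.5.4.35
# Quality and reuse rules (values are assumptions)
pwdMinLength: 8
pwdInHistory: 5
pwdCheckQuality: 1
# Ageing: 90 days in seconds
pwdMaxAge: 7776000
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
# Lockout: pairs with "ppolicy_use_lockout" in slapd.conf
pwdLockout: TRUE
pwdMaxFailure: 5
pwdLockoutDuration: 900
pwdFailureCountInterval: 0
```

Load it with the same ldapadd invocation as in the question. The second error quoted there, overlay "ppolicy" not found, is a slapd.conf problem rather than a schema one: the usual causes are the overlay ppolicy, ppolicy_default and ppolicy_use_lockout directives being placed before the database bdb block they apply to, as slapo-ppolicy(5) describes, and the modulepath that is supposed to find ppolicy.la being split across two lines as it is in the snapshot (it should be one directive pointing at the servers/slapd/overlays directory). Two further points for a production deployment: pwdCheckQuality can only inspect a password the client sends in the clear, so pair it with ppolicy_hash_cleartext and TLS on the connection, and keep rootpw as a slappasswd(8) hash rather than the plain secret shown in the snapshot, as the config file's own comment already recommends.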