
Re: Check password module/ppolicy problem on Solaris 10 (2.4.21 OL sources)



Hello,
Wow.  I feel like an idiot.  I solved my problem.  My OpenSUSE clients were sending passwords as md5, which caused my openldap server to not be able to read the password information.  I changed the clients to send the password as "exop" and that did the trick.

Jose

--- On Thu, 2/25/10, Jose G. Torres <jogeedaklown@yahoo.com> wrote:

> From: Jose G. Torres <jogeedaklown@yahoo.com>
> Subject: Re: Check password module/ppolicy problem on Solaris 10 (2.4.21 OL sources)
> To: openldap-technical@openldap.org
> Date: Thursday, February 25, 2010, 9:04 AM
> Hello again,
> Well I tried the following.
> 
> Added the full path of the check_password.so in my slapd.conf under "moduleload".
> moduleload /opt/openldap/etc/openldap/modules/check_password.so
> 
> Added the full path to my check_password.so module in my ldif
> pwdCheckModule: /opt/openldap/etc/openldap/modules/check_password.so
> 
> Recompiled the sources again using the configure used to build the openSUSE package.
> CC=/usr/sfw/bin/gcc CPPFLAGS=-I/opt/openldap/include \
> LDFLAGS="-L/opt/openldap/lib -R/opt/openldap/lib" \
> ./configure --prefix=/opt/openldap --with-tls \
> --enable-spasswd --enable-crypt --with-gnu-ld \
> --enable-ppolicy --enable-modules --enable-dynamic \
> --enable-aci --enable-bdb --enable-hdb \
> --enable-rewrite --enable-ldap=yes --enable-meta=mod \
> --enable-monitor=yes --enable-slp --enable-overlays=yes \
> 
> Still no luck.  At least within my ldap logs I see the "Password fails quality checking policy" so at least it is hitting the ldap server for password checking.  Any ideas?????  Thanks!!!!
> 
> Jose
> 
> > I am trying to get my solaris 10 openldap 2.4.21 server to use my check_password.so module using the ppolicy overlay.  When I try to change a user's password from a linux client, I get the following error message.
> > 
> > passwd ldapuser
> > Changing password for ldapuser.
> > Enter login(LDAP) password:
> > New Password:
> > Reenter New Password:
> > LDAP password information update failed: Constraint violation
> > Password fails quality checking policy
> > passwd: Permission denied
> > 
> > 
> > Within my logs, I do not see any error messages from my check_password.so module.  I created the directory /opt/openldap/etc/openldap/modules and placed my module in that directory and I added the modulepath in my slapd.conf.
> > 
> > Is there something I missed?   Is this a PAM thing? I know this setup works on an OpenSUSE 11.2 openldap server.  Help.
> > 
> > I included part of my slapd.conf, openldap configure, check_password.c source, makefile and ldd of my check_password.so.
> > 
> > Thanks!!!!
> > 
> > Jose Torres
> > 
> > 
> > openldap configure
> > ******************
> > 
> > CC=/usr/sfw/bin/gcc CPPFLAGS=-I/opt/openldap/include \
> > LDFLAGS="-L/opt/openldap/lib -R/opt/openldap/lib" \
> > ./configure --prefix=/opt/openldap --with-tls \
> > --enable-spasswd --enable-crypt --with-gnu-ld \
> > --enable-ppolicy --enable-modules --enable-dynamic
> > 
> > 
> > slapd.conf:
> > **********
> > 
> > include /opt/openldap/etc/openldap/schema/ppolicy.schema
> > 
> > # Add password policies.
> > modulepath /opt/openldap/etc/openldap/modules
> > overlay ppolicy
> > ppolicy_default "cn=default,ou=policies,dc=caci,dc=ymp,dc=com"
> > ppolicy_use_lockout
> > 
> > I tried ppolicy_clear_txt I still have the same problem.
> > 
> > check_password.c:
> > ****************
> > 
> > #include <stdio.h>
> > #include <stdlib.h>
> > #include <string.h>
> > #include <ctype.h>
> > #include "portable.h"
> > #include "slap.h"
> > 
> > int init_module()
> > {
> >     return 0;
> > }
> > 
> > /* Called by the ppolicy overlay; returns 0 when the password is acceptable. */
> > int check_password(char *pPasswd, char **ppErrStr, Entry *pEntry)
> > {
> >    char error = 0;
> >    char retmsg[255];
> >    char *message;
> >    const char special[] = "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~";
> >    const char number[] = "1234567890";
> >    const char CAPS[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
> > 
> >    retmsg[0] = '\0';
> > 
> >    if (strstr(pPasswd, " ") != NULL)
> >    {
> >       error = 1;
> >       strcpy(retmsg, "******** CHECKPW: Password contains SPACES! ********");
> >    }
> > 
> >    /* strpbrk() returns NULL when none of the listed characters occur,
> >       so no copy of the password and no strtok() result is needed. */
> >    if (strpbrk(pPasswd, special) == NULL)
> >    {
> >       error = 1;
> >       strcpy(retmsg, "******** CHECKPW: Password does not contain any special characters! ********");
> >    }
> > 
> >    if (strpbrk(pPasswd, number) == NULL)
> >    {
> >       error = 1;
> >       strcpy(retmsg, "******** CHECKPW: Password does not contain any numbers! ********");
> >    }
> > 
> >    /* Test against CAPS here, not the digit list a second time. */
> >    if (strpbrk(pPasswd, CAPS) == NULL)
> >    {
> >       error = 1;
> >       strcpy(retmsg, "******** CHECKPW: Password does not contain any CAPITAL LETTERS! ********");
> >    }
> > 
> >    if (error)
> >    {
> >       /* Allocate the message handed back through ppErrStr. */
> >       message = (char *)malloc(sizeof(char) * (strlen(retmsg) + 1));
> >       if (message != NULL)
> >       {
> >          /* Copy the contents of the string. */
> >          strcpy(message, retmsg);
> >       }
> >       *ppErrStr = message;
> >    }
> >    return error;
> > }
> > 
> > Makefile:
> > *********
> > 
> > check_password.so: check_password.o
> >         gcc -L/opt/openldap/lib -lldap -shared -o check_password.so check_password.o
> > check_password.o: check_password.c
> >         gcc -fpic -I../../include -I. -c check_password.c
> > clean:
> >         rm check_password.so check_password.o
> > 
> > 
> > It seems to find the right libraries.
> > 
> > $ ldd modules/check_password.so
> >         libldap-2.4.so.2 => /opt/openldap/lib/libldap-2.4.so.2
> >         libgcc_s.so.1 => /usr/sfw/lib/libgcc_s.so.1
> >         liblber-2.4.so.2 => /opt/openldap/lib/liblber-2.4.so.2
> >         libresolv.so.2 => /usr/lib/libresolv.so.2
> >         libgen.so.1 => /usr/lib/libgen.so.1
> >         libnsl.so.1 => /usr/lib/libnsl.so.1
> >         libsocket.so.1 => /usr/lib/libsocket.so.1
> >         libsasl.so.1 => /usr/lib/libsasl.so.1
> >         libssl.so.0.9.7 => /usr/sfw/lib/libssl.so.0.9.7
> >         libcrypto.so.0.9.7 => /usr/sfw/lib/libcrypto.so.0.9.7
> >         libc.so.1 => /usr/lib/libc.so.1
> >         libmp.so.2 => /usr/lib/libmp.so.2
> >         libmd.so.1 => /usr/lib/libmd.so.1
> >         libscf.so.1 => /usr/lib/libscf.so.1
> >         libdoor.so.1 => /usr/lib/libdoor.so.1
> >         libuutil.so.1 => /usr/lib/libuutil.so.1
> >         libssl_extra.so.0.9.7 => /usr/sfw/lib/libssl_extra.so.0.9.7
> >         libcrypto_extra.so.0.9.7 => /usr/sfw/lib/libcrypto_extra.so.0.9.7
> >         libm.so.2 => /usr/lib/libm.so.2
> 
> 
>       
>
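
The failure mode resolved in this thread, as an added example (not code from the thread or from OpenLDAP): a simplified model of how the pwdCheckQuality levels documented in slapo-ppolicy(5) treat a value that arrives already hashed by the client. The function names, the scheme-prefix heuristic, the sample values and the assumption that the policy uses level 2 are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

enum verdict { PW_ACCEPT, PW_REJECT_QUALITY, PW_REJECT_UNCHECKABLE };

/* Heuristic (assumption): a "{SCHEME}data" value was hashed by the client.
 * A real server matches the prefix against its known scheme names. */
static int is_prehashed(const char *v)
{
    const char *end = (v[0] == '{') ? strchr(v, '}') : NULL;
    return end != NULL && end > v + 1 && end[1] != '\0';
}

/* The character-class rules from the thread's module, written with strpbrk(). */
static int meets_classes(const char *pw)
{
    return strchr(pw, ' ') == NULL
        && strpbrk(pw, "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~") != NULL
        && strpbrk(pw, "1234567890") != NULL
        && strpbrk(pw, "ABCDEFGHIJKLMNOPQRSTUVWXYZ") != NULL;
}

/* pwdCheckQuality per slapo-ppolicy(5): 0 = no check, 1 = accept what cannot
 * be checked, 2 = refuse what cannot be checked. */
static enum verdict evaluate(const char *value, int pwdCheckQuality)
{
    if (pwdCheckQuality == 0)
        return PW_ACCEPT;
    if (is_prehashed(value))   /* cleartext is gone: the rules cannot be applied */
        return pwdCheckQuality == 2 ? PW_REJECT_UNCHECKABLE : PW_ACCEPT;
    return meets_classes(value) ? PW_ACCEPT : PW_REJECT_QUALITY;
}

int main(void)
{
    /* Constructed samples: a client-side MD5 value and two cleartext values. */
    const char *samples[] = { "{MD5}X03MO1qnZdYdgyfeuILPmQ==", "Tr0ub4dor&3", "password" };
    static const char *names[] = { "accept", "reject: quality", "reject: uncheckable" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        for (int q = 1; q <= 2; q++)
            printf("pwdCheckQuality=%d %-32s -> %s\n", q, samples[i],
                   names[evaluate(samples[i], q)]);
    return 0;
}
```

The hashed sample would satisfy every character-class rule on its own, which is why a value that arrives hashed cannot be meaningfully checked and level 2 refuses it before any module rule applies. The password modify extended operation sends the new password in cleartext for the server to check and hash, so the connection carrying it should be protected with TLS.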