Re: Check password module/ppolicy problem on Solaris 10 (2.4.21 OL sources)
- To: openldap-technical@openldap.org
- Subject: Re: Check password module/ppolicy problem on Solaris 10 (2.4.21 OL sources)
- From: "Jose G. Torres" <jogeedaklown@yahoo.com>
- Date: Mon, 1 Mar 2010 10:05:42 -0800 (PST)
Hello,
Wow. I feel like an idiot. I solved my problem. My OpenSUSE clients were sending passwords as md5, which caused my openldap server to not be able to read the password information. I changed the clients to send the password as "exop" and that did the trick.
Jose
--- On Thu, 2/25/10, Jose G. Torres <jogeedaklown@yahoo.com> wrote:
> From: Jose G. Torres <jogeedaklown@yahoo.com>
> Subject: Re: Check password module/ppolicy problem on Solaris 10 (2.4.21 OL sources)
> To: openldap-technical@openldap.org
> Date: Thursday, February 25, 2010, 9:04 AM
> Hello again,
> Well I tried the following.
>
> Added the full path of the check_password.so in my slapd.conf under "moduleload".
> moduleload /opt/openldap/etc/openldap/modules/check_password.so
>
> Added the full path to my check_password.so module in my ldif
> pwdCheckModule: /opt/openldap/etc/openldap/modules/check_password.so
>
> Recompiled the sources again using the configure used to build the openSUSE package.
> CC=/usr/sfw/bin/gcc CPPFLAGS=-I/opt/openldap/include \
> LDFLAGS="-L/opt/openldap/lib -R/opt/openldap/lib" \
> ./configure --prefix=/opt/openldap --with-tls \
> --enable-spasswd --enable-crypt --with-gnu-ld \
> --enable-ppolicy --enable-modules --enable-dynamic \
> --enable-aci --enable-bdb --enable-hdb \
> --enable-rewrite --enable-ldap=yes --enable-meta=mod \
> --enable-monitor=yes --enable-slp --enable-overlays=yes \
>
> Still no luck. At least within my ldap logs I see the "Password fails quality checking policy" so at least it is hitting the ldap server for password checking. Any ideas????? Thanks!!!!
>
> Jose
>
> > I am trying to get my solaris 10 openldap 2.4.21 server to use my check_password.so module using the ppolicy overlay. When I try to change a user's password from a linux client, I get the following error message.
> >
> > passwd ldapuser
> > Changing password for ldapuser.
> > Enter login(LDAP) password:
> > New Password:
> > Reenter New Password:
> > LDAP password information update failed: Constraint violation
> > Password fails quality checking policy
> > passwd: Permission denied
> >
> > Within my logs, I do not see any error messages from my check_password.so module. I created the directory /opt/openldap/etc/openldap/modules and placed my module in that directory and I added the modulepath in my slapd.conf.
> >
> > Is there something I missed? Is this a PAM thing? I know this setup works on an OpenSUSE 11.2 openldap server. Help.
> >
> > I included part of my slapd.conf, openldap configure, check_password.c source, makefile and ldd of my check_password.so.
> >
> > Thanks!!!!
> >
> > Jose Torres
> >
> >
> > openldap configure
> > ******************
> >
> > CC=/usr/sfw/bin/gcc CPPFLAGS=-I/opt/openldap/include \
> > LDFLAGS="-L/opt/openldap/lib -R/opt/openldap/lib" \
> > ./configure --prefix=/opt/openldap --with-tls \
> > --enable-spasswd --enable-crypt --with-gnu-ld \
> > --enable-ppolicy --enable-modules --enable-dynamic
> >
> >
> > slapd.conf:
> > **********
> >
> > include /opt/openldap/etc/openldap/schema/ppolicy.schema
> >
> > # Add password policies.
> > modulepath /opt/openldap/etc/openldap/modules
> > overlay ppolicy
> > ppolicy_default "cn=default,ou=policies,dc=caci,dc=ymp,dc=com"
> > ppolicy_use_lockout
> >
> > I tried ppolicy_clear_txt I still have the same problem.
> >
> > check_password.c:
> > ****************
> >
> > #include <stdio.h>
> > #include <stdlib.h>
> > #include <string.h>
> > #include <ctype.h>
> > #include "portable.h"
> > #include "slap.h"
> >
> > int init_module()
> > {
> >     return 0;
> > }
> >
> > int check_password(char *pPasswd, char **ppErrStr, Entry *pEntry)
> > {
> >     char error = 0;
> >     char retmsg[255];
> >     char *message;
> >     const char special[] = "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~";
> >     const char number[] = "1234567890";
> >     const char CAPS[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
> >
> >     /* Reject passwords that contain a space. */
> >     if (strstr(pPasswd, " ") != NULL)
> >     {
> >         error = 1;
> >         strcpy(retmsg, "******** CHECKPW: Password contains SPACES! ********");
> >     }
> >
> >     /* strpbrk() returns NULL when no character of the set occurs. */
> >     if (strpbrk(pPasswd, special) == NULL)
> >     {
> >         error = 1;
> >         strcpy(retmsg, "******** CHECKPW: Password does not contain any special characters! ********");
> >     }
> >
> >     /* Require at least one digit. */
> >     if (strpbrk(pPasswd, number) == NULL)
> >     {
> >         error = 1;
> >         strcpy(retmsg, "******** CHECKPW: Password does not contain any numbers! ********");
> >     }
> >
> >     /* Require at least one capital letter. */
> >     if (strpbrk(pPasswd, CAPS) == NULL)
> >     {
> >         error = 1;
> >         strcpy(retmsg, "******** CHECKPW: Password does not contain any CAPITAL LETTERS! ********");
> >     }
> >
> >     if (error)
> >     {
> >         /* Allocate a heap copy of the message for the caller. */
> >         message = (char *)malloc(sizeof(char) * (strlen(retmsg) + 1));
> >         /* Copy the contents of the string. */
> >         if (message != NULL)
> >             strcpy(message, retmsg);
> >         *ppErrStr = message;
> >     }
> >     return error;
> > }
> >
> > Makefile:
> > *********
> >
> > check_password.so: check_password.o
> > 	gcc -L/opt/openldap/lib -lldap -shared -o check_password.so check_password.o
> > check_password.o: check_password.c
> > 	gcc -fpic -I../../include -I. -c check_password.c
> > clean:
> > 	rm check_password.so check_password.o
> >
> >
> > It seems to find the right libraries.
> >
> > $ ldd modules/check_password.so
> >     libldap-2.4.so.2 => /opt/openldap/lib/libldap-2.4.so.2
> >     libgcc_s.so.1 => /usr/sfw/lib/libgcc_s.so.1
> >     liblber-2.4.so.2 => /opt/openldap/lib/liblber-2.4.so.2
> >     libresolv.so.2 => /usr/lib/libresolv.so.2
> >     libgen.so.1 => /usr/lib/libgen.so.1
> >     libnsl.so.1 => /usr/lib/libnsl.so.1
> >     libsocket.so.1 => /usr/lib/libsocket.so.1
> >     libsasl.so.1 => /usr/lib/libsasl.so.1
> >     libssl.so.0.9.7 => /usr/sfw/lib/libssl.so.0.9.7
> >     libcrypto.so.0.9.7 => /usr/sfw/lib/libcrypto.so.0.9.7
> >     libc.so.1 => /usr/lib/libc.so.1
> >     libmp.so.2 => /usr/lib/libmp.so.2
> >     libmd.so.1 => /usr/lib/libmd.so.1
> >     libscf.so.1 => /usr/lib/libscf.so.1
> >     libdoor.so.1 => /usr/lib/libdoor.so.1
> >     libuutil.so.1 => /usr/lib/libuutil.so.1
> >     libssl_extra.so.0.9.7 => /usr/sfw/lib/libssl_extra.so.0.9.7
> >     libcrypto_extra.so.0.9.7 => /usr/sfw/lib/libcrypto_extra.so.0.9.7
> >     libm.so.2 => /usr/lib/libm.so.2
>
>
>
>
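
The failure resolved at the top of this thread, as an added example that is not part of the original messages and not OpenLDAP code: when the client hashes the password before sending it, the server receives a scheme-tagged digest and cannot apply the module's character rules to the real password. The `verdict` names, the `judge` function and its `strict` flag are assumptions made for the illustration, and the sample values are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum verdict { PW_OK, PW_WEAK, PW_UNCHECKABLE }; /* hypothetical names */

/* Case-insensitive prefix match; prefix must be upper case. */
static int has_prefix_ci(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (toupper((unsigned char)*s) != *prefix)
            return 0;
    return 1;
}

/* A value that starts with a storage-scheme tag was hashed by the client. */
static int is_prehashed(const char *v)
{
    static const char *const tags[] = { "{MD5}", "{SMD5}", "{SHA}", "{SSHA}", "{CRYPT}" };
    for (size_t i = 0; i < sizeof tags / sizeof tags[0]; i++)
        if (has_prefix_ci(v, tags[i]))
            return 1;
    return 0;
}

/* The thread's rules: no spaces, one special, one digit, one capital. */
static int meets_classes(const char *pw)
{
    return strchr(pw, ' ') == NULL
        && strpbrk(pw, "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~") != NULL
        && strpbrk(pw, "1234567890") != NULL
        && strpbrk(pw, "ABCDEFGHIJKLMNOPQRSTUVWXYZ") != NULL;
}

/* strict != 0: refuse values that cannot be inspected (assumed policy). */
static enum verdict judge(const char *value, int strict)
{
    if (is_prehashed(value))
        return strict ? PW_UNCHECKABLE : PW_OK;
    return meets_classes(value) ? PW_OK : PW_WEAK;
}

int main(void)
{
    /* Constructed sample values, not taken from the thread. */
    const char *s[] = { "Str0ng!pass", "weakpass", "{MD5}X03MO1qnZdYdgyfeuILPmQ==" };
    for (size_t i = 0; i < 3; i++)
        printf("%-32s -> %d\n", s[i], judge(s[i], 1));
    return 0;
}
```

The digest string on its own satisfies all four character rules, so a module that inspected it would be grading the encoding rather than the user's password; sending the change as a password-modify extended operation gives the server the cleartext to check.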