Hi there,

I'm new to this list, so first of all welcome to everyone.

I have a problem with ppolicy and got stuck finding a solution. I configured slapd using the information from [1], trying to be able to lock users. But anyway, the lock seems to be ignored: as soon as one tries to log in, the pwdLockedTime argument is removed from the entry, and I seem to be too blind or dumb to see the reason why.

Here is what happens (testing my own account):

b079 /etc/openldap # grep -v "^#" ldif/locked_users.ldif
dn: uid=jan,ou=xxx,dc=yyy,dc=zzz,dc=org
changetype: modify
add: pwdAccountLockedTime
pwdAccountLockedTime: 20110119225403Z

b079 /etc/openldap # ldapmodify -x -D "cn=admin, dc=yyy, dc=zzz, dc=org" -W -f ldif/locked_users.ldif
Enter LDAP Password:
modifying entry "uid=jan,ou=xxx,dc=yyy,dc=zzz,dc=org"

b079 /etc/openldap # slapcat | grep -B 13 Locked | grep "uid: jan"
uid: jan

b079 /etc/openldap # ldapwhoami -x -D "uid=jan, ou=xxx, dc=yyy, dc=zzz, dc=org" -W
Enter LDAP Password:
dn:uid=jan,ou=xxx,dc=yyy,dc=zzz,dc=org

b079 /etc/openldap # slapcat | grep -B 13 Locked | grep "uid: jan"
b079 /etc/openldap #

And here is the relevant configuration:

b079 /etc/openldap # grep ppolicy slapd.conf
include /etc/openldap/schema/ppolicy.schema
moduleload ppolicy.so
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=yyy,dc=zzz,dc=org"
b079 /etc/openldap #

b079 /etc/openldap # ldapsearch -x -s base -b "cn=default, ou=policies, dc=yyy, dc=zzz, dc=org"
# extended LDIF
#
# LDAPv3
# base <cn=default, ou=policies, dc=yyy, dc=zzz, dc=org> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

# default, policies, yyy.zzz.org
dn: cn=default,ou=policies,dc=yyy,dc=zzz,dc=org
cn: default
sn: dummy value
objectClass: pwdPolicy
objectClass: person
objectClass: top
pwdAttribute: userPassword
pwdMinAge: 0
pwdMaxAge: 0
pwdInHistory: 0
pwdCheckQuality: 0
pwdLockout: TRUE
pwdLockoutDuration: 900
pwdFailureCountInterval: 1800
pwdMustChange: FALSE
pwdAllowUserChange: TRUE
pwdSafeModify: TRUE
pwdExpireWarning: 604800
pwdMaxFailure: 5
pwdGraceAuthNLimit: 0
pwdMinLength: 8

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
b079 /etc/openldap #

Thanks a lot in advance!

[1] http://www.openldap.org/lists/openldap-technical/200810/msg00107.html

--
MfG
Jan
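An added worked example (not part of the post above, and not OpenLDAP's own code) for anyone checking whether an administrative lock set via pwdAccountLockedTime is still in force under a policy like the one shown. The ppolicy draft defines pwdLockoutDuration as the number of seconds a locked password stays unusable, with 0 meaning "until an administrator resets it", and the special value 000001010000Z as a permanent lock; once the duration has elapsed, the lock no longer applies and the overlay may clear the stale attribute on the next bind. The script below applies exactly that arithmetic to attribute values taken from the post (pwdLockoutDuration 900, lock time 20110119225403Z); the dict layout, function names and the bind times it evaluates are constructed for the example.

```python
"""Evaluate a ppolicy pwdAccountLockedTime lock against pwdLockoutDuration.

Added example, not from the original post. Attribute values in POLICY and
ENTRY are copied from the post; everything else is constructed here.
"""
from datetime import datetime, timedelta, timezone

# Sentinel value the ppolicy draft defines for a permanent lock.
PERMANENT_LOCK = "000001010000Z"
GT_FORMAT = "%Y%m%d%H%M%SZ"  # LDAP GeneralizedTime, UTC, second precision


def parse_generalized_time(value: str) -> datetime:
    """Parse the YYYYMMDDHHMMSSZ form of GeneralizedTime as an aware UTC datetime."""
    return datetime.strptime(value, GT_FORMAT).replace(tzinfo=timezone.utc)


def lock_expiry(locked_time: str, lockout_duration: int):
    """Return the GeneralizedTime at which the lock lapses, or None when it
    never lapses on its own (permanent sentinel, or duration 0 = admin reset)."""
    if locked_time == PERMANENT_LOCK or lockout_duration == 0:
        return None
    expiry = parse_generalized_time(locked_time) + timedelta(seconds=lockout_duration)
    return expiry.strftime(GT_FORMAT)


def is_locked(entry: dict, policy: dict, now: str) -> bool:
    """True if the entry is locked at GeneralizedTime `now` under `policy`.

    `entry` and `policy` are plain attribute -> value dicts (single-valued
    attributes only), the shape slapcat or ldapsearch output reduces to.
    """
    locked_time = entry.get("pwdAccountLockedTime")
    if locked_time is None:
        return False  # no lock attribute at all
    duration = int(policy.get("pwdLockoutDuration", 0))
    expiry = lock_expiry(locked_time, duration)
    if expiry is None:
        return True  # permanent, or waiting on an administrator
    return parse_generalized_time(now) < parse_generalized_time(expiry)


# Constructed sample built from the attribute values shown in the post.
POLICY = {"pwdLockout": "TRUE", "pwdLockoutDuration": "900", "pwdMaxFailure": "5"}
ENTRY = {"uid": "jan", "pwdAccountLockedTime": "20110119225403Z"}


def lock_report(entry: dict = ENTRY, policy: dict = POLICY, now: str = None) -> str:
    """One-line operator summary: is the lock live, and when does it lapse?"""
    if now is None:
        now = datetime.now(timezone.utc).strftime(GT_FORMAT)
    expiry = lock_expiry(entry["pwdAccountLockedTime"], int(policy["pwdLockoutDuration"]))
    if expiry is None:
        return f"{entry['uid']}: locked until an administrator resets the password"
    state = "locked" if is_locked(entry, policy, now) else "lock expired"
    return f"{entry['uid']}: {state} (lapses at {expiry}, checked at {now})"


if __name__ == "__main__":
    print(lock_report())
```

With the post's values the lock lapses at 20110119230903Z, fifteen minutes after it was written; a bind attempted after that instant is evaluated as unlocked. Setting pwdAccountLockedTime to 000001010000Z, or running the check against a policy whose pwdLockoutDuration is 0, makes `is_locked` return True regardless of the clock.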