replication breaks ppolicy
Good morning all
After quite a bit of work, I got replication working (thank you all).
So I forged ahead and deployed the server in our RHEL 5.5 environment. But
now I just realized that none of my ppolicy rules work. Also, the Redhat
clients are configured to use MD5 hash. When I look at the accounts in
webmin, it shows it being crypt????? I know openldap likes salted SHA, but
I thought I'd do what Redhat wanted, which was MD5.
Password history, aging etc... A search used to show me all of my ppolicy
objects.
ldapsearch -v -x -b 'dc=chin,dc=ca' cn=default
But now returns nothing. Users can reuse passwords, so no history or aging
is working. No locking. I had to change ACLs on the provider and consumer
to get the replication working. Would that cause the problem?
Here is my policy LDIF file I added to the server:
# policies, chin.com
dn: ou=policies,dc=chin,dc=ca
objectClass: organizationalUnit
objectClass: top
ou: policies

# default, policies, chin.com
dn: cn=default,ou=policies,dc=chin,dc=ca
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdInHistory: 6
pwdCheckQuality: 1
pwdMinLength: 8
pwdMaxFailure: 4
pwdLockout: TRUE
pwdLockoutDuration: 1920
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
pwdMaxAge: 10368000
pwdExpireWarning: 1209600
pwdMinAge: 86400
Provider:
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/redhat/autofs.schema
include /etc/openldap/schema/ppolicy.schema
### added for host_attr access, this scheme gives me a host object for wrappers
include /usr/share/doc/nss_ldap-253/ldapns.schema
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2 bind_anon_cred
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# note, enabling debugging info really slows the beast down
#loglevel 128
loglevel 256
#loglevel conns filter
logfile /var/log/slapd.log
# Load dynamic backend modules using this path!!!
modulepath /usr/lib/openldap
moduleload ppolicy.la
moduleload accesslog.la
# modules available in openldap-servers-sql RPM package:
# moduleload back_sql.la
#################################################################
schemacheck on
lastmod on
access to attrs=userPassword
by self write
by anonymous auth
by * none
########################################
### ACL for syncrepl.
########################################
#access to attrs=userPassword
# by self write
#by uid=replicator,ou=people,dc=chin,dc=ca read
# by anonymous auth
# by * none
access to attrs=userPassword,shadowLastChange
by dn="dc=admin,dc=chin,dc=ca" write
by anonymous auth
access to *
by dn="dc=admin,dc=chin,dc=ca" write
by * read
#access to attrs=shadowLastChange
# by self write
# by * read
access to *
by * read
#### WIDE OPEN - For testing only
##NOPE access to * by * write
access to *
by * read
# ------------------------------------------------------------------- #
# Access log database instance for replication
# ------------------------------------------------------------------- #
# Accesslog database definitions
database bdb
suffix cn=accesslog
directory /var/lib/db/accesslog
rootdn cn=accesslog
index default eq
index entryCSN,objectClass,reqEnd,reqResult,reqStart
overlay syncprov
syncprov-nopresent TRUE
syncprov-reloadhint TRUE
# ------------------------------------------------------------------- #
# Primary database instance
# ------------------------------------------------------------------- #
database bdb
suffix "dc=chin,dc=ca"
rootdn "cn=admin, dc=chin,dc=ca"
# rootpw
rootpw {SSHA}TCYoUVYYYXXXXXbQsitJ3V7zo+c887NC
directory /var/lib/ldap
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index entryCSN,entryUUID eq
# define the default policy
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=chin,dc=ca"
ppolicy_use_lockout
# syncrepl Provider for primary db
overlay syncprov
syncprov-checkpoint 1000 60
# accesslog overlay definitions for primary db
overlay accesslog
logdb cn=accesslog
logops writes
logsuccess TRUE
# scan the accesslog DB every day, and purge entries older than 7 days
logpurge 07+00:00 01+00:00
# Let the replica DN have limitless searches
limits dn.exact="uid=replicator,ou=People,dc=chin,dc=ca"
    time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
Consumer:
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/redhat/autofs.schema
include /etc/openldap/schema/ppolicy.schema
### added for host_attr access, this scheme gives me a host object for wrappers
include /usr/share/doc/nss_ldap-253/ldapns.schema
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2 bind_anon_cred
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
loglevel 256
logfile /var/log/slapd.log
modulepath /usr/lib/openldap
# ------------------------------------------------------------------- #
# Primary database instance
# ------------------------------------------------------------------- #
database bdb
suffix "dc=chin,dc=ca"
rootdn "cn=admin,dc=chin,dc=ca"
directory /var/lib/ldap
moduleload ppolicy.la
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=chin,dc=ca"
ppolicy_use_lockout
# ------------------------------------------------------------------- #
# Replica configuration instance
# ------------------------------------------------------------------- #
# syncrepl specific indices
index entryUUID eq uniqueMember
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index entryCSN eq
# syncrepl directives
syncrepl rid=0
provider=ldap://ldap
bindmethod=simple
binddn="uid=replicator,ou=people,dc=chin,dc=ca"
#binddn="cn=admin,dc=chin,dc=ca"
credentials=xxxxx
searchbase="dc=chin,dc=ca"
logbase="cn=accesslog"
logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
schemachecking=off
type=refreshAndPersist
retry="60 +"
syncdata=accesslog
# Refer updates to the master
updateref ldap://ldap
Any suggestions would be dandy and much appreciated. I'm new to LDAP, as
you can tell.
Thanks
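Because the question is whether the ACL changes could have broken ppolicy, here is a small checker, added here and not part of the original post, that simulates slapd's first-match ACL evaluation (including the implicit trailing `by * none` on every clause and the global `access to * by * read` default) over the simple `access to attrs=...` / `access to *` clauses in the provider config above, and flags clauses that can never be reached. The sample ACL text is a constructed excerpt of the provider's rules; `dn=` is compared as an exact DN and `self` is modelled by an `is_self` flag (both simplifying assumptions).

```python
# Constructed excerpt of the provider ACLs shown in the post.
ACL_SAMPLE = """\
access to attrs=userPassword
  by self write
  by anonymous auth
  by * none
access to attrs=userPassword,shadowLastChange
  by dn="dc=admin,dc=chin,dc=ca" write
  by anonymous auth
access to *
  by dn="dc=admin,dc=chin,dc=ca" write
  by * read
access to *
  by * read
"""

def parse_acls(conf):
    """Return [(attrs, bys)] in file order; attrs is None for 'access to *', bys is [(who, level)]."""
    acls, cur = [], None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("access to "):
            what = line[len("access to "):]
            attrs = None if what == "*" else frozenset(a.strip() for a in what[len("attrs="):].split(","))
            cur = (attrs, [])
            acls.append(cur)
        elif line.startswith("by ") and cur is not None:
            who, level = line[3:].rsplit(None, 1)
            cur[1].append((who, level))
    return acls

def _who_matches(who, subject, is_self):
    # subject: None for an anonymous bind, else the bind DN; dn= is compared exact, case/space-insensitive (assumption)
    if who.startswith("dn="):
        return subject is not None and who[3:].strip('"').replace(" ", "").lower() == subject.replace(" ", "").lower()
    return {"*": True, "anonymous": subject is None, "users": subject is not None, "self": is_self}.get(who, False)

def effective_access(acls, attr, subject, is_self=False):
    """Access level `subject` gets on `attr`, plus the index of the clause that decided it."""
    for i, (attrs, bys) in enumerate(acls):
        if attrs is not None and attr not in attrs:
            continue                      # this clause does not apply to attr
        for who, level in bys:
            if _who_matches(who, subject, is_self):
                return level, i
        return "none", i                  # slapd appends an implicit "by * none" to every clause
    return "read", None                   # no clause matched: slapd's global default is "access to * by * read"

def shadowed_clauses(acls):
    """Indices of clauses an earlier clause already fully covers, so they are never consulted."""
    return [j for j, (aj, _) in enumerate(acls)
            if any(ai is None or (aj is not None and aj <= ai) for ai, _ in acls[:j])]
```

Run against a consumer's ACL text as well: the replicator DN needs read on userPassword and the pwd* operational attributes on the provider for those to arrive at the consumer at all.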