ppolicy I need help
Hello experts,
I tried to enable ppolicy on a test openldap server.
As I read, I first created an OU "policies" with the default cn:
# LDIF Export for cn=default,ou=policies,dc=example,dc=com
# Server: My Slave LDAP Server (ldap://localhost)
# Search Scope: base
# Search Filter: (objectClass=*)
# Total Entries: 1
#
# Generated by phpLDAPadmin (http://phpldapadmin.sourceforge.net) on September 10, 2013 2:10 pm
# Version: 1.2.0.5
version: 1
# Entry 1: cn=default,ou=policies,dc=example,dc=com
dn: cn=default,ou=policies,dc=example,dc=com
cn: default
objectclass: top
objectclass: device
objectclass: pwdPolicy
objectclass: pwdPolicyChecker
pwdallowuserchange: TRUE
pwdattribute: userPassword
pwdcheckmodule: mmc-check-password.so
pwdcheckquality: 0
pwdexpirewarning: 600
pwdfailurecountinterval: 0
pwdgraceauthnlimit: 5
pwdinhistory: 5
pwdlockout: TRUE
pwdlockoutduration: 0
pwdmaxage: 90
pwdmaxfailure: 5
pwdminlength: 8
pwdmustchange: TRUE
pwdsafemodify: FALSE
and added it to my base.
I also added the ppolicy schema, the module load and the overlay:
include /etc/ldap/schema/ppolicy.schema
moduleload ppolicy.la
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=example,dc=com"
ppolicy_hash_cleartext
ppolicy_use_lockout
In /etc/ldap/ldap.conf I changed:
pam_lookup_policy yes
I restarted slapd and changed my own client to use my test OpenLDAP
server, and it seemed to be working.
But suddenly I was not able to use sudo, change my password or log in in
another session.
I checked the log of my server and found:
Sep 10 16:17:22 ldap-slave slapd[1672]: conn=1075 op=1 ENTRY dn="cn=jacques foucry,ou=people,dc=example,dc=com"
Sep 10 16:17:22 ldap-slave slapd[1672]: conn=1075 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Sep 10 16:17:22 ldap-slave slapd[1672]: conn=1075 op=2 BIND dn="cn=Jacques Foucry,ou=People,dc=example,dc=com" method=128
Sep 10 16:17:22 ldap-slave slapd[1672]: conn=1075 op=2 BIND dn="cn=Jacques Foucry,ou=People,dc=example,dc=com" mech=SIMPLE ssf=0
Sep 10 16:17:22 ldap-slave slapd[1672]: ppolicy_bind: Entry cn=Jacques Foucry,ou=People,dc=example,dc=com has an expired password: 0 grace logins
Sep 10 16:17:22 ldap-slave slapd[1672]: conn=1075 op=2 RESULT tag=97 err=49 text=
Sep 10 16:17:22 ldap-slave slapd[1672]: conn=1075 op=3 BIND anonymous mech=implicit ssf=0
Sep 10 16:17:22 ldap-slave slapd[1672]: conn=1075 op=3 BIND dn="" method=128
Sep 10 16:17:22 ldap-slave slapd[1672]: conn=1075 op=3 RESULT tag=97 err=0 text=
So I added some attributes to my user. First the OU pwdPolicy (with
userPassword as attribute), then pwdAllowUserChange, pwdGraceAuthNLimit
(set to 7), pwdLockout (false), pwdLockoutDuration (0),
pwdMustChange (true), pwdSafeModify (true).
I still have the same error.
So there is something I misunderstood.
Can someone explain what's wrong and how I can correct it?
Thanks in advance for your help,
Best regards,
Jacques Foucry
--
Jacques Foucry
*NOVASPARKS*
IT Manager
Tel : +33 (0)1 42 68 12 61
jacques.foucry@novasparks.com
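As an added worked example (not code from the post, from OpenLDAP, or from its list), the script below parses the posted policy entry, flags settings whose slapo-ppolicy(5) semantics differ from what the values suggest (every duration attribute is in seconds, so pwdMaxAge 90 expires passwords after a minute and a half, and pwdExpireWarning must be smaller than pwdMaxAge), and replays the bind-time expiry arithmetic against a constructed user entry. The user entry, its timestamps and the "fixed" policy values are assumptions; the policy values in POSTED_POLICY_LDIF are copied from the post.

```python
# Added example: sanity-check an OpenLDAP slapo-ppolicy policy entry and replay the
# bind-time expiry decision against a constructed user entry. Not code from the post.
from datetime import datetime, timezone

# Policy values copied from the post; comments and unrelated attributes are dropped.
POSTED_POLICY_LDIF = """\
dn: cn=default,ou=policies,dc=example,dc=com
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdMaxAge: 90
pwdExpireWarning: 600
pwdGraceAuthNLimit: 5
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdMaxFailure: 5
pwdMinLength: 8
"""

# Assumed corrected values: 90 days, a 7-day warning and a 15-minute automatic unlock, all in seconds.
FIXED_POLICY_LDIF = """\
dn: cn=default,ou=policies,dc=example,dc=com
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdMaxAge: 7776000
pwdExpireWarning: 604800
pwdGraceAuthNLimit: 5
pwdLockout: TRUE
pwdLockoutDuration: 900
pwdMaxFailure: 5
pwdMinLength: 8
"""

# Constructed user entry: password changed ten minutes before the BIND in the posted log,
# with two grace logins already consumed (operational attributes slapd normally maintains itself).
SAMPLE_USER_LDIF = """\
dn: cn=Jacques Foucry,ou=People,dc=example,dc=com
pwdChangedTime: 20130910160722Z
pwdGraceUseTime: 20130910161000Z
pwdGraceUseTime: 20130910161500Z
"""

def parse_ldif(text):
    """Minimal single-entry LDIF parser: lowercase attribute name -> list of values.
    Handles comments and folded lines; base64 values (::) are not needed here."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw.startswith(" ") and logical:   # folded continuation line
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entry = {}
    for line in logical:
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def first_int(entry, attr, default=0):
    return int(entry.get(attr, [str(default)])[0])

def parse_gentime(s):
    """LDAP GeneralizedTime as slapd writes it: YYYYMMDDHHMMSSZ."""
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def policy_warnings(policy):
    """Flag settings whose slapo-ppolicy(5) semantics commonly surprise people."""
    warnings = []
    max_age = first_int(policy, "pwdmaxage")
    warn = first_int(policy, "pwdexpirewarning")
    if 0 < max_age < 86400:
        warnings.append(f"pwdMaxAge is in seconds: {max_age} expires passwords after "
                        f"{max_age / 60:.1f} minutes; {max_age} days would be {max_age * 86400}")
    if max_age and warn >= max_age:
        warnings.append(f"pwdExpireWarning ({warn}) must be smaller than pwdMaxAge ({max_age})")
    if policy.get("pwdlockout", ["FALSE"])[0].upper() == "TRUE" and first_int(policy, "pwdlockoutduration") == 0:
        warnings.append("pwdLockoutDuration 0 with pwdLockout TRUE: locked accounts stay locked until an "
                        "administrator removes pwdAccountLockedTime")
    return warnings

def bind_status(policy, user, now):
    """Replay the expiry part of ppolicy's bind check: the password is expired once
    now - pwdChangedTime exceeds pwdMaxAge, and the bind still succeeds only while
    pwdGraceAuthNLimit minus the recorded pwdGraceUseTime values is positive.
    Simplification (assumed): an entry without pwdChangedTime is treated as never expiring."""
    max_age = first_int(policy, "pwdmaxage")
    changed = user.get("pwdchangedtime")
    if max_age == 0 or not changed:
        return {"expired": False, "grace_left": None, "bind_allowed": True}
    age = int((now - parse_gentime(changed[0])).total_seconds())
    expired = age > max_age
    grace_left = max(0, first_int(policy, "pwdgraceauthnlimit") - len(user.get("pwdgraceusetime", [])))
    return {"expired": expired, "age_seconds": age, "grace_left": grace_left,
            "bind_allowed": (not expired) or grace_left > 0}

if __name__ == "__main__":
    bind_time = parse_gentime("20130910161722Z")   # timestamp of the BIND in the posted log
    user = parse_ldif(SAMPLE_USER_LDIF)
    for name, ldif in (("posted", POSTED_POLICY_LDIF), ("fixed", FIXED_POLICY_LDIF)):
        policy = parse_ldif(ldif)
        print(name, bind_status(policy, user, bind_time))
        for w in policy_warnings(policy):
            print("  warning:", w)
```

Run against the posted values, the constructed user's password (changed ten minutes earlier) is already past the 90-second pwdMaxAge, and only the remaining grace logins keep the bind succeeding; with the assumed 90-day value it is not expired at all. Note that the posted log reports "0 grace logins", which this replay does not reproduce: ppolicy computes the grace count from the policy entry slapd actually applies to the user, so checking which policy is in effect (pwdPolicySubentry on the user, otherwise ppolicy_default) is a useful next step.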