
Re: invalid syntax (21) error while importing password policy



Hi,

On Mon, 16 Sep 2013, Philip Bubel wrote:

Thanks.  I've checked and rechecked the /tmp/ppolicy.ldif for
stray/illegal characters, spaces, etc.  I can't find anything.  I deleted
and recreated the file, the line, everything I could think of.

just a wild guess. Try removing

	policy_default "cn=default,ou=policies,dc=XXXX,dc=test"

from your slapd.conf before you have inserted the policy.

Agree with you on upgrading, that's in the plan as well.

Yes, 2.4.23 is several years old currently. Once you start using advanced
features you are better off with the latest build.


Greetings
Christian



On 9/16/13 5:09 PM, "Christian Kratzer" <ck-lists@cksoft.de> wrote:

Hi,

On Mon, 16 Sep 2013, Philip Bubel wrote:

Running OpenLdap 2.4.23 on Centos 6.4 and we are having trouble
enabling password policies.  I've read a number of FAQs online, plus
spent hours searching for a solution to this problem; although a lot of
folks seem to have the same issue, I haven't been able to find a solution
that works for us.  I run into trouble running ldapadd to import the new
policy.  I end up with the invalid syntax error I've included below,
along with a copy of the .ldif file and my slapd.conf file.  I was able
to create the policies OU without issue; I also tried using the OID for
pwdAttribute instead of userPassword.

[root@asu10d schema]# ldapadd -D "cn=Manager,dc=XXXX,dc=test" -W -x -f /tmp/ppolicy.ldif
Enter LDAP Password:
adding new entry "cn=policy,ou=policies,dc=XXXX,dc=test"
ldap_add: Invalid syntax (21)
additional info: pwdAttribute: value #0 invalid per syntax

Please check your /tmp/ppolicy.ldif to make sure there are no illegal characters
in the line with pwdAttribute:

It looks like this is perhaps broken.

Please also consider updating to the latest openldap 2.4.36 via one of
the openly available rpms.

Greetings
Christian


Contents of policy.ldif
dn: cn=policy,ou=policies,dc=XXXX,dc=test
cn: default
objectClass: pwdPolicy
objectClass: person
objectClass: top
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdExpireWarning: 600
pwdFailureCountInterval: 30
pwdGraceAuthNLimit: 5
pwdInHistory: 5
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdMaxAge: 0
pwdMaxFailure: 5
pwdMinAge: 0
pwdMinLength: 5
pwdMustChange: FALSE
pwdSafeModify: FALSE
sn: dummy value

Contents of my slapd.conf

include         /etc/openldap/schema/corba.schema
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/duaconf.schema
include         /etc/openldap/schema/dyngroup.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/java.schema
include         /etc/openldap/schema/misc.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/openldap.schema
include         /etc/openldap/schema/ppolicy.schema
include         /etc/openldap/schema/collective.schema
include         /etc/openldap/schema/samba.schema
include         /etc/openldap/schema/pmi.schema

allow bind_v2

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

modulepath /usr/lib64/openldap

moduleload ppolicy.la

TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
TLSCertificateFile /etc/pki/tls/certs/slapd.pem
TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem

database config
access to *
       by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
       by dn.exact="cn=Manager,dc=XXXX,dc=test" read
       by * none

database        bdb
suffix          "dc=XXXXX,dc=test"
checkpoint      1024 15
rootdn          "cn=Manager,dc=XXXX,dc=test"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          hello (Temp password used for testing)

overlay ppolicy
policy_default "cn=default,ou=policies,dc=XXXX,dc=test"
policy_use_lockout

directory       /var/lib/ldap

# Indices to maintain for this database
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub



--
Christian Kratzer                      CK Software GmbH
Email:   ck@cksoft.de                  Wildberger Weg 24/2
Phone:   +49 7032 893 997 - 0          D-71126 Gaeufelden
Fax:     +49 7032 893 997 - 9          HRB 245288, Amtsgericht Stuttgart
Web:     http://www.cksoft.de/         Geschaeftsfuehrer: Christian Kratzer



--
Christian Kratzer                      CK Software GmbH
Email:   ck@cksoft.de                  Wildberger Weg 24/2
Phone:   +49 7032 893 997 - 0          D-71126 Gaeufelden
Fax:     +49 7032 893 997 - 9          HRB 245288, Amtsgericht Stuttgart
Web:     http://www.cksoft.de/         Geschaeftsfuehrer: Christian Kratzer
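Christian's advice in the thread is to check the LDIF for stray characters on the pwdAttribute line. As an added example that is not part of the thread, here is a small Python checker that flags non-ASCII, control and trailing-whitespace characters per line and verifies that a pwdAttribute value is an attribute descriptor or numeric OID per RFC 4512; the embedded sample LDIF is constructed for the demonstration.

```python
import re

# Constructed sample LDIF: the second entry hides a non-breaking space and a
# trailing tab after "userPassword", invisible in most editors but enough to
# make slapd reject the value with "invalid per syntax".
SAMPLE_LDIF = (
    "dn: cn=default,ou=policies,dc=example,dc=test\n"
    "objectClass: pwdPolicy\n"
    "pwdAttribute: userPassword\n"
    "\n"
    "dn: cn=broken,ou=policies,dc=example,dc=test\n"
    "objectClass: pwdPolicy\n"
    "pwdAttribute: userPassword\u00a0\t\n"
)

# RFC 4512 attribute description: a descriptor (userPassword) or a numeric
# OID (2.5.4.35), optionally followed by ";option" parts.
DESCR_OR_OID = re.compile(
    r"^(?:[A-Za-z][A-Za-z0-9-]*|[0-9]+(?:\.[0-9]+)*)(?:;[A-Za-z0-9-]+)*$"
)


def find_suspicious_chars(line):
    """Return (offset, description) for characters that do not belong in LDIF."""
    findings = []
    for i, ch in enumerate(line):
        if ch == "\t":
            what = "TAB"
        elif ch == "\r":
            what = "CR (DOS line ending)"
        elif ord(ch) < 0x20 or ord(ch) > 0x7E:
            what = "non-ASCII/control U+%04X" % ord(ch)
        else:
            continue
        findings.append((i, what))
    return findings


def check_ldif(text):
    """Return (line_no, message) pairs for lines likely to cause error 21."""
    problems = []
    for no, raw in enumerate(text.split("\n"), 1):  # split, not splitlines, so CR survives
        for off, what in find_suspicious_chars(raw):
            problems.append((no, "%s at column %d" % (what, off + 1)))
        if raw != raw.rstrip():
            problems.append((no, "trailing whitespace"))
        m = re.match(r"^pwdAttribute:\s*(.*)$", raw)
        if m and not DESCR_OR_OID.match(m.group(1)):
            problems.append((no, "pwdAttribute value %r is not a descriptor or OID" % m.group(1)))
    return problems


if __name__ == "__main__":
    for line_no, msg in check_ldif(SAMPLE_LDIF):
        print("line %d: %s" % (line_no, msg))
```

Run it against the real file with `check_ldif(open("/tmp/ppolicy.ldif").read())`; a clean file returns an empty list.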