Implementing PPolicy
- To: openldap-technical@openldap.org
- Subject: Implementing PPolicy
- From: Joshua Schaeffer <jschaeffer0922@gmail.com>
- Date: Sun, 19 Jan 2014 14:18:56 -0700
- User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20131103 Icedove/17.0.10
I'm trying to implement the password policy overlay in my OpenLDAP setup. I'm running a Debian 7 server and installed OpenLDAP with the package manager.
===================================================
root@baneling:~# dpkg -l | grep slapd
ii  slapd  2.4.31-1+nmu2  amd64  OpenLDAP server (slapd)
===================================================
I currently have my LDAP server set up for authentication and authorization. I'm using libnss-ldapd and libpam-ldapd on my other machines to search the LDAP directory and would like to implement the password policy provided by the overlay. I believe I've added the schema, loaded the dynamic module, and added the overlay to my database correctly; however, I'm not sure it's actually working. I've been mostly following this article and the OpenLDAP documentation:
http://www.zytrax.com/books/ldap/ch6/ppolicy.html
http://www.openldap.org/doc/admin24/overlays.html#Password Policies
Here is my slapd.d config (shortened for brevity):
===================================================
root@baneling:~# slapcat -b cn=config
[...]
dn: cn=module{1},cn=config
objectClass: olcModuleList
cn: module{1}
structuralObjectClass: olcModuleList
entryUUID: ad917d22-1583-1033-9e53-473d795f568b
creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
createTimestamp: 20140119183138Z
olcModuleLoad: {0}ppolicy.so
olcModulePath: /usr/lib/ldap
entryCSN: 20140119183433.154615Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20140119183433Z
[...]
dn: cn={4}ppolicy,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {4}ppolicy
[...]
dn: olcOverlay={0}ppolicy,olcDatabase={1}hdb,cn=config
objectClass: olcPPolicyConfig
olcOverlay: {0}ppolicy
olcPPolicyDefault: cn=default,ou=Policies,dc=harmonywave,dc=com
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: TRUE
structuralObjectClass: olcPPolicyConfig
entryUUID: 3c8dc8ce-158d-1033-9e57-473d795f568b
creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
createTimestamp: 20140119194003Z
entryCSN: 20140119194003.774030Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20140119194003Z
===================================================
And my container for the default policy:
===================================================
root@baneling:~# ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b ou=Policies,dc=harmonywave,dc=com
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: ou=Policies,dc=harmonywave,dc=com
ou: Policies
objectClass: top
objectClass: organizationalUnit
dn: cn=default,ou=Policies,dc=harmonywave,dc=com
cn: default
objectClass: pwdPolicy
objectClass: person
objectClass: top
pwdAttribute: userPassword
pwdAllowUserChange: TRUE
pwdExpireWarning: 432000
pwdFailureCountInterval: 1800
pwdGraceAuthNLimit: 10
pwdInHistory: 10
pwdLockout: TRUE
pwdLockoutDuration: 1800
pwdMaxAge: 7776000
pwdMaxFailure: 6
pwdMinAge: 86400
pwdMinLength: 10
pwdMustChange: FALSE
pwdSafeModify: TRUE
sn: passwdpolicy
===================================================
However, I'm not sure the policy is actually being applied. I thought it might be because I originally created my user before adding the schema and overlay, so I deleted the user and recreated it. I'm able to log into a server using my uid; however, if I try to change my password I get the following:
===================================================
jschaeffer@defiler:~$ passwd
(current) LDAP Password:
New password:
Retype new password:
password change failed: Constraint violation
passwd: Authentication token manipulation error
passwd: password unchanged
===================================================
I've been entering my current password correctly when it asks, and I am using a complex new password. I also don't see any of the ppolicy attributes on my user (pwdChangeTime, pwdFailureTime, pwdGraceUseTime, etc.):
===================================================
root@baneling:~# ldapsearch -LLL -x -D cn=admin,dc=harmonywave,dc=com -W -H ldapi:/// -b uid=jschaeffer,ou=People,dc=harmonywave,dc=com
Enter LDAP Password:
dn: uid=jschaeffer,ou=People,dc=harmonywave,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
uid: jschaeffer
cn: Joshua Schaeffer
uidNumber: 3000
gidNumber: 3000
homeDirectory: /home/jschaeffer
loginShell: /bin/bash
gecos: Joshua Schaeffer
userPassword:: ....
===================================================
I've been searching around on the web for answers to the passwd issue, but I've not been able to find anything useful. Does anyone know how to verify that the ppolicy overlay is actually working?
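A way to answer the verification question in the post, as an added example that is not part of the original message or of OpenLDAP itself. The point it relies on: the overlay's per-entry state (pwdChangedTime, pwdPolicySubentry, pwdFailureTime, pwdAccountLockedTime, pwdGraceUseTime, pwdHistory, pwdReset) is stored in operational attributes, which a plain ldapsearch never returns; they have to be requested with `+` or by name. A second, independent check is to bind with the password-policy request control (`-e ppolicy` in the OpenLDAP client tools), which makes the server answer with a `ppolicy:` response line when the overlay is handling the bind, including the specific policy error behind a Constraint violation. The script assumes `ldapi:///` with SASL EXTERNAL as root and the DNs from the post; the LDIF sample embedded in it is constructed so the parsing part runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): check whether slapo-ppolicy is actually
# acting on a user entry. Its state attributes (pwdChangedTime, pwdPolicySubentry,
# pwdFailureTime, pwdAccountLockedTime, pwdGraceUseTime, pwdHistory, pwdReset) are
# operational, so a default ldapsearch omits them; ask for them with '+'.
# Assumptions: ldapi:/// reachable as root via SASL EXTERNAL, base dc=harmonywave,dc=com.

# Unfold LDIF on stdin (continuation lines begin with one space) and print the
# ppolicy operational attributes it contains, one per line.
ppolicy_attrs() {
    awk '
        function check(line) {
            if (line ~ /^(pwdChangedTime|pwdPolicySubentry|pwdFailureTime|pwdAccountLockedTime|pwdGraceUseTime|pwdHistory|pwdReset):/)
                print line
        }
        /^ /  { buf = buf substr($0, 2); next }   # continuation: append without the space
              { if (buf != "") check(buf); buf = $0 }
        END   { if (buf != "") check(buf) }
    '
}

# Print "applied" if at least one ppolicy attribute is present in the LDIF on stdin,
# otherwise "not applied".
ppolicy_verdict() {
    n=$(ppolicy_attrs | awk 'END { print NR }')
    if [ "$n" -gt 0 ]; then echo "applied"; else echo "not applied"; fi
}

# Live check 1: read the entry with all operational attributes ('+') and look for
# ppolicy state. Not exercised by the offline run.
check_user() {
    ldapsearch -LLL -Q -Y EXTERNAL -H ldapi:/// -b "$1" -s base '(objectClass=*)' '+' \
        | ppolicy_verdict
}

# Live check 2: bind as the user with the password-policy request control. With the
# overlay active the tool prints a "ppolicy:" line (time to expiry, remaining grace
# binds, or the policy error); no such line means the overlay did not see the bind.
bind_with_ppolicy() {
    ldapwhoami -x -e ppolicy -H ldapi:/// -D "$1" -W
}

# Constructed sample of what the '+' search returns once the overlay has stamped the
# entry, with one folded LDIF value so the unfolding logic is exercised.
SAMPLE_LDIF='dn: uid=jschaeffer,ou=People,dc=harmonywave,dc=com
uid: jschaeffer
pwdPolicySubentry: cn=default,ou=Policies,dc=harmonywave,
 dc=com
pwdChangedTime: 20140119203010Z
userPassword:: e1NTSEF9Li4u'

if [ "${1:-}" = "--live" ]; then
    check_user "${2:?user DN, e.g. uid=jschaeffer,ou=People,dc=harmonywave,dc=com}"
else
    printf '%s\n' "$SAMPLE_LDIF" | ppolicy_verdict
fi
```

Run it with `--live <user DN>` on the server to query the real entry; without arguments it parses the embedded sample. If the live search shows no pwdPolicySubentry and no pwdChangedTime after a successful password set, the overlay is not touching that database; if it shows them, the overlay is active and the Constraint violation is its answer to a rule in the policy (for example pwdMinAge or pwdSafeModify), which `bind_with_ppolicy` or `ldappasswd -e ppolicy` will name in the response control.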