
Re: Implementing PPolicy



On Sun, 19 Jan 2014 14:18:56 -0700,
Joshua Schaeffer <jschaeffer0922@gmail.com> wrote:

> I'm trying to implement the password policy overlay into my openldap
> setup, I'm running a Debian 7 server and installed openldap with the
> package manager.
> 
> ===================================================
> root@baneling:~# dpkg -l | grep slapd
> ii  slapd                            2.4.31-1+nmu2 amd64
> OpenLDAP server (slapd)
> ===================================================
> 
> I currently have my ldap server setup for authentication and 
> authorization, I'm using libnss-ldapd and libpam-ldapd on my other 
> machines to search the ldap directory and would like to implement the 
> password policy provided by the overlay.  I believe I've added the
> schema, loaded the dynamic module, and added the overlay to my
> database correctly, however I'm not sure it's actually working. I've
> been mostly following this article and the openldap documentation:
> 
> http://www.zytrax.com/books/ldap/ch6/ppolicy.html
> http://www.openldap.org/doc/admin24/overlays.html#Password%20Policies
> 
> Here is my slapd.d config (shortened for brevity):
> ===================================================
> root@baneling:~# slapcat -b cn=config
> [...]
> dn: cn=module{1},cn=config
> objectClass: olcModuleList
> cn: module{1}
> structuralObjectClass: olcModuleList
> entryUUID: ad917d22-1583-1033-9e53-473d795f568b
> creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> createTimestamp: 20140119183138Z
> olcModuleLoad: {0}ppolicy.so
> olcModulePath: /usr/lib/ldap
> entryCSN: 20140119183433.154615Z#000000#000#000000
> modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> modifyTimestamp: 20140119183433Z
> [...]
> dn: cn={4}ppolicy,cn=schema,cn=config
> objectClass: olcSchemaConfig
> cn: {4}ppolicy
> [...]
> dn: olcOverlay={0}ppolicy,olcDatabase={1}hdb,cn=config
> objectClass: olcPPolicyConfig
> olcOverlay: {0}ppolicy
> olcPPolicyDefault: cn=default,ou=Policies,dc=harmonywave,dc=com
> olcPPolicyHashCleartext: TRUE
> olcPPolicyUseLockout: TRUE
> structuralObjectClass: olcPPolicyConfig
> entryUUID: 3c8dc8ce-158d-1033-9e57-473d795f568b
> creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> createTimestamp: 20140119194003Z
> entryCSN: 20140119194003.774030Z#000000#000#000000
> modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> modifyTimestamp: 20140119194003Z
> ===================================================
> 
> And my container for the default policy:
> ===================================================
> root@baneling:~# ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b 
> ou=Policies,dc=harmonywave,dc=com
> SASL/EXTERNAL authentication started
> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> SASL SSF: 0
> dn: ou=Policies,dc=harmonywave,dc=com
> ou: Policies
> objectClass: top
> objectClass: organizationalUnit
> 
> dn: cn=default,ou=Policies,dc=harmonywave,dc=com
> cn: default
> objectClass: pwdPolicy
> objectClass: person
> objectClass: top
> pwdAttribute: userPassword
> pwdAllowUserChange: TRUE
> pwdExpireWarning: 432000
> pwdFailureCountInterval: 1800
> pwdGraceAuthNLimit: 10
> pwdInHistory: 10
> pwdLockout: TRUE
> pwdLockoutDuration: 1800
> pwdMaxAge: 7776000
> pwdMaxFailure: 6
> pwdMinAge: 86400
> pwdMinLength: 10
> pwdMustChange: FALSE
> pwdSafeModify: TRUE
> sn: passwdpolicy
> ===================================================
> 
> However, I'm not sure the policy is actually being applied. I thought
> it might be because I originally created my user before adding the
> schema and overlay, so I deleted the user and recreated it.  I'm able
> to log into a server using my uid, however if I try to change my
> password I get the following:
> 
> ===================================================
> jschaeffer@defiler:~$ passwd
> (current) LDAP Password:
> New password:
> Retype new password:
> password change failed: Constraint violation
> passwd: Authentication token manipulation error
> passwd: password unchanged
> ===================================================
> 
> I've been entering my current password correctly when it asks and I am
> using a complex new password.  I also don't see any of the ppolicy 
> attributes on my user (pwdChangeTime, pwdFailureTime,
> pwdGraceUseTime, etc):
> 
> ===================================================
> root@baneling:~# ldapsearch -LLL -x -D cn=admin,dc=harmonywave,dc=com
> -W -H ldapi:/// -b uid=jschaeffer,ou=People,dc=harmonywave,dc=com
> Enter LDAP Password:
> dn: uid=jschaeffer,ou=People,dc=harmonywave,dc=com
> objectClass: top
> objectClass: account
> objectClass: posixAccount
> uid: jschaeffer
> cn: Joshua Schaeffer
> uidNumber: 3000
> gidNumber: 3000
> homeDirectory: /home/jschaeffer
> loginShell: /bin/bash
> gecos: Joshua Schaeffer
> userPassword:: ....
> ===================================================
> 
> I've been searching around on the web for answers to the passwd
> issue, but I've not been able to find anything useful. Does anyone
> know how to verify that the ppolicy overlay is actually working?

rootdn must change user passwords, but this depends on access rules.
ppolicy attributes are operational, thus apply a '+' to the search
string, according to RFC-3673. You may obtain further information on
ppolicy by reading slapo-ppolicy(5).

-Dieter

-- 
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:DA147B05
53°37'09,95"N
10°08'02,42"E
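The point in the reply above is that ppolicy state lives in operational attributes, which a plain ldapsearch omits unless "+" is requested. The following is an added example, not code from either poster: a helper that builds the search with "*" and "+" against the thread's base DN, and a check that scans the resulting LDIF for the ppolicy operational attributes. The LDIF strings are constructed stand-ins for real server output so the check runs offline; the attribute values in them are made up.

```shell
#!/bin/sh
# Build the search command: "*" keeps the user attributes, "+" requests
# the operational ones (RFC 3673), which is where slapo-ppolicy records
# its state. Argument 1 is the entry DN to inspect.
ppolicy_search_cmd() {
    printf 'ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b %s "*" "+"\n' "$1"
}

# Scan an LDIF entry (argument 1) for ppolicy operational attributes.
# Prints each one found, one per line; returns 1 if none are present,
# which is the "overlay probably not applied to this entry" signal.
# Note the real attribute is pwdChangedTime, not pwdChangeTime.
ppolicy_attrs_present() {
    found=0
    for attr in pwdPolicySubentry pwdChangedTime pwdFailureTime \
                pwdGraceUseTime pwdAccountLockedTime pwdHistory pwdReset; do
        # "^attr:" also matches base64-encoded values written as "attr::"
        if printf '%s\n' "$1" | grep -q "^${attr}:"; then
            echo "$attr"
            found=1
        fi
    done
    [ "$found" -eq 1 ]
}

# Constructed sample: a user entry as returned with "+" after a password
# change under a working overlay (timestamp and subentry are made up).
SAMPLE_LDIF='dn: uid=jschaeffer,ou=People,dc=harmonywave,dc=com
uid: jschaeffer
userPassword:: e1NTSEF9Li4u
pwdChangedTime: 20140119200102Z
pwdPolicySubentry: cn=default,ou=Policies,dc=harmonywave,dc=com'

# Constructed sample: the same entry from a search without "+", which is
# what the original post shows and why no ppolicy attributes appeared.
PLAIN_LDIF='dn: uid=jschaeffer,ou=People,dc=harmonywave,dc=com
uid: jschaeffer
userPassword:: e1NTSEF9Li4u'
```

Run the printed command on the server (as root over ldapi:///, as in the thread) and feed its output to ppolicy_attrs_present; an empty result means the overlay is not touching that entry.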