I'm trying implement the password policy overlay into my openldap
setup, I'm running a Debian 7 server and installed openldap with the
package manager.
===================================================
root@baneling:~# dpkg -l | grep slapd
ii slapd 2.4.31-1+nmu2 amd64
OpenLDAP server (slapd)
===================================================
I currently have my ldap server setup for authentication and
authorization, I'm using libnss-ldapd and libpam-ldapd on my other
machines to search the ldap directory and would like to implement the
password policy provided by the overlay. I believe I've added the
schema, loaded thedynamic module, and added the overlay to my
databasecorrectly, however I'm not sure it's actually working. I've
been mostly followingthis article and the openldap documentation:
http://www.zytrax.com/books/ldap/ch6/ppolicy.html
http://www.openldap.org/doc/admin24/overlays.html#Password Policies
<http://www.openldap.org/doc/admin24/overlays.html#Password%20Policies>
Here is my slapd.d config (shortened for brevity):
===================================================
root@baneling:~# slapcat -b cn=config
[...]
dn: cn=module{1},cn=config
objectClass: olcModuleList
cn: module{1}
structuralObjectClass: olcModuleList
entryUUID: ad917d22-1583-1033-9e53-473d795f568b
creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
createTimestamp: 20140119183138Z
olcModuleLoad: {0}ppolicy.so
olcModulePath: /usr/lib/ldap
entryCSN: 20140119183433.154615Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20140119183433Z
[...]
dn: cn={4}ppolicy,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {4}ppolicy
[...]
dn: olcOverlay={0}ppolicy,olcDatabase={1}hdb,cn=config
objectClass: olcPPolicyConfig
olcOverlay: {0}ppolicy
olcPPolicyDefault: cn=default,ou=Policies,dc=harmonywave,dc=com
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: TRUE
structuralObjectClass: olcPPolicyConfig
entryUUID: 3c8dc8ce-158d-1033-9e57-473d795f568b
creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
createTimestamp: 20140119194003Z
entryCSN: 20140119194003.774030Z#000000#00'+' . I read0#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20140119194003Z
===================================================
And my container for the default policy:
===================================================
root@baneling:~# ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b
ou=Policies,dc=harmonywave,dc=com
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: ou=Policies,dc=harmonywave,dc=com
ou: Policies
objectClass: top
objectClass: organizationalUnit
dn: cn=default,ou=Policies,dc=harmonywave,dc=com
cn: default
objectClass: pwdPolicy
objectClass: person
objectClass: top
pwdAttribute: userPassword
pwdAllowUserChange: TRUE
pwdExpireWarning: 432000
pwdFailureCountInterval: 1800
pwdGraceAuthNLimit: 10
pwdInHistory: 10
pwdLockout: TRUE
pwdLockoutDuration: 1800
pwdMaxAge: 7776000
pwdMaxFailure: 6
pwdMinAge: 86400
pwdMinLength: 10
pwdMustChange: FALSE
pwdSafeModify: TRUE
sn: passwdpolicy
===================================================
However, I'm not sure the policy is actually being applied. I thought
it might be because I originally created my user before adding the
schema and overlay, so I deleted the user and recreated it. I'm able
to log into a server using my uid, however if I try to change my
password I get the following:
===================================================
jschaeffer@defiler:~$ passwd
(current) LDAP Password:
New password:
Retype new password:
password change failed: Constraint violation
passwd: Authentication token manipulation error
passwd: password unchanged
===================================================
I've been entering mycurrent password correctly when it asks and I am
using a complex new password. I also don't see any of the ppolicy
attributes on my user (pwdChangeTime, pwdFailureTime,
pwdGraceUseTime, etc):
===================================================
root@baneling:~# ldapsearch -LLL -x -D cn=admin,dc=harmonywave,dc=com
-W -H ldapi:/// -b uid=jschaeffer,ou=People,dc=harmonywave,dc=com
Enter LDAP Password:
dn: uid=jschaeffer,ou=People,dc=harmonywave,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
uid: jschaeffer
cn: Joshua Schaeffer
uidNumber: 3000
gidNumber: 3000
homeDirectory: /home/jschaeffer
loginShell: /bin/bash
gecos: Joshua Schaeffer
userPassword:: ....
===================================================
I've been searching around for on the web for answers to the passwd
issue, but I've not been able to find anything useful. Does anyone
know how to verify that the ppolicy overlay is actually working?