
Re: Problem with ppolicy



I did check in the bugtracker and found these 2 bugs:

http://www.openldap.org/its/index.cgi/Incoming?id=7262;expression=ppolicy;page=3;statetype=-1

http://www.openldap.org/its/index.cgi/Incoming?id=7788;expression=ppolicy;page=5;statetype=-1

It feels like those can be the cause of my problem. Is there a way to ping a developer to have a look at them? It looks like they are quite old and they have no responses.

/Mikael

On 2014-02-06 13:37, Mikael Nehlsen wrote:
Hello!

I have a problem with the ppolicy module. I have 2 ldaptrees
dc=example,dc=com and o=external and I want to have password policies
(lockout after 5 failed login attempts) and I can see that it works on
dc=example,dc=com but it does not work on o=external.

Both trees save failed login attempts, but only the first tree locks
people out; o=external just saves more and more failed attempts but
never locks out the user.

I have tried a lot of things and I can not figure out what the problem
is. I hope someone here can help me.

It is 2 replicated Ubuntu 10.04 servers with OpenLDAP
2.4.21-0ubuntu5.7 and the ppolicy configuration looks like this:

ppolmodule.ldif :

dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModuleLoad: ppolicy.la

ldapadd -x -D "cn=admin,cn=config" -w password -f ~/ppolmodule.ldif -h ldap1

ppol.ldif:

dn: ou=policies,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: policies

dn: cn=default,ou=policies,dc=example,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: 2.5.4.35
pwdLockout: TRUE
pwdLockoutDuration: 1800
pwdMaxFailure: 5
pwdMinLength: 6

ldapadd -x -D "cn=admin,dc=example,dc=com" -w password -f ~/ppol.ldif -h ldap1

ppol_external.ldif:

dn: ou=policies,o=external
objectClass: organizationalUnit
objectClass: top
ou: policies

dn: cn=default,ou=policies,o=external
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: 2.5.4.35
pwdLockout: TRUE
pwdLockoutDuration: 1800
pwdMaxFailure: 5
pwdMinLength: 6

ldapadd -x -D "cn=admin,dc=example,dc=com" -w password -f ~/ppol_external.ldif -h ldap1

ppoloverlay.ldif:

dn: olcOverlay=ppolicy,olcDatabase={1}bdb,cn=config
olcOverlay: ppolicy
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: FALSE
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=com

ppoloverlay_external.ldif:

dn: olcOverlay=ppolicy,olcDatabase={2}bdb,cn=config
olcOverlay: ppolicy
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: FALSE
olcPPolicyDefault: cn=default,ou=policies,o=external

ldapadd -x -D "cn=admin,cn=config" -w password -f ~/ppoloverlay.ldif -h ldap1

ldapadd -x -D "cn=admin,cn=config" -w password -f ~/ppoloverlay_external.ldif -h ldap1

I tried with only one default policy for both trees as well, it made
no difference.

/Mikael
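An offline consistency check for the configuration above, added here and not part of the thread: it parses the pwdPolicy and ppolicy overlay entries and reports any overlay whose olcPPolicyDefault DN is absent or points at a policy that cannot lock anyone out. The embedded LDIF is a constructed, trimmed copy of the entries in the mail.

```python
import re

# Constructed sample: the thread's policy and overlay entries, cut down to the attributes read below.
SAMPLE_LDIF = """\
dn: cn=default,ou=policies,dc=example,dc=com
objectClass: pwdPolicy
pwdLockout: TRUE
pwdMaxFailure: 5

dn: cn=default,ou=policies,o=external
objectClass: pwdPolicy
pwdLockout: TRUE
pwdMaxFailure: 5

dn: olcOverlay=ppolicy,olcDatabase={1}bdb,cn=config
objectClass: olcPPolicyConfig
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=com

dn: olcOverlay=ppolicy,olcDatabase={2}bdb,cn=config
objectClass: olcPPolicyConfig
olcPPolicyDefault: cn=default,ou=policies,o=external
"""


def parse_ldif(text):
    """Map each entry's DN to {attribute: [values]}; attribute names and DNs are case-insensitive, so lowercase them."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for name, _, value in (l.partition(":") for l in block.splitlines() if ":" in l):
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries[attrs.pop("dn")[0].lower()] = attrs
    return entries


def check_lockout(entries):
    """Return one finding per ppolicy overlay whose default policy is missing or cannot lock accounts; [] means clean."""
    findings = []
    for dn, attrs in entries.items():
        if "olcppolicyconfig" not in [v.lower() for v in attrs.get("objectclass", [])]:
            continue
        for pdn in attrs.get("olcppolicydefault", []):
            policy = entries.get(pdn.lower())
            if policy is None:
                findings.append(f"{dn}: default policy {pdn} does not exist")
            elif policy.get("pwdlockout", ["FALSE"])[0].upper() != "TRUE":
                findings.append(f"{pdn}: pwdLockout is not TRUE")
            elif int(policy.get("pwdmaxfailure", ["0"])[0]) < 1:
                findings.append(f"{pdn}: pwdMaxFailure is 0, so the failure counter never triggers lockout")
    return findings
```

Feed it the concatenated output of `slapcat -n 0` (cn=config) and of each data database to check a live server; note that olcPPolicyUseLockout only changes the error a locked-out client receives, not whether the account is locked.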