Re: missing ppolicy.la

Hi All,

Please help as password policy implementation policy not working. I tried changing the password of a user and new password was having only 5 characters and it should not allow to change it. I have defined min len as 8 characters.

ldappasswd -x -W -D "cn=Manager,dc=example,dc=com" -H ldaps://xxx.xxx.xxx.example.com -s new -a Welcome123 "uid=tuser,ou=Users,dc=example,dc=com"

Enter LDAP Password:

[root@xxx-xxx-xxx openldap

Please suggest.

Regards
Sam

On Monday, 10 March 2014 1:28 PM, saurabh ohri <sam_ohri@yahoo.co.in> wrote:

Hi All,

It seems it worked fine after deleting the pwdMinAge. Please suggest if i am doing anything wrong.

pwdMinAge: 86400(1 day)

Regards
Sam

On Monday, 10 March 2014 12:51 PM, saurabh ohri <sam_ohri@yahoo.co.in> wrote:

Hi All,

i am getting following error while loading the ppolicy.ldif file.

ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f ppolicy.ldif -H ldaps://xxx.xxx.xxx

Enter LDAP Password:

adding new entry "ou=Policies,dc=example,dc=com"

adding new entry "cn=Standard,ou=Policies,dc=example,dc=com"

ldap_add: Invalid syntax (21)

additional info: pwdMinAge: value #0 invalid per syntax

My ppolicy.ldif file looks like this:

dn: ou=Policies,dc=example,dc=com

ou: Policies

description: Directory policies.

objectclass: organizationalUnit

dn: cn=Standard,ou=Policies,dc=example,dc=com

objectclass: top

cn: Standard

pwdAttribute: 2.5.4.35

pwdMinAge: 86400

# 30 days: 60 sec * 60 min * 24 hr * 30 days

pwdMaxAge: 2592000

pwdCheckQuality: 1

pwdMinLength: 8

# Warn three days in advance

pwdExpireWarning: 432000

pwdGraceAuthNLimit: 3

pwdLockout: TRUE

pwdLockoutDuration: 1800

pwdMaxFailure: 3

pwdFailureCountInterval: 0

pwdMustChange: TRUE

pwdAllowUserChange: TRUE

pwdSafeModify: TRUE

objectclass: device

objectclass: pwdPolicy

I goggled above error and most of them pointed put that either ppolicy.la is not loaded properly or schema is not defined.

I tried location ppolicy.la in my system and was not able to find. I installed the openldap-ltb-2.4.39-2.el6.x86_64 version on RHEL6.5

Not sure if .la file was not included then why slapd.conf did not gave error when i loaded and restarted the ldap. Also is it possible that installation does not copy the .la file.

# Load dynamic backend modules:

modulepath /usr/local/openldap/libexec/openldap

moduleload back_bdb.la

moduleload ppolicy.la

# moduleload back_hdb.la

# moduleload back_ldap.la

Please help!!

Regards
Sam

On Friday, 7 March 2014 3:01 AM, Saurabh Ohri <sam_ohri@yahoo.co.in> wrote:

Thanks. I am also newbee in open ldap. As password policy did not worked in 2.4.23 I installed another instance of 2.4.39. But stuck with SSL in this version ð

Regards

Sam

Sent from my iPhone

On 6 Mar 2014, at 8:12 pm, Rodrigo Coutinho <Rodrigo.Coutinho@ifap.pt> wrote:

Hi,

in this struggle of implementing OpenLdap for the first time, without any knowledge whatsoever, I found this book:

http://tazlambert.files.wordpress.com/2008/05/packtpublishingmasteringopenldapaug20071847191029.pdf

In case of the password policy, I more or less followed it from page 320, onwards.

Hope that helps you.

De: Saurabh Ohri [mailto:sam_ohri@yahoo.co.in]
Enviada: quinta-feira, 6 de MarÃo de 2014 10:17
Para: Rodrigo Coutinho
Cc: <openldap-technical@openldap.org>
Assunto: Re: ppolicy not verifying password length (not active !!)

Could you please share the steps with commands. This probably will help me.

Regards

Sam

Sent from my iPhone

On 6 Mar 2014, at 4:40 pm, Rodrigo Coutinho <Rodrigo.Coutinho@ifap.pt> wrote:

Hi again,

I did create another user, gave it the proper permissions via ACL, and it worked, the policy was enforced when I tried to change another user's password.

Still in shock though, that the root user can mess up the other users data.

Regards

De: saurabh ohri [mailto:sam_ohri@yahoo.co.in]
Enviada: quinta-feira, 6 de MarÃo de 2014 04:06
Para: Michael StrÃder; openldap-technical@openldap.org; Rodrigo Coutinho
Assunto: Re: ppolicy not verifying password length (not active !!)

I Also stuck in this issue. My password policy was not working on openldap 2.4.23 so someone suggested me to upgrade as this is the older version. So i upgraded it to 2.4.39 but struggling to get SSL work for openssl.

really shock to see that there is no proper document for the installation and configuration. 2.4.39 have to be configured from source and not rpm so facing hell lot of issue.

Regards
Sam

On Wednesday, 5 March 2014 8:31 PM, Michael StrÃder <michael@stroeder.com> wrote:

On Wed, 5 Mar 2014 11:33:51 +0000 Rodrigo Coutinho <Rodrigo.Coutinho@ifap.pt>
wrote
> Ok, thank you for the information, but I must confess that I am a bit
> shocked, as that implies I can have a directory full of non compliant
> passwords.
>
> So, that begs the question: How do we prevent this ? What is the
> normal/standard way ?

Mantra to be repeated thousands of times:

Never use rootdn to bind.

> Should one create another user with administrative privileges and use it to
> change passwords when needed ?

Yes.

Ciao, Michael.

A transmissÃo de mensagens por e-mail nÃo Ã absolutamente segura ou livre de erros. A mensagem pode ser intercetada, alterada, perdida, destruÃda, chegar ao destinatÃrio com atraso, ou mesmo com vÃrus, nÃo obstante o IFAP utilizar software anti-vÃrus.
Esta mensagem, incluindo eventuais ficheiros anexos, pode conter informaÃÃo confidencial ou privilegiada e destina-se a uso exclusivo dos seus destinatÃrios. Se nÃo for o destinatÃrio pretendido, informamos que a recebeu por engano, pelo que, qualquer utilizaÃÃo, distribuiÃÃo, reencaminhamento ou outra forma de revelaÃÃo a terceiros, impressÃo ou cÃpia sÃo expressamente proibidos. Se recebeu esta mensagem por engano, por favor contacte imediatamente o remetente por e-mail, e apague de imediato a mensagem do seu sistema informÃtico.
O IFAP declina qualquer responsabilidade por erros ou omissÃes na presente mensagem e eventuais consequÃncias, que resultem das situaÃÃes referidas.