
Re: ppolicy not verifying password length (not active !!)



Thanks Patrick. It helped me to a very great extent, but I am again getting stuck in pushing the password policy on OpenLDAP. I got stuck in 2.4.23 and upgraded to 2.4.39. But it is still an issue.

Test 1: Changing the password of a user without meeting the pwdMinLength attribute. But the test failed.
ldappasswd -x -W -D "cn=Manager,dc=example,dc=com" -H ldaps://xxx-xxx-xxx.example.com -s new -a Welcome123 "uid=tuser,ou=Users,dc=example,dc=com"
Enter LDAP Password:
[root@xxx-xxx-xxx openldap]# 

Policy is as follows:

# Policies, j.cinglevue.com
dn: ou=Policies,dc=j,dc=cinglevue,dc=com
ou: Policies
description: Directory policies.
objectClass: organizationalUnit

# Standard, Policies, j.cinglevue.com
dn: cn=Standard,ou=Policies,dc=j,dc=cinglevue,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: Standard
pwdAttribute: userPassword
pwdMaxAge: 2592000
pwdCheckQuality: 1
pwdMinLength: 8
pwdExpireWarning: 432000
pwdGraceAuthNLimit: 3
pwdLockout: TRUE
pwdLockoutDuration: 1800
pwdMaxFailure: 3
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: TRUE

Not able to find ppolicy.la on my system, but copied the same from the previous version. Hope that is not affecting it.

 
Regards
sam


On Friday, 7 March 2014 12:48 AM, Patrick Laimbock <patrick@laimbock.com> wrote:
On 06-03-14 05:06, saurabh ohri wrote:
[snip]
>
> really shocked to see that there is no proper document for the

Documentation like the Admin Guide, the man pages and the FAQ are all
easily available on openldap.org:

http://www.openldap.org/doc/
http://www.openldap.org/software/man.cgi
http://www.openldap.org/faq/data/cache/1.html


> installation and configuration. 2.4.39 has to be configured from source
> and not rpm, so facing a hell of a lot of issues.


Installation instructions are in the OpenLDAP source INSTALL file:
http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=blob;f=INSTALL;h=737fee6cd73ff7934981be38b445ca7e427f5ddd;hb=refs/heads/OPENLDAP_REL_ENG_2_4

If you need RPMs, did you Google or search the list archives where it's
mentioned many times?

The LTB Project maintains OpenLDAP RPM packages:
http://tools.ltb-project.org/news/46

And Symas provides OpenLDAP RPM packages and services for the
Enterprise: https://symas.com/products/symas-openldap-directory/

Cheers,
Patrick