ppolicy configuration
- To: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
- Subject: ppolicy configuration
- From: Igor Shmukler <igor.shmukler@gmail.com>
- Date: Mon, 9 Mar 2015 13:10:54 +0200
Hello,
I am trying to apply per domain password policy. [At some point, it
seems, these scripts worked for me, but I must have messed something
up either in the setup or the scripts.]
I managed to load ppolicy.la and from lsof(8), I can see it.
Now, I want to be able to turn password policy on for each domain.
I have a simple script invoked as: $sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f ppolicy.ldif
The ppolicy.ldif is:
dn: olcOverlay=ppolicy,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=ppolicy,ou=policies,dc=example,dc=com
olcPPolicyUseLockout: TRUE
olcPPolicyHashCleartext: TRUE
When I try to add the online configuration, I get:
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "olcOverlay=ppolicy,olcDatabase={2}hdb,cn=config"
ldap_add: Other (e.g., implementation specific) error (80)
additional info: User Schema load failed for attribute "pwdAttribute".
Error code 17: attribute type undefined
I also have an LDIF for default policy, added as: $ldapadd -x -D cn=admin,dc=example,dc=com -W -f default_ppolicy.ldif
It contains:
dn: ou=policies,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: policies

dn: cn=ppolicy,ou=policies,dc=example,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicyChecker
objectClass: pwdPolicy
cn: ppolicy
pwdAttribute: userPassword
pwdInHistory: 8
pwdMinLength: 8
pwdMaxFailure: 3
pwdFailureCountInterval: 1800
pwdCheckQuality: 0
pwdMustChange: TRUE
pwdGraceAuthNLimit: 0
pwdMaxAge: 7776000
pwdExpireWarning: 1209600
pwdLockoutDuration: 900
pwdLockout: TRUE
When I try to add default_ppolicy.ldif, I get:
adding new entry "ou=policies,dc=example,dc=com"
adding new entry "cn=ppolicy,ou=policies,dc=example,dc=com"
ldap_add: Invalid syntax (21)
additional info: objectClass: value #2 invalid per syntax
It seems that OU=policies is created, but CN=ppolicy is not created.
Is that right? I have four (4) values for objectClass. How can I find
out which one is triggering the error?
Any suggestions where I should start looking?!
Thank you,
Igor Shmukler
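An added example (mine, not part of the post) that answers the "which objectClass value is it?" question offline: a small Python checker parses the posted default_ppolicy.ldif and compares each entry's objectClass values and attribute names against the classes and attributes the server is assumed to know, reporting undefined values with the same zero-based "value #N" index slapd prints in "value #N invalid per syntax". The two schema sets are constructed stand-ins for what "ldapsearch -b cn=Subschema -s base objectClasses attributeTypes" returns; pwdPolicy, pwdPolicyChecker and the pwd* attributes (including the pwdAttribute named in the first error) are all defined by ppolicy.schema, so the sets model a server with and without that schema loaded under cn=schema,cn=config.

```python
# Stand-ins for the server's subschema: core elements a slapd always knows, and
# the classes/attributes that ppolicy.schema adds under cn=schema,cn=config.
CORE_CLASSES = {"top", "device", "organizationalUnit"}
CORE_ATTRS = {"objectClass", "ou", "cn", "userPassword"}
PPOLICY_CLASSES = {"pwdPolicy", "pwdPolicyChecker"}
PPOLICY_ATTRS = {"pwdAttribute", "pwdMinLength", "pwdLockout", "pwdMaxFailure"}
# default_ppolicy.ldif from the post (shortened), with the blank line LDIF requires between entries.
SAMPLE_LDIF = """\
dn: ou=policies,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: policies

dn: cn=ppolicy,ou=policies,dc=example,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicyChecker
objectClass: pwdPolicy
cn: ppolicy
pwdAttribute: userPassword
"""
def parse_ldif(text):
    """LDIF text -> list of entries, each a list of (attribute, value) pairs."""
    entries, current = [], []
    for line in text.splitlines() + [""]:
        if line.startswith(" ") and current:          # folded continuation line
            attr, val = current[-1]
            current[-1] = (attr, val + line[1:])
        elif not line.strip():                          # blank line ends an entry
            if current:
                entries.append(current)
                current = []
        elif not line.startswith("#"):                  # "attr: value" (base64 "::" kept raw)
            attr, _, val = line.partition(":")
            current.append((attr.strip(), val.lstrip(": ").rstrip()))
    return entries

def check_ldif(text, known_classes, known_attrs):
    """Map each DN to the schema problems slapd would reject the entry for.
    'value #N' uses slapd's zero-based index from 'value #N invalid per syntax'."""
    classes = {c.lower() for c in known_classes}
    attrs = {a.lower() for a in known_attrs} | {"dn", "changetype"}  # LDIF keywords
    report = {}
    for entry in parse_ldif(text):
        dn = next(v for a, v in entry if a.lower() == "dn")
        ocs = [v for a, v in entry if a.lower() == "objectclass"]
        problems = [f"objectClass: value #{i} ({oc}) undefined"
                    for i, oc in enumerate(ocs) if oc.lower() not in classes]
        problems += [f"attribute type undefined: {a}" for a, _ in entry if a.lower() not in attrs]
        report[dn] = problems
    return report
```

Run against CORE_CLASSES/CORE_ATTRS alone the cn=ppolicy entry is flagged at objectClass value #2 (pwdPolicyChecker) and for the undefined pwdAttribute; with the PPOLICY_* sets added, both entries pass.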