
Re: OLC ppolicy



Hi,

ppolicy is the right name; however, it is invoked twice in your olcModuleLoad param. Keep only one.

According to the reported configuration, only three password policy params are defined:

1/ olcPPolicyHashCleartext: TRUE
2/ olcPPolicyUseLockout: FALSE
3/ pwdMinLength: 12

What you should check to test:

1/ Password is hashed (SSHA by default) when it is provided as cleartext
2/ LDAP entry is never locked after several failed attempts to bind
3/ Password modification is rejected with an error message when the length of the new one is less than 12 characters.

That's what "empirically these commands do".

*Important*
Be careful, rootdn bypasses password policy.

Hope this helps.

Cheers.


On 20/08/2015 16:57, Jeremy Trammell - DLA wrote:
On 08/20/2015 07:50 AM, Dieter Klünter wrote:
On Wed, 19 Aug 2015 13:07:11 -0700, Jeremy Trammell - DLA <jtrammell@deeplearninganalytics.com> wrote:

Greetings,

I'm trying to set up a very simple LDAP server using OpenLDAP (via
OLC) and it seems hopeless.  The sticking point is ppolicy.  I have
followed several online guides
(http://www.ryanfrantz.com/posts/openldap-implementing-the-password-policy-overlay/,
https://www.oostergo.net/node/85, to name a few), all of which seem
to essentially detail the same procedure, and have met with no
success. Whilst following those instructions, I receive no error
messages.  All commands complete successfully and do not indicate
failures of any kind.  Looking at the cn=config and target DITs, all
data seems to have been imported as expected.  Despite that fact,
passwd follows a "mystery policy" which bears no resemblance to the
policy that I have specified, and ldappasswd follows "no policy at
all you can do whatever you want". Is there some way for me to
empirically determine what these commands are doing, and why my
policy does nothing?  Thanks in advance...

cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModuleLoad: {0}ppolicy.la
olcModuleLoad: {1}back_hdb
olcModuleLoad: {2}ppolicy
olcModulePath: /usr/lib/ldap
The module names are not correct.
Hint: check /usr/lib/ldap for correct module names.

-Dieter

Okay, so what is the correct module name?  It's listed as ppolicy in
/usr/lib/ldap:
lrwxrwxrwx   1 root root     20 May 25 10:09 ppolicy-2.4.so.2 -> ppolicy-2.4.so.2.8.3
-rw-r--r--   1 root root  39328 May 25 10:09 ppolicy-2.4.so.2.8.3
-rw-r--r--   1 root root    954 May 25 10:08 ppolicy.la
lrwxrwxrwx   1 root root     20 May 25 10:09 ppolicy.so -> ppolicy-2.4.so.2.8.3




--
*Abdelhamid Meddeb*
http://www.meddeb.net
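Two of the points in the reply above can be checked offline from ldapsearch output rather than by guessing: whether olcModuleLoad lists the same module twice, and whether a userPassword value is really stored as an {SSHA} hash (check 1 in the list) and still verifies against the cleartext that was set. The script below is an added example, not code from the thread or from OpenLDAP; the cn=module{0} entry is copied from the post, the user entries are constructed, and the {SSHA} layout assumed is the one OpenLDAP uses (base64 of a 20-byte SHA-1 digest of password+salt, followed by the salt).

```python
"""Offline checks for a duplicated olcModuleLoad and for hashed userPassword
values. Added example, not part of the thread; LDIF samples are constructed."""
import base64
import hashlib
import hmac
import os
import re

# The cn=module{0} entry exactly as posted in the thread (loads ppolicy twice).
MODULE_LDIF = """dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModuleLoad: {0}ppolicy.la
olcModuleLoad: {1}back_hdb
olcModuleLoad: {2}ppolicy
olcModulePath: /usr/lib/ldap
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}.

    Handles folded lines (leading space) and base64 values ("attr:: ...") the
    way ldapsearch prints them; enough for cn=config and user entries.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    attrs = {}
    for line in unfolded:
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        value = value.strip()
        if value.startswith(":"):  # "attr:: base64value"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        attrs.setdefault(name.strip(), []).append(value)
    return attrs


def duplicate_module_loads(attrs):
    """Module names listed more than once in olcModuleLoad, ignoring the {n}
    ordering prefix and a .la/.so suffix, so 'ppolicy.la' and 'ppolicy' collide."""
    counts = {}
    for value in attrs.get("olcModuleLoad", []):
        name = re.sub(r"^\{\d+\}", "", value)
        name = re.sub(r"\.(la|so)$", "", name)
        counts[name] = counts.get(name, 0) + 1
    return sorted(name for name, n in counts.items() if n > 1)


def ssha_hash(password, salt=None):
    """Build an OpenLDAP-style {SSHA} value: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored, password):
    """True if the cleartext password matches a stored {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes; salt follows
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def password_is_hashed(stored):
    """Check 1 from the reply: the stored value carries a hash scheme prefix
    rather than the cleartext the client sent."""
    return re.match(r"^\{(SSHA|SHA|SMD5|MD5|CRYPT)\}", stored) is not None


def audit_user_entry(text, known_cleartext):
    """Run both checks on one user entry: hashed at all, and the hash matches
    the password that was actually set."""
    attrs = parse_ldif_entry(text)
    stored = attrs.get("userPassword", [""])[0]
    return {"hashed": password_is_hashed(stored),
            "verifies": ssha_verify(stored, known_cleartext)}


# Constructed user entries: alice stored correctly, bob never hashed.
_GOOD_VALUE = ssha_hash("correct-horse-battery", salt=b"\x01\x02\x03\x04")
GOOD_USER_LDIF = ("dn: uid=alice,ou=people,dc=example,dc=com\n"
                  "objectClass: inetOrgPerson\n"
                  "uid: alice\n"
                  "userPassword:: "
                  + base64.b64encode(_GOOD_VALUE.encode()).decode() + "\n")
BAD_USER_LDIF = ("dn: uid=bob,ou=people,dc=example,dc=com\n"
                 "objectClass: inetOrgPerson\n"
                 "uid: bob\n"
                 "userPassword: correct-horse-battery\n")

if __name__ == "__main__":
    print("duplicated modules:", duplicate_module_loads(parse_ldif_entry(MODULE_LDIF)))
    print("alice:", audit_user_entry(GOOD_USER_LDIF, "correct-horse-battery"))
    print("bob:", audit_user_entry(BAD_USER_LDIF, "correct-horse-battery"))
```

To use it against a live server, feed the output of `ldapsearch -LLL -b cn=config '(cn=module{0})'` and of an `ldapsearch -LLL ... userPassword` on the test user into the two functions; a user entry that reports `hashed: False` after a cleartext ldappasswd means olcPPolicyHashCleartext is not taking effect, which is exactly the empirical check the reply asks for.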
