Re: Allow users to change ldap password with passwd

["Real, Elizabeth (392K)" <Elizabeth.Real@jpl.nasa.gov>]

Michael,

Thank you for your reply.

I made several attempts to configure slapo-policy but I’m not able to get it to work.

I gathered online documentation and did the following on my openldap 2.4.39 RHEL7 server to enable slapo-ppolicy:

• Loaded the ppolicy schema:

# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f ppolicy.ldif

SASL/EXTERNAL authentication started

SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

SASL SSF: 0

adding new entry "cn=ppolicy,cn=schema,cn=config” 

• Created ldif with the module and overlay: ppolicy1.ldif

dn: cn=module,cn=config

objectClass: olcModuleList

cn: module

olcModulepath: /usr/lib64/openldap

olcModuleload: ppolicy.la

dn: olcOverlay=ppolicy,olcDatabase={2}hdb,cn=config

objectClass: olcPPolicyConfig

olcPPolicyDefault: ou=policies,dc=cluster,dc=sec312

• Added the module and overlay:

# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f ppolicy1.ldif 

• Created the module ldif: /etc/openldap/slapd.d/cn=config/cn=module{0}.ldif
• Created the overlay ldif: /etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb/olcOverlay={0}ppolicy.ldif 

• Created a new ou called policies: ou=policies,dc=*****,dc=*****
• Created a password policy: passwordPolicy.ldif
• Loaded the password policy and I get this error:

# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f passwordPolicy.ldif

SASL/EXTERNAL authentication started

SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

SASL SSF: 0

adding new entry "ou=policies,dc=*****,dc=*****"

ldap_add: Object class violation (65)

additional info: attribute 'ou' not allowed

• Restarted slapd as well but I get the same error.

Any advice will be greatly appreciated.

Thank you,

Liz

From: Michael Ströder <michael@stroeder.com>
Date: Friday, September 18, 2015 at 9:27 AM
To: Elizabeth Real Chavez <Elizabeth.Real@jpl.nasa.gov>, "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Subject: Re: Allow users to change ldap password with passwd

Real, Elizabeth (392K) wrote:

This is my setup:

I set up this directive on the ldap clients (/etc/sssd/sssd.conf) to prevent

users with expired accounts to login: ldap_pwd_policy = shadow. This works as

expected.

Use OpenLDAP's slapo-ppolicy instead!

Using shadow account attributes is deprecated since years.

pam_unix(passwd:chauthtok): user “real” does not exist in the /etc/passwd

pam_sss(passwd:chauthtok): Password change failed for user real: 28

(Module is unknown)

Gkr-pam: couldn’t update the login keyring password: no old password was

Entered

This sounds more like PAM and sssd related. So you should sort this out first

- maybe by asking for specific issues on sssd-users mailing list.

In an attempt to allow users to change their ldap password, i edited my ACL on

the ldap server and added 'shadowLastChange':

[..]

olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by

Think twice! You should not do that because of security issues!

If you really insist on using shadow account attributes you have to use

slapo-smbk5pwd to let slapd set them internally when receiving a Password

Modify extended operation.

Ciao, Michael.