Hello,
First let me thank the gracious folks on this list who have lent their
advice to me on my path towards implementing ppolicy. I'm making
progress; I can reject new passwords based on password history, and
reject weak passwords. However, I'm having a bit of a time trying to
get the lockouts to work. My policy is defined as:
dn: cn=Password Policy,ou=Policies,dc=example,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: Password Policy
pwdAttribute: userPassword
pwdMaxAge: 3888000
pwdMinLength: 6
pwdExpireWarning: 432000
pwdFailureCountInterval: 0
pwdMustChange: FALSE
pwdAllowUserChange: TRUE
pwdSafeModify: TRUE
pwdLockout: TRUE
pwdCheckQuality: 1
pwdGraceAuthNLimit: 0
pwdInHistory: 6
pwdLockoutDuration: 60
pwdMaxFailure: 3
However, even after many failed attempts, I see no pwdFailureTime attributes
in the offending user's entry:
dn: uid=testuser,ou=Users,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
cn: testuser
sn: testuser
givenName: testuser
uid: testuser
uidNumber: 1009
gidNumber: 513
homeDirectory: /home/testuser
loginShell: /bin/bash
gecos: System User
structuralObjectClass: inetOrgPerson
entryUUID: 42d5971e-7b49-102c-8aae-af676a6dbed9
creatorsName: cn=admin,dc=example,dc=com
createTimestamp: 20080229193543Z
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
displayName: System User
sambaSID: S-1-5-21-1484159386-3942804292-94657008-3018
sambaPrimaryGroupSID: S-1-5-21-1484159386-3942804292-94657008-513
sambaLogonScript: logon.bat
sambaProfilePath: \\masterldap.example.com\profiles\testuser
sambaHomePath: \\masterldap.example.com\testuser
sambaHomeDrive: H:
pwdHistory: 20080313194326Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}C2DOwhgHFTcXmGxRdqlpBUz12eZpRXI4
pwdHistory: 20080313194602Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}AboL9Sp7678X2KsPv8sMPE5CC2i6c6LY
pwdHistory: 20080313194626Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}7hUqCecYGvdg5bx1ybw71YQcZShicmFk
pwdHistory: 20080313194852Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}E920Fe1PlYVBwjn+rpiOFO8UaiRzZnB6
pwdHistory: 20080313200637Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}hFfD2xFwG/Ts5PVg3CAIf4i6rkpaZnNM
pwdHistory: 20080313200941Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}/GpzR2wV7dyXITeU+5nBpFyTKdgxQzk4
sambaLMPassword: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
sambaAcctFlags: [U]
sambaNTPassword: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
sambaPwdLastSet: 1205438797
sambaPwdMustChange: 1209326797
userPassword:: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
pwdChangedTime: 20080313200941Z
entryCSN: 20080313200941Z#000000#00#000000
modifiersName: cn=admin,dc=example,dc=com
modifyTimestamp: 20080313200941Z
Is the shadowAccount attribute killing me? I'm not really sure. Just for
completeness, the slapd.conf (abridged) looks like:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
include /etc/openldap/schema/ppolicy.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
modulepath /usr/lib/openldap
database bdb
suffix "dc=example,dc=com"
directory /var/lib/ldap
rootdn "cn=admin,dc=example,dc=com"
rootpw {SSHA}tFEA391Y3ZLHXkQDDk6f0t1ZkJEuMwIj
overlay ppolicy
ppolicy_default "cn=Password Policy,ou=Policies,dc=example,dc=com"
ppolicy_use_lockout
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,shadowLastChange,shadowMax,sambaPwdLastSet,sambaPwdMustChange
        by self write
        by * auth
access to *
        by * read
moduleload smbk5pwd.la
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
loglevel -1
sasl-secprops none
As always, thank you for your help.
Best Regards,
Ryan
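As an added example (not part of Ryan's message or of OpenLDAP's own code), the following standard-library Python script applies the ppolicy lockout arithmetic offline to an entry's operational attributes, using the policy values quoted above (pwdMaxFailure 3, pwdFailureCountInterval 0, pwdLockoutDuration 60). The attributes it reads, pwdFailureTime and pwdAccountLockedTime, are operational, so a search returns them only when they are requested (with `+` or by name), and slapd records them only for failed LDAP binds that the ppolicy overlay itself handles. The LDIF entry inside the script is constructed for the example, and the administrative-lock sentinel value 000001010000Z is taken from the slapo-ppolicy documentation.

```python
# Added example (not from the post or OpenLDAP): evaluate ppolicy lockout state
# offline. Standard library only; the sample entry at the bottom is constructed.
from datetime import datetime, timedelta, timezone
# Policy values from the post: 3 strikes, failures never expire, 60 s lockout.
POLICY = {"pwdMaxFailure": 3, "pwdFailureCountInterval": 0, "pwdLockoutDuration": 60}

def parse_gentime(value: str) -> datetime:
    """Parse an LDAP GeneralizedTime such as 20080313200941Z (UTC only)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_ldif_entry(text: str) -> dict:
    """Minimal LDIF reader: unfolds leading-space continuation lines, keeps
    multi-valued attributes as lists, leaves base64 ('::') values undecoded."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, val = line.partition(":")
        entry.setdefault(attr, []).append(val.lstrip(": "))
    return entry

def lockout_state(entry: dict, policy: dict, now: datetime) -> dict:
    """Apply the ppolicy lockout rules to one entry as of `now`."""
    interval = policy["pwdFailureCountInterval"]
    failures = [parse_gentime(v) for v in entry.get("pwdFailureTime", [])]
    if interval > 0:  # 0 means failures are cleared only by a successful bind
        failures = [f for f in failures if now - f <= timedelta(seconds=interval)]
    locked = False
    for value in entry.get("pwdAccountLockedTime", []):
        if value == "000001010000Z":  # OpenLDAP's sentinel for an administrative lock
            locked = True
        else:  # pwdLockoutDuration 0 means locked until the password is reset
            duration = policy["pwdLockoutDuration"]
            locked = duration == 0 or now < parse_gentime(value) + timedelta(seconds=duration)
    return {"failures": len(failures),
            "should_lock": len(failures) >= policy["pwdMaxFailure"],
            "locked": locked}

# Constructed sample: the post's test user after three failed simple binds.
SAMPLE = """dn: uid=testuser,ou=Users,dc=example,dc=com
pwdFailureTime: 20080314100001Z
pwdFailureTime: 20080314100005Z
pwdFailureTime: 20080314100009Z
pwdAccountLockedTime: 20080314100009Z
"""
```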