Hi,

On Mon, 16 Sep 2013, Philip Bubel wrote:

Thanks.  I've checked and rechecked the /tmp/ppolicy.ldif for
stray/illegal characters, spaces, etc.  I can't find anything.  I deleted
and recreated the file, the line, everything I could think of.

just a wild guess. Try removing

        policy_default "cn=default,ou=policies,dc=XXXX,dc=test"

from your slapd.conf before you have inserted the policy.

Agree with you on upgrading, that's in the plan as well.

Yes, 2.4.23 is several years old by now. Once you start using advanced
features you are better off with the latest build.


Greetings
Christian



On 9/16/13 5:09 PM, "Christian Kratzer" <[email protected]> wrote:

Hi,

On Mon, 16 Sep 2013, Philip Bubel wrote:

Running OpenLdap 2.4.23 on Centos 6.4 and we are having trouble
enabling password policies.  I've read a number of FAQs online, plus
spent hours searching for a solution to this problem, although a lot of
folks seem to have the same issue I haven't been able to find a solution
that works for us.  I run into trouble running ldapadd to import the new
policy.  I end up with the invalid syntax error I've included below,
along with a copy of the .ldif file and my slapd.conf file.  I was able
to create the policies OU without issue, I also tried using the OID for
pwdAttribute instead of userPassword.

[root@asu10d schema]# ldapadd -D "cn=Manager,dc=XXXX,dc=test" -W -x -f /tmp/ppolicy.ldif
Enter LDAP Password:
adding new entry "cn=policy,ou=policies,dc=XXXX,dc=test"
ldap_add: Invalid syntax (21)
additional info: pwdAttribute: value #0 invalid per syntax

Please check your /tmp/ppolicy.ldif to make sure there are no illegal characters
in the line with pwdAttribute:

It looks like this is perhaps broken.

Please also consider updating to the latest openldap 2.4.36 via one of
the openly available rpms.

Greetings
Christian


Contents of policy.ldif
dn: cn=policy,ou=policies,dc=XXXX,dc=test
cn: default
objectClass: pwdPolicy
objectClass: person
objectClass: top
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdExpireWarning: 600
pwdFailureCountInterval: 30
pwdGraceAuthNLimit: 5
pwdInHistory: 5
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdMaxAge: 0
pwdMaxFailure: 5
pwdMinAge: 0
pwdMinLength: 5
pwdMustChange: FALSE
pwdSafeModify: FALSE
sn: dummy value

Contents of my slapd.conf

include         /etc/openldap/schema/corba.schema
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/duaconf.schema
include         /etc/openldap/schema/dyngroup.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/java.schema
include         /etc/openldap/schema/misc.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/openldap.schema
include         /etc/openldap/schema/ppolicy.schema
include         /etc/openldap/schema/collective.schema
include         /etc/openldap/schema/samba.schema
include         /etc/openldap/schema/pmi.schema

allow bind_v2

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

modulepath /usr/lib64/openldap

moduleload ppolicy.la

TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
TLSCertificateFile /etc/pki/tls/certs/slapd.pem
TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem

database config
access to *
       by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
       by dn.exact="cn=Manager,dc=XXXX,dc=test" read
       by * none

database        bdb
suffix          "dc=XXXXX,dc=test"
checkpoint      1024 15
rootdn          "cn=Manager,dc=XXXX,dc=test"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          hello (Temp password used for testing)

overlay ppolicy
policy_default "cn=default,ou=policies,dc=XXXX,dc=test"
policy_use_lockout

directory       /var/lib/ldap

# Indices to maintain for this database
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub



--
Christian Kratzer                      CK Software GmbH
Email:   [email protected]                  Wildberger Weg 24/2
Phone:   +49 7032 893 997 - 0          D-71126 Gaeufelden
Fax:     +49 7032 893 997 - 9          HRB 245288, Amtsgericht Stuttgart
Web:     http://www.cksoft.de/         Geschaeftsfuehrer: Christian Kratzer



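Christian's advice is to look for illegal characters in the pwdAttribute line. As an added example that is not part of the thread, the Python checker below flags non-ASCII or control characters on every line of a one-entry LDIF, verifies that the pwdAttribute value is a numeric OID or an attribute descriptor (the OID syntax that attribute uses), and also checks the general LDAP rule that the RDN value must appear in the entry; the sample is constructed from the posted LDIF with a non-breaking space planted in it.

```python
import re

# Constructed sample modelled on the LDIF posted in the thread, with a
# non-breaking space (U+00A0) planted at the end of the pwdAttribute
# value so the checker has a hidden character to report.
SAMPLE_LDIF = (
    "dn: cn=policy,ou=policies,dc=XXXX,dc=test\n"
    "cn: default\n"
    "objectClass: pwdPolicy\n"
    "objectClass: person\n"
    "objectClass: top\n"
    "pwdAttribute: userPassword\u00a0\n"
    "pwdMinLength: 5\n"
    "sn: dummy value\n"
)

# pwdAttribute has OID syntax: a numeric OID or an attribute descriptor.
OID_RE = re.compile(r"^(\d+(\.\d+)+|[A-Za-z][A-Za-z0-9-]*)$")
# "attribute: value" line; only plain spaces may follow the colon.
ATTR_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*): *(.*)$")


def check_ldif(text):
    """Return a list of (line_no, message) findings for a one-entry LDIF."""
    findings, attrs = [], {}
    for no, line in enumerate(text.splitlines(), start=1):
        # Anything outside printable ASCII (NBSP, BOM, CR, smart quotes) is
        # invisible in most editors but fails slapd's syntax checks.
        bad = sorted({ord(c) for c in line if not 32 <= ord(c) <= 126})
        if bad:
            findings.append((no, "hidden chars: " + " ".join("U+%04X" % b for b in bad)))
        m = ATTR_RE.match(line)
        if not m:
            if line.strip():
                findings.append((no, "not an 'attribute: value' line"))
            continue
        name, value = m.group(1).lower(), m.group(2)
        attrs.setdefault(name, []).append(value)
        if name == "pwdattribute" and not OID_RE.match(value):
            findings.append((no, "pwdAttribute value %r is not an OID/descriptor" % value))
    # RFC 4512: the RDN attribute value must also be present in the entry.
    dn = attrs.get("dn", [""])[0]
    rdn = re.match(r"^([A-Za-z][A-Za-z0-9-]*)=([^,]+)", dn)
    if rdn is None:
        findings.append((1, "missing or malformed dn line"))
    elif rdn.group(2) not in attrs.get(rdn.group(1).lower(), []):
        findings.append((1, "RDN value %r not among %s values" % (rdn.group(2), rdn.group(1))))
    return findings


for no, msg in check_ldif(SAMPLE_LDIF):
    print("line %d: %s" % (no, msg))
```

Point check_ldif at the contents of a real /tmp/ppolicy.ldif (read it with errors="replace" if the encoding is unknown) to get the same line-numbered findings.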