On Sun, 19 Jan 2014 14:18:56 -0700, Joshua Schaeffer <[email protected]> wrote:
> I'm trying to implement the password policy overlay into my openldap
> setup, I'm running a Debian 7 server and installed openldap with the
> package manager.
>
> ===================================================
> root@baneling:~# dpkg -l | grep slapd
> ii slapd 2.4.31-1+nmu2 amd64 OpenLDAP server (slapd)
> ===================================================
>
> I currently have my ldap server setup for authentication and
> authorization, I'm using libnss-ldapd and libpam-ldapd on my other
> machines to search the ldap directory and would like to implement the
> password policy provided by the overlay. I believe I've added the
> schema, loaded the dynamic module, and added the overlay to my
> database correctly, however I'm not sure it's actually working. I've
> been mostly following this article and the openldap documentation:
>
> http://www.zytrax.com/books/ldap/ch6/ppolicy.html
> http://www.openldap.org/doc/admin24/overlays.html#Password Policies
> <http://www.openldap.org/doc/admin24/overlays.html#Password%20Policies>
>
> Here is my slapd.d config (shortened for brevity):
> ===================================================
> root@baneling:~# slapcat -b cn=config
> [...]
> dn: cn=module{1},cn=config
> objectClass: olcModuleList
> cn: module{1}
> structuralObjectClass: olcModuleList
> entryUUID: ad917d22-1583-1033-9e53-473d795f568b
> creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> createTimestamp: 20140119183138Z
> olcModuleLoad: {0}ppolicy.so
> olcModulePath: /usr/lib/ldap
> entryCSN: 20140119183433.154615Z#000000#000#000000
> modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> modifyTimestamp: 20140119183433Z
> [...]
> dn: cn={4}ppolicy,cn=schema,cn=config
> objectClass: olcSchemaConfig
> cn: {4}ppolicy
> [...]
> dn: olcOverlay={0}ppolicy,olcDatabase={1}hdb,cn=config
> objectClass: olcPPolicyConfig
> olcOverlay: {0}ppolicy
> olcPPolicyDefault: cn=default,ou=Policies,dc=harmonywave,dc=com
> olcPPolicyHashCleartext: TRUE
> olcPPolicyUseLockout: TRUE
> structuralObjectClass: olcPPolicyConfig
> entryUUID: 3c8dc8ce-158d-1033-9e57-473d795f568b
> creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> createTimestamp: 20140119194003Z
> entryCSN: 20140119194003.774030Z#000000#000#000000
> modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> modifyTimestamp: 20140119194003Z
> ===================================================
>
> And my container for the default policy:
> ===================================================
> root@baneling:~# ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b ou=Policies,dc=harmonywave,dc=com
> SASL/EXTERNAL authentication started
> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> SASL SSF: 0
> dn: ou=Policies,dc=harmonywave,dc=com
> ou: Policies
> objectClass: top
> objectClass: organizationalUnit
>
> dn: cn=default,ou=Policies,dc=harmonywave,dc=com
> cn: default
> objectClass: pwdPolicy
> objectClass: person
> objectClass: top
> pwdAttribute: userPassword
> pwdAllowUserChange: TRUE
> pwdExpireWarning: 432000
> pwdFailureCountInterval: 1800
> pwdGraceAuthNLimit: 10
> pwdInHistory: 10
> pwdLockout: TRUE
> pwdLockoutDuration: 1800
> pwdMaxAge: 7776000
> pwdMaxFailure: 6
> pwdMinAge: 86400
> pwdMinLength: 10
> pwdMustChange: FALSE
> pwdSafeModify: TRUE
> sn: passwdpolicy
> ===================================================
>
> However, I'm not sure the policy is actually being applied. I thought
> it might be because I originally created my user before adding the
> schema and overlay, so I deleted the user and recreated it. I'm able
> to log into a server using my uid, however if I try to change my
> password I get the following:
>
> ===================================================
> jschaeffer@defiler:~$ passwd
> (current) LDAP Password:
> New password:
> Retype new password:
> password change failed: Constraint violation
> passwd: Authentication token manipulation error
> passwd: password unchanged
> ===================================================
>
> I've been entering my current password correctly when it asks and I am
> using a complex new password. I also don't see any of the ppolicy
> attributes on my user (pwdChangeTime, pwdFailureTime,
> pwdGraceUseTime, etc):
>
> ===================================================
> root@baneling:~# ldapsearch -LLL -x -D cn=admin,dc=harmonywave,dc=com -W -H ldapi:/// -b uid=jschaeffer,ou=People,dc=harmonywave,dc=com
> Enter LDAP Password:
> dn: uid=jschaeffer,ou=People,dc=harmonywave,dc=com
> objectClass: top
> objectClass: account
> objectClass: posixAccount
> uid: jschaeffer
> cn: Joshua Schaeffer
> uidNumber: 3000
> gidNumber: 3000
> homeDirectory: /home/jschaeffer
> loginShell: /bin/bash
> gecos: Joshua Schaeffer
> userPassword:: ....
> ===================================================
>
> I've been searching around on the web for answers to the passwd
> issue, but I've not been able to find anything useful. Does anyone
> know how to verify that the ppolicy overlay is actually working?

rootdn must change user passwords, but this depends on access rules.
ppolicy attributes are operational, thus apply a '+' to the search
string, according to RFC-3673.
You may obtain further information on ppolicy by reading
slapo-ppolicy(5).

-Dieter

-- 
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:DA147B05
53°37'09,95"N
10°08'02,42"E
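As an added example, not part of Joshua's post or Dieter's reply: a small Python checker for the output of the same ldapsearch run with '+' appended as an attribute selector, so that the ppolicy operational attributes come back. It reports whether the overlay has stamped the entry (pwdChangedTime present) and, using the pwdMaxAge, pwdExpireWarning and pwdMaxFailure values of the posted default policy, whether the password is expiring or the account has reached its failure limit. The LDIF sample inside is constructed, and the lockout check is an approximation that ignores pwdFailureCountInterval and pwdLockoutDuration.

```python
# Added example (not from the thread): check the ppolicy operational attributes
# returned by ldapsearch ... -b uid=...,ou=People,dc=harmonywave,dc=com '+'
from datetime import datetime, timedelta, timezone
# Values from the cn=default policy posted above, all in seconds.
PWD_MAX_AGE = 7776000          # 90 days
PWD_EXPIRE_WARNING = 432000    # 5 days
PWD_MAX_FAILURE = 6
# Operational attributes maintained by the overlay (see slapo-ppolicy(5)).
PPOLICY_ATTRS = ("pwdChangedTime", "pwdFailureTime", "pwdGraceUseTime",
                 "pwdAccountLockedTime", "pwdPolicySubentry", "pwdHistory", "pwdReset")
# Constructed sample of what the '+' search returns once ppolicy is active.
SAMPLE_LDIF = """\
dn: uid=jschaeffer,ou=People,dc=harmonywave,dc=com
uid: jschaeffer
pwdPolicySubentry: cn=default,ou=Policies,dc=harmonywave,dc=com
pwdChangedTime: 20140119194500Z
pwdFailureTime: 20140120100000.000000Z
pwdFailureTime: 20140120100030.000000Z
"""

def gentime(value):
    # GeneralizedTime as ppolicy writes it; [:14] drops fractional seconds and 'Z'.
    return datetime.strptime(value[:14], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_ldif(text):
    """Single-entry LDIF -> {attr: [values]}; joins folded continuation lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        entry.setdefault(attr, []).append(value.lstrip(": "))
    return entry

def check_ppolicy(entry, now):
    """Report whether the overlay stamped the entry and where the password stands."""
    found = {a: entry[a] for a in PPOLICY_ATTRS if a in entry}
    if "pwdChangedTime" not in found:
        # Overlay never touched this password: not loaded for the database, or the
        # password was set while the overlay was not active.
        return {"active": False, "found": found}
    expires = gentime(found["pwdChangedTime"][0]) + timedelta(seconds=PWD_MAX_AGE)
    remaining = (expires - now).total_seconds()
    failures = len(found.get("pwdFailureTime", []))   # approximation: no interval window
    return {"active": True, "found": found, "expires": expires, "expired": remaining <= 0,
            "in_warning": 0 < remaining <= PWD_EXPIRE_WARNING, "failures": failures,
            "locked": "pwdAccountLockedTime" in found or failures >= PWD_MAX_FAILURE}
```

An entry that comes back with none of these attributes even with '+' requested has not been touched by the overlay at all, which is the case to rule out before suspecting the policy values themselves.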
