Hi Dennis, I did the following steps to get the password policy to work, but still nothing is working.

1) In my slapd.conf file I added the lines below:

# Password Policy Configuration
overlay ppolicy
ppolicy_default "cn=default,ou=Policies,dc=j,dc=example,dc=com"
ppolicy_use_lockout
ppolicy_hash_cleartext

# ACL Entry for Password Policies
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to *
    by self write
    by * read

2) Loaded the password policy .ldif file into LDAP with ldapadd. Content of the password policy .ldif file:

# Creates a Policies OU (Organizational Unit)
dn: ou=Policies,dc=j,dc=cinglevue,dc=com
objectClass: organizationalUnit
ou: Policies

# Creates a Policy object in Policies OU (Organizational Unit)
dn: cn=default,ou=Policies,dc=j,dc=cinglevue,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdMaxAge: 3888000
pwdExpireWarning: 604800
pwdInHistory: 3
pwdCheckQuality: 1
pwdMinLength: 8
pwdMaxFailure: 5
pwdLockout: TRUE
pwdLockoutDuration: 1800
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE

Regards
Sam

On Wednesday, 26 February 2014 8:02 PM, Dennis Leeuw <[email protected]> wrote:

Have a look at the shadow* attributes from the shadowAccount class. Those should help you enforce password related stuff.

For self changes of passwords use an ACL like:

access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

Greetings,
Dennis

On 02/26/2014 11:50 AM, Saurabh Ohri wrote:
> Thanks Dennis. You are right, the problem is not related to LDAP
> but I was looking for help against it.
>
> I am able to have successful authentication from LDAP on both Mac
> and Windows after trying 50 combinations of configuration 😄
>
> But finally it worked and our effort paid off.
>
> Thanks again and will share the information/document soon.
>
> Also it would be of great help if you could share some details on
> enforcing password policies like self user password change, forced
> password change after first login etc. I did some config but it is
> not working even for Linux.
>
> Thanks
> Sam
>
> Sent from my iPhone
>
>> On 26 Feb 2014, at 4:40 pm, Dennis Leeuw <[email protected]> wrote:
>>
>>> On 02/26/2014 05:26 AM, saurabh ohri wrote:
>>> Hi all,
>>>
>>> I am new to OpenLDAP and I managed to install and configure it.
>>> My Linux client is working well but I am not able to authenticate
>>> Windows and Mac clients.
>>>
>>> I have been trying for the past 2 days via Google and other posts
>>> but am still facing the issue. Any help would be highly appreciated.
>>>
>>> Details: using openldap-2.4.23-34 on RHEL6.5
>>>
>>> Client details:
>>> Mac 10.8.5 -- tried configuring the network account server but it
>>> is showing RED. Error: This server is not responding.
>>> Windows 7 -- tried installing GINA but it is giving me an invalid
>>> credentials error.
>>>
>>> Configuration file on server:
>>> Password:
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base <dc=j,dc=example,dc=com> (default) with scope subtree
>>> # filter: (objectclass=*)
>>> # requesting: ALL
>>> #
>>>
>>> # j.example.com
>>> dn: dc=j,dc=example,dc=com
>>> objectClass: top
>>> objectClass: dcObject
>>> objectClass: organization
>>> o: example Organization
>>> description: example Inc DIT
>>> dc: j
>>>
>>> # Users, j.example.com
>>> dn: ou=Users,dc=j,dc=example,dc=com
>>> objectClass: organizationalUnit
>>> ou: Users
>>>
>>> # Groups, j.example.com
>>> dn: ou=Groups,dc=j,dc=example,dc=com
>>> objectClass: organizationalUnit
>>> ou: Groups
>>>
>>> # Admins, j.example.com
>>> dn: ou=Admins,dc=j,dc=example,dc=com
>>> objectClass: organizationalUnit
>>> ou: Admins
>>>
>>> # sohri, Users, j.example.com
>>> dn: uid=sohri,ou=Users,dc=j,dc=example,dc=com
>>> uid: sohri
>>> cn: sohri
>>> sn: 1
>>> objectClass: top
>>> objectClass: posixAccount
>>> objectClass: inetOrgPerson
>>> loginShell: /bin/bash
>>> homeDirectory: /home/sohri
>>> uidNumber: 15000
>>> gidNumber: 10000
>>> userPassword:: e1NTSEF9eWdkWExpZUdIT01YRytRM3ZmZWdNY3QwSmd2bFNqSkcg
>>> mail: [email protected]
>>> gecos: Local User
>>>
>>> # tpearce, Users, j.example.com
>>> dn: uid=tpearce,ou=Users,dc=j,dc=example,dc=com
>>> uid: tpearce
>>> cn: tpearce
>>> sn: 2
>>> objectClass: top
>>> objectClass: posixAccount
>>> objectClass: inetOrgPerson
>>> loginShell: /bin/bash
>>> homeDirectory: /home/tpearce
>>> uidNumber: 15001
>>> gidNumber: 10000
>>> userPassword:: e1NTSEF9eWdkWExpZUdIT01YRytRM3ZmZWdNY3QwSmd2bFNqSkc=
>>> mail: [email protected]
>>> gecos: local User
>>>
>>> # ldapusers, Groups, j.example.com
>>> dn: cn=ldapusers,ou=Groups,dc=j,dc=example,dc=com
>>> objectClass: posixGroup
>>> objectClass: top
>>> cn: ldapusers
>>> userPassword:: e2NyeXB0fXg=
>>> gidNumber: 10000
>>> memberUid: uid=sohri
>>> memberUid: uid=tpearce
>>>
>>> # search result
>>> search: 2
>>> result: 0 Success
>>>
>>> # numResponses: 8
>>> # numEntries: 7
>>>
>>> Regards
>>> Sam
>>
>> Windows is created to work against an Active Directory system,
>> meaning you have an LDAP authorization and Kerberos authentication.
>> Connecting Windows to an LDAP for both is problematic to say the
>> least. The easiest solution is using SAMBA against LDAP and make the
>> Windows systems login against the SAMBA server. If you like to make
>> it work with GINA, contact them, and to understand what is going on
>> you might want to read:
>> http://pig.made-it.com/win-boot-test.html
>> No guarantees, I did my best to document what is happening. Hope I
>> did it right.
>>
>> Mac OS X did once work against LDAP, I have no idea what the current
>> state is. On 10.6.5 go to Preferences, Accounts. Click Login Options,
>> go to Account Server and click Join. Select OpenDirectory utility.
>> Click LDAPv3 and click the edit button. Click show options, click
>> New, type the address of your ldap server. Give your account
>> credentials, pick template RFC 2307, set search base. And you're
>> done...
>>
>> And finally: None of your problems is OpenLDAP related since it
>> works on your Linux machine.
>>
>> Greetings,
>>
>> Dennis

--
ICT Employee
Biomedical Genetics Division
UMC Utrecht
Heidelberglaan 100 STR2.126
3584 CX Utrecht
The Netherlands
06 27744048
intern: 64048
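An added consistency check, not from this thread or from OpenLDAP, for the two pieces of configuration Sam posted: it parses the ppolicy_default DN out of slapd.conf and the policy LDIF, and reports when that DN does not resolve to a pwdPolicy entry in the loaded LDIF, which is the first thing to verify when the overlay appears to do nothing. The sample inputs are constructed from the fragments quoted above; parse_ldif, normalize_dn and check_ppolicy are hypothetical helper names.

```python
import re

# Sample inputs, constructed from the slapd.conf and LDIF fragments quoted in the thread above.
SLAPD_CONF = """\
overlay ppolicy
ppolicy_default "cn=default,ou=Policies,dc=j,dc=example,dc=com"
"""
POLICY_LDIF = """\
dn: cn=default,ou=Policies,dc=j,dc=cinglevue,dc=com
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
"""
FIXED_CONF = SLAPD_CONF.replace("dc=example", "dc=cinglevue")  # suffix made to match (constructed)

def parse_ldif(text):
    """Return {dn: {attr: [values]}} for simple LDIF (no line folding, no base64 ':: ' values)."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            current = None  # a blank line ends the current entry
            continue
        attr, _, value = line.partition(": ")
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries

def normalize_dn(dn):
    # Case-fold and trim each RDN so DNs written with different spacing or case compare equal.
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))

def check_ppolicy(conf_text, ldif_text):
    """Return a list of problems; empty means ppolicy_default resolves to a usable pwdPolicy entry."""
    m = re.search(r'^ppolicy_default\s+"?([^"\n]+?)"?\s*$', conf_text, re.M)
    if not m:
        return ["no ppolicy_default: only entries carrying pwdPolicySubentry get a policy"]
    default_dn = normalize_dn(m.group(1))
    entries = {normalize_dn(dn): a for dn, a in parse_ldif(ldif_text).items()}
    policy = entries.get(default_dn)
    if policy is None:
        return [f"ppolicy_default {default_dn} is not in the loaded LDIF (suffix mismatch?)"]
    problems = []
    if "pwdPolicy" not in policy.get("objectClass", []):
        problems.append("default policy entry lacks objectClass pwdPolicy")
    if policy.get("pwdAttribute") != ["userPassword"]:
        problems.append("pwdAttribute must be userPassword")
    return problems
```

Running check_ppolicy against the two DNs as posted flags the suffix mismatch; the same check against FIXED_CONF returns no problems.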
