On Tuesday 08 November 2005 16:46, Baoning Pan wrote:
> Hi, Howard
Please quote properly in future.
> Thank you for the reply. My client is regular linux (Fedora 4)
No, your client is pam_ldap. It would be more useful to have the pam_ldap
version you are using. The one supplied with FC4 is 176, so for now I assume
that is what you are using.
> , and I am
> just using ssh to login. When I build ldap, I run the test and test022
> passwd without problem. The only difference between test022's user and my
> regular user is objectClass, test022 uses "interOrgPerson", and my user uses
> "posixAccount". Since I need uid, etc for Linux account, I have to use
> posixAccount.
Well, you would need a structural objectclass as well ... inetOrgPerson is
commonly used for this.
> I also know the problem is on server side.
Despite the fact that bugs in pam_ldap relating to the password policy were
fixed in pam_ldap-180:
180 Luke Howard <lukeh@padl.com>
* from Peter Marschall <peter@adpm.de>:
manual page installation fix
* fix for BUG#210: use start_tls on referrals if
configured to do so
* when handling new password policy control, only
fall through to account management module if a
policy error was returned (CERT VU#778916)
http://www.kb.cert.org/vuls/id/778916
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2641
pam_ldap was updated in Fedora rawhide, but there was no update for released
versions of FC it seems.
> I run the slapd in debug (-d4).
> I can see that if there is no ppolicy overlay configured, I will got
> password error (49),
>
> ==> bdb_bind: dn: uid=tester,ou=People,dc=n2p,dc=com
> send_ldap_result: err=49 matched="" text=""
>
> If I put ppolicy overlay in, there is not err send to client.
>
> send_ldap_result: err=0 matched="" text=""
But, what operation is this for?
I would suggest upgrading to pam_ldap-180 and seeing if that fixes your
problem.
>
> -----Original Message-----
> From: Howard Chu [mailto:hyc@symas.com]
> Sent: Monday, November 07, 2005 7:20 PM
> To: Baoning Pan
> Cc: OpenLDAP-software@OpenLDAP.org
> Subject: Re: ppolicy overlay password problem
>
>
> The test022 script in the bundled test suite specifically tests for
> authentication using an incorrect password, and this test works
> correctly in my 2.3.11 build. As such, I do not believe there is any bug
> in OpenLDAP software here. You should check whatever software you're
> using to "login."
>
> Baoning Pan wrote:
> > Hi,
> >
> > I need help on ppolicy as this is the first time I try to use it for
> > company internal use. I search the mail listing and web and cannot find
> > same problem.
> >
> > I compiled openldap 2.3.11 on Solaris 8, with bdb.4.3.29 and
> > openssl.0.9.7g. First I started slapd without ppolicy, and things works
> > fine. Then, I added ppolicy overlay/schema. slapd started/loaded fine.
> > But I get big problem with user password, user can login with "ANY WORD"
> > as its password even though I can see new "pwdFailureTime" entry is added
> > to ldap db for that user.
> >
> > Thanks.
> >
> >
> > Here are the ppolicy related entries/ldif for my slapd.conf
> >
> > include /usr/local/openldap/etc/openldap/schema/ppolicy.schema
> > overlay ppolicy
> > ppolicy_default "cn=Standard Policy,ou=Policies,dc=n2p,dc=com"
> > ppolicy_use_lockout
> >
> >
> > dn: ou=Policies,dc=n2p,dc=com
> > objectClass: top
> > objectClass: organizationalUnit
> > ou: Policies
> > structuralObjectClass: organizationalUnit
> >
> > dn: cn=Standard Policy,ou=Policies,dc=n2p,dc=com
> > objectClass: top
> > objectClass: device
> > objectClass: pwdPolicy
> > cn: Standard Policy
> > pwdAttribute: userPassword
> > pwdLockoutDuration: 120
> > pwdInHistory: 5
> > pwdCheckQuality: 2
> > pwdExpireWarning: 86400
> > pwdMaxAge: 864000
> > pwdMinLength: 5
> > pwdGraceAuthNLimit: 5
> > pwdAllowUserChange: TRUE
> > pwdMustChange: FALSE
> > pwdMaxFailure: 3
> > pwdFailureCountInterval: 120
> > pwdSafeModify: FALSE
> > structuralObjectClass: device
--
Buchan Milne
ISP Systems Specialist
B.Eng,RHCE(803004789010797),LPIC-2(LPI000074592)