Re: how implement pwdpolicy
Rahima Shaheen wrote:
Hi,
I am very new to OpenLDAP. I can run slapd and add/edit new entries. Now I
want to implement pwdPolicy. I tried it several times. I would like to
describe what I did.
1. Run slapd without modifying anything.
2. Create an ou=policies. Script as follows:
dn: ou=policies,dc=my-domain,dc=com
objectClass: organizationalUnit
objectClass: top
ou: policies
3. Write policy.schema.
4. Include policy.schema, but the overlay is not added. Run slapd
again. In core.schema the attributetype userPassword was commented out.
5. Now I want to create policy.ldif. Script:
dn: cn=default,ou=policies,dc=my-domain,dc=com
cn: default
objectClass: pwdPolicy
objectClass: person
objectClass: top
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdExpireWarning: 600
pwdFailureCountInterval: 30
pwdGraceAuthNLimit: 5
pwdInHistory: 5
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdMaxAge: 0
pwdMaxFailure: 5
pwdMinAge: 0
pwdMinLength: 5
pwdMustChange: FALSE
pwdSafeModify: FALSE
#sn: 'dummy value' objectClass: organizationalUnit
It gives an error: "Invalid syntax (21) pwdAttribute: value #0 invalid
per syntax". Why does it give such an error? My assumption is that the
ppolicy.schema attribute is not created successfully. Another point: in
core.schema the attributeType userPassword is commented out. If I uncomment
it, slapd -d 1 gives a duplicate attribute type. Give a solution please.
Now my questions are:
a. How can I be sure that my ppolicy.schema is created? I don't have
any ppolicy.la.
b. What does ppolicy.la do?
Other people have answered these questions (ppolicy.schema is simply
included in your slapd.conf file and ppolicy.la is a wrappered library).
You include the ppolicy.schema file by using a directive such as:
include /etc/openldap/schema/ppolicy.schema
in your slapd.conf file. You also bring in the actual executable bit
of ppolicy code via:
moduleload ppolicy.la
in your slapd.conf file. Finally, you have to add something like:
# Password policy enforcement...
# Set up password policies via the "ppolicy" overlay.
# Unless otherwise specified by a "pwdPolicySubentry"
# attribute in a user's entry, they will use the policy
# defined in the "ppolicy_default" entry here.
# We force "Invalid Credentials" errors on locked accounts
# and we store the passwords in LDAP in cleartext to satisfy
# SASL.
overlay ppolicy
ppolicy_default "cn=DefaultPassword,ou=Policies,dc=mycompany,dc=com"
ppolicy_use_lockout
ppolicy_hash_cleartext
in slapd.conf to set up how ppolicy works.
Now, as to how to set up the database itself, here is an LDIF file I use
to seed my database by feeding it to slapcat:
-------------------------- CUT HERE ----------------------------------
# ROOT OF LDAP TREE
# Set up the root of the tree...
dn: dc=mycompany,dc=com
dc: mycompany
objectClass: top
objectClass: domain

# ORGANIZATIONAL UNITS
# This ou is used for the actual user IDs...
dn: ou=People,dc=mycompany,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

# This ou is for the user group IDs...
dn: ou=Group,dc=mycompany,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

# This ou is for password policies and the like...
dn: ou=Policies,dc=mycompany,dc=com
ou: Policies
objectClass: top
objectClass: organizationalUnit

# PASSWORD POLICIES
# This one is the default policy that all users get EXCEPT for the
# "special" folk (such as "sysman")...
dn: cn=DefaultPassword,ou=Policies,dc=mycompany,dc=com
cn: DefaultPassword
objectClass: top
objectClass: device
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
pwdAttribute: userPassword
pwdMinAge: 86400
pwdMaxAge: 7776000
pwdExpireWarning: 604800
pwdGraceAuthnLimit: 3
pwdMinLength: 10
pwdCheckQuality: 2
pwdCheckModule: check_password.so
pwdMaxFailure: 6
pwdLockout: TRUE
pwdLockoutDuration: 180
pwdFailureCountInterval: 120
pwdInHistory: 4
pwdAllowUserChange: TRUE
pwdMustChange: TRUE
pwdSafeModify: FALSE

# This one is the special policy that users whose passwords should
# NOT expire get (such as "sysman")...
dn: cn=NoExpirePassword,ou=Policies,dc=mycompany,dc=com
cn: NoExpirePassword
objectClass: top
objectClass: device
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdMinAge: 0
pwdMaxAge: 0
pwdExpireWarning: 0
pwdGraceAuthnLimit: 3
pwdMinLength: 10
pwdCheckQuality: 2
pwdMaxFailure: 3
pwdLockoutDuration: 180
pwdFailureCountInterval: 120
pwdInHistory: 4
pwdAllowUserChange: TRUE
pwdMustChange: TRUE
pwdSafeModify: TRUE

# LDAP MAIN AUTHORITY
# This group is for "sysman", the absolute authority for the LDAP
# database...
dn: cn=sysman,ou=Group,dc=mycompany,dc=com
objectClass: posixGroup
objectClass: top
cn: sysman
userPassword: Y0uR3@llyD0n+w@n++0kn0w!
gidNumber: 500

# This is sysman's user ID...
dn: uid=sysman,ou=People,dc=mycompany,dc=com
uid: sysman
cn: LDAP System Manager
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowMin: 1
shadowMax: 90
shadowWarning: 7
shadowLastChange: 13945
loginShell: /bin/bash
gecos: LDAP System Manager
homeDirectory: /home/sysman
uidNumber: 500
gidNumber: 500
userPassword: Y0uR3@llyD0n+w@n++0kn0w!
pwdPolicySubentry: cn=NoExpirePassword,ou=Policies,dc=mycompany,dc=com
-------------------------- CUT HERE ----------------------------------
Note that the "pwdCheckModule: check_password.so" bits are specifying
a password checking module I wrote. If you want your own, you'll have
to write it, compile it as a shared library and put the binary in the
libexec directory where slapd can get at it (typically
/usr/local/libexec/openldap).
Note also that we were using cleartext passwords to satisfy some old
SASL stuff inherent in our architecture. I don't like that, but I'm
stuck with it. You'll need to change the "userPassword:" entries to
reflect your encryption scheme (something along the lines of
"userPassword: {sha1} encryptedstring" if you use SHA1 encryption).
----------------------------------------------------------------------
- Rick Stevens, Unix Geek rps2@socal.rr.com -
- -
- Lottery: A tax on people who are bad at math. -
----------------------------------------------------------------------
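A worked pwdCheckModule, as an added example that is not Rick's module and is not code shipped with OpenLDAP. It implements the entry point that the OpenLDAP 2.4 ppolicy overlay resolves from the shared object named in pwdCheckModule, check_password(char *, char **, Entry *): return 0 when the password is acceptable, otherwise non-zero with a malloc()'d message in *ppErrStr. Everything else is an assumption made for illustration: the HAVE_SLAP_H switch that pulls in the real slap.h, the character-class and repeat thresholds, and the banned-word list. ppolicy checks pwdMinLength itself before calling the module, so length is not rechecked here. OpenLDAP 2.5 changed this entry point (the message is passed as a struct berval and a fourth void * argument was added), so a module for 2.5 or later needs that signature instead.

```c
/*
 * check_password.c: added example of a ppolicy pwdCheckModule using the
 * OpenLDAP 2.4 calling convention.  slapd dlopen()s the file named in
 * pwdCheckModule and looks up check_password(); 0 means "accept", any
 * other value means "reject" with the reason left in *ppErrStr.
 *
 * Assumptions (mine, not from the post): HAVE_SLAP_H selects a build
 * against the OpenLDAP source tree; without it, Entry is an opaque stand-in
 * so the file compiles and can be unit-tested on its own.
 */
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

#ifdef HAVE_SLAP_H
#include "portable.h"
#include "slap.h"            /* real Entry, when built inside the OpenLDAP tree */
#else
typedef struct Entry Entry;  /* opaque stand-in for stand-alone builds/tests */
#endif

#define MIN_CLASSES 3   /* of the four: lower, upper, digit, other (assumed) */
#define MAX_RUN     3   /* longest allowed run of one repeated character (assumed) */

/* Words no password may contain, case-insensitively.  "mycompany" is
 * listed because the post's suffix is dc=mycompany,dc=com. */
static const char *const banned_words[] = {
    "password", "qwerty", "letmein", "mycompany", NULL
};

/* Number of distinct character classes present in pw. */
static int count_classes(const char *pw)
{
    int lower = 0, upper = 0, digit = 0, other = 0;
    for (; *pw; pw++) {
        unsigned char c = (unsigned char)*pw;
        if (islower(c))      lower = 1;
        else if (isupper(c)) upper = 1;
        else if (isdigit(c)) digit = 1;
        else                 other = 1;
    }
    return lower + upper + digit + other;
}

/* Length of the longest run of one repeated character ("aaab" -> 3). */
static int longest_run(const char *pw)
{
    int best = 0, run = 0;
    char prev = '\0';
    for (; *pw; pw++) {
        run = (*pw == prev) ? run + 1 : 1;
        if (run > best) best = run;
        prev = *pw;
    }
    return best;
}

/* Case-insensitive substring test, spelled out so the module does not
 * depend on the non-standard strcasestr(). */
static int contains_ci(const char *hay, const char *needle)
{
    size_t n = strlen(needle);
    for (; *hay; hay++) {
        size_t i;
        for (i = 0; i < n; i++) {
            if (hay[i] == '\0' ||
                tolower((unsigned char)hay[i]) != tolower((unsigned char)needle[i]))
                break;
        }
        if (i == n) return 1;
    }
    return 0;
}

/* Hand slapd a malloc()'d copy of msg (it frees it) and signal rejection. */
static int fail_with(char **ppErrStr, const char *msg)
{
    if (ppErrStr) {
        size_t len = strlen(msg) + 1;
        char *copy = malloc(len);
        if (copy) memcpy(copy, msg, len);
        *ppErrStr = copy;
    }
    return 1;
}

int check_password(char *pPasswd, char **ppErrStr, Entry *pEntry)
{
    int i;
    (void)pEntry;   /* the entry is not consulted in this example */
    if (ppErrStr) *ppErrStr = NULL;

    if (pPasswd == NULL || *pPasswd == '\0')
        return fail_with(ppErrStr, "empty password");
    if (count_classes(pPasswd) < MIN_CLASSES)
        return fail_with(ppErrStr,
            "password must mix at least three of: lower, upper, digit, symbol");
    if (longest_run(pPasswd) > MAX_RUN)
        return fail_with(ppErrStr,
            "password repeats one character more than three times in a row");
    for (i = 0; banned_words[i]; i++)
        if (contains_ci(pPasswd, banned_words[i]))
            return fail_with(ppErrStr, "password contains a banned word");
    return 0;   /* LDAP_SUCCESS */
}
```

Build it as a shared object against the OpenLDAP tree (the include paths are assumptions; point them at wherever the tree is), e.g. gcc -shared -fPIC -DHAVE_SLAP_H -I/path/to/openldap/include -I/path/to/openldap/servers/slapd -o check_password.so check_password.c, copy check_password.so into the libexec/openldap directory the post mentions, and reference it with pwdCheckModule: check_password.so plus pwdCheckQuality: 2 as in the DefaultPassword policy above; load the seed LDIF with slapadd (slapcat is the export direction). Two caveats a deployment should plan for: the module only ever sees cleartext, so with pwdCheckQuality: 2 a userPassword that arrives already hashed is refused outright (pwdCheckQuality: 1 would let it through unchecked), which means clients should send the cleartext value over TLS and let ppolicy_hash_cleartext hash it server-side; and slapd serialises calls into the module with a mutex, so keep it free of slow work such as network lookups.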