[Date Prev][Date Next] [Chronological] [Thread] [Top]
RES: Openldap 2.3.39 Password Policy

To: "'Venkata Janardhana'" <avjana@gmail.com>
Subject: RES: Openldap 2.3.39 Password Policy
From: "Gustavo Mendes de Carvalho" <gmcarvalho@gmail.com>
Date: Thu, 15 May 2008 20:06:05 -0300
Cc: openldap-technical@openldap.org
In-reply-to: <3b1676100805150951h69c25e61i4dc97460d62e8c3a@mail.gmail.com>
References: <3b1676100805150951h69c25e61i4dc97460d62e8c3a@mail.gmail.com>
Thread-index: Aci2q+sYK8NqOdt1QkG6OQcqHEFT0AAMG6jw
Hi Venkata,
 
Check where is your slapd binary. In this directory, you will see a libexec
directory. Inside you can find ppolicy.la module. Execute a pwd command and
put pwd output in your slapd.conf file
 
Here is my slapd.conf file
 
#######################################################################
# Global definitions
#######################################################################
 

include         /usr/local/ldap/servers/slapd/schema/core.schema
include         /usr/local/ldap/servers/slapd/schema/cosine.schema
include         /usr/local/ldap/servers/slapd/schema/inetorgperson.schema
include         /usr/local/ldap/servers/slapd/schema/misc.schema
include         /usr/local/ldap/servers/slapd/schema/nis.schema
include         /usr/local/ldap/servers/slapd/schema/ppolicy.schema
 

pidfile         /var/run/slapd.pid
argsfile        /var/run/slapd.args
logfile         /var/log/ldap.log
loglevel        256
 

# Load dynamic backend modules:
 modulepath        /usr/local/libexec/openldap
### moduleload     back_ldap.la
### moduleload     back_passwd.la
 moduleload     accesslog.la
###  moduleload     pcache.la
 moduleload     ppolicy.la
 moduleload     unique.la
 

#######################################################################
# BDB database definitions 
#######################################################################
 
database        bdb
suffix          "c=country"
rootdn          "cn=manager,c=country"
rootpw          {SSHA}password's hash
directory       /usr/local/var/openldap-data/
mode            0600
cachesize       1000000
checkpoint      256 60
 
overlay ppolicy
ppolicy_default "cn=default,ou=policies,o=org,c=country"
 
#######################################################################
# ACL's
#######################################################################
 
access to attrs=userPassword
        by self write
        by anonymous auth
        by dn="cn=manager,c=country" write
        by * read
 
access to *
        by self write
        by dn="cn=manager,c=country" write
        by * read
 

#######################################################################
# Indexes
#######################################################################
 
index   objectClass     eq,pres
index   uid,memberUid   eq,pres,sub
 
 

Another tip is remove your shadow parameters from your user accoount. I
mean, when you create an account, unset shadow properties. Leave all shadow
properties defined in ppolicy options. Check my user output

dn: uid=sdanyluk,ou=orgunit,o=org,c=country
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
objectClass: person
loginShell: /bin/bash
givenName: Scott
sn: Danyluk
displayName: Scott Danyluk
uid: sdanyluk
homeDirectory: /home/sdanyluk
cn: Scott Danyluk
uidNumber: 14838
userPassword: xxxxxxxxxxxxxxxxxxxxxxx
gidNumber: 25075

 
Regards
 
---
Gustavo Mendes de Carvalho
email: gmcarvalho@gmail.com
 


________________________________

De: Venkata Janardhana [mailto:avjana@gmail.com] 
Enviada em: quinta-feira, 15 de maio de 2008 13:51
Para: jarbas.junior@gmail.com; gmcarvalho@gmail.com
Cc: openldap-technical@openldap.org
Assunto: Openldap 2.3.39 Password Policy,


Hello ,

I see the you had same issue for the openldap 2.3.39 password policy. I am
struggling to get this working like anything. Could you please help me out
in configuring password policy and change the user password.

I have installed openldap 2.3.39  and 


./configure --prefix=/usr/local \
            --libexecdir=/usr/sbin \
            --sysconfdir=/etc \
            --localstatedir=/srv/ldap \
            --disable-debug \
            --enable-dynamic \
            --enable-crypt \
            --enable-modules \
            --enable-rlookups \
            --enable-backends \
            --enable-overlays \
            --disable-sql &&
make depend &&
make
make test
su root -c 'make install


I cannot find 


	modulepath /usr/lib/openldap

	moduleload ppolicy.la

	files.
	
	
	Here is my slapd.conf and ldap search file 
	
	
	

	hese are the following slapd.conf file and ldapsearch output.. 
	
	User can login to the ldap server for the first time and could
change the password
	but cannot login with new password or old password. having hard time
in getting password 
	policy working. COuld you some pls help me out.. whats the wrong..
thanks in advance,
	
	#
	# See slapd.conf(5) for details on configuration options.
	# This file should NOT be world readable.
	#
	include         /usr/local/etc/openldap/schema/core.schema
	include         /usr/local/etc/openldap/schema/cosine.schema
	include         /usr/local/etc/openldap/schema/inetorgperson.schema
	include         /usr/local/etc/openldap/schema/nis.schema
	include         /usr/local/etc/openldap/schema/ppolicy.schema
	
	# Define global ACLs to disable default read access.
	
	# Do not enable referrals until AFTER you have a working directory
	# service AND an understanding of referrals.
	#referral       ldap://root.openldap.org
	
	pidfile         /usr/local/var/run/slapd.pid
	argsfile        /usr/local/var/run/slapd.args
	
	# Load dynamic backend modules:
	# modulepath    /usr/local/libexec/openldap
	# moduleload    back_bdb.la
	# moduleload    back_ldap.la
	# moduleload    back_ldbm.la
	# moduleload    back_passwd.la
	# moduleload    back_shell.la
	
	# Sample security restrictions
	#       Require integrity protection (prevent hijacking)
	#       Require 112-bit (3DES or better) encryption for updates
	#       Require 63-bit encryption for simple bind
	# security ssf=1 update_ssf=112 simple_bind=64
	
	# Sample access control policy:
	#       Root DSE: allow anyone to read it
	#       Subschema (sub)entry DSE: allow anyone to read it
	#       Other DSEs:
	#               Allow self write access
	#               Allow authenticated users read access
	#               Allow anonymous users to authenticate
	#       Directives needed to implement policy:
	# access to dn.base="" by * read
	# access to dn.base="cn=Subschema" by * read
	# access to *
	#       by self write
	#       by users read
	#       by anonymous auth
	#
	# if no access controls are present, the default policy
	# allows anyone and everyone to read anything but restricts
	# updates to rootdn.  (e.g., "access to * by * read")
	#
	# rootdn can always read and write EVERYTHING!
	access to amdexrs=userPassword
	        by self write
	        by * auth
	
	access to *
	        by * read
	
#######################################################################
	# BDB database definitions
	
#######################################################################
	
	database        bdb
	suffix          "dc=sales,dc=amdex,dc=com"
	rootdn          "cn=Manager,dc=sales,dc=amdex,dc=com"
	# Cleartext passwords, especially for the rootdn, should
	# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
	# Use of strong authentication encouraged.
	rootpw          secret
	# The database directory MUST exist prior to running slapd AND
	# should only be accessible by the slapd and slap tools.
	# Mode 700 recommended.
	directory       /usr/local/var/openldap-data
	# Indices to maintain
	index   objectClass     eq
	
	
	----------------------------------------------------------
	
	
	
	[root@testserver06 openldap]# ldapsearch -x -b
'dc=sales,dc=amdex,dc=com' '(objectclass=*)'
	# extended LDIF
	#
	# LDAPv3
	# base <dc=sales,dc=amdex,dc=com> with scope subtree
	# filter: (objectclass=*)
	# requesting: ALL
	#
	
	# sales.amdex.com
	dn: dc=sales,dc=amdex,dc=com
	dc: sales
	objectClass: top
	objectClass: domain
	objectClass: domainRelatedObject
	associatedDomain: sales.amdex.com
	
	# People, sales.amdex.com
	dn: ou=People,dc=sales,dc=amdex,dc=com
	ou: People
	objectClass: top
	objectClass: organizationalUnit
	objectClass: domainRelatedObject
	associatedDomain: sales.amdex.com
	
	# Group, sales.amdex.com
	dn: ou=Group,dc=sales,dc=amdex,dc=com
	ou: Group
	objectClass: top
	objectClass: organizationalUnit
	objectClass: domainRelatedObject
	associatedDomain: sales.amdex.com
	
	# ja5199, Group, sales.amdex.com
	dn: cn=ja5199,ou=Group,dc=sales,dc=amdex,dc=com
	objectClass: posixGroup
	objectClass: top
	cn: ja5199
	gidNumber: 609
	
	# ja5199, People, sales.amdex.com
	dn: uid=ja5199,ou=People,dc=sales,dc=amdex,dc=com
	uid: ja5199
	cn: Jana Avula
	givenName: Jana
	sn: Avula
	mail: ja5199@sales.amdex.com
	objectClass: person
	objectClass: organizationalPerson
	objectClass: inetOrgPerson
	objectClass: posixAccount
	objectClass: top
	objectClass: shadowAccount
	shadowLastChange: 14001
	shadowMax: 99999
	shadowWarning: 7
	loginShell: /bin/bash
	uidNumber: 609
	gidNumber: 609
	homeDirectory: /home/ja5199
	gecos: Jana Avula
	
	# Policies, sales.amdex.com
	dn: ou=Policies,dc=sales,dc=amdex,dc=com
	objectClass: top
	objectClass: organizationalUnit
	ou: Policies
	
	# default, Policies, sales.amdex.com
	dn: cn=default,ou=Policies,dc=sales,dc=amdex,dc=com
	objectClass: top
	objectClass: device
	objectClass: pwdPolicy
	cn: default
	pwdamdexribute: 2.5.4.35
	pwdMaxAge: 15552000
	pwdExpireWarning: 864000
	pwdInHistory: 1
	pwdCheckQuality: 0
	pwdMinLength: 8
	pwdMaxFailure: 4
	pwdLockout: TRUE
	pwdLockoutDuration: 1920
	pwdGraceAuthNLimit: 5
	pwdFailureCountInterval: 0
	pwdMustChange: TRUE
	pwdAllowUserChange: TRUE
	pwdSafeModify: TRUE
	
	# search result
	search: 2
	result: 0 Success
	
	# numResponses: 8
	# numEntries: 7
Prev by Date: Re: openldap and mysql authentication
Next by Date: ldap - adding file from application to ldap
Index(es):
- Chronological
- Thread