[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Check password module/ppolicy problem on Solaris 10 (2.4.21 OL sources)

Hello again,
Well I tried the following.

Added the full path of the check_password.so in my slapd.conf under "moduleload".
moduleload  /opt/openldap/etc/openldap/modules/check_password.so

Added the full path to my check_password.so module in my ldif
pwdCheckModule: /opt/openldap/etc/openldap/modules/check_password.so

Recompiled the sources again using the configure used to build the openSUSE package.
CC=/usr/sfw/bin/gcc CPPFLAGS=-I/opt/openldap/include \
LDFLAGS="-L/opt/openldap/lib -R/opt/openldap/lib" \
./configure --prefix=/opt/openldap --with-tls \
--enable-spasswd --enable-crypt --with-gnu-ld \
--enable-ppolicy --enable-modules --enable-dynamic
--enable-aci --enable-bdb --enable-hdb \
--enable-rewrite --enable-ldap=yes --enable-meta=mod \
--enable-monitor=yes --enable-slp --enable-overlays=yes \

Still no luck.  At least within my ldap logs I see the "Password fails quality checking policy" so at least it is hitting the ldap server for password checking.  Any ideas?????  Thanks!!!!

Jose

> I am trying to get my solaris 10 openldap 2.4.21 server to use my check_password.so module using the ppolicy overlay.  When I try to change a user's
> password from a linux client, I get the following error message.
> 
> passwd ldapuser
> Changing password for ldapuser.
> Enter login(LDAP) password:
> New Password:
> Reenter New Password:
> LDAP password information update failed: Constraint violation
> Password fails quality checking policy
> passwd: Permission denied
> 
> 
> Within
> my logs, I do not see any error messages from my check_password.so
> module.  I created the directory /opt/openldap/etc/openldap/modules and
> placed my module in that directory and I added the modulepath in my
> slapd.conf.
> 
> Is there something I missed?   Is this a PAM thing? I know this setup works on a OpenSUSE 11.2 openldap server.  Help.
> 
> I included part of my slapd.conf, openldap configure, check_password.c source, makefile and ldd of my check_password.so. 
> 
> Thanks!!!!
> 
> Jose Torres
> 
> 
> openldap configure
> ******************
> 
> CC=/usr/sfw/bin/gcc CPPFLAGS=-I/opt/openldap/include \
> LDFLAGS="-L/opt/openldap/lib -R/opt/openldap/lib" \
> ./configure --prefix=/opt/openldap --with-tls \
> --enable-spasswd --enable-crypt --with-gnu-ld \
> --enable-ppolicy --enable-modules --enable-dynamic
> 
> 
> slapd.conf:
> **********
> 
> include         /opt/openldap/etc/openldap/schema/ppolicy.schema
> 
> # Add password policies.
> modulepath /opt/openldap/etc/openldap/modules
> overlay ppolicy
> ppolicy_default "cn=default,ou=policies,dc=caci,dc=ymp,dc=com"
> ppolicy_use_lockout
> 
> I tried ppolicy_clear_txt I still have the same problem.
> 
> check_password.c:
> ****************
> 
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
> #include <ctype.h>
> #include "portable.h"
> #include "slap.h"
> 
> int init_module()
> {
>     return 0;
> }
> 
> int check_password(char *pPasswd, char **ppErrStr, Entry *pEntry)
> {
>    char error=0;
>    char retmsg[255];
>    char *message,*buffer,*token;
>    const char special[] ="!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~";
>    const char number[] ="1234567890";
>    const char CAPS[] ="ABCDEFGHIJKLMNOPQRSTUVWXYZ";
> 
>    error = 0;
> 
> 
>    if (strstr( pPasswd, " ") != NULL)
>    {
>       error = 1;
>       strcpy(retmsg , "******** CHECKPW: Password contains SPACES! ********");
>    }
> 
>    buffer = strdup(pPasswd);
>    token = strtok(buffer,special);
>    if ( !(strcmp(token,pPasswd)) || (token == NULL) )
>    {
>       error = 1;
>       strcpy(retmsg , "******** CHECKPW: Password does not contain any special c
> haracters! ********");
>    }
> 
>    buffer = strdup(pPasswd);
>    token = strtok(buffer,number);
> 
>    if ( !(strcmp(token,pPasswd)) || (token == NULL) )
>    {
>       error = 1;
>       strcpy(retmsg , "******** CHECKPW: Password does not contain any numbers!
> ********");
>    }
> 
>    buffer = strdup(pPasswd);
>    token = strtok(buffer,number);
> 
>    if ( !(strcmp(token,pPasswd)) || (token == NULL) )
>    {
>       error = 1;
>                strcpy(retmsg , "******** CHECKPW: Password does not contain any CAPITAL L
> ETTERS! ********");
>    }
> 
>    if (error)
>    {
>       /* Allocate  */
>       message = (char *)malloc(sizeof(char) * (strlen(retmsg)+1));
>       /* Copy the contents of the string. */
>       strcpy(message, retmsg);
>       *ppErrStr=message;
>    }
>    return error;
> }
> 
> Makefile:
> *********
> 
> check_password.so: check_password.o
>         gcc -L/opt/openldap/lib -lldap -shared -o check_password.so check_passwo
> rd.o
> check_password.o: check_password.c
>         gcc -fpic -I../../include -I. -c check_password.c
> clean:
>         rm check_password.so check_password.o
> 
> 
> It seems to find the right libraries.
> 
> $ ldd modules/check_password.so
>         libldap-2.4.so.2 =>      /opt/openldap/lib/libldap-2.4.so.2
>         libgcc_s.so.1 =>         /usr/sfw/lib/libgcc_s.so.1
>         liblber-2.4.so.2 =>      /opt/openldap/lib/liblber-2.4.so.2
>         libresolv.so.2 =>        /usr/lib/libresolv.so.2
>         libgen.so.1 =>   /usr/lib/libgen.so.1
>         libnsl.so.1 =>   /usr/lib/libnsl.so.1
>         libsocket.so.1 =>        /usr/lib/libsocket.so.1
>         libsasl.so.1 =>  /usr/lib/libsasl.so.1
>         libssl.so.0.9.7 =>       /usr/sfw/lib/libssl.so.0.9.7
>         libcrypto.so.0.9.7 =>    /usr/sfw/lib/libcrypto.so.0.9.7
>         libc.so.1 =>     /usr/lib/libc.so.1
>         libmp.so.2 =>    /usr/lib/libmp.so.2
>         libmd.so.1 =>    /usr/lib/libmd.so.1
>         libscf.so.1 =>   /usr/lib/libscf.so.1
>         libdoor.so.1 =>  /usr/lib/libdoor.so.1
>         libuutil.so.1 =>         /usr/lib/libuutil.so.1
>         libssl_extra.so.0.9.7 =>         /usr/sfw/lib/libssl_extra.so.0.9.7
>         libcrypto_extra.so.0.9.7 =>      /usr/sfw/lib/libcrypto_extra.so.0.9.7
>         libm.so.2 =>     /usr/lib/libm.so.2