Hello,

Clément OUDOT wrote:
> 2011/2/13 Jan Kohnert <nospam001-lists@yyy.zzz.org>:
> > I have a problem with ppolicy and got stuck finding a solution. I
> > configured slapd using the information from [1] trying to be able to
> > lock users. But anyway, the lock seems to be ignored: As soon as one
> > tries to log in, the pwdLockedTime argument is removed from the entry and
> > I seem to be too blind or dumb to see the reason why.

[config stuff]

> can you tell us the OpenLDAP version you are running? For example,
> 2.4.11 on Debian is known to have bugs on the password policy overlay.

Running Gentoo here:

b079 /etc/openldap # eix net-nds/openldap
[I] net-nds/openldap
     Available versions:  2.3.43-r1 2.4.19-r1 ~2.4.21 2.4.23 {(+)berkdb crypt -cxx debug experimental gdbm gnutls icu iodbc ipv6 kerberos minimal odbc overlays perl samba sasl selinux slp smbkrb5passwd ssl syslog tcpd}
     Installed versions:  2.4.23(06:58:54 18.11.2010)(berkdb crypt ipv6 overlays perl sasl ssl tcpd -cxx -debug -experimental -gnutls -icu -iodbc -kerberos -minimal -odbc -samba -selinux -slp -smbkrb5passwd -syslog)
     Homepage:            http://www.OpenLDAP.org/
     Description:         LDAP suite of application and development tools

b079 /etc/openldap #

> Then you should try to lock your account by failing authentication
> (use a bad password several times), you should see in your entry
> operational attributes pwdFailureTime and pwdAccountLockedTime.

This one works!
b079 /etc/openldap # ldapwhoami -x -e ppolicy -D "uid=jan, ou=xxx, dc=yyy, dc=zzz, dc=org" -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
b079 /etc/openldap # ldapwhoami -x -e ppolicy -D "uid=jan, ou=xxx, dc=yyy, dc=zzz, dc=org" -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
b079 /etc/openldap # ldapwhoami -x -e ppolicy -D "uid=jan, ou=xxx, dc=yyy, dc=zzz, dc=org" -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
b079 /etc/openldap # ldapwhoami -x -e ppolicy -D "uid=jan, ou=xxx, dc=yyy, dc=zzz, dc=org" -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
b079 /etc/openldap # ldapwhoami -x -e ppolicy -D "uid=jan, ou=xxx, dc=yyy, dc=zzz, dc=org" -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
b079 /etc/openldap # ldapwhoami -x -e ppolicy -D "uid=jan, ou=xxx, dc=yyy, dc=zzz, dc=org" -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
b079 /etc/openldap # ldapwhoami -x -e ppolicy -D "uid=jan, ou=xxx, dc=yyy, dc=zzz, dc=org" -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
b079 /etc/openldap # ldapwhoami -x -e ppolicy -D "uid=jan, ou=xxx, dc=yyy, dc=zzz, dc=org" -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
b079 /etc/openldap # ldapsearch -x -e ppolicy -b "ou=xxx, dc=yyy, dc=zzz, dc=org" "(uid=jan)" pwdFailureTime
# extended LDIF
#
# LDAPv3
# base <ou=xxx, dc=yyy, dc=zzz, dc=org> with scope subtree
# filter: (uid=jan)
# requesting: pwdFailureTime
#

# jan, xxx, yyy.zzz.org
dn: uid=jan,ou=xxx,dc=yyy,dc=zzz,dc=org
pwdFailureTime: 20110214195244Z
pwdFailureTime: 20110214195246Z
pwdFailureTime: 20110214195247Z
pwdFailureTime: 20110214195249Z
pwdFailureTime: 20110214195250Z

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
b079 /etc/openldap # ldapsearch -x -e ppolicy -b "ou=xxx, dc=yyy, dc=zzz, dc=org" "(uid=jan)" pwdAccountLockedTime
# extended LDIF
#
# LDAPv3
# base <ou=xxx, dc=yyy, dc=zzz, dc=org> with scope subtree
# filter: (uid=jan)
# requesting: pwdAccountLockedTime
#

# jan, xxx, yyy.zzz.org
dn: uid=jan,ou=xxx,dc=yyy,dc=zzz,dc=org
pwdAccountLockedTime: 20110214195250Z

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
b079 /etc/openldap # ldapwhoami -x -e ppolicy -D "uid=jan, ou=xxx, dc=yyy, dc=zzz, dc=org" -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
b079 /etc/openldap # ldapsearch -x -e ppolicy -b "ou=xxx, dc=yyy, dc=zzz, dc=org" "(uid=jan)" pwdFailureTime
# extended LDIF
#
# LDAPv3
# base <ou=xxx, dc=yyy, dc=zzz, dc=org> with scope subtree
# filter: (uid=jan)
# requesting: pwdFailureTime
#

# jan, xxx, yyy.zzz.org
dn: uid=jan,ou=xxx,dc=yyy,dc=zzz,dc=org
pwdFailureTime: 20110214195244Z
pwdFailureTime: 20110214195246Z
pwdFailureTime: 20110214195247Z
pwdFailureTime: 20110214195249Z
pwdFailureTime: 20110214195250Z

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
b079 /etc/openldap #

> Try also to use -e ppolicy in ldapsearch or ldapwhoami commands, to
> get messages from password policy control.
That one does not seem to generate more precise error messages:

b079 /etc/openldap # ldapsearch -x -s base -e ppolicy -b "cn=default, ou=policies, dc=yyy, dc=zzz, dc=org"
# extended LDIF
#
# LDAPv3
# base <cn=default, ou=policies, dc=yyy, dc=zzz, dc=org> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

# default, policies, yyy.zzz.org
dn: cn=default,ou=policies,dc=yyy,dc=zzz,dc=org
cn: default
sn: dummy value
objectClass: pwdPolicy
objectClass: person
objectClass: top
pwdAttribute: userPassword
pwdMinAge: 0
pwdMaxAge: 0
pwdInHistory: 0
pwdCheckQuality: 0
pwdLockout: TRUE
pwdLockoutDuration: 900
pwdFailureCountInterval: 1800
pwdMustChange: FALSE
pwdAllowUserChange: TRUE
pwdSafeModify: TRUE
pwdExpireWarning: 604800
pwdMaxFailure: 5
pwdGraceAuthNLimit: 0
pwdMinLength: 8

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
b079 /etc/openldap # ldapmodify -x -e ppolicy -D "cn=admin, dc=yyy, dc=zzz, dc=org" -W -f ldif/locked_users.ldif
Enter LDAP Password:
modifying entry "uid=jan,ou=xxx,dc=yyy,dc=zzz,dc=org"

b079 /etc/openldap # slapcat | grep -B 13 Locked | grep "uid: jan"
uid: jan
b079 /etc/openldap # ldapwhoami -x -e ppolicy -D "uid=jan, ou=xxx, dc=yyy, dc=zzz, dc=org" -W
Enter LDAP Password:
dn:uid=jan,ou=xxx,dc=yyy,dc=zzz,dc=org
b079 /etc/openldap #

--
Regards
Jan
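Added example, not part of Jan's or Clément's mails: a small Python script that reads the policy entry and the per-user pwdFailureTime / pwdAccountLockedTime values (constructed here from the LDIF shown in the thread) and reports whether slapo-ppolicy should still reject a bind at a given point in time. The lockout rules it applies (failures older than pwdFailureCountInterval stop counting, 000001010000Z marks a permanent administrative lock, pwdLockoutDuration 0 means locked until an administrator clears it, otherwise the lock expires pwdLockoutDuration seconds after the timestamp) come from the password-policy draft as implemented by slapo-ppolicy and are assumptions of this script, not something the thread states.

```python
"""Evaluate OpenLDAP ppolicy lockout state from LDIF as dumped by ldapsearch.

Added example; not code from the mailing-list thread. The LDIF below is a
constructed copy of the policy values and failure timestamps shown in the
thread. Lockout semantics follow draft-behera-ldap-password-policy as
implemented by slapo-ppolicy (an assumption of this script).
"""
from datetime import datetime, timedelta, timezone

GT_FMT = "%Y%m%d%H%M%SZ"          # LDAP GeneralizedTime at second precision
PERMANENT_LOCK = "000001010000Z"  # ppolicy's marker for an administrative lock

# Constructed sample data (values as seen in the thread).
POLICY_LDIF = """\
dn: cn=default,ou=policies,dc=yyy,dc=zzz,dc=org
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdLockout: TRUE
pwdLockoutDuration: 900
pwdFailureCountInterval: 1800
pwdMaxFailure: 5
"""

ENTRY_LDIF = """\
# jan, xxx, yyy.zzz.org
dn: uid=jan,ou=xxx,dc=yyy,dc=zzz,dc=org
pwdFailureTime: 20110214195244Z
pwdFailureTime: 20110214195246Z
pwdFailureTime: 20110214195247Z
pwdFailureTime: 20110214195249Z
pwdFailureTime: 20110214195250Z
pwdAccountLockedTime: 20110214195250Z
"""


def parse_ldif(text):
    """Parse one LDIF entry into {attribute: [values]}; handles folded lines."""
    attrs, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw.startswith(" ") and last is not None:  # folded continuation line
            attrs[last][-1] += raw[1:]
            continue
        name, _, value = raw.partition(":")
        attrs.setdefault(name, []).append(value.strip())
        last = name
    return attrs


def parse_gt(value):
    """GeneralizedTime -> aware UTC datetime."""
    return datetime.strptime(value, GT_FMT).replace(tzinfo=timezone.utc)


def lockout_status(policy, entry, now):
    """Return (locked, reason, recent_failures) for entry under policy at time now."""
    enabled = policy.get("pwdLockout", ["FALSE"])[0].upper() == "TRUE"
    duration = int(policy.get("pwdLockoutDuration", ["0"])[0])
    max_fail = int(policy.get("pwdMaxFailure", ["0"])[0])
    interval = int(policy.get("pwdFailureCountInterval", ["0"])[0])

    failures = [parse_gt(t) for t in entry.get("pwdFailureTime", [])]
    if interval > 0:  # failures older than the interval no longer count
        failures = [t for t in failures if now - t <= timedelta(seconds=interval)]
    recent = len(failures)

    if not enabled:
        return False, "pwdLockout is FALSE: failures are recorded but never lock the account", recent

    locked_at = entry.get("pwdAccountLockedTime", [None])[0]
    if locked_at is None:
        if max_fail and recent >= max_fail:
            return False, f"{recent} failures reach pwdMaxFailure={max_fail} but no pwdAccountLockedTime is set", recent
        return False, "no pwdAccountLockedTime on the entry", recent

    if locked_at == PERMANENT_LOCK:
        return True, "administrative lock (000001010000Z): cleared only by removing the attribute", recent

    if duration == 0:
        return True, f"locked since {locked_at}; pwdLockoutDuration=0 keeps it locked until an admin clears it", recent

    expires = parse_gt(locked_at) + timedelta(seconds=duration)
    if now < expires:
        return True, f"locked until {expires.strftime(GT_FMT)}", recent
    return False, f"lock expired at {expires.strftime(GT_FMT)}; a bind with the right password succeeds again", recent


if __name__ == "__main__":
    policy, entry = parse_ldif(POLICY_LDIF), parse_ldif(ENTRY_LDIF)
    for when in ("20110214195500Z", "20110214210000Z"):
        locked, why, n = lockout_status(policy, entry, parse_gt(when))
        print(f"{when}: locked={locked} recent_failures={n} ({why})")
```

Run against the thread's values, the script reports the account as locked at 19:55 (until 20:07:50Z) and unlocked, with no failures still counted, at 21:00. The distinction it makes is the one worth checking when a lock appears to be ignored: with pwdLockoutDuration set to 900, a pwdAccountLockedTime written by hand is honoured only for 900 seconds after the timestamp it carries, whereas a lock that should hold until an administrator clears it needs the value 000001010000Z.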