[Date Prev][Date Next] [Chronological] [Thread] [Top]
replication breaks ppolicy

To: openldap-technical@openldap.org
Subject: replication breaks ppolicy
From: rocke.robertson@pch.gc.ca
Date: Tue, 23 Aug 2011 09:12:41 -0400
Good morning all

After quite a bit of work, I got replication working (thank you all).

So I forged ahead and deployed the server in our RHEL 5.5 environment. But
now I just realized that none of my ppolicy rules work. Also, the Redhat
clients are configured to use MD5 hash. When I look at the accounts in
webmin, it shows it being crypt????? I know openldap likes salted SHA, but
I thought I'd do what Redhat wanted, which was MD5.


Password history, aging etc... A search used to show me all of my ppolicy
objects.

ldapsearch -v -x -b 'dc=chin,dc=ca' cn=default

But now returns nothing. Users can reuse passwords, so no history or aging
is working. No locking. I had to change ACL's on the provider and consumer
to get the replication working. Would that cause the problem?

Here is my policy LDIF file I added to the server:

# policies, chin.com
dn: ou=policies,dc=chin,dc=ca
objectClass: organizationalUnit
objectClass: top
ou: policies

# default, policies, chin.com
dn: cn=default,ou=policies,dc=chin,dc=ca
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdInHistory: 6
pwdCheckQuality: 1
pwdMinLength: 8
pwdMaxFailure: 4
pwdLockout: TRUE
pwdLockoutDuration: 1920
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
pwdMaxAge: 10368000
pwdExpireWarning: 1209600
pwdMinAge: 86400


Provider:
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include		 		 /etc/openldap/schema/misc.schema
include		 		 /etc/openldap/schema/core.schema
include		 		 /etc/openldap/schema/cosine.schema
include		 		 /etc/openldap/schema/inetorgperson.schema
include		 		 /etc/openldap/schema/nis.schema
include		  		 /etc/openldap/schema/redhat/autofs.schema

include		  		 /etc/openldap/schema/ppolicy.schema


### added for host_attr access, this scheme gives me a host object for
wrappers
include		 		 /usr/share/doc/nss_ldap-253/ldapns.schema

# Allow LDAPv2 client connections.  This is NOT the default.
allow bind_v2 bind_anon_cred

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral		 ldap://root.openldap.org

pidfile		 		 /var/run/openldap/slapd.pid
argsfile		 /var/run/openldap/slapd.args

# note, enabling debbuging info really slows the beast down
#loglevel 128
loglevel 256
#loglevel conns filter


logfile /var/log/slapd.log

# Load dynamic backend modules using this path!!!
modulepath  /usr/lib/openldap

moduleload ppolicy.la
moduleload accesslog.la

# modules available in openldap-servers-sql RPM package:
# moduleload back_sql.la

#################################################################

schemacheck     on
lastmod         on

access to attrs=userPassword
  by self write
  by anonymous auth
  by * none

########################################
### ACL for syncrepl.
########################################

#access to attrs=userPassword
#     by self write
#by uid=replicator,ou=people,dc=chin,dc=ca read
#     by anonymous auth
#     by * none

access to attrs=userPassword,shadowLastChange
        by dn="dc=admin,dc=chin,dc=ca" write
        by anonymous auth

access to *
        by dn="dc=admin,dc=chin,dc=ca" write
        by * read


#access to attrs=shadowLastChange
#  by self write
#  by * read

access to *
      by * read

#### WIDE OPEN - For testing only
##NOPE access to * by * write
access to *
		 by * read
# ------------------------------------------------------------------- #
# Access log database instance for replication
# ------------------------------------------------------------------- #

# Accesslog database definitions
database bdb
suffix cn=accesslog
directory /var/lib/db/accesslog
rootdn cn=accesslog
index default eq
index entryCSN,objectClass,reqEnd,reqResult,reqStart

overlay syncprov
syncprov-nopresent TRUE
syncprov-reloadhint TRUE


# ------------------------------------------------------------------- #
# Primary database instance
# ------------------------------------------------------------------- #

database    bdb
suffix "dc=chin,dc=ca"
rootdn "cn=admin, dc=chin,dc=ca"

# rootpw
rootpw {SSHA}TCYoUVYYYXXXXXbQsitJ3V7zo+c887NC

directory		 /var/lib/ldap

index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub
index entryCSN,entryUUID        eq

# define the default policy
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=chin,dc=ca"
ppolicy_use_lockout


# syncrepl Provider for primary db
overlay syncprov
syncprov-checkpoint 1000 60

# accesslog overlay definitions for primary db
overlay accesslog
logdb cn=accesslog
logops writes
logsuccess TRUE
# scan the accesslog DB every day, and purge entries older than 7 days
logpurge 07+00:00 01+00:00

# Let the replica DN have limitless searches
limits dn.exact="uid=replicator,ou=People,dc=chin,dc=ca"
time.soft=unlimited time.hard=unlimited size.soft=unlimited
size.hard=unlimited


Consumer:

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /etc/openldap/schema/misc.schema
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/redhat/autofs.schema
include         /etc/openldap/schema/ppolicy.schema

### added for host_attr access, this scheme gives me a host object for
wrappers
include         /usr/share/doc/nss_ldap-253/ldapns.schema

# Allow LDAPv2 client connections.  This is NOT the default.
allow bind_v2 bind_anon_cred

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

loglevel 256
logfile /var/log/slapd.log

modulepath  /usr/lib/openldap

# ------------------------------------------------------------------- #
# Primary database instance
# ------------------------------------------------------------------- #

database bdb
suffix "dc=chin,dc=ca"
rootdn "cn=admin,dc=chin,dc=ca"

directory       /var/lib/ldap

moduleload ppolicy.la
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=chin,dc=ca"
ppolicy_use_lockout

# ------------------------------------------------------------------- #
# Replica configuration instance
# ------------------------------------------------------------------- #

# syncrepl specific indices
index entryUUID eq uniqueMember
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub
index entryCSN		 		 		 		 eq


# syncrepl directives
syncrepl  rid=0
               provider=ldap://ldap
               bindmethod=simple
               binddn="uid=replicator,ou=people,dc=chin,dc=ca"
               #binddn="cn=admin,dc=chin,dc=ca"
               credentials=xxxxx
               searchbase="dc=chin,dc=ca"
               logbase="cn=accesslog"
               logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
               schemachecking=off
               type=refreshAndPersist
               retry="60 +"
               syncdata=accesslog

     # Refer updates to the master
updateref               ldap://ldap



Any suggestions would be dandy and much appreciated. I'm new to LDAP, as
you can tell.

Thanks
Follow-Ups:
- Re: replication breaks ppolicy
  - From: Buchan Milne <bgmilne@staff.telkomsa.net>
Prev by Date: Re: syncrepl broken, and I can't update anything on the server
Next by Date: Re: replication breaks ppolicy
Index(es):
- Chronological
- Thread