[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: ppolicy overlay password problem

Hi, Howard

Thank you for the reply.  My client is regular linux (Fedora 4), and I am just using ssh to login.  When I build ldap, I run the test and test022 passwd without problem.  The only difference between test022's user and my reular user is objectClass, test022 uses "interOrgPerson", and my user uses "posixAccount".  Since I need uid, etc for Linux account, I have to use posixAccount.

I also know the problem is on server side.  I run the slapd in debug (-d4).  I can see that if there is no ppolicy overlay configured, I will got password error (49),

==> bdb_bind: dn: uid=tester,ou=People,dc=n2p,dc=com
send_ldap_result: err=49 matched="" text=""

If I put ppolicy overlay in, there is not err send to client.

send_ldap_result: err=0 matched="" text=""



-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Sent: Monday, November 07, 2005 7:20 PM
To: Baoning Pan
Cc: OpenLDAP-software@OpenLDAP.org
Subject: Re: ppolicy overlay password problem

The test022 script in the bundled test suite specifically tests for 
authentication using an incorrect password, and this test works 
correctly in my 2.3.11 build. As such, I do not believe there is any bug 
in OpenLDAP software here. You should check whatever software you're 
using to "login."

Baoning Pan wrote:
> Hi,
> I need help on ppolicy as this is the first time I try to use it for company internal use.  I search the mail listing and web and cannot find same problem.  
> I compiled openldap 2.3.11 on Solaris 8, with bdb.4.3.29 and openssl.0.9.7g.  First I started slapd without ppolicy, and things works fine.  Then, I added ppolicy overlay/schema.  slapd started/loaded fine.  But I get big problem with user password, user can login with "ANY WORD" as its password even though I can see new "pwdFailureTime" entry is added to ldap db for that user.  
> Thanks.
> Here are the ppolicy related entries/ldif for my slapd.conf
> include         /usr/local/openldap/etc/openldap/schema/ppolicy.schema
> overlay         ppolicy
> ppolicy_default "cn=Standard Policy,ou=Policies,dc=n2p,dc=com"
> ppolicy_use_lockout
> dn: ou=Policies,dc=n2p,dc=com
> objectClass: top
> objectClass: organizationalUnit
> ou: Policies
> structuralObjectClass: organizationalUnit
> dn: cn=Standard Policy,ou=Policies,dc=n2p,dc=com
> objectClass: top
> objectClass: device
> objectClass: pwdPolicy
> cn: Standard Policy
> pwdAttribute: userPassword
> pwdLockoutDuration: 120
> pwdInHistory: 5
> pwdCheckQuality: 2
> pwdExpireWarning: 86400
> pwdMaxAge: 864000
> pwdMinLength: 5
> pwdGraceAuthNLimit: 5
> pwdAllowUserChange: TRUE
> pwdMustChange: FALSE
> pwdMaxFailure: 3
> pwdFailureCountInterval: 120
> pwdSafeModify: FALSE
> structuralObjectClass: device

  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/