RE: ppolicy overlay password problem
- To: "Howard Chu" <firstname.lastname@example.org>
- Subject: RE: ppolicy overlay password problem
- From: "Baoning Pan" <email@example.com>
- Date: Tue, 8 Nov 2005 09:46:11 -0500
- Cc: <OpenLDAP-software@OpenLDAP.org>
- Content-class: urn:content-classes:message
- Thread-index: AcXj+ivA4Kzyz2wZRTGO/9x1dp8lVQAdz3FQ
- Thread-topic: ppolicy overlay password problem
Thank you for the reply. My client is regular Linux (Fedora 4), and I am just using ssh to log in. When I build ldap, I run the tests and test022 passwd without problem. The only difference between test022's user and my regular user is objectClass: test022 uses "inetOrgPerson", and my user uses "posixAccount". Since I need uid, etc. for the Linux account, I have to use posixAccount.
I also know the problem is on the server side. I run slapd in debug (-d4). I can see that if there is no ppolicy overlay configured, I get the password error (49):
==> bdb_bind: dn: uid=tester,ou=People,dc=n2p,dc=com
send_ldap_result: err=49 matched="" text=""
If I put the ppolicy overlay in, there is no error sent to the client:
send_ldap_result: err=0 matched="" text=""
From: Howard Chu [mailto:firstname.lastname@example.org]
Sent: Monday, November 07, 2005 7:20 PM
To: Baoning Pan
Subject: Re: ppolicy overlay password problem
The test022 script in the bundled test suite specifically tests for
authentication using an incorrect password, and this test works
correctly in my 2.3.11 build. As such, I do not believe there is any bug
in OpenLDAP software here. You should check whatever software you're
using to "login."
Baoning Pan wrote:
> I need help on ppolicy as this is the first time I try to use it for company internal use. I searched the mailing list and the web and cannot find the same problem.
> I compiled openldap 2.3.11 on Solaris 8, with bdb.4.3.29 and openssl.0.9.7g. First I started slapd without ppolicy, and things work fine. Then I added the ppolicy overlay/schema. slapd started/loaded fine. But I get a big problem with user passwords: a user can log in with "ANY WORD" as its password even though I can see a new "pwdFailureTime" entry is added to the ldap db for that user.
> Here are the ppolicy related entries/ldif for my slapd.conf
> include /usr/local/openldap/etc/openldap/schema/ppolicy.schema
> overlay ppolicy
> ppolicy_default "cn=Standard Policy,ou=Policies,dc=n2p,dc=com"
> dn: ou=Policies,dc=n2p,dc=com
> objectClass: top
> objectClass: organizationalUnit
> ou: Policies
> structuralObjectClass: organizationalUnit
> dn: cn=Standard Policy,ou=Policies,dc=n2p,dc=com
> objectClass: top
> objectClass: device
> objectClass: pwdPolicy
> cn: Standard Policy
> pwdAttribute: userPassword
> pwdLockoutDuration: 120
> pwdInHistory: 5
> pwdCheckQuality: 2
> pwdExpireWarning: 86400
> pwdMaxAge: 864000
> pwdMinLength: 5
> pwdGraceAuthNLimit: 5
> pwdAllowUserChange: TRUE
> pwdMustChange: FALSE
> pwdMaxFailure: 3
> pwdFailureCountInterval: 120
> pwdSafeModify: FALSE
> structuralObjectClass: device
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
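Added example, written for this archive page and not code from either poster or from OpenLDAP: the pwdPolicy values quoted in the original message, re-typed as a constructed LDIF string, fed through a simplified Python model of the failure bookkeeping that the password-policy draft (and slapo-ppolicy) describe in terms of the operational attributes pwdFailureTime and pwdAccountLockedTime. One thing a practitioner would check in the quoted policy: it sets pwdMaxFailure and pwdLockoutDuration but never sets pwdLockout, which defaults to FALSE, so pwdFailureTime values accumulate on the entry without the account ever being locked. The model does not explain why the server answered err=0 to a wrong password; that is a separate bind problem. The purge/lock arithmetic is a simplification of the overlay's behaviour (failures older than pwdFailureCountInterval are dropped before counting; the pwdMaxFailure-th surviving failure sets pwdAccountLockedTime; a bind is refused while now - pwdAccountLockedTime < pwdLockoutDuration, or indefinitely when that duration is 0).

```python
"""Simplified model of ppolicy failure-count and lockout bookkeeping (added example)."""

# Constructed copy of the pwdPolicy entry quoted in the thread.
POLICY_LDIF = """\
dn: cn=Standard Policy,ou=Policies,dc=n2p,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: Standard Policy
pwdAttribute: userPassword
pwdLockoutDuration: 120
pwdInHistory: 5
pwdCheckQuality: 2
pwdExpireWarning: 86400
pwdMaxAge: 864000
pwdMinLength: 5
pwdGraceAuthNLimit: 5
pwdAllowUserChange: TRUE
pwdMustChange: FALSE
pwdMaxFailure: 3
pwdFailureCountInterval: 120
pwdSafeModify: FALSE
"""


def parse_ldif_entry(text):
    """Parse one plain LDIF entry into {attribute: [values]} (no base64, no line folding)."""
    attrs = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("not an attribute line: %r" % line)
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs


def _int(policy, name, default=0):
    return int(policy.get(name, [str(default)])[0])


def _lockout_enabled(policy):
    # pwdLockout defaults to FALSE when absent from the policy entry.
    return policy.get("pwdLockout", ["FALSE"])[0].upper() == "TRUE"


def policy_warnings(policy):
    """Flag policy settings under which failed binds are recorded but never lock."""
    warnings = []
    if not _lockout_enabled(policy):
        warnings.append("pwdLockout is not TRUE: pwdFailureTime is recorded but "
                        "pwdMaxFailure never locks the account")
    if _int(policy, "pwdMaxFailure") == 0:
        warnings.append("pwdMaxFailure is 0: failed binds are not counted toward lockout")
    if _lockout_enabled(policy) and _int(policy, "pwdLockoutDuration") == 0:
        warnings.append("pwdLockoutDuration is 0: a locked account stays locked until reset")
    return warnings


def purge_failures(policy, failures, now):
    """Drop pwdFailureTime values older than pwdFailureCountInterval (0 = keep all)."""
    interval = _int(policy, "pwdFailureCountInterval")
    return [t for t in failures if interval == 0 or now - t < interval]


def is_locked(policy, state, now):
    """True if a bind at `now` is refused because pwdAccountLockedTime is in force."""
    locked_at = state.get("pwdAccountLockedTime")
    if locked_at is None:
        return False
    duration = _int(policy, "pwdLockoutDuration")
    return duration == 0 or now - locked_at < duration


def record_failed_bind(policy, state, now):
    """Update the entry's operational attributes after a failed bind at `now` (epoch secs)."""
    failures = purge_failures(policy, state.get("pwdFailureTime", []), now) + [now]
    state["pwdFailureTime"] = failures
    max_failure = _int(policy, "pwdMaxFailure")
    if _lockout_enabled(policy) and max_failure and len(failures) >= max_failure:
        state["pwdAccountLockedTime"] = now
    return state


def simulate(policy, failed_bind_times):
    """Replay a sequence of failed binds; return the time the account locked, or None."""
    state = {}
    for t in failed_bind_times:
        if is_locked(policy, state, t):
            continue  # refused for lockout; nothing further is recorded (simplification)
        record_failed_bind(policy, state, t)
    return state.get("pwdAccountLockedTime")


if __name__ == "__main__":
    policy = parse_ldif_entry(POLICY_LDIF)
    for w in policy_warnings(policy):
        print("warning:", w)
    print("quoted policy locks at:", simulate(policy, [100, 110, 120]))
    hardened = dict(policy, pwdLockout=["TRUE"])
    print("with pwdLockout TRUE locks at:", simulate(hardened, [100, 110, 120]))
```

With the policy as quoted, simulate() never returns a lock time; adding `pwdLockout: TRUE` makes the third failure inside the 120-second window lock the account for pwdLockoutDuration seconds, after which binds are evaluated normally again.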