
PPolicy confusion / stumped



Guys,
 
   Thank you in advance for your help.
 
   I am stumped by the ppolicy overlay.  I ran
configure with --enable-ppolicy, the ppolicy test
(test-022, I believe) ran successfully, I built the ou
for Policies and then the ppolicy cn entry (I believe
I did this correctly), but I cannot get ppolicy to
budge on any entry.  It never adds anything (like
pwdHistory) to record entries.
 
   I have included my slapd.conf, the ppolicy entry,
and the last 120 lines of the log.  Additionally, I
have my test user entry where you can see that ppolicy
is not entering any of the elements into the test
user.  I have tried logging in (both successfully and
unsuccessfully), changing the password (via
ldappasswd), and editing the entry directly.  It just
doesn't seem to do anything.

   Can anyone help?
 
_/*--------------------------------- Pwd Policy
----------------------------------------------*/
# Policies, xxxx.com
dn: ou=Policies,dc=xxxx,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Policies
# xxxPPolicy, Policies, xxxx.com
# NOTE(review): this DN is cn=xxxPPolicy, but the ppolicy_default value in the
# posted slapd.conf names cn=pwdPolicy,ou=Policies,dc=xxxx,dc=com. The default
# policy can only be applied if the two DNs agree; change one of them.
dn: cn=xxxPPolicy,ou=Policies,dc=xxxx,dc=com
objectClass: pwdPolicy
objectClass: top
# device supplies the structural class; pwdPolicy itself is auxiliary.
objectClass: device
cn: xxxPPolicy
# The attribute this policy governs.
pwdAttribute: userPassword
# 7516800 s = 87 days until a password expires.
pwdMaxAge: 7516800
# 432000 s = 5 days of expiry warnings before that.
pwdExpireWarning: 432000
# Keep the last 6 passwords (held in the operational attribute pwdHistory).
pwdInHistory: 6
# 1 = check quality when the server receives cleartext; accept when it cannot
# (a pre-hashed value). 2 would reject in that case.
pwdCheckQuality: 1
pwdMinLength: 8
# Lock the account after 4 consecutive bind failures ...
pwdMaxFailure: 4
pwdLockout: TRUE
# ... for 1920 s = 32 minutes.
pwdLockoutDuration: 1920
# No grace binds once the password has expired.
pwdGraceAuthNLimit: 0
# 0 = the failure count is cleared only by a successful bind, never by time.
# NOTE(review): combined with pwdLockout, 4 bad binds against a known uid lock
# that account for 32 minutes; consider whether a non-zero interval fits the
# environment.
pwdFailureCountInterval: 0
# After an administrative reset the user must change the password (pwdReset).
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
# Changes must supply the old password (ldappasswd -a / -A).
pwdSafeModify: TRUE

_/*---------------------------------- slapd.conf
-------------------------------------------*/
root@certificate-1 [/usr/local/libexec] # cat
../etc/openldap/slapd.conf
#
# See slapd.conf(5) for details on configuration
options.
# This file should NOT be world readable.
#
# NOTE(review): reproduced as posted; the breaks inside directives (an
# "include" with its path on the following line) are mail wrapping.
include        
/usr/local/etc/openldap/schema/core.schema
include        
/usr/local/etc/openldap/schema/cosine.schema
include        
/usr/local/etc/openldap/schema/inetorgperson.schema
include        
/usr/local/etc/openldap/schema/nis.schema
include        
/usr/local/etc/openldap/schema/ppolicy.schema
include        
/usr/local/etc/openldap/schema/xxx-schema/interwoven.schema
include        
/usr/local/etc/openldap/schema/xxx-schema/portal.schema
include        
/usr/local/etc/openldap/schema/xxx-schema/compat.schema
include        
/usr/local/etc/openldap/schema/xxx-schema/solaris.schema

# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a
working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org
pidfile         /usr/local/var/run/slapd.pid
argsfile        /usr/local/var/run/slapd.args
# NOTE(review): -1 enables every debug category (the log excerpt below is the
# result). Useful while diagnosing; far too noisy and disk-hungry to leave on.
loglevel -1
# NOTE(review): two likely reasons the overlay never acts:
#  1. ppolicy_default names cn=pwdPolicy, but the policy entry posted above is
#     cn=xxxPPolicy,ou=Policies,dc=xxxx,dc=com. With no entry at the default
#     DN and no pwdPolicySubentry on the users, there is no policy to apply.
#     Make the two DNs agree.
#  2. An "overlay" directive attaches to the database section it appears in;
#     here it precedes "database hdb", so presumably it is not layered on the
#     hdb database at all (in 2.3+ a global overlay lands on the frontend).
#     Move "overlay ppolicy" and "ppolicy_default" below the "suffix" line.
#     Confirm against slapd-ppolicy(5) for this build.
overlay ppolicy
ppolicy_default
"cn=pwdPolicy,ou=Policies,dc=xxxx,dc=com"
# Load dynamic backend modules:
# modulepath    /usr/local/libexec/openldap
# moduleload    back_bdb.la
# moduleload    back_ldap.la
# moduleload    back_ldbm.la
# moduleload    back_passwd.la
# moduleload    back_shell.la
# Sample security restrictions
#       Require integrity protection (prevent
hijacking)
#       Require 112-bit (3DES or better) encryption
for updates
#       Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
#       Root DSE: allow anyone to read it
#       Subschema (sub)entry DSE: allow anyone to read
it
#       Other DSEs:
#               Allow self write access
#               Allow authenticated users read access
#               Allow anonymous users to authenticate
#       Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#       by self write
#       by users read
#       by anonymous auth
#
# if no access controls are present, the default
policy
# allows anyone and everyone to read anything but
restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#######################################################################
# BDB database definitions
#######################################################################
database        hdb
suffix          "dc=xxxx,dc=com"
rootdn          "cn=RootAdmin4,dc=xxxx,dc=com"
# Cleartext passwords, especially for the rootdn,
should
# be avoid.  See slappasswd(8) and slapd.conf(5) for
details.
# Use of strong authentication encouraged.
# NOTE(review): the warning above applies as written — "secret" is the rootdn
# credential in cleartext. Replace it with the hashed value that slappasswd
# prints, and keep this file unreadable to anyone but the slapd user.
rootpw          secret
# The database directory MUST exist prior to running
slapd AND
# should only be accessible by the slapd and slap
tools.
# Mode 700 recommended.
directory       /usr/local/var/openldap-data
# Indices to maintain
index   objectClass     eq
# NOTE(review): there is no "access" directive anywhere in this file, so the
# default described in the comments above is in force: every client, including
# anonymous binds, can read every attribute. The log below confirms it
# ("backend default read access granted to (anonymous)"), and that includes
# userPassword on the user entries. Add at least the sample ACL above, with
# the password attribute restricted, e.g.
#   access to attrs=userPassword by self write by anonymous auth by * none
#   access to * by self write by users read by anonymous auth
_/*-------------------------------------- test user
---------------------------------------*/
# testuser, People, xxxx.com
dn: uid=testuser,ou=People,dc=xxxx,dc=com
# NOTE(review): passwordHistory / accountLockedDate / accountLockedBy are not
# ppolicy attributes (they are not in ppolicy.schema; presumably they come from
# the xxx-schema includes). The overlay records its state in operational
# attributes — pwdChangedTime, pwdHistory, pwdAccountLockedTime,
# pwdFailureTime — which ldapsearch omits unless they are requested by name or
# with "+", so their absence from a plain search does not by itself show the
# overlay is idle. Re-check with those attributes requested explicitly.
passwordHistory: a
passwordHistory: b
passwordHistory: c
accountLockedDate: 1082005114
accountLockedBy: uid=rappapoe,ou=People,dc=xxxx,dc=com
ftpHomeDirectory: /home/testuser
# NOTE(review): pwdPolicy (and pwdAttribute further down) belong on the policy
# entry, not on a user. A user is tied to a policy through pwdPolicySubentry or
# through ppolicy_default; adding the class here does not make the entry
# subject to any policy. Probably remove both from this entry.
objectClass: pwdPolicy
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: interwoven
objectClass: xxxxRecordInfo
objectClass: xxxxUser
objectClass: hostaccount
ou: People
recordCreatedTime: 1082005114
recordCreator: uid=rappapoe,ou=People,dc=xxxx,dc=com
uidNumber: 25282
sambaAccess: xxxnfiles.viacom.com
pwdAttribute: userPassword
uid: testuser
cn: testuser testuser
shadowLastChange: 13353
loginShell: /bin/bash
gidNumber: 500
homeDirectory: /tmp
gecos: testuser testuser
# NOTE(review): with no access directives in the posted slapd.conf, this
# password hash is readable by anonymous clients; restrict userPassword in the
# ACL (self write, anonymous auth, everyone else none).
userPassword:: e2NyeXB0fWFiLjZ5RUM4N1NRYWM=
givenName: testuser
sn: testuser
mail: evan.rappaport@xxxx.com
istsrole: Editor
istsrole: Author
istsrole: od-user
istsrole: od-admin
adtsrole: Master
adtsrole: Admin
adtsrole: Editor
adtsrole: Author
adtsrole: od-user
adtsrole: od-admin
devtsrole: Master
devtsrole: Admin
devtsrole: Editor
devtsrole: Author
devtsrole: od-user
devtsrole: od-admin
recordUpdater: uid=rappapoe,ou=People,dc=xxxx,dc=com
recordUpdatedTime: 1153758343
ftpAccess: TRUE
ftpQuota: ftp-1.xxxx.com:512M:512M:::2
host: certificate-1.xxxx.com
 
_/*-------------------------------------- LDAP log
----------------------------------------*/
root@certificate-1 [/usr/local/libexec] # tail -n 120
/var/log/ldap
Jul 27 12:32:32 certificate-1 slapd[20894]: <=
test_filter 5
Jul 27 12:32:32 certificate-1 slapd[20894]:
hdb_search: 1 does not match filter
Jul 27 12:32:32 certificate-1 slapd[20894]: =>
test_filter
Jul 27 12:32:32 certificate-1 slapd[20894]:    
SUBSTRINGS
Jul 27 12:32:32 certificate-1 slapd[20894]: begin
test_substrings_filter
Jul 27 12:32:32 certificate-1 slapd[20894]: =>
access_allowed: search access to
"cn=RootAdmin3,dc=xxxx,dc=com" "cn" requested
Jul 27 12:32:32 certificate-1 slapd[20894]: =>
access_allowed: backend default search access granted
to "(anonymous)"
Jul 27 12:32:32 certificate-1 slapd[20894]: end
test_substrings_filter 5
Jul 27 12:32:32 certificate-1 slapd[20894]: <=
test_filter 5
Jul 27 12:32:32 certificate-1 slapd[20894]:
hdb_search: 2 does not match filter
Jul 27 12:32:32 certificate-1 slapd[20894]: =>
test_filter
Jul 27 12:32:32 certificate-1 slapd[20894]:    
SUBSTRINGS
Jul 27 12:32:32 certificate-1 slapd[20894]: begin
test_substrings_filter
Jul 27 12:32:32 certificate-1 slapd[20894]: =>
access_allowed: search access to
"ou=People,dc=xxxx,dc=com" "cn" requested
Jul 27 12:32:32 certificate-1 slapd[20894]: =>
access_allowed: backend default search access granted
to "(anonymous)"
Jul 27 12:32:32 certificate-1 slapd[20894]: end
test_substrings_filter 5
Jul 27 12:32:32 certificate-1 slapd[20894]: <=
test_filter 5
Jul 27 12:32:32 certificate-1 slapd[20894]:
hdb_search: 11 does not match filter
Jul 27 12:32:32 certificate-1 slapd[20894]: =>
test_filter
Jul 27 12:32:32 certificate-1 slapd[20894]:    
SUBSTRINGS
Jul 27 12:32:32 certificate-1 slapd[20894]: begin
test_substrings_filter
Jul 27 12:32:32 certificate-1 slapd[20894]: =>
access_allowed: search access to
"uid=test-campells,ou=People,dc=xxxx,dc=com" "cn"
requested
Jul 27 12:32:32 certificate-1 slapd[20894]: =>
access_allowed: backend default search access granted
to "(anonymous)"
Jul 27 12:32:32 certificate-1 slapd[20894]: end
test_substrings_filter 5
Jul 27 12:32:32 certificate-1 slapd[20894]: <=
test_filter 5
Jul 27 12:32:32 certificate-1 slapd[20894]:
hdb_search: 18 does not match filter
Jul 27 12:32:32 certificate-1 slapd[20894]: =>
test_filter
Jul 27 12:32:32 certificate-1 slapd[20894]:    
SUBSTRINGS
Jul 27 12:32:32 certificate-1 slapd[20894]: begin
test_substrings_filter
Jul 27 12:32:32 certificate-1 slapd[20894]: =>
access_allowed: search access to
"ou=Policies,dc=xxxx,dc=com" "cn" requested
Jul 27 12:32:32 certificate-1 slapd[20894]: =>
access_allowed: backend default search access granted
to "(anonymous)"
Jul 27 12:32:32 certificate-1 slapd[20894]: end
test_substrings_filter 5
Jul 27 12:32:32 certificate-1 slapd[20894]: <=
test_filter 5
Jul 27 12:32:32 certificate-1 slapd[20894]:
hdb_search: 21 does not match filter
Jul 27 12:32:32 certificate-1 slapd[20894]: =>
test_filter
Jul 27 12:32:32 certificate-1 slapd[20894]:    
SUBSTRINGS
Jul 27 12:32:32 certificate-1 slapd[20894]: begin
test_substrings_filter
Jul 27 12:32:32 certificate-1 slapd[20894]: =>
access_allowed: search access to
"cn=xxxPPolicy,ou=Policies,dc=xxxx,dc=com" "cn"
requested
Jul 27 12:32:32 certificate-1 slapd[20894]: =>
access_allowed: backend default search access granted
to "(anonymous)"
Jul 27 12:32:32 certificate-1 slapd[20894]: <=
test_filter 6
Jul 27 12:32:32 certificate-1 slapd[20894]: =>
send_search_entry: conn 3
dn="cn=xxxPPolicy,ou=Policies,dc=xxxx,dc=com"
Jul 27 12:32:32 certificate-1 slapd[20894]: =>
access_allowed: read access to
"cn=xxxPPolicy,ou=Policies,dc=xxxx,dc=com" "entry"
requested
Jul 27 12:32:32 certificate-1 slapd[20894]: =>
access_allowed: backend default read access granted to
"(anonymous)"
Jul 27 12:32:32 certificate-1 slapd[20894]: =>
access_allowed: read access to
"cn=xxxPPolicy,ou=Policies,dc=xxxx,dc=com"
"objectClass" requested
Jul 27 12:32:32 certificate-1 slapd[20894]: =>
access_allowed: backend default read access granted to
"(anonymous)"
Jul 27 12:32:32 certificate-1 slapd[20894]: =>
access_allowed: read access to
"cn=xxxPPolicy,ou=Policies,dc=xxxx,dc=com" "cn"
requested
Jul 27 12:32:32 certificate-1 slapd[20894]: =>
access_allowed: backend default read access granted to
"(anonymous)"
Jul 27 12:32:32 certificate-1 slapd[20894]: =>
access_allowed: read access to
"cn=xxxPPolicy,ou=Policies,dc=xxxx,dc=com"
"pwdAttribute" requested
Jul 27 12:32:33 certificate-1 slapd[20894]: =>
access_allowed: backend default read access granted to
"(anonymous)"
Jul 27 12:32:33 certificate-1 slapd[20894]: =>
access_allowed: read access to
"cn=xxxPPolicy,ou=Policies,dc=xxxx,dc=com" "pwdMaxAge"
requested
Jul 27 12:32:33 certificate-1 slapd[20894]: =>
access_allowed: backend default read access granted to
"(anonymous)"
Jul 27 12:32:33 certificate-1 slapd[20894]: =>
access_allowed: read access to
"cn=xxxPPolicy,ou=Policies,dc=xxxx,dc=com"
"pwdExpireWarning" requested
Jul 27 12:32:33 certificate-1 slapd[20894]: =>
access_allowed: backend default read access granted to
"(anonymous)"
Jul 27 12:32:33 certificate-1 slapd[20894]: =>
access_allowed: read access to
"cn=xxxPPolicy,ou=Policies,dc=xxxx,dc=com"
"pwdInHistory" requested
Jul 27 12:32:33 certificate-1 slapd[20894]: =>
access_allowed: backend default read access granted to
"(anonymous)"
Jul 27 12:32:33 certificate-1 slapd[20894]: =>
access_allowed: read access to
"cn=xxxPPolicy,ou=Policies,dc=xxxx,dc=com"
"pwdCheckQuality" requested
Jul 27 12:32:33 certificate-1 slapd[20894]: =>
access_allowed: backend default read access granted to
"(anonymous)"
Jul 27 12:32:33 certificate-1 slapd[20894]: =>
access_allowed: read access to
"cn=xxxPPolicy,ou=Policies,dc=xxxx,dc=com"
"pwdMinLength" requested
Jul 27 12:32:33 certificate-1 slapd[20894]: =>
access_allowed: backend default read access granted to
"(anonymous)"
Jul 27 12:32:33 certificate-1 slapd[20894]: =>
access_allowed: read access to
"cn=xxxPPolicy,ou=Policies,dc=xxxx,dc=com"
"pwdMaxFailure" requested
Jul 27 12:32:33 certificate-1 slapd[20894]: =>
access_allowed: backend default read access granted to
"(anonymous)"
Jul 27 12:32:33 certificate-1 slapd[20894]: =>
access_allowed: read access to
"cn=xxxPPolicy,ou=Policies,dc=xxxx,dc=com"
"pwdLockout" requested
Jul 27 12:32:33 certificate-1 slapd[20894]: =>
access_allowed: backend default read access granted to
"(anonymous)"
Jul 27 12:32:33 certificate-1 slapd[20894]: =>
access_allowed: read access to
"cn=xxxPPolicy,ou=Policies,dc=xxxx,dc=com"
"pwdLockoutDuration" requested
Jul 27 12:32:33 certificate-1 slapd[20894]: =>
access_allowed: backend default read access granted to
"(anonymous)"
Jul 27 12:32:33 certificate-1 slapd[20894]: =>
access_allowed: read access to
"cn=xxxPPolicy,ou=Policies,dc=xxxx,dc=com"
"pwdGraceAuthNLimit" requested
Jul 27 12:32:33 certificate-1 slapd[20894]: =>
access_allowed: backend default read access granted to
"(anonymous)"
Jul 27 12:32:33 certificate-1 slapd[20894]: =>
access_allowed: read access to
"cn=xxxPPolicy,ou=Policies,dc=xxxx,dc=com"
"pwdFailureCountInterval" requested
Jul 27 12:32:33 certificate-1 slapd[20894]: =>
access_allowed: backend default read access granted to
"(anonymous)"
Jul 27 12:32:33 certificate-1 slapd[20894]: =>
access_allowed: read access to
"cn=xxxPPolicy,ou=Policies,dc=xxxx,dc=com"
"pwdMustChange" requested
Jul 27 12:32:33 certificate-1 slapd[20894]: =>
access_allowed: backend default read access granted to
"(anonymous)"
Jul 27 12:32:33 certificate-1 slapd[20894]: =>
access_allowed: read access to
"cn=xxxPPolicy,ou=Policies,dc=xxxx,dc=com"
"pwdAllowUserChange" requested
Jul 27 12:32:33 certificate-1 slapd[20894]: =>
access_allowed: backend default read access granted to
"(anonymous)"
Jul 27 12:32:33 certificate-1 slapd[20894]: =>
access_allowed: read access to
"cn=xxxPPolicy,ou=Policies,dc=xxxx,dc=com"
"pwdSafeModify" requested
Jul 27 12:32:33 certificate-1 slapd[20894]: =>
access_allowed: backend default read access granted to
"(anonymous)"
Jul 27 12:32:33 certificate-1 slapd[20894]: conn=3
op=1 ENTRY
dn="cn=xxxppolicy,ou=policies,dc=xxxx,dc=com"
Jul 27 12:32:33 certificate-1 slapd[20894]: <=
send_search_entry: conn 3 exit.
Jul 27 12:32:33 certificate-1 slapd[20894]: =>
test_filter
Jul 27 12:32:33 certificate-1 slapd[20894]:    
SUBSTRINGS
Jul 27 12:32:33 certificate-1 slapd[20894]: begin
test_substrings_filter
Jul 27 12:32:33 certificate-1 slapd[20894]: =>
access_allowed: search access to
"uid=testuser,ou=People,dc=xxxx,dc=com" "cn" requested
Jul 27 12:32:33 certificate-1 slapd[20894]: =>
access_allowed: backend default search access granted
to "(anonymous)"
Jul 27 12:32:33 certificate-1 slapd[20894]: end
test_substrings_filter 5
Jul 27 12:32:33 certificate-1 slapd[20894]: <=
test_filter 5
Jul 27 12:32:33 certificate-1 slapd[20894]:
hdb_search: 23 does not match filter
Jul 27 12:32:33 certificate-1 slapd[20894]: =>
test_filter
Jul 27 12:32:33 certificate-1 slapd[20894]:    
SUBSTRINGS
Jul 27 12:32:33 certificate-1 slapd[20894]: begin
test_substrings_filter
Jul 27 12:32:33 certificate-1 slapd[20894]: =>
access_allowed: search access to
"uid=rappapoe,ou=People,dc=xxxx,dc=com" "cn" requested
Jul 27 12:32:33 certificate-1 slapd[20894]: =>
access_allowed: backend default search access granted
to "(anonymous)"
Jul 27 12:32:33 certificate-1 slapd[20894]: end
test_substrings_filter 5
Jul 27 12:32:33 certificate-1 slapd[20894]: <=
test_filter 5
Jul 27 12:32:33 certificate-1 slapd[20894]:
hdb_search: 24 does not match filter
Jul 27 12:32:33 certificate-1 slapd[20894]:
send_ldap_result: conn=3 op=1 p=3
Jul 27 12:32:33 certificate-1 slapd[20894]:
send_ldap_result: err=0 matched="" text=""
Jul 27 12:32:33 certificate-1 slapd[20894]:
send_ldap_response: msgid=2 tag=101 err=0
Jul 27 12:32:33 certificate-1 slapd[20894]: conn=3
op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 27 12:32:33 certificate-1 slapd[20894]: daemon:
activity on 1 descriptor
Jul 27 12:32:33 certificate-1 slapd[20894]: daemon:
activity on:
Jul 27 12:32:33 certificate-1 slapd[20894]:  11r
Jul 27 12:32:33 certificate-1 slapd[20894]:
Jul 27 12:32:33 certificate-1 slapd[20894]: daemon:
read active on 11
Jul 27 12:32:33 certificate-1 slapd[20894]:
connection_get(11)
Jul 27 12:32:34 certificate-1 slapd[20894]:
connection_get(11): got connid=3
Jul 27 12:32:34 certificate-1 slapd[20894]:
connection_read(11): checking for input on id=3
Jul 27 12:32:34 certificate-1 slapd[20894]:
ber_get_next on fd 11 failed errno=0 (Success)
Jul 27 12:32:34 certificate-1 slapd[20894]: do_unbind
Jul 27 12:32:34 certificate-1 slapd[20894]: conn=3
op=2 UNBIND
Jul 27 12:32:34 certificate-1 slapd[20894]:
connection_read(11): input error=-2 id=3, closing.
Jul 27 12:32:34 certificate-1 slapd[20894]:
connection_closing: readying conn=3 sd=11 for close
Jul 27 12:32:34 certificate-1 slapd[20894]:
connection_close: deferring conn=3 sd=11
Jul 27 12:32:34 certificate-1 slapd[20894]: daemon:
select: listen=7 active_threads=0 tvp=NULL
Jul 27 12:32:34 certificate-1 slapd[20894]:
connection_resched: attempting closing conn=3 sd=11
Jul 27 12:32:34 certificate-1 slapd[20894]:
connection_close: conn=3 sd=11
Jul 27 12:32:34 certificate-1 slapd[20894]: daemon:
activity on 1 descriptor
Jul 27 12:32:34 certificate-1 slapd[20894]: daemon:
removing 11
Jul 27 12:32:34 certificate-1 slapd[20894]: conn=3
fd=11 closed
Jul 27 12:32:34 certificate-1 slapd[20894]: daemon:
activity on:
Jul 27 12:32:34 certificate-1 slapd[20894]:
Jul 27 12:32:34 certificate-1 slapd[20894]: daemon:
select: listen=7 active_threads=0 tvp=NULL