
Re: Setting up user accounts with ppolicy attributes

Ah, thanks. I had seen the comments about these fields not being user changeable, I just didn't think that setting up a new user was the same as the user (or even an admin) trying to "change" these values. Thanks for the clarification. It's also good to know that you have to change the password before things become effective on existing accounts.


From: Buchan Milne <bgmilne@staff.telkomsa.net>
To: openldap-software@openldap.org
CC: "Jack Emmerichs" <beamrider1@hotmail.com>
Subject: Re: Setting up user accounts with ppolicy attributes
Date: Wed, 27 Jun 2007 10:53:44 +0200

On Monday, 25 June 2007, Jack Emmerichs wrote:
> I've been working with OpenLDAP 2.3.30 to set up ppolicy processing. I
> think I have the policies set up correctly in the LDAP database using the
> following ppolicy.ldif file:
> dn: ou=policies, dc=my-domain,dc=com
> ou: policies
> objectClass: top
> objectClass: organizationalUnit
>
> dn: cn=default,ou=policies,dc=my-domain,dc=com
> objectClass: top
> objectClass: device
> objectClass: pwdPolicy
> cn: default
> pwdAttribute: userPassword
> # 30 day password limit (2592000 seconds) with an even longer expire
> # warning for testing.
> pwdExpireWarning: 2592001
> pwdMaxAge: 2592000
> pwdInHistory: 3
> pwdCheckQuality: 1
> pwdMinLength: 6
> pwdAllowUserChange: TRUE
> # Items not currently used.
> pwdMinAge: 0
> pwdGraceAuthnLimit: 0
> pwdLockout: FALSE
> pwdLockoutDuration: 0
> pwdMaxFailure: 0
> pwdFailureCountInterval: 0
> pwdMustChange: FALSE
> pwdSafeModify: FALSE
> and the following entries in the slapd.conf file:
> # password policy
> overlay ppolicy
> ppolicy_default "cn=default,ou=policies,dc=my-domain,dc=com"
> However, I'm having trouble creating user accounts.

You shouldn't be creating accounts with attributes that should be maintained
by the server itself, just as you don't (can't) add them with creatorsName,
createTimestamp etc.

> Looking at the OpenLDAP documentation and the ppolicy.schema file, it
> appears that I need to include objectClass: pwdPolicy as an auxiliary class
> (along with posixAccount, which is the basic user account class), and then
> include attributes for pwdChangedTime, pwdAccountLockedTime, pwdHistory,
> etc. The ppolicy.schema file indicates that the format in the ldif file
> should actually be something like:
> pwdChangedTime;pwd-userPassword: 20000103121520Z
> for pwdChangedTime. The format for pwdHistory sounds really complex, and
> the doc indicates that if this attribute is missing, OpenLDAP will not
> support password history processing, so it sounds like I need to get these
> attributes into the account structure.

The exact text is:

"If pwdChangedTime does not exist, the user's password will not expire."

That doesn't mean you must add it manually. However, it means that if you
created accounts before you implemented ppolicy, you need to have those
passwords changed, so that OpenLDAP adds the attribute.

> Trouble is, if I try to include such values I either get an import failure
> without error messages, an error that says "no user modification allowed"
> (even when I'm adding an account), or an indication that I'm using an
> invalid format.

Note that the description for this attribute (and a few others) appears in the
section of slapo-ppolicy(5) called "OPERATIONAL ATTRIBUTES". At the top of
that section you will see:

"Most of these attributes are not intended to be
changed directly by users; they are there to track user activity.  They
have  been  detailed  here  so  that  administrators and users can both
understand the workings of the ppolicy module."

Regards, Buchan

Buchan Milne
ISP Systems Specialist - Monitoring/Authentication Team Leader
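The practical follow-up to Buchan's point is finding the accounts that predate the overlay: they carry no pwdChangedTime, so under slapo-ppolicy(5) their passwords will never expire until someone changes them through slapd. The script below is an added example, not code from this thread or from OpenLDAP. It walks an LDIF export and reports which entries will never expire, which have already expired, and which are fine. The ldapsearch command in its docstring, the sample entries and the function names are my assumptions; the 30-day pwdMaxAge is the value from the cn=default policy posted above.

```python
"""Audit which accounts will actually expire under slapo-ppolicy.

Added example, not code from this thread or from OpenLDAP. Reads an LDIF
export such as the output of (assumed bind DN and base):

    ldapsearch -LLL -x -D cn=admin,dc=my-domain,dc=com -W \\
        -b dc=my-domain,dc=com '(objectClass=posixAccount)' pwdChangedTime

pwdChangedTime is operational, so it must be requested by name or via '+'.
"""
import base64
from datetime import datetime, timedelta, timezone

# pwdMaxAge from the cn=default policy posted in the thread (30 days).
PWD_MAX_AGE = 2592000

# Reference "now" for the sample run: the date of the thread, in UTC.
NOW = datetime(2007, 6, 27, 12, 0, 0, tzinfo=timezone.utc)

# Constructed sample export (not from any real directory). carol was created
# before ppolicy was enabled and never changed her password, so slapd never
# wrote pwdChangedTime. dave's value is base64-encoded ('::'), which any LDIF
# reader has to accept.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=my-domain,dc=com
uid: alice
objectClass: posixAccount
pwdChangedTime: 20070501090000Z

dn: uid=bob,ou=people,dc=my-domain,dc=com
uid: bob
objectClass: posixAccount
pwdChangedTime: 20070626120000Z

dn: uid=carol,ou=people,dc=my-domain,dc=com
uid: carol
objectClass: posixAccount

dn: uid=dave,ou=people,dc=my-domain,dc=com
uid: dave
objectClass: posixAccount
pwdChangedTime:: MjAwNzA2MjcxMDAwMDBa
"""


def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines, decodes '::' base64
    values, returns one dict per entry (lower-cased attribute -> list of
    values). Enough for ldapsearch output; not a full RFC 2849 parser."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if line == "":
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):           # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        current.setdefault(name.lower(), []).append(value)
    return entries


def parse_generalized_time(value):
    """GeneralizedTime as slapd writes it into pwdChangedTime: YYYYmmddHHMMSSZ."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def audit(ldif_text, now=NOW, max_age=PWD_MAX_AGE):
    """Map each DN to (status, expiry). Status is 'never-expires' when the entry
    has no pwdChangedTime (slapo-ppolicy(5): the password will not expire),
    otherwise 'expired' or 'ok' relative to pwdChangedTime + pwdMaxAge."""
    report = {}
    for entry in parse_ldif(ldif_text):
        dn = entry["dn"][0]
        changed = entry.get("pwdchangedtime")
        if not changed:
            report[dn] = ("never-expires", None)
            continue
        expires_at = parse_generalized_time(changed[0]) + timedelta(seconds=max_age)
        report[dn] = ("expired" if expires_at <= now else "ok", expires_at)
    return report


def needs_password_reset(report):
    """DNs that must have their password changed through slapd (e.g. with
    ldappasswd) before the policy's pwdMaxAge applies to them at all."""
    return sorted(dn for dn, (status, _) in report.items() if status == "never-expires")


if __name__ == "__main__":
    result = audit(SAMPLE_LDIF)
    for dn, (status, expires_at) in result.items():
        when = expires_at.strftime("%Y-%m-%d %H:%MZ") if expires_at else "-"
        print(f"{status:14} {when:18} {dn}")
    print("reset needed:", needs_password_reset(result))
```

To use it on a real directory, feed the ldapsearch output in place of SAMPLE_LDIF. Anything reported as never-expires is exactly the case Buchan describes: the account existed before the overlay, and only a password change processed by slapd (ldappasswd, or any modify of userPassword) makes the overlay write pwdChangedTime and start the clock.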
