
Re: Setting up user accounts with ppolicy attributes

Hummm... had not used shadowAccount, and removing the ppolicy-specific attributes allows the LDIF file to properly set up the account.



From: "Joshua M. Miller" <joshua@itsecureadmin.com>
To: Jack Emmerichs <beamrider1@hotmail.com>
CC: openldap-software@openldap.org
Subject: Re: Setting up user accounts with ppolicy attributes
Date: Tue, 26 Jun 2007 07:17:53 -0700


I haven't tried setting the pwdChangedTime, but I recently implemented ppolicy, and every time a user changes their password it sets this attribute to the current time; not sure if that was part of your question. On all NEW user entries that I create, the pwdChangedTime is already set so that the password policies apply to those users.

$ ldapsearch -x -H ldaps://host.example.org cn=default

dn: cn=default,ou=Policies,dc=example,dc=org
cn: default
objectClass: pwdPolicy
objectClass: device
pwdMaxAge: 7776000
pwdAttribute: userPassword
pwdMinLength: 8
pwdInHistory: 5
pwdCheckQuality: 1
pwdExpireWarning: 604800
pwdLockout: TRUE
pwdMaxFailure: 3
pwdLockoutDuration: 900
pwdAllowUserChange: TRUE
pwdGraceAuthNLimit: 0

An example of one of my users:

$ ldapsearch -x -H ldaps://host.example.org/ uid=<uid>

dn: cn=First Last,ou=People,dc=example,dc=org
givenName: First
sn: Last
cn: First Last
uid: uid
uidNumber: <uid #>
loginShell: /bin/bash
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
gidNumber: <gid #>
homeDirectory: /home/<uid>
shadowLastChange: 13634

$ ldapsearch -x -H ldaps://host.example.org/ uid=<uid> +

dn: cn=first last,ou=People,dc=example,dc=org
creatorsName: cn=manager,dc=example,dc=org
createTimestamp: 20060501144730Z
structuralObjectClass: inetOrgPerson
entryUUID: 2d89674c-7b0d-102b-8606-4f7ba9469bfa
pwdChangedTime: 20070515203623Z
entryCSN: 20070515203623Z#000001#00#000000
modifiersName: cn=First Last,ou=People,dc=example,dc=org
modifyTimestamp: 20070515203623Z
entryDN: cn=First Last,ou=People,dc=example,dc=org
subschemaSubentry: cn=Subschema
hasSubordinates: FALSE

Thanks, -- Joshua M. Miller - RHCE, VCP

Jack Emmerichs wrote:
Looking at the OpenLDAP documentation and the ppolicy.schema file, it appears that I need to include objectClass: pwdPolicy as an auxiliary class (along with posixAccount, which is the basic user account class), and then include attributes for pwdChangedTime, pwdAccountLockedTime, pwdHistory, etc. The ppolicy.schema file indicates that the format in the ldif file should actually be something like:

  pwdChangedTime;pwd-userPassword: 20000103121520Z

for pwdChangedTime. The format for pwdHistory sounds really complex, and the doc indicates that if this attribute is missing, OpenLDAP will not support password history processing, so it sounds like I need to get these attributes into the account structure.

Trouble is, if I try to include such values I either get an import failure without error messages, an error that says "no user modification allowed" (even when I'm adding an account), or an indication that I'm using an invalid format.
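As an added example (not part of Joshua's or Jack's mail, and not OpenLDAP's own code): a small Python script that takes the cn=default policy entry and the user's operational attributes from the ldapsearch output quoted above and works out whether that password is current, inside its pwdExpireWarning window or past pwdMaxAge, whether a pwdAccountLockedTime lock is still in force under pwdLockoutDuration, and what calendar date the shadowAccount's shadowLastChange day count corresponds to. The policy and pwdChangedTime values are copied from the thread; the pwdAccountLockedTime value and the "now" timestamps are constructed for the example.

```python
"""Evaluate OpenLDAP ppolicy state from the attributes quoted in the thread."""
from datetime import datetime, timedelta, timezone

# Constructed sample input: the policy entry and the user's operational
# attributes, copied from the ldapsearch output quoted in this thread.
POLICY_LDIF = """\
dn: cn=default,ou=Policies,dc=example,dc=org
cn: default
objectClass: pwdPolicy
objectClass: device
pwdMaxAge: 7776000
pwdAttribute: userPassword
pwdMinLength: 8
pwdInHistory: 5
pwdCheckQuality: 1
pwdExpireWarning: 604800
pwdLockout: TRUE
pwdMaxFailure: 3
pwdLockoutDuration: 900
pwdAllowUserChange: TRUE
pwdGraceAuthNLimit: 0
"""

# pwdChangedTime and shadowLastChange are from the thread; the
# pwdAccountLockedTime value is constructed to exercise the lockout check.
USER_LDIF = """\
dn: cn=First Last,ou=People,dc=example,dc=org
pwdChangedTime: 20070515203623Z
shadowLastChange: 13634
pwdAccountLockedTime: 20070601120000Z
"""

GT_FORMAT = "%Y%m%d%H%M%SZ"          # GeneralizedTime as slapo-ppolicy writes it
PERMANENT_LOCK = "000001010000Z"    # marker slapo-ppolicy uses for an admin lock


def parse_ldif_entry(text):
    """Parse one flat LDIF entry into {attribute: [values]}.

    Handles only the plain 'attr: value' form seen in ldapsearch output
    (no base64 '::' values, no folded continuation lines).
    """
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(": ")
        entry.setdefault(attr, []).append(value)
    return entry


def parse_generalized_time(value):
    """Turn '20070515203623Z' into a timezone-aware UTC datetime."""
    return datetime.strptime(value, GT_FORMAT).replace(tzinfo=timezone.utc)


def policy_int(policy, attr):
    """Integer policy attribute, defaulting to 0 when absent (ppolicy's default)."""
    return int(policy.get(attr, ["0"])[0])


def password_state(policy, user, now_gt):
    """Return (state, expiry) where state is ok / warning / expired / no-expiry.

    expiry is the ISO-8601 expiry timestamp derived from pwdChangedTime + pwdMaxAge,
    or None when pwdMaxAge is 0 (passwords never expire).
    """
    now = parse_generalized_time(now_gt)
    changed = parse_generalized_time(user["pwdChangedTime"][0])
    max_age = policy_int(policy, "pwdMaxAge")
    if max_age == 0:
        return "no-expiry", None
    expires_at = changed + timedelta(seconds=max_age)
    expiry_iso = expires_at.strftime("%Y-%m-%dT%H:%M:%SZ")
    if now >= expires_at:
        return "expired", expiry_iso
    warn = policy_int(policy, "pwdExpireWarning")
    if warn and now >= expires_at - timedelta(seconds=warn):
        return "warning", expiry_iso
    return "ok", expiry_iso


def is_locked_out(policy, user, now_gt):
    """True while a pwdAccountLockedTime lock is in force at the given time."""
    locked = user.get("pwdAccountLockedTime")
    if not locked:
        return False
    if locked[0] == PERMANENT_LOCK:
        return True                      # only an administrator can clear this
    duration = policy_int(policy, "pwdLockoutDuration")
    if duration == 0:
        return True                      # locked until the password is reset
    now = parse_generalized_time(now_gt)
    return now < parse_generalized_time(locked[0]) + timedelta(seconds=duration)


def shadow_last_change_date(days):
    """shadowLastChange counts days since 1970-01-01; return that date as ISO text."""
    epoch = datetime(1970, 1, 1, tzinfo=timezone.utc)
    return (epoch + timedelta(days=int(days))).date().isoformat()


POLICY = parse_ldif_entry(POLICY_LDIF)
USER = parse_ldif_entry(USER_LDIF)

if __name__ == "__main__":
    for when in ("20070601000000Z", "20070810000000Z", "20070901000000Z"):
        print(when, password_state(POLICY, USER, when))
    print("locked at 12:10:", is_locked_out(POLICY, USER, "20070601121000Z"))
    print("locked at 12:20:", is_locked_out(POLICY, USER, "20070601122000Z"))
    print("shadowLastChange 13634 =", shadow_last_change_date(USER["shadowLastChange"][0]))
```

Note that pwdChangedTime is read from the entry's operational attributes (the `+` ldapsearch output), which is where the overlay maintains it; the script never tries to write it. The shadowLastChange conversion is included because the thread's entry carries both attributes, and they are kept by different mechanisms (the shadowAccount attribute by whatever client updates it, pwdChangedTime by slapo-ppolicy), so they need not agree.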
