troubles using ppolicy to lock account

Hello.

I'm looking for a solution allowing me to lock user accounts stored in
LDAP, whatever kind of client uses LDAP for authenticating (the same as
the shadowAccount class allows, but only for PAM). Buchan suggested that I
try to use the ppolicy overlay.

I'm not really interested in what seems to be the main goal of password
policy: as I'm importing passwords automatically from another LDAP
system, that's not the right place to impose constraints on them. So my
main interest is in operational attribute pwdAccountLockedTime,
described in slapo-ppolicy: if set to 0, the user should not be able to
bind.

So, I set up a very minimal default password policy object, as it seems
to be quite mandatory:
dn: cn=default,ou=policies,dc=futurs,dc=inria,dc=fr
cn: default
objectClass: pwdPolicy
objectClass: organizationalRole
pwdAttribute: userPassword
pwdMaxAge: 0
pwdInHistory: 0
pwdCheckQuality: 0

Then I tried to add a pwdAccountLockedTime attribute to a user:
dn: uid=rousse,ou=saclay,ou=futurs,ou=users,dc=futurs,dc=inria,dc=fr
changetype: modify
add: pwdAccountLockedTime
pwdAccountLockedTime: 0

Error: pwdAccountLockedTime: value #0 invalid per syntax

Then I read the schema, in addition to the man page, and I found
additional (and potentially contradictory) information, such as using
something described as a subtype to declare which password attribute is
really affected, and I tried:
dn: uid=rousse,ou=saclay,ou=futurs,ou=users,dc=futurs,dc=inria,dc=fr
changetype: modify
add: pwdAccountLockedTime;pwd-userPassword
pwdAccountLockedTime;pwd-userPassword: 0

Error: additional info: pwdAccountLockedTime;pwd-userPassword:
operational attribute with options undefined

Additionally, I found that the definitions of those operational attributes
were commented out in the schema file...

So, here is a list of questions I can't find a valid answer for:
1) do you need a policy entry if you're only interested in user entries'
operational attributes?
According to the man page, yes: "If there is no specific policy for
an entry and no default is given, then no policies will be enforced".

2) do you need to add a new class to user accounts to be able to use
those additional operational attributes, or is just loading the overlay
enough?
According to examples found in the thread
http://www.openldap.org/lists/openldap-software/200706/msg00285.html, no.

3) do the definitions of those attributes need to exist in the schema
(thus uncommented), or are they defined in the overlay?

4) which is right, the man page or the schema comment, for the
attribute name (pwdAccountLockedTime vs
pwdAccountLockedTime;pwd-userPassword) and the value to lock an account
(0 vs 000001010000Z)?
As the comments seem to come from the RFC directly, I'd rather trust
the man page, but I've been unsuccessful with both...

If it matters, I'm using openldap-servers-2.3.27 on Mandriva Linux 2007.0.
-- 
Guillaume Rousse
Moyens Informatiques - INRIA Futurs
Tel: 01 69 35 69 62
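An added example (not code from the original post or from OpenLDAP) that evaluates the lock state slapo-ppolicy derives from pwdAccountLockedTime values in an LDIF export: the attribute has GeneralizedTime syntax (which is why the bare literal "0" is rejected as "invalid per syntax"), 000001010000Z is the schema's permanent-lock sentinel, and pwdLockoutDuration (assumed here as an integer number of seconds) bounds a temporary lock. The sample entries, DNs and audit time are constructed.

```python
# Added example, not from the original post or OpenLDAP; sample data and DNs below are constructed.
from datetime import datetime, timedelta, timezone

PERMANENT_LOCK = "000001010000Z"  # schema sentinel: locked until an administrator clears it
AUDIT_TIME = datetime(2007, 6, 15, 13, 0, tzinfo=timezone.utc)  # constructed "now"
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
pwdAccountLockedTime: 000001010000Z

dn: uid=bob,ou=people,dc=example,dc=com
uid: bob
pwdAccountLockedTime: 20070615120000Z

dn: uid=carol,ou=people,dc=example,dc=com
uid: carol
"""

def parse_generalized_time(value: str) -> "datetime | None":
    """Strict slapd timestamps YYYYMMDDHHMM[SS]Z (UTC); None when invalid per syntax, e.g. "0"."""
    body = value[:-1]
    if not value.endswith("Z") or not body.isdigit() or len(body) not in (12, 14):
        return None
    fmt = "%Y%m%d%H%M" if len(body) == 12 else "%Y%m%d%H%M%S"
    return datetime.strptime(body, fmt).replace(tzinfo=timezone.utc)

def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """Minimal LDIF reader (no base64 or folded lines): attr -> values per entry."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry: dict[str, list[str]] = {}
        for line in block.splitlines():
            attr, _, val = line.partition(": ")
            entry.setdefault(attr, []).append(val)
        entries.append(entry)
    return entries

def lock_status(entry: dict, lockout_duration: int, now: datetime) -> str:
    """ppolicy rule: sentinel or pwdLockoutDuration 0 locks until reset, else for that many seconds."""
    values = entry.get("pwdAccountLockedTime")
    if not values:
        return "unlocked"
    if values[0] == PERMANENT_LOCK:
        return "locked-permanent"
    locked_at = parse_generalized_time(values[0])
    if locked_at is None:
        return "invalid-value"  # slapd would have rejected this on write
    if lockout_duration == 0 or now < locked_at + timedelta(seconds=lockout_duration):
        return "locked"
    return "unlocked"
```

Run over a real `slapcat` export (operational attributes included) to list which accounts are currently locked by the overlay rather than by a shadowAccount field.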