
Re: Struggling with ppolicy

On Wednesday 12 March 2008 01:38:52 Ryan Steele wrote:
> Hey folks,
> If this is the wrong list, please let me know and I'd be happy to send
> it to the right one.
> As I've mentioned in a previous post (which hasn't been posted yet, so I
> apologize if you've seen any of this information already) I've got a FC6
> box, with OpenLDAP 2.3.30.  I'm attempting to get ppolicy to work, and I
> can now successfully start OpenLDAP with the ppolicy directive in it:
> ### abridged slapd.conf ###
> include /etc/openldap/schema/core.schema
> include /etc/openldap/schema/cosine.schema
> include /etc/openldap/schema/inetorgperson.schema
> include /etc/openldap/schema/nis.schema
> include /etc/openldap/schema/samba.schema
> include /etc/openldap/schema/ppolicy.schema
> modulepath /usr/lib/openldap
> overlay ppolicy
> ppolicy_default "cn=Password Policy,ou=policies,ou=example,ou=com"
> access to attrs=userPassword,sambaNTPassword,sambaLMPassword,shadowLastChange,shadowMax,sambaPwdLastSet,sambaPwdMustChange
>         by self write
>         by * auth
> access to *
>         by * read
> database bdb
> suffix "dc=example,dc=com"
> rootdn "cn=admin,dc=example,dc=com"
> directory /var/lib/ldap
> index sambaSID eq
> index sambaPrimaryGroupSID eq
> index sambaDomainName eq
> index objectClass eq,pres
> index ou,cn,mail,surname,givenname eq,pres,sub
> index uidNumber,gidNumber,loginShell eq,pres
> index uid,memberUid eq,pres,sub
> index nisMapName,nisMapEntry eq,pres,sub
> sasl-secprops none


> However, when I add users, I see no special attributes that show they're
> being regulated by ppolicy (Googling turned up some ldif's that had
> pwdPolicySubentry attributes - should I have that?) Additionally, I can
> enter passwords such as 'a' - single characters, and it doesn't complain
> at all.  In fact, none of the restrictions are being enforced, and I'm
> really scratching my head. 

In all my configs using ppolicy, I have the overlay as a database overlay, not 
a global overlay. Since I require this (my production servers have databases 
that *must* not have ppolicy, and one that must have it), I haven't tested 
with a global overlay. So, move all the ppolicy configuration (not the schema 
or moduleload, just the overlay and ppolicy_default) to the end of your 
config ...
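
The global-versus-database overlay distinction drawn in the reply can be checked mechanically. The script below is an added example, not part of the thread or of OpenLDAP: it reports, for each `overlay` directive in a slapd.conf, whether it appears before the first `database` directive (global) or inside a database section. The two sample configs and the policy DN in them are constructed for illustration, and `logical_lines` and `overlay_scopes` are hypothetical helper names.

```python
import shlex

# Constructed sample configs (not from the thread): same directives, different placement.
GLOBAL_CONF = '''\
include /etc/openldap/schema/ppolicy.schema
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=example,dc=com"
database bdb
suffix "dc=example,dc=com"
'''

PER_DB_CONF = '''\
include /etc/openldap/schema/ppolicy.schema
database bdb
suffix "dc=example,dc=com"
# the overlay and its options follow the database they apply to
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=example,dc=com"
'''

def logical_lines(text):
    """Unwrap continuation lines (leading whitespace), then drop comments and blanks."""
    merged = []
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t") and merged:
            merged[-1] += " " + raw.strip()
        else:
            merged.append(raw)
    return [line for line in merged if line.strip() and not line.startswith("#")]

def overlay_scopes(text):
    """Return [(overlay, scope)]; scope is "global" or the suffix of the enclosing database."""
    found, db = [], None  # db describes the database section currently being read
    for line in logical_lines(text):
        words = shlex.split(line)  # honours double-quoted arguments
        key = words[0].lower()
        if key == "database" and len(words) > 1:
            db = {"type": words[1], "suffix": None}
        elif key == "suffix" and db is not None and len(words) > 1 and db["suffix"] is None:
            db["suffix"] = words[1]
        elif key == "overlay" and len(words) > 1:
            found.append((words[1], db))
    # Resolve scopes last, so a suffix written after the overlay line is still picked up.
    return [(name, "global" if d is None else (d["suffix"] or d["type"] + " (no suffix)"))
            for name, d in found]

if __name__ == "__main__":
    for label, conf in (("global", GLOBAL_CONF), ("per-database", PER_DB_CONF)):
        print(label, overlay_scopes(conf))
```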