[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Struggling with ppolicy

To: openldap-software@openldap.org
Subject: Re: Struggling with ppolicy
From: Buchan Milne <bgmilne@staff.telkomsa.net>
Date: Thu, 13 Mar 2008 16:39:59 +0200
Cc: Ryan Steele <rsteele@archer-group.com>
Content-disposition: inline
In-reply-to: <47D7180C.5000905@archer-group.com>
References: <47D7180C.5000905@archer-group.com>
User-agent: KMail/1.9.9

On Wednesday 12 March 2008 01:38:52 Ryan Steele wrote:
> Hey folks,
>
> If this is the wrong list, please let me know and I'd be happy to send
> it to the right one.
>
> As I've mentioned in a previous post (which hasn't been posted yet, so I
> apologize if you've seen any of this information already) I've got a FC6
> box, with OpenLDAP 2.3.30.  I'm attempting to get ppolicy to work, and I
> can now successfully start OpenLDAP with the ppolicy directive in it:
>
> ### abridged slapd.conf ###
> include /etc/openldap/schema/core.schema
> include /etc/openldap/schema/cosine.schema
> include /etc/openldap/schema/inetorgperson.schema
> include /etc/openldap/schema/nis.schema
> include /etc/openldap/schema/samba.schema
> include /etc/openldap/schema/ppolicy.schema
>
> modulepath /usr/lib/openldap
>
> overlay ppolicy
> ppolicy_default "cn=Password Policy,ou=policies,ou=example,ou=com"
>
> access to
> attrs=userPassword,sambaNTPassword,sambaLMPassword,shadowLastChange,shadowM
>ax,sambaPwdLastSet,sambaPwdMustChange by self write
> by * auth
> access to *
> by * read
>
> database bdb
> suffix "dc=example,dc=com"
> rootdn "cn=admin,dc=example,dc=com"
> rootpw {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXX
> directory /var/lib/ldap
>
> index sambaSID eq
> index sambaPrimaryGroupSID eq
> index sambaDomainName eq
> index objectClass eq,pres
> index ou,cn,mail,surname,givenname eq,pres,sub
> index uidNumber,gidNumber,loginShell eq,pres
> index uid,memberUid eq,pres,sub
> index nisMapName,nisMapEntry eq,pres,sub
> sasl-secprops none

[...]

> However, when I add users, I see no special attributes that show they're
> being regulated by ppolicy (Googling turned up some ldif's that had
> pwdPolicySubentry attributes - should I have that?) Additionally, I can
> enter passwords such as 'a' - single characters, and it doesn't complain
> at all.  In fact, none of the restrictions are being enforced, and I'm
> really scratching my head. 

In all my configs using ppolicy, I have the overlay as a database overlay, not 
a global overlay. Since I require this (my production servers have databases 
that *must* not have ppolicy, and one that must have it), I haven't tested 
with a global overlay. So, move all the ppolicy configuration (not the schema 
or moduleload, just the overlay and ppolicy_default) to the end of your 
config ...


Regards,
Buchan

References:
- Struggling with ppolicy
  - From: Ryan Steele <rsteele@archer-group.com>

Prev by Date: RE: Help with server hang
Next by Date: Re: Struggling with ppolicy
Index(es):
- Chronological
- Thread