[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Ppolicy issues

Thank you for your help. I added the pwdPolicySubentry to a user to no avail. I did find this in the logfile though:

Feb 20 09:01:13 ldapserver slapd[6709]: conn=95289 op=4 SEARCH RESULT tag=101 err=50 nentries=0 text=Operations are restricted to bind/unbind/abandon/StartTLS/modify password

So it looks like it's trying to do something but cannot. While I'm concerned about password strength, I'm more concerned (at this point) with just having the machine prompt for a password change. I'm running centos 4.6 and openldap 2.3.39. I compiled it with the following:

./configure --enable-crypt --enable-ppolicy --with-tls --prefix=/opt/openldap/

Once again, thanks for any help.

Bryan Payne skrev, on 19-02-2008 22:27:

   I have some issues with ppolicy. It seems it recognizes expiration
   dates (I know this from looking in the logs, but it does not warn
   the user their password is expiring soon), properly locks out
   accounts with too many failed logins but it cannot seem to force a
   password change when pwdReset is set to TRUE, nor does it prevent
   logins when the password has expired. Any help would be greatly
   appreciated. I'll post the things of importance below. Please let me
   know if anything else would help.

   [root@ldapserver ~]# ldapsearch -x -LLL cn=default
   dn: cn=default,ou=policies,dc=example,dc=com
   objectClass: top
   objectClass: device
   objectClass: pwdPolicy
   cn: default
   pwdInHistory: 6
   pwdCheckQuality: 1
   pwdMinLength: 8
   pwdMaxFailure: 4
   pwdLockout: TRUE
   pwdFailureCountInterval: 0
   pwdMustChange: TRUE
   pwdSafeModify: FALSE
   pwdLockoutDuration: 900
   pwdExpireWarning: 432000
   pwdGraceAuthNLimit: 1
   pwdAllowUserChange: TRUE
   pwdMaxAge: 7776000

From slapd.conf
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=example,dc=com"

Most of the above looks kosher; my main site is running ppolicy on OpenLDAP 2.3.33 up to 2.3.39 Buchan rpms on Red Hat RHEL5 and all the above work. However:

1: I've found that each posixAccount has to have the operational attribute pwdPolicySubentry. Although this is an operational attribute, it is (the only?) such that is user modifiable. In this (as in many other) respects gq is indispensable as GUI.
2: I've found that extensive use has to be made of pam_ldap to get the best out of ppolicy (for example password strength).
3: It would help if you detailed OS and OL versions, so's one could know whether to contribute help or not.



-- Tony Earnshaw Email: tonni at hetnet dot nl