On Thu, Sep 2, 2010 at 1:46 PM, Buchan Milne
<bgmilne@staff.telkomsa.net> wrote:
On Wednesday, 1 September 2010 08:44:33 Meghanand Acharekar wrote:
> Hello,
>
> I have configured openldap server on RHEL 5.4
> I also want to enforce strong password policies for my ldap users.
Have you enabled and configured the ppolicy overlay for OpenLDAP ? If you are
only enforcing LDAP passwords via PAM, changing passwords via another
mechanism will bypass these controls. So, you should consider using ppolicy
instead ...
I'm now trying to set it up using the ppolicy overlay,
but the password policy setup is still not working for me.
Following is my slapd.conf:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/ppolicy.schema
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
modulepath /usr/lib/openldap
access to attrs=userPassword
        by self write
        by anonymous auth
        by dn.base="cn=Manager,dc=example,dc=com" write
        by * none
access to attrs=shadowLastChange
        by self write
        by * read
access to *
        by self write
        by dn.base="cn=Manager,dc=example,dc=com" write
        by * read
database bdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw {SSHA}PFuRVNvUeozTxo/djZ2RcCNKuBCmarJb
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
overlay ppolicy
ppolicy_default "cn=policies,dc=example,dc=com"
ppolicy_use_lockout
ppolicy.ldif:
dn: cn=policies,dc=example,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: policies
pwdAttribute: userPassword
pwdMaxAge: 7516800
pwdExpireWarning: 432000
pwdInHistory: 6
pwdCheckQuality: 1
pwdMinLength: 8
pwdMaxFailure: 4
pwdLockout: TRUE
pwdLockoutDuration: 1920
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
Have you tested password changes with the ldappasswd tool ?
> for which I configured the PAM module on each LDAP client in the following way.
>
> (/etc/pam.d/system-auth)
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required pam_tally.so deny=5 unlock_time=300
> auth required pam_env.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 500 quiet
> auth sufficient pam_ldap.so use_first_pass
> auth required pam_deny.so
>
> account required pam_unix.so broken_shadow
> account sufficient pam_succeed_if.so uid < 500 quiet
> account [default=bad success=ok user_unknown=ignore] pam_ldap.so
> account required pam_permit.so
>
> password requisite pam_cracklib.so try_first_pass retry=3 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8 reject_username
> password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok remember=5
> password sufficient pam_ldap.so use_authtok
> password required pam_deny.so
>
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session required pam_unix.so
> session optional pam_ldap.so
> session optional pam_mkhomedir.so skel=/etc/skel umask=0066
>
> I am having following problems with my configuration.
>
> 1. The configured password history (pam_unix.so remember=5) is not
> working for LDAP users, while the other password policies
> (pam_cracklib, pam_tally) are working fine.
> 2. I also observed that I can't change/set any user's password as root
> (using passwd username).
You probably don't want this configuration ... root on an individual "generic"
server should not be able to change passwords of all users in LDAP.
Use ldappasswd (please see the man page regarding options you need to provide
to make it work) or another LDAP-based tool (smbldap-passwd etc. or a web-
based interface) to change/reset users' passwords.
Agreed.
> Following is my ldap client configuration file (ldap.conf).
>
> base dc=mycomp,dc=com
> bind_timelimit 120
> idle_timelimit 3600
> nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
> pam_check_host_attr
> pam_password md5
If you want to implement any password quality checks on the LDAP side, you
need to use:
pam_password exop
instead. If you use 'pam_password md5', the LDAP server will only ever see the
hash, so will not be able to test password length etc. If you only want
password quality checks on the clients, your configuration will work, but users
may be able to bypass your quality checks by using ldappasswd (or any LDAP
client).
This also changed.
> ssl no
> timelimit 120
> tls_cacertdir /etc/openldap/cacerts
> uri ldap://10.0.119.36
>
> For further troubleshooting I observed my /var/log/secure file while
> changing an LDAP user's password.
>
> passwd: pam_unix(passwd:chauthtok): user "username" does not exist in /etc/passwd
>
> but #getent passwd show me the username.
Fine, but pam_unix should fail, and after that 'passwd' should be trying via
LDAP.
What do the logs on the LDAP server show? Can you show the prompts you get
from running 'passwd' ? You should be prompted for the LDAP password before
being prompted for the new password:
[bgmilne@xymon ~]$ passwd
Changing password for user bgmilne.
Enter login(LDAP) password:
New UNIX password:
Retype new UNIX password:
LDAP password information changed for bgmilne
passwd: all authentication tokens updated successfully.
[bgmilne@xymon ~]$
Correct.
Regards,
Buchan
One more thing I would like to clarify.
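To illustrate Buchan's point about 'pam_password md5' versus 'pam_password exop', here is an added Python model (not code from the thread or from OpenLDAP) of the server-side checks the ppolicy.ldif above asks for: pwdMinLength, pwdInHistory and pwdCheckQuality. It assumes OpenLDAP's {SSHA} storage format and uses constructed sample passwords; the point is that a pre-hashed "{...}" value, which is what the md5 setting sends, leaves slapd nothing to check.

```python
"""Added example: why ppolicy quality checks need the cleartext (exop)."""
import base64
import hashlib
import os

# Values taken from the ppolicy.ldif posted in the thread
POLICY = {"pwdMinLength": 8, "pwdInHistory": 6, "pwdCheckQuality": 1}


def ssha(password, salt=None):
    """OpenLDAP {SSHA} storage scheme: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(password, stored):
    """Check a cleartext against a stored {SSHA} value (salt is appended)."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode() + salt).digest() == digest


def check_password(new_value, history, policy=POLICY):
    """Return 'ok' or the reason the modelled ppolicy would not accept it.

    new_value is what reaches slapd: cleartext with 'pam_password exop',
    a pre-hashed '{MD5}...' string with 'pam_password md5'.
    history holds the stored {SSHA} values of previous passwords.
    """
    if new_value.startswith("{"):
        # Hashed on the client: neither length nor history can be evaluated.
        if policy["pwdCheckQuality"] == 2:
            return "rejected: pwdCheckQuality 2 refuses unverifiable passwords"
        return "accepted unchecked: pwdCheckQuality 1 passes hashed values"
    if len(new_value) < policy["pwdMinLength"]:
        return "rejected: shorter than pwdMinLength"
    if any(ssha_verify(new_value, h) for h in history[: policy["pwdInHistory"]]):
        return "rejected: password found in pwdHistory"
    return "ok"


def demo():
    """Constructed history of one old password; returns the three outcomes."""
    history = [ssha("OldPassw0rd", b"salt")]
    return (
        check_password("OldPassw0rd", history),             # reuse, exop
        check_password("{MD5}XUFAKrxLKna5cZ2REBfFkg==", history),  # md5 setting
        check_password("Fresh-Passw0rd", history),          # new, exop
    )
```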