Re: replication breaks ppolicy

On Tuesday, 23 August 2011 15:12:41 rocke.robertson@pch.gc.ca wrote:
> Good morning all
> After quite a bit of work, I got replication working (thank you all).
> So I forged ahead and deployed the server in our RHEL 5.5 environment.

RHEL5's openldap packages finally became somewhat usable at RHEL5.4, for 
openldap *2.3*. You may find you want newer (e.g. for 

> But
> now I just realized that none of my ppolicy rules work. Also, the Redhat
> clients are configured to use MD5 hash.

You don't want clients to hash passwords, you can't enforce any password 
quality checks on hashes. Use 'pam_password exop' if you want to enforce 
password quality (or otherwise be able to control password hashing on the 

> When I look at the accounts in
> webmin, it shows it being crypt????? I know openldap likes salted SHA, but
> I thought I'd do what Redhat wanted, which was MD5.


> Password history, aging etc... A search used to show me all of my ppolicy
> objects.
> ldapsearch -v -x -b 'dc=chin,dc=ca' cn=default

> But now returns nothing. Users can reuse passwords, so no history or aging
> is working. No locking. I had to change ACL's on the provider and consumer
> to get the replication working. Would that cause the problem?


> Here is my policy LDIF file I added to the server:
> # policies, chin.com
> dn: ou=policies,dc=chin,dc=ca
> objectClass: organizationalUnit
> objectClass: top
> ou: policies
> # default, policies, chin.com
> dn: cn=default,ou=policies,dc=chin,dc=ca
> objectClass: top
> objectClass: device
> objectClass: pwdPolicy
> cn: default
> pwdAttribute: userPassword
> pwdInHistory: 6
> pwdCheckQuality: 1
> pwdMinLength: 8
> pwdMaxFailure: 4
> pwdLockout: TRUE
> pwdLockoutDuration: 1920
> pwdGraceAuthNLimit: 0
> pwdFailureCountInterval: 0
> pwdMustChange: TRUE
> pwdAllowUserChange: TRUE
> pwdSafeModify: FALSE
> pwdMaxAge: 10368000
> pwdExpireWarning: 1209600
> pwdMinAge: 86400

Show some example accounts, requesting the operational attributes ('+'), and 
show authentication attempts (see ldapwhoami(1)) and password change attempts 
(see ldappasswd(1)) with the ppolicy control enabled (-e ppolicy).
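Added example, not part of the thread: it models slapo-ppolicy's pwdCheckQuality decision against the posted policy (pwdCheckQuality 1, pwdMinLength 8) to show why client-side MD5 hashing lets short passwords through silently, and why pwdCheckQuality 2 would reject them instead. The LDIF parser and the candidate values are constructed for the demonstration; only the hashed-vs-cleartext and pwdMinLength aspects of the quality check are modelled.

```python
import re

# Trimmed copy of the policy entry posted in the thread (constructed, not read from a server).
POLICY_LDIF = """\
dn: cn=default,ou=policies,dc=chin,dc=ca
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdCheckQuality: 1
pwdMinLength: 8
"""

# A userPassword value that already carries a scheme prefix, e.g. {MD5}, {CRYPT}, {SSHA}.
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}")


def parse_ldif_entry(text):
    """Minimal LDIF reader for a single entry: attribute -> list of values."""
    entry = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def quality_decision(policy, new_value):
    """Return (accepted, reason) for one userPassword modify under the policy.
    pwdCheckQuality 0: never check; 1: check, but accept when the check is
    impossible (pre-hashed value); 2: check, and reject when it is impossible."""
    check = int(policy.get("pwdCheckQuality", ["0"])[0])
    min_len = int(policy.get("pwdMinLength", ["0"])[0])
    if check == 0:
        return True, "pwdCheckQuality 0: no quality checking"
    scheme = SCHEME_RE.match(new_value)
    if scheme:
        # The client hashed the password itself; the server only sees {SCHEME}digest
        # and cannot measure length or complexity of the cleartext.
        if check == 1:
            return True, f"pre-hashed {scheme.group(0)}: check impossible, accepted"
        return False, f"pre-hashed {scheme.group(0)}: check impossible, rejected"
    if len(new_value) < min_len:
        return False, f"cleartext shorter than pwdMinLength {min_len}"
    return True, "cleartext passed pwdMinLength"


if __name__ == "__main__":
    pol = parse_ldif_entry(POLICY_LDIF)
    # Constructed candidates: a short cleartext, a long cleartext, and a client-side MD5 of "abc".
    for candidate in ("abc", "correcthorse", "{MD5}kAFQmDzST7DWlj99KOF/cg=="):
        print(candidate, "->", quality_decision(pol, candidate))
```

With the posted policy the three-character password is rejected only when sent in cleartext (pam_password exop); the same password pre-hashed by the client passes, because pwdCheckQuality 1 accepts what it cannot inspect.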