Re: replication breaks ppolicy

From:	Buchan Milne <bgmilne@staff.telkomsa.net>
To:	openldap-technical@openldap.org
Cc:	rocke.robertson@pch.gc.ca
Date:	23/08/2011 09:45 AM
Subject:	Re: replication breaks ppolicy

On Tuesday, 23 August 2011 15:12:41 rocke.robertson@pch.gc.ca wrote:
> Good morning all
> After quite a bit of work, I got replication working (thank you all).
> So I forged ahead and deployed the server in our RHEL 5.5 environment.

>RHEL5's openldap packages finally became somewhat usable at RHEL5.4, for
>openldap *2.3*. You may find you want newer (e.g. for

Will look into getting a newer version.

> But
> now I just realized that none of my ppolicy rules work. Also, the Redhat
> clients are configured to use MD5 hash.

>You don't want clients to hash passwords, you can't enforce any password
>quality checks on hashes. Use 'pam_password exop' if you want to enforce
>password quality (or otherwise be able to control password hashing on the

Have tried exop and clear as the documentation suggests is needed. No
aging / history though...

> When I look at the accounts in
> webmin, it shows it being crypt????? I know openldap likes salted SHA,
> I thought I'd do what Redhat wanted, which was MD5.

Because... I guess because I blindly follow vendor documentation? I do see
folks complaining about this though.

> Password history, aging etc... A search used to show me all of my ppolicy
> objects.
> ldapsearch -v -x -b 'dc=chin,dc=ca' cn=default

> But now returns nothing. Users can reuse passwords, so no history or
> is working. No locking. I had to change ACL's on the provider and
> to get the replication working. Would that cause the problem?

> No.

Then this is good.

> Here is my policy LDIF file I added to the server:
> # policies, chin.com
> dn: ou=policies,dc=chin,dc=ca
> objectClass: organizationalUnit
> objectClass: top
> ou: policies
> # default, policies, chin.com
> dn: cn=default,ou=policies,dc=chin,dc=ca
> objectClass: top
> objectClass: device
> objectClass: pwdPolicy
> cn: default
> pwdAttribute: userPassword
> pwdInHistory: 6
> pwdCheckQuality: 1
> pwdMinLength: 8
> pwdMaxFailure: 4
> pwdLockout: TRUE
> pwdLockoutDuration: 1920
> pwdGraceAuthNLimit: 0
> pwdFailureCountInterval: 0
> pwdMustChange: TRUE
> pwdAllowUserChange: TRUE
> pwdSafeModify: FALSE
> pwdMaxAge: 10368000
> pwdExpireWarning: 1209600
> pwdMinAge: 86400

>Show some example accounts, requesting the operational attributes ('+'),
>show authentication attempts (see ldapwhoami(1)) and password change
>(see ldappasswd(1)) with the ppolicy control enabled (-e ppolicy).

-bash-3.2$ ldapwhoami -x -D "uid=bigbob,ou=People,dc=chin,dc=ca" -W -e
Enter LDAP Password:
Result: Success (0)

Not a whole hell of a lot of information is produced. I don't know this
command well so I'm not sure, but I think this is a little shy on output?

-bash-3.2$ id
uid=10014(bigbob) gid=100(users) groups=100(users)

-bash-3.2$ ldappasswd -h ldap -x -D cn=admin,dc=chin,dc=ca
"uid=bigbob,ou=People,dc=chin,dc=ca" -W -S -e ppolicy
New password:
Re-enter new password:
Enter LDAP Password:
Result: Success (0)


I can change the password with ldappasswd, and here I am changing it to the
existing password with no errors or complaints. That used to fail.

I'm sorry but I'm not 100% sure what an operational attribute ('+') is,
but here is an account that was created with the pwdPolicy objectclass. I
used to be able to get all the aging, last changed, lock and history

ldapsearch -v -x -b 'dc=chin,dc=ca' uid=bigbob -e ppolicy

# extended LDIF
# LDAPv3
# base <dc=chin,dc=ca> with scope subtree
# filter: uid=bigbob
# requesting: ALL

# bigbob, People, chin.ca
dn: uid=bigbob,ou=People,dc=chin,dc=ca
pwdAttribute: userPassword
shadowMax: 99999
uid: bigbob
cn: Big Bob
homeDirectory: /homes/bigbob
uidNumber: 10014
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: hostObject
objectClass: pwdPolicy
host: db1.rcip-chin.gc.ca
host: db2.rcip-chin.gc.ca
host: db-cl1.rcip-chin.gc.ca
host: db-cl2.rcip-chin.gc.ca
shadowWarning: 7
gidNumber: 100
gecos: Big Bob
loginShell: /bin/bash

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Buchan, thanks for your help.
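The check Buchan asks for, as an added example that is not part of the thread: a small shell script that builds the ldapsearch requesting the operational attributes ('+') and summarises the ppolicy state attributes it returns. The host (ldap), bind DN (cn=admin,dc=chin,dc=ca) and base DN are the ones used in the commands above; the attribute names are those of the OpenLDAP ppolicy overlay (draft-behera-ldap-password-policy); the LDIF it parses here is a constructed sample, not output from the poster's server.

```shell
#!/bin/sh
# Added example, not code from the original thread. Reports the OpenLDAP
# ppolicy overlay's operational attributes for an account. Attribute names
# are the overlay's own (draft-behera-ldap-password-policy); the host,
# bind DN and base DN default to the values used in the thread.

# Print the ldapsearch that returns an account's ppolicy state. The '+'
# requests operational attributes, which slapd never returns unless they are
# asked for. Bind as a DN that may read them: the rootdn, or an identity
# granted read on the pwd* attributes by ACL.
ppolicy_search_cmd() {
    user="$1"
    base="${2:-dc=chin,dc=ca}"
    host="${3:-ldap}"
    printf 'ldapsearch -LLL -x -h %s -D cn=admin,%s -W -b %s "(uid=%s)" "*" "+"\n' \
        "$host" "$base" "$base" "$user"
}

# Summarise one LDIF entry (read from stdin) as key=value lines.
ppolicy_report() {
    awk '
        /^pwdPolicySubentry:/    { sub(/^[^:]*: */, ""); policy  = $0 }
        /^pwdChangedTime:/       { sub(/^[^:]*: */, ""); changed = $0 }
        /^pwdAccountLockedTime:/ { sub(/^[^:]*: */, ""); locked  = $0 }
        /^pwdReset:/             { sub(/^[^:]*: */, ""); reset   = $0 }
        /^pwdFailureTime:/       { failures++ }
        /^pwdHistory:/           { history++ }
        END {
            # No pwdPolicySubentry means the server-wide ppolicy_default applies.
            printf "policy=%s\n",   (policy  == "" ? "default" : policy)
            printf "changed=%s\n",  (changed == "" ? "none"    : changed)
            printf "failures=%d\n", failures
            printf "history=%d\n",  history
            printf "locked=%s\n",   (locked  == "" ? "no"      : locked)
            printf "reset=%s\n",    (reset   == "" ? "FALSE"   : reset)
            # pwdChangedTime is stamped by the overlay on every password write it
            # sees. Its absence means no write passed through the overlay: it is
            # not loaded on this server, or the password was set before it was.
            printf "ppolicy_active=%s\n", (changed == "" ? "no" : "yes")
        }
    '
}

# Constructed sample of what the search returns when the overlay is working
# (two failed binds, one history entry, not locked). Not real server output.
SAMPLE_LDIF='dn: uid=bigbob,ou=People,dc=chin,dc=ca
uid: bigbob
objectClass: account
objectClass: posixAccount
pwdChangedTime: 20110823134501Z
pwdFailureTime: 20110823140012Z
pwdFailureTime: 20110823140030Z
pwdHistory: 20110601120000Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}constructed-sample-hash
'

ppolicy_search_cmd bigbob
printf '%s' "$SAMPLE_LDIF" | ppolicy_report
```

If the report comes back with ppolicy_active=no for an account whose password was changed through this server, the overlay is not seeing the writes. Two things to verify on each server, provider and consumer alike: the database has `overlay ppolicy` (or an olcPPolicyConfig entry under cn=config), and `ppolicy_default` (olcPPolicyDefault) names the policy entry, here cn=default,ou=policies,dc=chin,dc=ca. Syncrepl replicates entries, including the pwd* state attributes, but not the overlay configuration of the other server unless cn=config itself is replicated, so a freshly built consumer can carry the policy entry and still enforce nothing. Note also that the overlay links an account to a policy through the operational attribute pwdPolicySubentry, falling back to ppolicy_default; adding objectClass pwdPolicy to a user entry does not attach a policy to it.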