ppolicy overlay doesn't apply
- To: email@example.com
- Subject: ppolicy overlay doesn't apply
- From: Cosmin Ciuraru <firstname.lastname@example.org>
- Date: Thu, 12 Apr 2012 09:07:39 +0300
I am trying to use the ppolicy overlay with openldap, version 2.4.20, installed on a SLES 11 SP1 x64, as a package. I have made the following settings in the openldap.conf:
- included the ppolicy.schema
- overlay ppolicy
- ppolicy_default "cn=pwd,ou=Policies,o=...."
I saw that a "moduleload ppolicy.la" is also required, but I cannot find the library in /usr/lib/openldap/modules (which is empty). I have compiled the source with --enable-ppolicy=mod/yes and --enable-modules=yes, to see if it would generate the library ppolicy.la, but it just generated the slapd binary, so, as it gives no error for the config file, I suppose that the ppolicy part is embedded in the slapd.
When I try to change the password for a user in LDAP, the policy doesn't apply. The clients run on the same OS, but different machines, with pam_ldap-184 and nss-ldap-262. If I open the yast2-ldap-client, I can see that it finds the password policy, but it doesn't get applied. If I follow the requests to the LDAP server, I can see that the client issues a request with the filter objectClass=passwordPolicy, which comes from the pam_ldap, which is written to use the Netscape password policy schema. But in my LDAP I use the pwdPolicy schema, which is a more recent one. I know that the password doesn't get applied because I set the checkQuality attribute to 0 and I expect it to let me use whatever password I like. The client has the pam_lookup_policy set to yes.
Can you please point out what I am missing?
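
An added example, not part of the original message and not OpenLDAP code: a small Python check that reads a slapd.conf and reports, per database section, whether the three settings listed above (schema include, `overlay ppolicy`, `ppolicy_default`) and a `moduleload` line are present, and whether `ppolicy_default` follows the `overlay ppolicy` line it belongs to. The sample configuration, its suffixes and its policy DNs are constructed for illustration.

```python
import shlex
# Constructed sample slapd.conf; suffixes and policy DNs are hypothetical.
SAMPLE_CONF = '''\
include /etc/openldap/schema/ppolicy.schema
database bdb
suffix "o=example"
overlay ppolicy
ppolicy_default "cn=pwd,ou=Policies,o=example"
database bdb
suffix "o=other"
ppolicy_default "cn=pwd,ou=Policies,o=other"
'''

def logical_lines(text):
    """Yield each directive as a token list (leading whitespace continues a line)."""
    buf = ""
    for raw in text.splitlines() + [""]:  # trailing "" flushes the last directive
        if raw.startswith("#"):
            continue
        if raw[:1] in (" ", "\t") and buf:
            buf += " " + raw.strip()
            continue
        if buf:
            yield shlex.split(buf)
        buf = raw.strip()

def check_ppolicy(text):
    """Report which ppolicy settings are present, per database section."""
    report = {"schema": False, "moduleload": False, "databases": []}
    db, current = None, None  # open database section, last overlay seen in it
    for tok in logical_lines(text):
        key, args = tok[0].lower(), tok[1:]
        if not args:
            continue
        if key == "include" and args[0].endswith("ppolicy.schema"):
            report["schema"] = True
        elif key == "moduleload" and args[0].rsplit("/", 1)[-1].startswith("ppolicy"):
            report["moduleload"] = True
        elif key == "database":
            db, current = {"suffix": None, "overlay": False, "default": None, "misplaced": False}, None
            report["databases"].append(db)
        elif db is not None and key == "suffix":
            db["suffix"] = args[0]
        elif db is not None and key == "overlay":
            current = args[0].lower()
            db["overlay"] = db["overlay"] or current == "ppolicy"
        elif db is not None and key == "ppolicy_default":
            db["default"] = args[0]
            db["misplaced"] = current != "ppolicy"  # not directly under overlay ppolicy
    return report
```

A database whose entry shows `overlay` as false, or `misplaced` as true, is one where the policy named by `ppolicy_default` is not attached to a ppolicy overlay instance in that section.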