[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: invalid syntax (21) error while importing password password policy



Hi,

On Mon, 16 Sep 2013, Philip Bubel wrote:

Running OpenLdap 2.4.23 on Centos 6.4 and we are having truoble enabling password polices.  I've read a number of FAQ's online, plus spent hours searching for a solution to this problem, although a lot of folks seem to have the same issue I haven't been able to find a solution that works for us.  I run into trouble running ldapadd to import the new policy.  I end up with the invalid syntax error I've included below, along with a copy of the .ldif file and my slapd.conf file.  I was able to create the policies OU without issue, I also tried using the OID for pwdAttribute instead of userPassword.

[root@asu10d schema]# ldapadd -D "cn=Manager,dc=XXXX,dc=test" -W -x -f /tmp/ppolicy.ldif
Enter LDAP Password:
adding new entry "cn=policy,ou=policies,dc=XXXX,dc=test"
ldap_add: Invalid syntax (21)
additional info: pwdAttribute: value #0 invalid per syntax

Please check you /tmp/ppolicy.ldif that there are now illegal characters in the line with pwdAttribute:

It looks like this is perhaps borken.

Please also consider updating to the latest openldap 2.4.36 via one of the openly available rpm.

Greetings
Christian


Contents of policy.ldif
n: cn=policy,ou=policies,dc=XXXX,dc=test
cn: default
objectClass: pwdPolicy
objectClass: person
objectClass: top
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdExpireWarning: 600
pwdFailureCountInterval: 30
pwdGraceAuthNLimit: 5
pwdInHistory: 5
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdMaxAge: 0
pwdMaxFailure: 5
pwdMinAge: 0
pwdMinLength: 5
pwdMustChange: FALSE
pwdSafeModify: FALSE
sn: dummy value

Contents of my slapd.conf

include         /etc/openldap/schema/corba.schema
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/duaconf.schema
include         /etc/openldap/schema/dyngroup.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/java.schema
include         /etc/openldap/schema/misc.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/openldap.schema
include         /etc/openldap/schema/ppolicy.schema
include         /etc/openldap/schema/collective.schema
include         /etc/openldap/schema/samba.schema
include         /etc/openldap/schema/pmi.schema

allow bind_v2

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

modulepath /usr/lib64/openldap

moduleload ppolicy.la

TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
TLSCertificateFile /etc/pki/tls/certs/slapd.pem
TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem

database config
access to *
      by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
       by dn.exact="cn=Manager,dc=XXXX,dc=test" read
       by * none

database        bdb
suffix          "dc=XXXXX,dc=test"
checkpoint      1024 15
rootdn          "cn=Manager,dc=XXXX,dc=test"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          hello (Temp password used for testing)

overlay ppolicy
policy_default "cn=default,ou=policies,dc=XXXX,dc=test"
policy_use_lockout

directory       /var/lib/ldap

# Indices to maintain for this database
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub



--
Christian Kratzer                      CK Software GmbH
Email:   ck@cksoft.de                  Wildberger Weg 24/2
Phone:   +49 7032 893 997 - 0          D-71126 Gaeufelden
Fax:     +49 7032 893 997 - 9          HRB 245288, Amtsgericht Stuttgart
Web:     http://www.cksoft.de/         Geschaeftsfuehrer: Christian Kratzer