[Date Prev][Date Next] [Chronological] [Thread] [Top]

Implementing PPolicy

I'm trying implement the password policy overlay into my openldap setup, I'm running a Debian 7 server and installed openldap with the package manager.

root@baneling:~# dpkg -l | grep slapd
ii  slapd                            2.4.31-1+nmu2          amd64        OpenLDAP server (slapd)


I currently have my ldap server setup for authentication and authorization, I'm using libnss-ldapd and libpam-ldapd on my other machines to search the ldap directory and would like to implement the password policy provided by the overlay.  I believe I've added the schema, loaded the dynamic module, and added the overlay to my database correctly, however I'm not sure it's actually working.  I've been mostly following this article and the openldap documentation:

http://www.openldap.org/doc/admin24/overlays.html#Password Policies

Here is my slapd.d config (shortened for brevity):

root@baneling:~# slapcat -b cn=config
dn: cn=module{1},cn=config
objectClass: olcModuleList
cn: module{1}
structuralObjectClass: olcModuleList
entryUUID: ad917d22-1583-1033-9e53-473d795f568b
creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
createTimestamp: 20140119183138Z
olcModuleLoad: {0}ppolicy.so
olcModulePath: /usr/lib/ldap
entryCSN: 20140119183433.154615Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20140119183433Z
dn: cn={4}ppolicy,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {4}ppolicy
dn: olcOverlay={0}ppolicy,olcDatabase={1}hdb,cn=config
objectClass: olcPPolicyConfig
olcOverlay: {0}ppolicy
olcPPolicyDefault: cn=default,ou=Policies,dc=harmonywave,dc=com
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: TRUE
structuralObjectClass: olcPPolicyConfig
entryUUID: 3c8dc8ce-158d-1033-9e57-473d795f568b
creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
createTimestamp: 20140119194003Z
entryCSN: 20140119194003.774030Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20140119194003Z

And my container for the default policy:
root@baneling:~# ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b ou=Policies,dc=harmonywave,dc=com
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
dn: ou=Policies,dc=harmonywave,dc=com
ou: Policies
objectClass: top
objectClass: organizationalUnit

dn: cn=default,ou=Policies,dc=harmonywave,dc=com
cn: default
objectClass: pwdPolicy
objectClass: person
objectClass: top
pwdAttribute: userPassword
pwdAllowUserChange: TRUE
pwdExpireWarning: 432000
pwdFailureCountInterval: 1800
pwdGraceAuthNLimit: 10
pwdInHistory: 10
pwdLockout: TRUE
pwdLockoutDuration: 1800
pwdMaxAge: 7776000
pwdMaxFailure: 6
pwdMinAge: 86400
pwdMinLength: 10
pwdMustChange: FALSE
pwdSafeModify: TRUE
sn: passwdpolicy

However, I'm not sure the policy is actually being applied.  I thought it might be because I originally created my user before adding the schema and overlay, so I deleted the user and recreated it.  I'm able to log into a server using my uid, however if I try to change my password I get the following:

jschaeffer@defiler:~$ passwd
(current) LDAP Password:
New password:
Retype new password:
password change failed: Constraint violation
passwd: Authentication token manipulation error
passwd: password unchanged


I've been entering my current password correctly when it asks and I am using a complex new password.  I also don't see any of the ppolicy attributes on my user (pwdChangeTime, pwdFailureTime, pwdGraceUseTime, etc):

root@baneling:~# ldapsearch -LLL -x -D cn=admin,dc=harmonywave,dc=com -W -H ldapi:/// -b uid=jschaeffer,ou=People,dc=harmonywave,dc=com
Enter LDAP Password:
dn: uid=jschaeffer,ou=People,dc=harmonywave,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
uid: jschaeffer
cn: Joshua Schaeffer
uidNumber: 3000
gidNumber: 3000
homeDirectory: /home/jschaeffer
loginShell: /bin/bash
gecos: Joshua Schaeffer
userPassword:: ....


I've been searching around for on the web for answers to the passwd issue, but I've not been able to find anything useful.  Does anyone know how to verify that the ppolicy overlay is actually working?