Re: Implementing PPolicy
On Mon, 20 Jan 2014 19:48:40 -0700, Joshua Schaeffer <jschaeffer0922@gmail.com> wrote:
> Thanks for the explanation, that really helped. I didn't know about
> the '+' and was able to see some ppolicy operational attributes on my
> uid. I read the slapo-ppolicy manual page and that also helped
> clarify a few things. You stated users being able to change their
> own password depended on access rights. These are the access rights
> I have in my database. Are these correct to allow users to change
> their password:
>
> ===================================================
> root@baneling:~# ldapsearch -Y EXTERNAL -H ldapi:/// -b
> olcDatabase={1}hdb,cn=config olcAccess
> SASL/EXTERNAL authentication started
> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> SASL SSF: 0
> # extended LDIF
> #
> # LDAPv3
> # base <olcDatabase={1}hdb,cn=config> with scope subtree
> # filter: (objectclass=*)
> # requesting: olcAccess
> #
>
> # {1}hdb, config
> dn: olcDatabase={1}hdb,cn=config
> olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=harmonywave,dc=com" write by * none
> olcAccess: {1}to dn.base="" by * read
> olcAccess: {2}to * by self write by dn="cn=admin,dc=harmonywave,dc=com" write by * read
>
> # {0}ppolicy, {1}hdb, config
> dn: olcOverlay={0}ppolicy,olcDatabase={1}hdb,cn=config
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 3
> # numEntries: 2
> ===================================================
>
> I've been fiddling with my setup to see if I can't get it to work. I
> read that you need to tell PAM on the client server to do a lookup
> for password policies using 'pam_lookup_policy yes' in the
> /etc/pam_ldap.conf file. I was using libpam-ldapd instead of
> libpam-ldap, which doesn't use the pam_ldap.conf file for its
> configuration (it shares its config file with libnss-ldapd, which is
> the /etc/nslcd.conf file). I uninstalled libpam-ldapd and installed
> libpam-ldap instead, adjusted the config file, and I appear to be
> getting a little further. Now when I try to change my password on a
> client server I get the following:
>
> ===================================================
> jschaeffer@defiler:~$ passwd
> Enter login(LDAP) password:
> New password:
> Re-enter new password:
> LDAP password information update failed: Insufficient access
> Must supply old password to be changed as well as new one
> passwd: Permission denied
> passwd: password unchanged
> ===================================================
>
> I'm not sure why it wouldn't recognize that I did enter my previous
> password before I attempted to change it.
[...]
Run slapd(8) in debugging mode with -d acl
-Dieter
--
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
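An added Python model of slapd's ACL evaluation order (first matching `to` clause, then first matching `by` clause, default `none`), run over the three olcAccess values quoted in the thread; this is example code, not anything from the thread or from OpenLDAP itself, and the user DN is a constructed placeholder. It shows that, on paper, a bind as the user's own entry gets `write` on userPassword while any other non-admin user gets `none` (the `{2}` rule's `by * read` is never reached for that attribute), which is why the `-d acl` trace showing the identity the bind actually resolved to is the useful next check.

```python
import re

# The three olcAccess values from the thread, with the list archive's line wrapping undone.
OLC_ACCESS = [
    'to attrs=userPassword,shadowLastChange by self write by anonymous auth '
    'by dn="cn=admin,dc=harmonywave,dc=com" write by * none',
    'to dn.base="" by * read',
    'to * by self write by dn="cn=admin,dc=harmonywave,dc=com" write by * read',
]

# Access levels in increasing order: a grant of one level implies all lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

_BY = re.compile(r'by\s+(self|anonymous|users|\*|dn="[^"]*")\s+(\w+)')

def parse_acl(line):
    """Split one olcAccess value into its <what> part and ordered <who> clauses."""
    what, _, rest = line.partition(" by ")
    what = what.strip()
    if what.startswith("to "):
        what = what[3:]
    return what, _BY.findall("by " + rest)

def _what_matches(what, target_dn, attr):
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr is not None and attr.lower() in what[6:].lower().split(",")
    if what.startswith("dn.base="):
        return target_dn == what[len("dn.base="):].strip('"')
    return False  # other <what> forms are not needed for this thread's ACLs

def _who_matches(who, bind_dn, target_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    m = re.fullmatch(r'dn="([^"]*)"', who)  # exact-DN clause
    return m is not None and bind_dn is not None and bind_dn.lower() == m.group(1).lower()

def access(acls, bind_dn, target_dn, attr=None):
    """Level granted to bind_dn on target_dn/attr; bind_dn=None means anonymous."""
    for line in acls:
        what, whos = parse_acl(line)
        if not _what_matches(what, target_dn, attr):
            continue
        for who, level in whos:
            if _who_matches(who, bind_dn, target_dn):
                return level
        return "none"  # <what> matched but no <by> clause did: evaluation stops here
    return "none"

def allows(acls, bind_dn, target_dn, attr, needed):
    return LEVELS.index(access(acls, bind_dn, target_dn, attr)) >= LEVELS.index(needed)
```

Against a live server, slapacl(8) answers the same question using the real configuration; this model only makes the first-match rule visible.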