[Date Prev][Date Next] [Chronological] [Thread] [Top]

Problem with ppolicy

To: openldap-technical@openldap.org
Subject: Problem with ppolicy
From: Mikael Nehlsen <openldap@nehlsen.se>
Date: Thu, 06 Feb 2014 13:37:32 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0

Hello!

I have a problem with the ppolicy module. I have 2 ldaptreesdc=example,dc=com and o=external and I want to have password policies(lockout after 5 failed login attempts) and I can see that it works ondc=example,dc=com but it does not work on o=external.

Both trees save failed login attempts but only the first tree lockspeople out o=external just saves more and more failed attempts but neverlockout the user.

I have tried a lot of things and I can not figure out what the problemis. I hope someone here can help me.

It is 2 replicated ubuntu 10.04 servers with openldap 2.4.21-0ubuntu5.7and the ppolicy configuration looks like this:


ppolmodule.ldif :

dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModuleLoad: ppolicy.la

ldapadd -x -D "cn=admin,cn=config" -w password -f ~/ppolmodule.ldif -h ldap1

ppol.ldif:

dn: ou=policies,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: policies

dn: cn=default,ou=policies,dc=example,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: 2.5.4.35
pwdLockout: TRUE
pwdLockoutDuration: 1800
pwdMaxFailure: 5
pwdMinLength: 6

ldapadd -x -D "cn=admin,dc=example,dc=com" -w password -f ~/ppol.ldif-h ldap1


ppol_external.ldif:

dn: ou=policies,o=external
objectClass: organizationalUnit
objectClass: top
ou: policies

dn: cn=default,ou=policies,o=external
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: 2.5.4.35
pwdLockout: TRUE
pwdLockoutDuration: 1800
pwdMaxFailure: 5
pwdMinLength: 6

ldapadd -x -D "cn=admin,dc=example,dc=com" -w password -f~/ppol_external.ldif -h ldap1


ppoloverlay.ldif:

dn: olcOverlay=ppolicy,olcDatabase={1}bdb,cn=config
olcOverlay: ppolicy
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: FALSE
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=com

ppoloverlay_external.ldif:

dn: olcOverlay=ppolicy,olcDatabase={2}bdb,cn=config
olcOverlay: ppolicy
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: FALSE
olcPPolicyDefault: cn=default,ou=policies,o=external

ldapadd -x -D "cn=admin,cn=config" -w password -f ~/ppoloverlay.ldif -hldap1

ldapadd -x -D "cn=admin,cn=config" -w password -f~/ppoloverlay_external.ldif -h ldap1

I tried with only one default policy for both trees as well, it made nodifference.


/Mikael

Follow-Ups:
- Re: Problem with ppolicy
  - From: Mikael Nehlsen <openldap@nehlsen.se>

Prev by Date: Antw: Re: Slow to add 1 million items
Next by Date: Re: Re: Slow to add 1 million items
Index(es):
- Chronological
- Thread