Re: pwdCheckModule not allowed on openldap 2.4.40 (ubuntu server 12.04)

To: Guruprasad Kulkarni <gkulkarni@gridcosystems.com>

Subject: Re: pwdCheckModule not allowed on openldap 2.4.40 (ubuntu server 12.04)

From: Clément OUDOT <clem.oudot@gmail.com>

Date: Fri, 14 Nov 2014 09:29:38 +0100

Cc: "openldap-technical@openldap.org" <openldap-technical@openldap.org>

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=DSfKfyYK5uao5WWCSIZviTXGhmh3Mi+Octwyo9vP2/s=; b=W1ysM0esE2h2O6SbQc9Ks5talPAhKZnfXNsYKyjzl7DsHT++nZrjlPiLV7rDdVkSXi eOWsRubsXLD9kMNmPHCzIHk1rerT9dynIFbJkyEE8bCBRDHyMWIyrP+UGeqMbZBSiSxK n02PsMi5sOxkX5YLIrzibwmR4w4BjbyTFBH03duwVjVD1KvmH+dNXboetjKyiCpifQfJ 2KDqQ5ri0lLsBkBR56ThH3M5wg/OsIUYEPP+grmYTZNkbmW8PjRFtTmrdZpyAqr8zrEh FVEL8GtIEYbDNLKw8BiMWtQu+6niNl36rQ/HETeKpKZwKfso5q/oygPr2VNHtZKRklP0 VjvQ==

In-reply-to: <CAB6=W2t_fabgJXB9ZC1yNAycD=u+pvJWhUFpk3QiP7C1_DrWeg@mail.gmail.com>

References: <CAB6=W2t_fabgJXB9ZC1yNAycD=u+pvJWhUFpk3QiP7C1_DrWeg@mail.gmail.com>

2014-11-14 0:31 GMT+01:00 Guruprasad Kulkarni <gkulkarni@gridcosystems.com>:

Hi,

I installed openldap 2.4.40 on ubuntu 12.04LTS

I enabled ppolicy while configuring the installation.
./configure --enable-hdb --enable-ppolicy --enable-syncprov --with-tls

I want to specify a password check module (to check for minimum upper cases, lower cases, digits, etc).

I got the module from http://ltb-project.org/wiki/documentation/openldap-ppolicy-check-password

I created a password policy very similar to the one given in the documentation:

dn: cn=default,ou=policies,dc=example,dc=com
cn: default
objectClass: pwdPolicy
objectClass: person
objectClass: top
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckQuality:
1
pwdCheckModule: check_password.so
pwdExpireWarning: 600
pwdFailureCountInterval: 30
pwdGraceAuthNLimit:
0

pwdInHistory: 5
3
pwdLockout: TRUE
pwdLockoutDuration:
60
0
pwdMaxAge:
1200
pwdMaxFailure:
3
pwdMinAge: 0
pwdMinLength:
8
pwdMustChange: FALSE
pwdSafeModify: FALSE
sn: dummy value

slapd.conf:

modulepath /usr/local/lib
moduleload check_password.so

While adding this password policy to ldap, I get the error:

ldap_add: Object class violation (65)
attribute info: attribute 'pwdCheckModule' not allowed

The log level is 256 and doesn't say much besides giving the same error.

Let me know where I have gone wrong.

Hi,

you need to add the objectClass pwdPolicyChecker to use the attribute pwdCheckModule.

Clément.