Re: Ppolicy does not seem to work
- To: Jan Kohnert <nospam001-lists@jankoh.dyndns.org>
- Subject: Re: Ppolicy does not seem to work
- From: Clément OUDOT <clem.oudot@gmail.com>
- Date: Mon, 14 Feb 2011 10:28:00 +0100
- Cc: openldap-technical@openldap.org
- In-reply-to: <201102131745.23415.nospam001-lists@jankoh.dyndns.org>
- References: <201102131745.23415.nospam001-lists@jankoh.dyndns.org>
2011/2/13 Jan Kohnert <nospam001-lists@jankoh.dyndns.org>:
> Hi there,
>
> I'm new to this list, so first of all welcome to everyone.
>
> I have a problem with ppolicy and got stuck finding a solution. I configured
> slapd using the information from [1] trying to be able to lock users. But
> anyway, the lock seems to be ignored: As soon as one tries to log in, the
> pwdLockedTime argument is removed from the entry and I seem to be too blind or
> dumb to see the reason why.
>
> Here is what happens (testing my own account):
> b079 /etc/openldap # grep -v "^#" ldif/locked_users.ldif
> dn: uid=jan,ou=xxx,dc=yyy,dc=zzz,dc=org
> changetype: modify
> add: pwdAccountLockedTime
> pwdAccountLockedTime: 20110119225403Z
> b079 /etc/openldap # ldapmodify -x -D "cn=admin, dc=yyy, dc=zzz, dc=org" -W -f
> ldif/locked_users.ldif
> Enter LDAP Password:
> modifying entry "uid=jan,ou=xxx,dc=yyy,dc=zzz,dc=org"
>
> b079 /etc/openldap # slapcat | grep -B 13 Locked | grep "uid: jan"
> uid: jan
> b079 /etc/openldap # ldapwhoami -x -D "uid=jan, ou=xxx, dc=yyy, dc=zzz,
> dc=org" -W
> Enter LDAP Password:
> dn:uid=jan,ou=xxx,dc=yyy,dc=zzz,dc=org
> b079 /etc/openldap # slapcat | grep -B 13 Locked | grep "uid: jan"
> b079 /etc/openldap #
>
> And here is the relevant configuration:
> b079 /etc/openldap # grep ppolicy slapd.conf
> include /etc/openldap/schema/ppolicy.schema
> moduleload ppolicy.so
> overlay ppolicy
> ppolicy_default "cn=default,ou=policies,dc=yyy,dc=zzz,dc=org"
> b079 /etc/openldap #
>
> b079 /etc/openldap # ldapsearch -x -s base -b "cn=default, ou=policies,
> dc=yyy, dc=zzz, dc=org"
> # extended LDIF
> #
> # LDAPv3
> # base <cn=default, ou=policies, dc=yyy, dc=zzz, dc=org> with scope baseObject
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # default, policies, yyy.zzz.org
> dn: cn=default,ou=policies,dc=yyy,dc=zzz,dc=org
> cn: default
> sn: dummy value
> objectClass: pwdPolicy
> objectClass: person
> objectClass: top
> pwdAttribute: userPassword
> pwdMinAge: 0
> pwdMaxAge: 0
> pwdInHistory: 0
> pwdCheckQuality: 0
> pwdLockout: TRUE
> pwdLockoutDuration: 900
> pwdFailureCountInterval: 1800
> pwdMustChange: FALSE
> pwdAllowUserChange: TRUE
> pwdSafeModify: TRUE
> pwdExpireWarning: 604800
> pwdMaxFailure: 5
> pwdGraceAuthNLimit: 0
> pwdMinLength: 8
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
> b079 /etc/openldap #
>
> Thanks a lot in advance!
>
> [1] http://www.openldap.org/lists/openldap-technical/200810/msg00107.html
Hello Jan,
can you tell us the OpenLDAP version you are running? For example,
2.4.11 on Debian is known to have bugs on the password policy overlay.
Then you should try to lock your account by failing authentication
(use a bad password several times), you should see in your entry
operational attributes pwdFailureTime and pwdAccountLockedTime.
Try also to use -e ppolicy in ldapsearch or ldapwhoami commands, to
get messages from the password policy control.
Clément.
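An added diagnostic to go with the reply above; it is not code from the thread or from OpenLDAP. It takes the operational attributes of an entry (as `ldapsearch ... '+'` prints them) and the policy values shown in the cn=default entry, and works out whether the entry is currently locked and how many failures still count. The sample entry is constructed, and the lock-expiry rules are the ones from the LDAP password-policy draft that the ppolicy overlay implements (a lock lasts pwdLockoutDuration seconds unless that is 0 or the locked time is 000001010000Z, in which case it is permanent).

```python
from datetime import datetime, timedelta, timezone

# Policy values copied from the thread's cn=default entry.
POLICY = {"pwdLockout": True, "pwdLockoutDuration": 900,
          "pwdFailureCountInterval": 1800, "pwdMaxFailure": 5}

# Constructed sample, in the shape ldapsearch prints operational attributes
# when '+' is requested (pwdFailureTime is multi-valued).
SAMPLE_LDIF = """\
dn: uid=jan,ou=xxx,dc=yyy,dc=zzz,dc=org
uid: jan
pwdFailureTime: 20110119224900Z
pwdFailureTime: 20110119225000Z
pwdFailureTime: 20110119225403Z
pwdAccountLockedTime: 20110119225403Z
"""

def parse_ldif_entry(text):
    """Parse one simple LDIF entry into attr -> [values] (no base64, no folding)."""
    attrs = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs

def gtime(value):
    """LDAP GeneralizedTime 'YYYYmmddHHMMSSZ' -> timezone-aware UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def lock_status(attrs, policy, now):
    """Return (locked_now, failures_still_counted) per the draft's rules."""
    interval = timedelta(seconds=policy["pwdFailureCountInterval"])
    failures = [gtime(v) for v in attrs.get("pwdFailureTime", [])]
    # Interval 0 means failures are only cleared by a successful bind.
    counted = [f for f in failures
               if policy["pwdFailureCountInterval"] == 0 or now - f < interval]
    locked = False
    if policy["pwdLockout"] and "pwdAccountLockedTime" in attrs:
        locked_at = attrs["pwdAccountLockedTime"][0]
        duration = policy["pwdLockoutDuration"]
        if locked_at == "000001010000Z" or duration == 0:
            locked = True  # permanent lock until an administrator clears it
        else:
            locked = now < gtime(locked_at) + timedelta(seconds=duration)
    return locked, len(counted)
```

With the thread's pwdLockoutDuration of 900, a pwdAccountLockedTime stamped on 19 January has long expired by 13 February, so the function reports the entry as not locked at that point.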