I have installed the overlay, set up a default policy, I see in syslog that the policy is being referenced, but it does not seem to be enforced.

Specifically, I have been testing out pwdMinLength of 10. However, I can change the password to anything of 6 characters or longer. I've messed with the slapd config, pam, ldap.conf... I just can't figure it out.

Here is my /etc/pam.d/common-passwd:

password        [success=2 default=ignore]      pam_unix.so obscure sha512
password        [success=1 user_unknown=ignore default=die]     pam_ldap.so
password        requisite                       pam_deny.so
password        required                        pam_permit.so

Here is my overlay:

root@ldap:/etc/ldap/slapd.d/cn=config/olcDatabase={1}hdb# cat olcOverlay\=\{0\}ppolicy.ldif
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 e13ac822
dn: olcOverlay={0}ppolicy
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: {0}ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=mydomain,dc=local
olcPPolicyUseLockout: FALSE
olcPPolicyForwardUpdates: FALSE
structuralObjectClass: olcPPolicyConfig
entryUUID: 73ace97c-bd97-1033-89a7-83eeab8cfd47
creatorsName: cn=config
createTimestamp: 20140821155626Z
olcPPolicyHashCleartext: TRUE
entryCSN: 20140822194949.226250Z#000000#000#000000
modifiersName: cn=admin,cn=config
modifyTimestamp: 20140822194949Z

root@ldap:/etc/ldap/slapd.d/cn=config# grep -r pol *
cn=module{0}.ldif:olcModuleLoad: {1}ppolicy
cn=schema/cn={4}ppolicy.ldif:dn: cn={4}ppolicy
cn=schema/cn={4}ppolicy.ldif:cn: {4}ppolicy
cn=schema.ldif: w policy state updates to be forwarded via updateref' SYNTAX OMsBoolean SINGL
olcDatabase={1}hdb/olcOverlay={0}ppolicy.ldif:dn: olcOverlay={0}ppolicy
olcDatabase={1}hdb/olcOverlay={0}ppolicy.ldif:olcOverlay: {0}ppolicy
olcDatabase={1}hdb/olcOverlay={0}ppolicy.ldif:olcPPolicyDefault: cn=default,ou=policies,dc=mydomain,dc=local

Here is the policy:

dn: ou=policies,dc=mydomain,dc=local
objectClass: organizationalUnit
objectClass: top
ou: policies
structuralObjectClass: organizationalUnit
entryUUID: 02bd96f4-b6ac-1033-8430-5db15c0b2efc
creatorsName: cn=admin,dc=mydomain,dc=local
createTimestamp: 20140812203558Z
entryCSN: 20140812203558.385280Z#000000#000#000000
modifiersName: cn=admin,dc=mydomain,dc=local
modifyTimestamp: 20140812203558Z

dn: cn=default,ou=policies,dc=mydomain,dc=local
objectClass: pwdPolicy
objectClass: device
objectClass: top
pwdAttribute: userPassword
pwdMaxAge: 3024000
pwdExpireWarning: 1814400
pwdInHistory: 3
pwdMaxFailure: 3
pwdLockout: TRUE
pwdLockoutDuration: 600
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
structuralObjectClass: device
entryUUID: 29977c86-b74c-1033-8432-5db15c0b2efc
creatorsName: cn=admin,dc=mydomain,dc=local
createTimestamp: 20140813154223Z
pwdMinLength: 10
cn: default
pwdCheckQuality: 2
pwdSafeModify: TRUE
entryCSN: 20140822193458.399642Z#000000#000#000000
modifiersName: cn=admin,dc=mydomain,dc=local
modifyTimestamp: 20140822193458Z

I have been around and around on this. Any help would be appreciated.

Asked by ltarc3 (edited by David Foerster)

1 Answer

My ppolicy setup is similar to your configuration and it works for me. I think that it all depends on how you test your password policy.

I have tested it by using:

(user11's password is being changed):

  1. ldappasswd -x -h ubuntu-vostro -D "cn=user11,ou=Users,dc=yourdomain,dc=net" -W -S "cn=user11,ou=Users,dc=yourdomain,dc=net" (note -D "cn=user11...")

  2. phpLdapAdmin, logged in as user11, purged cache, changed password

  3. self-service-password (the php script that is running on the apache2 server), logged in as user11. Make sure that in the config.inc.php you have $who_change_password = "user"; (not "manager").

    It looks like rootdn (manager/admin) bypasses all the password policies so if you use the rootdn (%ADMIN%) account for the user's password changing you will not see your pwdMinLength policy enforced.

You can enable openLDAP monitoring and run this command to make sure that your ppolicy overlay is properly loaded: ldapsearch -x -D dc=yourdomain,dc=net -w -b 'cn=Overlays,cn=Monitor' -s base '(objectClass=*)' '*' '+'

Answered by lk7777
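The answer's point is that the identity performing the password change decides whether slapo-ppolicy checks it at all: the rootdn is never subject to the policy, and a pre-hashed value (for example a `{SSHA}...` string sent by a client that hashes locally) cannot be length-checked, so pwdCheckQuality decides whether it is accepted or rejected. The following is an added example, not code from the thread or from OpenLDAP: a small offline model of that decision, per the slapo-ppolicy(5) semantics, run against the policy entry pasted in the question. The function names, the `Verdict` type and the minimal LDIF parser are assumptions made for this illustration.

```python
"""Offline model of slapo-ppolicy's new-password quality decision.

Added example (not from the thread). Semantics follow slapo-ppolicy(5):
the rootdn bypasses the policy; pwdCheckQuality 0 = no checks,
1 = check if possible and accept a value that cannot be checked,
2 = check and reject a value that cannot be checked (pre-hashed);
pwdMinLength applies only when quality checking is enabled.
"""

from dataclasses import dataclass

# Constructed from the cn=default policy entry in the question (operational
# attributes omitted).
POLICY_LDIF = """\
dn: cn=default,ou=policies,dc=mydomain,dc=local
objectClass: pwdPolicy
objectClass: device
objectClass: top
pwdAttribute: userPassword
pwdMinLength: 10
pwdCheckQuality: 2
pwdSafeModify: TRUE
"""


def parse_ldif_entry(text: str) -> dict:
    """Minimal LDIF parser for one entry: attr -> list of values.

    Handles folded continuation lines (leading space) and comments;
    base64 (::) values are out of scope for this illustration.
    """
    lines: list = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # folded continuation line
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry: dict = {}
    for line in lines:
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


@dataclass
class Verdict:
    accepted: bool
    reason: str


def is_prehashed(value: str) -> bool:
    """OpenLDAP cannot inspect a value already in {SCHEME}hash form."""
    return value.startswith("{") and "}" in value


def check_new_password(policy: dict, new_value: str, bound_as_rootdn: bool) -> Verdict:
    """Decide whether ppolicy would accept new_value for this bind identity."""
    quality = int(policy.get("pwdCheckQuality", ["0"])[0])
    min_len = int(policy.get("pwdMinLength", ["0"])[0])

    if bound_as_rootdn:
        return Verdict(True, "rootdn is not subject to the password policy")
    if quality == 0:
        return Verdict(True, "pwdCheckQuality 0: quality checks disabled")
    if is_prehashed(new_value):
        if quality == 1:
            return Verdict(True, "pwdCheckQuality 1: pre-hashed value not checkable, accepted")
        return Verdict(False, "pwdCheckQuality 2: pre-hashed value not checkable, rejected")
    if min_len and len(new_value) < min_len:
        return Verdict(False, f"cleartext shorter than pwdMinLength {min_len}")
    return Verdict(True, "cleartext passes the length check")


if __name__ == "__main__":
    policy = parse_ldif_entry(POLICY_LDIF)
    cases = [
        ("abcdef", True),            # six chars, changed by the rootdn
        ("abcdef", False),           # six chars, changed by the user
        ("abcdefghij", False),       # ten chars, changed by the user
        ("{SSHA}c29tZWhhc2g=", False),  # constructed pre-hashed value
    ]
    for value, as_root in cases:
        v = check_new_password(policy, value, as_root)
        who = "rootdn" if as_root else "user"
        print(f"{who:6} {value!r:24} -> {'accept' if v.accepted else 'reject'}: {v.reason}")
```

The first two cases reproduce the situation in the thread: the same six-character value is accepted when the rootdn performs the modify and rejected when the user binds as themselves, which is why the answer insists on `-D "cn=user11,..."` rather than the admin DN when testing. The last case shows the pwdCheckQuality 2 edge: a client that hashes before sending is rejected outright, while a policy set to 1 would let such a value through unchecked.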