LinuxQuestions.org
Support LQ: Use code LQ3 and save $3 on Domain Registration
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 04-08-2013, 11:04 AM   #1
Ratclaws
Member
 
Registered: Sep 2001
Location: New York
Distribution: Slackware 8
Posts: 100

Rep: Reputation: 16
Trouble using openldap ppolicy in CentOS 6.3


I need to enforce password policies via ldap, but I am not having any luck.

I can see that when i try to change my password, i do see the following in the slapd log. What am i missing?

I'm not sure that it is actually seeing my policy which is populated in
cn=default,ou=policies,dc=example,dc=net


Apr 8 10:43:28 e-dantest-01 slapd[10543]: conn=1004 op=2 BIND dn="" method=128
Apr 8 10:43:28 e-dantest-01 slapd[10543]: conn=1004 op=2 RESULT tag=97 err=0 text=
Apr 8 10:43:28 e-dantest-01 slapd[10543]: conn=1004 op=3 SRCH base="" scope=0 deref=0 filter="(?objectClass=passwordPolicy)"


here are the relevant changes that I put in place to make it happen.

slapd.conf:
## Up top
include /etc/openldap/schema/ppolicy.schema
moduleload ppolicy.la

# ACL
access to attrs=userPassword,pwmResponseSet
by dn="uid=root,ou=People,dc=example,dc=net" write
by dn="cn=svc_pwm,ou=SVC_Accounts,dc=example,dc=net" write
by dn="cn=replica,dc=example,dc=net" read
by anonymous auth
by self =xw
by * none

access to *
by self write ## remove this.
by * read


## after my database bdb section
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=example,dc=net"
ppolicy_use_lockout


I've also added "pam_lookup_policy yes" to the following
/etc/ldap.conf
/etc/openldap/ldap.conf
/etc/pam_ldap.conf


and the ldif that i used to add the policy
dn: ou=policies,dc=example,dc=net
ou: policies
objectClass: top
objectClass: organizationalUnit

# default, policies, example.com
dn: cn=default,ou=policies,dc=example,dc=net
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdMaxAge: 7776002
pwdExpireWarning: 432000
pwdInHistory: 3
pwdCheckQuality: 1
pwdMinLength: 8
pwdMaxFailure: 5
pwdLockout: TRUE
pwdLockoutDuration: 900
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
OpenLdap wit PPolicy moinshareef Linux - Server 3 12-27-2012 10:51 PM
how to enable or disable users with ppolicy OpenLDAP melive Linux - Server 4 11-16-2012 09:21 AM
[SOLVED] Another question about nfs and openldap in centos 6.3 gaby Linux - Distributions 1 08-24-2012 03:14 PM
OpenLDAP "pwdPolicySubentry" for ppolicy not applying cheetos Linux - Software 1 06-19-2011 06:24 PM
openldap ppolicy in RHEL5 frndrfoe Linux - Server 2 04-01-2010 12:56 PM


All times are GMT -5. The time now is 10:14 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration