LinuxQuestions.org, Linux - Server forum: Unsure of next steps to implement Password Policy Overlay with OpenLDAP on Ubuntu 10. (http://www.linuxquestions.org/questions/linux-server-73/unsure-of-next-steps-to-implement-password-policy-overlay-with-openldap-on-ubuntu-10-a-935745/)

transient 03-21-2012 03:49 PM

Unsure of next steps to implement Password Policy Overlay with OpenLDAP on Ubuntu 10.
 
I am testing OpenLDAP version 2.4.21 on Ubuntu 10.04. I have successfully installed it following guides here and here. I can authenticate users on a client server I set up for testing.

My next step is to turn on a password policy. This is where things have gotten a bit hazy for me and I'm hoping someone can help suss things out. I followed the steps for converting ppolicy schema to an ldif file and then adding it to the cn=config directory and verified that it shows up there:

Code:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config

dn: cn=module{0},cn=config

dn: cn=schema,cn=config

dn: cn={0}core,cn=schema,cn=config

dn: cn={1}cosine,cn=schema,cn=config

dn: cn={2}nis,cn=schema,cn=config

dn: cn={3}inetorgperson,cn=schema,cn=config

dn: cn={4}ppolicy,cn=schema,cn=config

dn: olcDatabase={-1}frontend,cn=config

dn: olcDatabase={0}config,cn=config

dn: olcDatabase={1}hdb,cn=config

I also created a pwdpolicy.ldif file as per the instructions here:
Code:

# add default policy to DIT
# pwdPolicy is an AUXILIARY object class whose only required attribute is
# pwdAttribute, so the entry also needs a structural class (person, with
# its mandatory sn) and pwdAttribute: userPassword, otherwise ldapadd
# rejects it. The container ou=pwpolicies must already exist.
# Attributes preceded with # show the defaults and can be omitted.
# With the values below: passwords expire after 7889231 seconds (about 91
# days; exactly 90 days would be 7776000), users get an expiry warning
# 604800 seconds (7 days) before expiry, the last 3 passwords cannot be
# reused, after 5 consecutive failed binds the account is locked for
# 900 seconds (a pwdLockoutDuration of 0 would lock it until an
# administrator resets it), and users must supply the old password
# when changing (pwdSafeModify: TRUE).
# Note: pwdMinLength is only enforced when pwdCheckQuality is 1 or 2
# (see slapo-ppolicy(5)); with the default of 0 it is ignored.
dn: cn=default,ou=pwpolicies,dc=example,dc=com
objectClass: pwdPolicy
objectClass: person
cn: default
sn: default
pwdAttribute: userPassword
pwdMaxAge: 7889231
pwdExpireWarning: 604800
pwdInHistory: 3
#pwdCheckQuality: 0
pwdMaxFailure: 5
pwdLockout: TRUE
pwdLockoutDuration: 900
#pwdGraceAuthNLimit: 0
#pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdMinLength: 7
pwdAllowUserChange: TRUE
pwdSafeModify: TRUE

So this policy is supposed to implement some basic password policy (expires every 90 days, can't use the last 3 passwords, you get a 7-day warning that your password is about to expire), but I can't figure out how to link this policy with...whatever it's supposed to link with. As per http://www.openldap.org/doc/admin24/overlays.html I'm supposed to
Quote:

Instantiate the module in the database where it will be used, after adding the new ppolicy schema and loading the ppolicy module.
I think I've already added the schema, but I can't find anything that clearly details how to accomplish the other two steps. The Zytrax site does say
Quote:

The ppolicy overlay is invoked for the DIT by the following additions to the configuration file (or using the equivalent olc values if cn=config is active)
but I'm not actually getting what that means. Can anyone shed some light on this in plain, layman's terms?

Thanks.

transient 03-22-2012 04:22 PM

To be more explicit, I guess the examples from the web tutorials show how to do this using the standard slapd.conf configuration, but my setup is using cn=config database for configuring slapd. This is how it installed from the Ubuntu repository (not that I knew there was a difference when I installed it). So, I'm not sure how to edit slapd using cn=config to load the ppolicy module and instantiate it in the database.
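
The steps the original poster could not find spelled out for cn=config, as an added example that is not part of the thread and not OpenLDAP's or Ubuntu's own documentation. It assumes the Ubuntu layout seen in the ldapsearch output above: slapd listening on ldapi:///, root able to bind to cn=config with SASL EXTERNAL, cn=module{0} already present with its olcModulePath pointing at the slapd module directory, the data backend at olcDatabase={1}hdb,cn=config with suffix dc=example,dc=com, and a rootdn of cn=admin,dc=example,dc=com. The function names (module_ldif, policy_ldif, overlay_ldif, apply, verify) are this example's own; the policy values follow the first post, with pwdMaxAge set to exactly 90 days.

```shell
#!/bin/sh
# Added example (not from the thread): enable slapo-ppolicy with cn=config.
# Assumed names; adjust to your server.
DB_DN='olcDatabase={1}hdb,cn=config'
SUFFIX='dc=example,dc=com'
ADMIN_DN="cn=admin,$SUFFIX"
POLICY_DN="cn=default,ou=pwpolicies,$SUFFIX"

# Step 1: load the ppolicy module. cn=module{0} already exists on Ubuntu
# (it loads back_hdb), so this is a modify that appends another olcModuleLoad.
module_ldif() {
  cat <<EOF
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy.la
EOF
}

# Step 2: the policy entry lives in the data DIT under a container OU.
# pwdPolicy is AUXILIARY and requires pwdAttribute, hence objectClass: person.
policy_ldif() {
  cat <<EOF
dn: ou=pwpolicies,$SUFFIX
objectClass: organizationalUnit
ou: pwpolicies

dn: $POLICY_DN
objectClass: pwdPolicy
objectClass: person
cn: default
sn: default
pwdAttribute: userPassword
pwdMaxAge: 7776000
pwdExpireWarning: 604800
pwdInHistory: 3
pwdCheckQuality: 2
pwdMinLength: 7
pwdMaxFailure: 5
pwdLockout: TRUE
pwdLockoutDuration: 900
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: TRUE
EOF
}

# Step 3: instantiate the overlay on the data database and point it at the
# default policy. olcPPolicyHashCleartext makes slapd hash cleartext
# userPassword values written with ldapadd/ldapmodify. olcPPolicyUseLockout
# stays FALSE so a locked account gets the same "invalid credentials" as a
# wrong password instead of telling an attacker that the lockout triggered.
overlay_ldif() {
  cat <<EOF
dn: olcOverlay=ppolicy,$DB_DN
changetype: add
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: $POLICY_DN
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: FALSE
EOF
}

# Apply in order. cn=config changes take effect at once; no restart needed.
# The policy entry is in the data DIT, so it is added as the rootdn (-W prompts).
apply() {
  module_ldif  | ldapmodify -Q -Y EXTERNAL -H ldapi:///
  policy_ldif  | ldapadd -x -H ldapi:/// -D "$ADMIN_DN" -W
  overlay_ldif | ldapadd -Q -Y EXTERNAL -H ldapi:///
}

# Check: the overlay entry must now exist under the database entry.
verify() {
  ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b "$DB_DN" \
    '(olcOverlay=ppolicy)' olcPPolicyDefault
}
```

Run `apply` once as root and then `verify`; after that, five wrong binds as a test user followed by a correct one should fail for 900 seconds, which is the quickest way to confirm the policy is actually attached to the database rather than merely present in the DIT.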

transient 04-13-2012 12:51 PM

So, I figured I waited long enough for an answer to this and got nothing. No one helped on the IRC channels either. I'm disappointed in the lack of response but I've come to a workaround. Since I'm only using this for a very small deployment, I went ahead and used the shadowAccount objectClass and defined the attributes for each user individually. It baffles me that all of the documentation I found deals with editing slapd.conf when my understanding is that that's "old school" and the dynamic backend method is the way to go. In fact, I read that future versions of OpenLDAP would not be using slapd.conf at all.

On to the next project.

scman64 05-24-2012 06:14 PM

Exact same problem with SL 6.x
 
Did the same steps you described with similar results (nothing). Did you get any other feedback? Also was not totally clear on the steps you did in your workaround as I could try that for now. Any help would be greatly appreciated....Thank you for any help you can provide. Been hitting against a brick wall....

transient 05-30-2012 01:47 PM

Hi scman64. Sorry to hear you're having the same issues.

I tried to put this project as far out of my mind as possible, since the amount of time I spent on it was ultimately more than it was worth for the end result, but let me see if I remember the workaround. There's a shadowAccount class that has attributes that can be used to set password expiration, minimum and maximum lengths, stuff like that, and I'm pretty sure it's there by default (i.e. no need to add in another schema or anything). So essentially what I did was to edit these values for each individual user. Since I was only doing this to authenticate admins who were logging in to the servers (and not trying to control a bunch of users' access to some sort of file sharing or anything like that) it turned out to be easier and quicker for me to just do this manually.

So, an ldif for that might look like the following:

Code:

dn: uid=jdoe,ou=people,dc=my,dc=company
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: jdoe
sn: Doe
givenName: Jane
cn: Jane Doe
displayName: Jane Doe
uidNumber: 1000
gidNumber: 10000
# a cleartext userPassword in an LDIF is stored exactly as written;
# set it with ldappasswd or supply a pre-hashed {SSHA} value instead
userPassword: password
gecos: Jane Doe
loginShell: /bin/bash
homeDirectory: /home/jdoe
# shadowExpire: absolute day number on which the account expires; -1 = never
shadowExpire: -1
# shadowFlag: reserved, leave at 0
shadowFlag: 0
# shadowWarning: days before expiry on which to warn the user
shadowWarning: 7
# shadowMin: minimum days between password changes (a day count, not a length)
shadowMin: 8
# shadowMax: maximum days a password stays valid
shadowMax: 90
# shadowLastChange: day of the last change as days since 1970-01-01;
# 10877 is 13 October 1999, so with shadowMax 90 this sample password is
# already expired. Use the current day number (date +%s divided by 86400).
shadowLastChange: 10877

shadowMax is the one that tells you how long a password will be valid for. shadowWarning is how many days out users will get a warning that their password is due to expire. There are others, though not well-documented in openLDAP's documentation. I actually found a good guide to the attributes here: http://docs.redhat.com/docs/en-US/Re..._Reference.htm.

For what it's worth I downloaded and installed Apache Directory Studio and after getting it connected found it to be a very quick and easy way to both query and update the database. While I like knowing in theory how to do these things via the shell, the syntax and everything is just so damn confusing that this was really welcome.
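
Shell helpers for the shadowAccount workaround described above, as an added example that is not the poster's code. The attribute values follow the LDIF in the post; the function names (days_since_epoch, shadow_state, shadow_modify_ldif, apply_shadow) and the rootdn cn=admin,dc=my,dc=company are this example's own assumptions. It shows the day-number arithmetic that shadowLastChange and shadowMax are expressed in, and an ldapmodify that restarts the expiry clock for one user.

```shell
#!/bin/sh
# Added example (not from the thread): per-user shadowAccount expiry handling.
ADMIN_DN='cn=admin,dc=my,dc=company'   # assumed rootdn

# shadowLastChange is counted in whole days since 1970-01-01 UTC.
# $1: seconds since the epoch (defaults to now).
days_since_epoch() {
  secs=${1:-$(date +%s)}
  echo $(( secs / 86400 ))
}

# Classify a password the way pam_unix/pam_ldap would from the shadow fields.
# $1: shadowLastChange  $2: shadowMax  $3: shadowWarning  $4: today (day number)
# Prints ok, warn or expired.
shadow_state() {
  last=$1; max=$2; warn=$3; today=$4
  expires=$(( last + max ))
  if [ "$today" -ge "$expires" ]; then
    echo expired
  elif [ "$today" -ge $(( expires - warn )) ]; then
    echo warn
  else
    echo ok
  fi
}

# LDIF that (re)sets the shadow attributes for one user and marks the
# password as changed on the given day, so the 90-day clock restarts.
# $1: user DN  $2: day number for shadowLastChange
shadow_modify_ldif() {
  cat <<EOF
dn: $1
changetype: modify
replace: shadowLastChange
shadowLastChange: $2
-
replace: shadowMax
shadowMax: 90
-
replace: shadowWarning
shadowWarning: 7
-
replace: shadowMin
shadowMin: 8
EOF
}

# Apply to the directory as the rootdn (prompts for the admin password).
# $1: user DN
apply_shadow() {
  shadow_modify_ldif "$1" "$(days_since_epoch)" \
    | ldapmodify -x -H ldapi:/// -D "$ADMIN_DN" -W
}
```

Note what this does not do: nothing in the directory enforces these values by itself. They only take effect if the client's PAM stack (pam_unix via nss_ldap/sssd, or pam_ldap) reads the shadow attributes, which in turn requires an ACL that lets the client read them, so check with `getent shadow jdoe` on the client after changing an entry.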

scman64 05-30-2012 08:57 PM

Thank you!!
 
Hello. Thank you so very much. Really appreciate your help on this. Wishing you a terrific night...

Quote:

Originally Posted by transient (Post 4691349)