Unsure of next steps to implement Password Policy Overlay with OpenLDAP on Ubuntu 10.
I am testing OpenLDAP version 2.4.21 on Ubuntu 10.04. I have successfully installed it following guides here and here. I can authenticate users on a client server I set up for testing.
My next step is to turn on a password policy. This is where things have gotten a bit hazy for me and I'm hoping someone can help suss things out. I followed the steps for converting ppolicy schema to an ldif file and then adding it to the cn=config directory and verified that it shows up there:
To be more explicit, I guess the examples from the web tutorials show how to do this using the standard slapd.conf configuration, but my setup is using cn=config database for configuring slapd. This is how it installed from the Ubuntu repository (not that I knew there was a difference when I installed it). So, I'm not sure how to edit slapd using cn=config to load the ppolicy module and instantiate it in the database.
So, I figured I waited long enough for an answer to this and got nothing. No one helped on the IRC channels either. I'm disappointed in the lack of response but I've come to a workaround. Since I'm only using this for a very small deployment, I went ahead and used the shadowAccount objectClass and defined the attributes for each user individually. It baffles me that all of the documentation I found deals with editing slapd.conf when my understanding is that that's "old school" and the dynamic backend method is the way to go. In fact, I read that future versions of OpenLDAP would not be using slapd.conf at all.
On to the next project.
Exact same problem with SL 6.x
Did the same steps you described with similar results (nothing). Did you get any other feedback? Also was not totally clear on the steps you did in your workaround as I could try that for now. Any help would be greatly appreciated....Thank you for any help you can provide. Been hitting against a brick wall....
Hi scman64. Sorry to hear you're having the same issues.
I tried to put this project as far out of my mind as possible, since the amount of time I spent on it was ultimately more than it was worth for the end result, but let me see if I remember the workaround. There's a shadowAccount class that has attributes that can be used to set password expiration, minimum and maximum lengths, stuff like that, and I'm pretty sure it's there by default (i.e. no need to add in another schema or anything). So essentially what I did was to edit these values for each individual user. Since I was only doing this to authenticate admins who were logging in to the servers (and not trying to control a bunch of users' access to some sort of file sharing or anything like that) it turned out to be easier and quicker for me to just do this manually.
So, an ldif for that might look like the following:
cn: Jane Doe
displayName: Jane Doe
gecos: Jane Doe
shadowMax is the one that tells you how long a password will be valid for. shadowWarning is how many days out users will get a warning that their password is due to expire. There are others, though not well-documented in openLDAP's documentation. I actually found a good guide to the attributes here: http://docs.redhat.com/docs/en-US/Re..._Reference.htm.
For what it's worth I downloaded and installed Apache Directory Studio and after getting it connected found it to be a very quick and easy way to both query and update the database. While I like knowing in theory how to do these things via the shell, the syntax and everything is just so damn confusing that this was really welcome.
Hello. Thank you so very much. Really appreciate your help on this. WIshing you a terrific night...
|All times are GMT -5. The time now is 10:16 PM.|