LinuxQuestions.org
Linux - Server: This forum is for the discussion of Linux Software used in a server related context.
Old 03-21-2012, 02:49 PM   #1
transient
Unsure of next steps to implement Password Policy Overlay with OpenLDAP on Ubuntu 10.


I am testing OpenLDAP version 2.4.21 on Ubuntu 10.04. I have successfully installed it following guides here and here. I can authenticate users on a client server I set up for testing.

My next step is to turn on a password policy. This is where things have gotten a bit hazy for me and I'm hoping someone can help suss things out. I followed the steps for converting ppolicy schema to an ldif file and then adding it to the cn=config directory and verified that it shows up there:

Code:
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config

dn: cn=module{0},cn=config

dn: cn=schema,cn=config

dn: cn={0}core,cn=schema,cn=config

dn: cn={1}cosine,cn=schema,cn=config

dn: cn={2}nis,cn=schema,cn=config

dn: cn={3}inetorgperson,cn=schema,cn=config

dn: cn={4}ppolicy,cn=schema,cn=config

dn: olcDatabase={-1}frontend,cn=config

dn: olcDatabase={0}config,cn=config

dn: olcDatabase={1}hdb,cn=config
I also created a pwdpolicy.ldif file as per the instructions here:
Code:
# Default password policy entry for the DIT.
# pwdPolicy is an AUXILIARY object class, so the entry also needs a
# structural class; device is used here because it only requires cn.
# pwdAttribute is mandatory and names the attribute the policy governs.
# With the values below: passwords expire after about 91 days (pwdMaxAge
# is in seconds), users are warned 7 days before expiry, the last 3
# passwords cannot be reused, 5 consecutive failed binds lock the
# account for 15 minutes, and users may change their own password but
# must supply the old one. Attributes shown commented out keep their
# defaults and can be omitted.
dn: cn=default,ou=pwpolicies,dc=example,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdMaxAge: 7889231
pwdExpireWarning: 604800
pwdInHistory: 3
#pwdCheckQuality: 0
pwdMaxFailure: 5
pwdLockout: TRUE
pwdLockoutDuration: 900
#pwdGraceAuthNLimit: 0
#pwdFailureCountInterval: 0
# pwdMustChange only takes effect after an administrator reset marks the
# entry with pwdReset
pwdMustChange: TRUE
pwdMinLength: 7
pwdAllowUserChange: TRUE
pwdSafeModify: TRUE
So this policy is supposed to implement some basic password policy (expires every 90 days, can't use the last 3 passwords, you get a 7-day warning that your password is about to expire), but I can't figure out how to link this policy with...whatever it's supposed to link with. As per http://www.openldap.org/doc/admin24/overlays.html I'm supposed to
Quote:
Instantiate the module in the database where it will be used, after adding the new ppolicy schema and loading the ppolicy module.
I think I've already added the schema, but I can't find anything that clearly details how to accomplish the other two steps. The Zytrax site does say
Quote:
The ppolicy overlay is invoked for the DIT by the following additions to the configuration file (or using the equivalent olc values if cn=config is active)
but I'm not actually getting what that means. Can anyone shed some light on this in plain, layman's terms?

Thanks.
 
Old 03-22-2012, 03:22 PM   #2
transient
Original Poster
To be more explicit, I guess the examples from the web tutorials show how to do this using the standard slapd.conf configuration, but my setup is using cn=config database for configuring slapd. This is how it installed from the Ubuntu repository (not that I knew there was a difference when I installed it). So, I'm not sure how to edit slapd using cn=config to load the ppolicy module and instantiate it in the database.
 
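The two steps the post is missing, loading the ppolicy module and instantiating the overlay on the database, in cn=config form, as an added example that is not part of the thread and not the OpenLDAP project's own code. It assumes the layout the first post's ldapsearch output shows: the data database at olcDatabase={1}hdb,cn=config, a module entry at cn=module{0},cn=config, the ppolicy schema already loaded, and the policy entry at cn=default,ou=pwpolicies,dc=example,dc=com. The rootdn cn=admin,dc=example,dc=com used to write the data database is an assumption (it is what the Ubuntu package creates for that suffix); the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: load the ppolicy module and instantiate
# the overlay through cn=config (the dynamic-config equivalent of the
# slapd.conf lines "moduleload ppolicy.la", "overlay ppolicy" and
# "ppolicy_default <dn>" that the slapd.conf-era guides show).
# Assumptions, taken from the first post's ldapsearch output except where noted:
#   DB        data database entry (olcDatabase={1}hdb,cn=config)
#   MODULE    existing module entry (cn=module{0},cn=config)
#   POLICY_DN the policy entry the post's pwdpolicy.ldif creates
#   ADMIN_DN  rootdn of the data database: assumed; Ubuntu's package
#             creates cn=admin,<suffix>
set -eu

BASE="dc=example,dc=com"
DB="olcDatabase={1}hdb,cn=config"
MODULE="cn=module{0},cn=config"
POLICY_DN="cn=default,ou=pwpolicies,$BASE"
ADMIN_DN="cn=admin,$BASE"

# Step 1: add ppolicy.la to the module entry. olcModulePath already points
# at /usr/lib/ldap on Ubuntu, so no directory is needed here.
module_ldif() {
    cat <<EOF
dn: $MODULE
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy.la
EOF
}

# Step 2: instantiate the overlay on the data database. olcPPolicyDefault is
# the policy applied to every entry that has no pwdPolicySubentry of its own.
overlay_ldif() {
    cat <<EOF
dn: olcOverlay=ppolicy,$DB
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: $POLICY_DN
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: FALSE
EOF
}

# Step 3: the container the policy entry lives under, in the data database.
container_ldif() {
    cat <<EOF
dn: ou=pwpolicies,$BASE
objectClass: organizationalUnit
ou: pwpolicies
EOF
}

# cn=config is edited over the ldapi socket with SASL EXTERNAL as root, the
# identity the post's output shows (gidNumber=0+uidNumber=0,cn=peercred,...).
# The data database is written as its rootdn instead.
apply_all() {
    module_ldif    | ldapmodify -Q -Y EXTERNAL -H ldapi:///
    overlay_ldif   | ldapadd    -Q -Y EXTERNAL -H ldapi:///
    container_ldif | ldapadd -x -H ldapi:/// -D "$ADMIN_DN" -W
}

# Check that the overlay is attached and which policy it points at.
verify() {
    ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b "$DB" \
        '(olcOverlay=ppolicy)' olcPPolicyDefault olcPPolicyHashCleartext
}

case "${1:-show}" in
    show)  module_ldif; echo; overlay_ldif; echo; container_ldif ;;
    apply) apply_all; verify ;;
    *)     echo "usage: $0 [show|apply]" >&2; exit 2 ;;
esac
```

Run it with show to inspect the LDIF and with apply to load it. The module entry must be modified before the overlay entry is added, and the schema has to be in place first (it already is at cn={4}ppolicy,cn=schema,cn=config in the post). Once the overlay exists, the policy entry from the first post is added to the data database like any other entry and governs every user that carries no pwdPolicySubentry of its own. olcPPolicyHashCleartext: TRUE makes slapd hash a cleartext userPassword arriving in a plain Add or Modify (clients that do not use the Password Modify extended operation), so passwords are not stored in the clear; olcPPolicyUseLockout: FALSE is the default and keeps a bind against a locked account answered with the same invalidCredentials result as a wrong password, so the lockout state cannot be used to confirm which accounts exist.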
Old 04-13-2012, 11:51 AM   #3
transient
Original Poster
So, I figured I waited long enough for an answer to this and got nothing. No one helped on the IRC channels either. I'm disappointed in the lack of response but I've come to a workaround. Since I'm only using this for a very small deployment, I went ahead and used the shadowAccount objectClass and defined the attributes for each user individually. It baffles me that all of the documentation I found deals with editing slapd.conf when my understanding is that that's "old school" and the dynamic backend method is the way to go. In fact, I read that future versions of OpenLDAP would not be using slapd.conf at all.

On to the next project.
 
Old 05-24-2012, 05:14 PM   #4
scman64
Exact same problem with SL 6.x

Did the same steps you described with similar results (nothing). Did you get any other feedback? Also was not totally clear on the steps you did in your workaround as I could try that for now. Any help would be greatly appreciated....Thank you for any help you can provide. Been hitting against a brick wall....
 
Old 05-30-2012, 12:47 PM   #5
transient
Original Poster
Hi scman64. Sorry to hear you're having the same issues.

I tried to put this project as far out of my mind as possible, since the amount of time I spent on it was ultimately more than it was worth for the end result, but let me see if I remember the workaround. There's a shadowAccount class that has attributes that can be used to set password expiration, minimum and maximum lengths, stuff like that, and I'm pretty sure it's there by default (i.e. no need to add in another schema or anything). So essentially what I did was to edit these values for each individual user. Since I was only doing this to authenticate admins who were logging in to the servers (and not trying to control a bunch of users' access to some sort of file sharing or anything like that) it turned out to be easier and quicker for me to just do this manually.

So, an ldif for that might look like the following:

# shadowAccount comes from the nis schema, which is already loaded
# (cn={2}nis in the ldapsearch output of the first post)
dn: uid=jdoe,ou=people,dc=my,dc=company
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: jdoe
sn: Doe
givenName: Jane
cn: Jane Doe
displayName: Jane Doe
uidNumber: 1000
gidNumber: 10000
# placeholder; slapd stores a userPassword value exactly as sent, so set the
# real one with ldappasswd or supply an {SSHA} hash instead of cleartext
userPassword: password
gecos: Jane Doe
loginShell: /bin/bash
homeDirectory: /home/jdoe
# all shadow* day values are days since 1970-01-01; -1 means not set
shadowExpire: -1
shadowFlag: 0
# days of warning before the password expires
shadowWarning: 7
# minimum days between password changes
shadowMin: 8
# days a password stays valid after it was last changed
shadowMax: 90
# day the password was last changed (10877 = 1999-10-13)
shadowLastChange: 10877

shadowMax is the one that tells you how long a password will be valid for. shadowWarning is how many days out users will get a warning that their password is due to expire. There are others, though not well-documented in OpenLDAP's documentation. I actually found a good guide to the attributes here: http://docs.redhat.com/docs/en-US/Re..._Reference.htm.

For what it's worth I downloaded and installed Apache Directory Studio and after getting it connected found it to be a very quick and easy way to both query and update the database. While I like knowing in theory how to do these things via the shell, the syntax and everything is just so damn confusing that this was really welcome.
 
1 members found this post helpful.
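An added note and example, not part of the thread: the shadowAccount attributes in the post above are read and enforced by the client's PAM/NSS stack (pam_unix with nss_ldap or nslcd, or pam_ldap), not by slapd, so an LDAP bind from any other application against a password that is "expired" by shadowMax still succeeds; of the two approaches in this thread only the ppolicy overlay enforces anything in the server. The script below models the checks pam_unix makes on those attributes so the numbers in the post can be sanity-checked against a given day; the rule set is a simplified form of pam_unix's shadow expiry check and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: interpret shadowAccount attributes the
# way the client-side PAM check does. All shadow* day values are days since
# 1970-01-01 (shadowLastChange: 10877 in the post is 1999-10-13) and -1
# means "not set". The rule set is a simplified form of pam_unix's
# check_shadow_expiry; the function names are this example's own.
set -eu

# Current day number, the value a client compares shadowLastChange against.
today_days() {
    echo $(( $(date -u +%s) / 86400 ))
}

# Convert a shadow day number back to a calendar date (GNU or busybox date).
shadow_day_to_date() {
    date -u -d "@$(( $1 * 86400 ))" +%Y-%m-%d
}

# shadow_state LASTCHANGE MAX WARN EXPIRE TODAY
# prints one of: account-expired change-forced expired warn ok
shadow_state() {
    last=$1; max=$2; warn=$3; expire=$4; today=$5
    # shadowExpire: absolute day on which the whole account is disabled
    if [ "$expire" -gt 0 ] && [ "$today" -ge "$expire" ]; then
        echo account-expired; return
    fi
    # shadowLastChange 0 is the conventional "must change at next login"
    if [ "$last" -eq 0 ]; then
        echo change-forced; return
    fi
    age=$(( today - last ))
    # shadowMax -1: the password never ages
    if [ "$max" -lt 0 ]; then
        echo ok; return
    fi
    if [ "$age" -gt "$max" ]; then
        echo expired; return
    fi
    # warning window: fewer than shadowWarning days left
    if [ "$warn" -ge 0 ] && [ "$age" -gt $(( max - warn )) ]; then
        echo warn; return
    fi
    echo ok
}

# days_left LASTCHANGE MAX TODAY: days until expiry, negative once past it.
days_left() {
    echo $(( $1 + $2 - $3 ))
}

# Walk the post's values (shadowLastChange 10877, shadowMax 90,
# shadowWarning 7, shadowExpire -1) against the current day.
report() {
    now=$(today_days)
    echo "shadowLastChange 10877 = $(shadow_day_to_date 10877)"
    echo "today = $now ($(shadow_day_to_date "$now"))"
    echo "state: $(shadow_state 10877 90 7 -1 "$now"), days left: $(days_left 10877 90 "$now")"
}

report
```

With the post's values the password entered its warning window on day 10961 (84 days after the change) and expired on day 10968, so on any current date the report prints expired with a large negative days-left count; setting shadowLastChange to the output of today_days when the entry is created is what makes the 90-day clock start from now. shadowMin is not part of the login-time check at all: it only limits how soon a user may change the password again.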
Old 05-30-2012, 07:57 PM   #6
scman64
Thank you!!

Hello. Thank you so very much. Really appreciate your help on this. Wishing you a terrific night...

Quote:
Originally Posted by transient
Hi scman64. Sorry to hear you're having the same issues. [...]
 
Tags: ldap, openldap, password, schema, ubuntu