Trouble using openldap ppolicy in CentOS 6.3
I need to enforce password policies via ldap, but I am not having any luck.
I can see that when I try to change my password, I do see the following in the slapd log. What am I missing? I'm not sure that it is actually seeing my policy, which is populated in cn=default,ou=policies,dc=example,dc=net

Apr 8 10:43:28 e-dantest-01 slapd[10543]: conn=1004 op=2 BIND dn="" method=128
Apr 8 10:43:28 e-dantest-01 slapd[10543]: conn=1004 op=2 RESULT tag=97 err=0 text=
Apr 8 10:43:28 e-dantest-01 slapd[10543]: conn=1004 op=3 SRCH base="" scope=0 deref=0 filter="(?objectClass=passwordPolicy)"

Here are the relevant changes that I put in place to make it happen.

slapd.conf:

## Up top
include /etc/openldap/schema/ppolicy.schema
moduleload ppolicy.la

# ACL
access to attrs=userPassword,pwmResponseSet
    by dn="uid=root,ou=People,dc=example,dc=net" write
    by dn="cn=svc_pwm,ou=SVC_Accounts,dc=example,dc=net" write
    by dn="cn=replica,dc=example,dc=net" read
    by anonymous auth
    by self =xw
    by * none
access to *
    by self write ## remove this.
    by * read

## after my database bdb section
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=example,dc=net"
ppolicy_use_lockout

I've also added "pam_lookup_policy yes" to the following:
/etc/ldap.conf
/etc/openldap/ldap.conf
/etc/pam_ldap.conf

And the LDIF that I used to add the policy:

dn: ou=policies,dc=example,dc=net
ou: policies
objectClass: top
objectClass: organizationalUnit

# default, policies, example.com
dn: cn=default,ou=policies,dc=example,dc=net
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdMaxAge: 7776002
pwdExpireWarning: 432000
pwdInHistory: 3
pwdCheckQuality: 1
pwdMinLength: 8
pwdMaxFailure: 5
pwdLockout: TRUE
pwdLockoutDuration: 900
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
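As an added example (not from the post above), a small Python check that parses a pwdPolicy LDIF entry and flags settings that silently disable the intended policy, for instance pwdLockout TRUE with pwdMaxFailure unset or 0 (which never locks anyone) or a pwdExpireWarning that is not smaller than pwdMaxAge. The sample LDIF is constructed from the policy in the post; attribute limits follow the slapo-ppolicy documentation.

```python
# Added example, not from the original post: sanity-check a pwdPolicy LDIF
# entry before loading it. The sample LDIF below is constructed from the post.
POLICY_LDIF = """\
dn: cn=default,ou=policies,dc=example,dc=net
objectClass: top
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdMaxAge: 7776002
pwdExpireWarning: 432000
pwdCheckQuality: 1
pwdMaxFailure: 5
pwdLockout: TRUE
"""
INT_ATTRS = ("pwdmaxage", "pwdexpirewarning", "pwdcheckquality", "pwdmaxfailure")

def parse_ldif_entry(text):
    """Parse one LDIF entry into {attr_lowercase: [values]}; continuation
    lines (leading space) are joined and '#' comment lines skipped."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def check_policy(text):
    """Return a list of findings; an empty list means the entry looks sane."""
    e, out = parse_ldif_entry(text), []
    if "pwdpolicy" not in [v.lower() for v in e.get("objectclass", [])]:
        out.append("objectClass pwdPolicy missing: slapd will not treat this as a policy")
    if "pwdattribute" not in e:
        out.append("pwdAttribute missing: it is a MUST attribute of pwdPolicy")
    for a in INT_ATTRS:
        if a in e and not e[a][0].isdigit():
            out.append("%s is not a non-negative integer: %r" % (a, e[a][0]))
    ints = {a: int(e[a][0]) for a in INT_ATTRS if a in e and e[a][0].isdigit()}
    if ints.get("pwdcheckquality", 0) not in (0, 1, 2):
        out.append("pwdCheckQuality must be 0, 1 or 2")
    if e.get("pwdlockout", ["FALSE"])[0].upper() == "TRUE" and not ints.get("pwdmaxfailure"):
        out.append("pwdLockout TRUE but pwdMaxFailure unset or 0: accounts can never lock")
    if 0 < ints.get("pwdmaxage", 0) <= ints.get("pwdexpirewarning", 0):
        out.append("pwdExpireWarning must be smaller than pwdMaxAge")
    return out
```

Run check_policy() on the LDIF before ldapadd; the post's policy passes cleanly, while a copy with pwdMaxFailure removed or pwdCheckQuality set to 3 produces one finding per problem.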