Linux - Server: This forum is for the discussion of Linux software used in a server-related context.
I have been trying to configure OpenLDAP to use the ppolicy overlay, but none of the procedures found online have worked. I tried tens of problems discussed in the forums, but to no avail. So I would be grateful if someone could check my configuration and pinpoint the problem.
I'm using the olc (cn=config) configuration on Debian Jessie. The OpenLDAP version is 2.4.40.
Here is the ldapsearch of -b cn=config, excluding the schema contents (core, cosine, inetorgperson and ppolicy):
When I created the user test, none of the default password policy attributes got attached to it. I wasn't forced to change the password after the first login, even when I added pwdReset to the user test; I only got denied from logging in.
PS: I created an admin account, cn=boss,ou=people,dc=home,dc=me, in the DIT with the appropriate permissions, and created the user test as that user. I've read many threads, and all stated that the OpenLDAP manager account bypasses all overlays.
I tried this configuration on Ubuntu, Debian and CentOS, and none of them worked. Any help please!
After I added pwdPolicySubentry to the newly created users and set pwdReset on them, users were denied from logging in, and here is what is shown in journalctl:
Code:
[5e18f8] <authc="poor"> ldap_result() failed: Insufficient access: Operations are restricted to bind/unbind/abandon/StartTLS/modify password
Feb 13 19:17:47 debian-jessie nslcd[614]: [5e18f8] <authc="poor"> uid=poor,ou=people,dc=home,dc=me: Insufficient access
Feb 13 19:17:47 debian-jessie nslcd[614]: [5e18f8] <authc="poor"> uid=poor,ou=people,dc=home,dc=me: Password must be changed
Feb 13 19:17:47 debian-jessie sshd[2496]: pam_ldap(sshd:auth): Authentication failure; user=poor
Feb 13 19:17:49 debian-jessie sshd[2496]: Failed password for poor from 192.168.5.7 port 45534 ssh2
So it worked, but I can't get the user to change the password himself/herself. I think I'm getting very close to getting it to work properly and hope that someone will help me do it.
Unfortunately, there is no straightforward way to make the Password Policy Overlay meet my requirements, one of which is to force a user to change his/her password on the first login.
But now I'm able to do so by combining the ppolicy overlay with the shadowAccount object class, using its shadowLastChange attribute and setting it equal to zero (both the shadowAccount object class and the shadowLastChange attribute are added to the user account). The ppolicy will handle the rest. (I tried shadowAccount on its own and it didn't work.)
This workaround, if I may say so, worked on Debian only. Even CentOS client systems didn't comply with the ppolicy enforced by the LDAP server on Debian. Debian and Ubuntu clients worked.
pwdReset attribute: This attribute does lock the account and does require the password to be changed, but it can only be done through the ldappasswd command and not at login. The value of this attribute overrides the setting of pwdMustChange.
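The configuration the thread arrives at, written out as an added example script (this is not the poster's configuration, which was not included in the thread): it loads the ppolicy overlay on the data database with a default policy that has pwdMustChange TRUE, and applies the shadowAccount/shadowLastChange 0 workaround to a user. Assumptions, all adjustable at the top of the script: the data database is olcDatabase={1}mdb,cn=config (verify with ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase; Jessie installs often use {1}hdb), the suffix is dc=home,dc=me with users under ou=people, the admin DN is cn=boss,ou=people,dc=home,dc=me from the thread, and the nis schema (which defines shadowAccount) and the ppolicy schema are already loaded. The policy values (90-day maximum age, 8-character minimum, lockout after 5 failures) are illustrative choices, not something the thread specifies.

```shell
#!/bin/bash
# Added example for the LQ ppolicy thread; not the original poster's config.
# Assumptions (edit for your DIT): DB_DN, SUFFIX, the admin DN passed to
# apply(), and that the nis and ppolicy schemas are loaded.
set -eu

DB_DN="olcDatabase={1}mdb,cn=config"   # assumption: check with ldapsearch -b cn=config
SUFFIX="dc=home,dc=me"                 # from the thread
POLICY_DN="cn=default,ou=policies,${SUFFIX}"

# 1) Load the overlay module (skip the first change if ppolicy.la is already in
#    olcModuleLoad) and attach ppolicy to the database with a default policy.
#    olcPPolicyHashCleartext makes slapd hash userPassword values that arrive
#    in cleartext via a plain modify, instead of storing them as-is.
overlay_ldif() {
  cat <<EOF
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy.la

dn: olcOverlay=ppolicy,${DB_DN}
changetype: add
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: ${POLICY_DN}
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: FALSE
EOF
}

# 2) The default policy. pwdPolicy is AUXILIARY, so it is attached to a
#    structural class (person). Values below are illustrative.
policy_ldif() {
  cat <<EOF
dn: ou=policies,${SUFFIX}
objectClass: organizationalUnit
ou: policies

dn: ${POLICY_DN}
objectClass: person
objectClass: pwdPolicy
cn: default
sn: default
pwdAttribute: userPassword
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdMinLength: 8
pwdInHistory: 5
pwdMaxAge: 7776000
pwdCheckQuality: 2
pwdMaxFailure: 5
pwdLockout: TRUE
pwdLockoutDuration: 900
EOF
}

# 3) The workaround from the thread: shadowAccount + shadowLastChange 0 makes
#    the client's shadow/PAM layer expire the password at login. The change the
#    user then makes goes through the Password Modify extended operation, which
#    ppolicy still allows while pwdReset is TRUE (a search, as nslcd does after
#    binding, is what gets "Insufficient access"). "add: objectClass" fails
#    if shadowAccount is already present; "replace" keeps the value idempotent.
force_change_ldif() {
  user_dn="$1"
  cat <<EOF
dn: ${user_dn}
changetype: modify
add: objectClass
objectClass: shadowAccount
-
replace: shadowLastChange
shadowLastChange: 0
EOF
}

# Given an entry as exported by ldapsearch -LLL, succeed only if both halves
# of the workaround are present.
has_forced_change() {
  printf '%s\n' "$1" | grep -qxi 'objectClass: shadowAccount' &&
  printf '%s\n' "$1" | grep -qx 'shadowLastChange: 0'
}

# Apply everything. cn=config changes go over ldapi:/// as root (EXTERNAL);
# DIT changes use the admin DN so the overlay is not bypassed by rootdn.
apply() {
  admin_dn="$1"; user_dn="$2"
  overlay_ldif               | ldapmodify -Y EXTERNAL -H ldapi:///
  policy_ldif                | ldapadd    -x -D "${admin_dn}" -W -H ldapi:///
  force_change_ldif "${user_dn}" | ldapmodify -x -D "${admin_dn}" -W -H ldapi:///
  # Reset the password as the admin: with pwdMustChange TRUE this sets pwdReset.
  ldappasswd -x -D "${admin_dn}" -W -H ldapi:/// -S "${user_dn}"
}

# Usage: ./ppolicy-first-login.sh uid=poor,ou=people,dc=home,dc=me
if [ "${1:-}" ]; then apply "cn=boss,ou=people,${SUFFIX}" "$1"; fi
```

Two things to verify on the client side before blaming the server: nslcd must be able to read shadowLastChange for the user (its bind identity needs read access to it in the slapd ACLs, or the shadow map stays empty and nothing expires), and the user needs write access to his own userPassword (by self write) so the Password Modify operation that pam_ldap issues from passwd is accepted. The nslcd lines in the log above show the bind itself succeeding and the follow-up search being refused, which is the restriction pwdReset imposes rather than a wrong password.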