LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
Linux - Server This forum is for the discussion of Linux Software used in a server related context.
Old 04-17-2014, 12:17 PM   #1
vahab
Member
 
Registered: Jun 2011
Posts: 58

Rep: Reputation: Disabled
OpenLDAP ppolicy problem


Hi,
I am trying to make ppolicy work on openldap 2.4. I have found some good tutorials like this :
http://www.flagword.net/2013/02/open...omment-page-1/

However it does not work for me till now. I need to know where openldap stores information regarding passwords like "Last Password Change" so it can decide when to expire a password.
Do we still need to inherit the users from the "ShadowAccount" object class?
Also I need to make exception for some users and never expire their passwords.

Thank you in advance
Vahab
 
Old 04-17-2014, 02:18 PM   #2
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,634

Rep: Reputation: 7965
Quote:
Originally Posted by vahab
Hi,
I am trying to make ppolicy work on openldap 2.4. I have found some good tutorials like this :
http://www.flagword.net/2013/02/open...omment-page-1/

However it does not work for me till now.
So does this mean that things ARE working for you, and if so...why open this thread???
Quote:
I need to know where openldap stores information regarding passwords like "Last Password Change" so it can decide when to expire a password. Do we still need to inherit the users from the "ShadowAccount" object class?
Again, as with your other thread about openLDAP, did you bother to check the documentation?
http://www.openldap.org/doc/admin24/backends.html

There are several back ends that can be used.
Quote:
Also I need to make exception for some users and never expire their passwords.
...and back to "did you check the documentation or Google?"
http://www.openldap.org/doc/admin24/overlays.html
http://www.doxer.org/want-your-ldap-...oes-the-howto/

If you want some users to not expire, you create their own policy class and assign them to it. This is a VERY BAD IDEA...non-expiring passwords are INCREDIBLE security holes.
 
Old 04-17-2014, 07:48 PM   #3
vahab
Member
 
Registered: Jun 2011
Posts: 58

Original Poster
Rep: Reputation: Disabled
Things are not working for me and I am trying to find out why.

Let me ask my question another way, maybe that's my bad.

After applying the ppolicy overlay, is there any way to see the information regarding each user? I mean numerical values similar to those that can be read from /etc/shadow. Can we obtain these values using any ldapsearch command?

I am not sure if this password policy is completely server side or a client side configuration is required. (pam_lookup_policy yes in ldap.conf?)

Last edited by vahab; 04-18-2014 at 02:21 AM.
 
Old 04-18-2014, 09:24 AM   #4
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,634

Rep: Reputation: 7965
Quote:
Originally Posted by vahab
Things are not working for me and I am trying to find out why. Let me ask my question another way, maybe that's my bad.

After applying the ppolicy overlay, is there any way to see the information regarding each user? I mean numerical values similar to those that can be read from /etc/shadow. Can we obtain these values using any ldapsearch command?
You can list users in the policy group, or list complete user information, which will tell you what policy(s) apply to them. Read the man pages on the relevant LDAP commands.
Quote:
I am not sure if this password policy is completely server side or a client side configuration is required. (pam_lookup_policy yes in ldap.conf?)
And back to "read the openLDAP documentation". You can set things up in a variety of ways. Which did you pick?

Last edited by TB0ne; 04-18-2014 at 02:36 PM.
 
Old 04-18-2014, 12:18 PM   #5
vahab
Member
 
Registered: Jun 2011
Posts: 58

Original Poster
Rep: Reputation: Disabled
I followed the steps again and now it is working! Maybe last time I missed something.
Thank you TB0ne for the follow up.

In my case it does not need "pam_lookup_policy yes" in sssd.conf and it is not necessary to include shadowAccount objectClass.

And for the ones who are reading this, this is my working configuration:

###cn=config
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModuleLoad: ppolicy
olcModulePath: /usr/lib64/openldap


dn: olcOverlay=ppolicy,olcDatabase={2}bdb,cn=config
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=ppolicy,ou=policies,dc=example,dc=com
olcPPolicyUseLockout: TRUE
olcPPolicyHashCleartext: TRUE

######################################################
###dc=example,dc=com
dn: ou=policies,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: policies

dn: cn=ppolicy,ou=policies,dc=example,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicyChecker
objectClass: pwdPolicy
cn: ppolicy
pwdAttribute: userPassword
pwdInHistory: 8
pwdMinLength: 8
pwdMaxFailure: 3
pwdFailureCountInterval: 1800
pwdCheckQuality: 0
pwdMustChange: TRUE
pwdGraceAuthNLimit: 0
pwdMaxAge: 7776000
pwdExpireWarning: 1209600
pwdLockoutDuration: 900
pwdLockout: TRUE
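To answer the question raised earlier in the thread (where slapd keeps "last password change" and similar state), the ppolicy overlay records it as operational attributes on each user entry: pwdChangedTime, pwdFailureTime (multi-valued), pwdAccountLockedTime, pwdReset, and, for entries assigned a non-default policy, pwdPolicySubentry. They are not returned by a plain ldapsearch; you must request operational attributes explicitly (the "+" attribute selector). The script below is an added example, not part of any post in this thread: it parses a constructed LDIF dump of such attributes and evaluates each user against the policy values from the configuration posted above, plus a constructed second policy (cn=noexpire, pwdMaxAge 0) of the kind TB0ne describes for users exempted from expiry. The "now" timestamp is fixed so the result is reproducible; the entry DNs and times are constructed, not taken from the thread. Run against a real export, it shows expired and locked accounts and, just as importantly, which accounts sit on the exemption policy.

```python
"""Audit OpenLDAP ppolicy state from exported operational attributes.

Added example (not from the thread). Policy values for cn=ppolicy are the
ones posted above; cn=noexpire, the sample entries and NOW are constructed.
"""
from datetime import datetime, timedelta, timezone

POLICIES = {
    # Values copied from the posted cn=ppolicy entry.
    "cn=ppolicy,ou=policies,dc=example,dc=com": {
        "pwdMaxAge": 7776000, "pwdExpireWarning": 1209600,
        "pwdMaxFailure": 3, "pwdFailureCountInterval": 1800,
        "pwdLockout": True, "pwdLockoutDuration": 900,
    },
    # Constructed exemption policy: pwdMaxAge 0 means the password never expires.
    "cn=noexpire,ou=policies,dc=example,dc=com": {
        "pwdMaxAge": 0, "pwdExpireWarning": 0,
        "pwdMaxFailure": 3, "pwdFailureCountInterval": 1800,
        "pwdLockout": True, "pwdLockoutDuration": 900,
    },
}
DEFAULT_POLICY = "cn=ppolicy,ou=policies,dc=example,dc=com"  # olcPPolicyDefault above

# Constructed sample of what `ldapsearch -LLL -b ou=people,dc=example,dc=com '(uid=*)' '+'`
# returns once ppolicy is active (only the ppolicy attributes are shown).
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
pwdChangedTime: 20140201090000Z

dn: uid=bob,ou=people,dc=example,dc=com
pwdChangedTime: 20140301090000Z
pwdFailureTime: 20140418115500Z
pwdFailureTime: 20140418115700Z
pwdFailureTime: 20140418115900Z
pwdAccountLockedTime: 20140418115900Z

dn: uid=svc-backup,ou=people,dc=example,dc=com
pwdPolicySubentry: cn=noexpire,ou=policies,dc=example,dc=com
pwdChangedTime: 20120101000000Z
"""

NOW = datetime(2014, 4, 18, 12, 0, 0, tzinfo=timezone.utc)  # fixed clock for reproducibility


def parse_ldif(text):
    """Minimal LDIF reader: blank line separates entries, repeated attributes become lists."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        key, _, val = line.partition(": ")
        cur.setdefault(key, []).append(val)
    if cur:
        entries.append(cur)
    return entries


def gtime(value):
    """Parse LDAP GeneralizedTime (YYYYmmddHHMMSS[.ffffff]Z) into an aware UTC datetime."""
    value = value.rstrip("Z").split(".")[0]
    return datetime.strptime(value, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def audit(entry, now=NOW):
    """Return expiry and lockout state of one user entry under its effective policy."""
    policy_dn = entry.get("pwdPolicySubentry", [DEFAULT_POLICY])[0]
    p = POLICIES[policy_dn]
    status = {"dn": entry["dn"][0], "policy": policy_dn}

    changed = gtime(entry["pwdChangedTime"][0])
    if p["pwdMaxAge"] == 0:
        status["expires"], status["state"] = None, "never-expires"
    else:
        expires = changed + timedelta(seconds=p["pwdMaxAge"])
        remaining = (expires - now).total_seconds()
        status["expires"] = expires
        if remaining <= 0:
            status["state"] = "expired"
        elif remaining <= p["pwdExpireWarning"]:
            status["state"] = "expiring-soon"
        else:
            status["state"] = "ok"

    # Only failures inside pwdFailureCountInterval still count (0 = never purged).
    window = p["pwdFailureCountInterval"]
    failures = [gtime(v) for v in entry.get("pwdFailureTime", [])]
    recent = [f for f in failures if window == 0 or (now - f).total_seconds() < window]
    status["recent_failures"] = len(recent)

    locked = False
    if "pwdAccountLockedTime" in entry:
        raw = entry["pwdAccountLockedTime"][0]
        if raw == "000001010000Z":            # sentinel: administratively locked
            locked = True
        elif p["pwdLockoutDuration"] == 0:    # locked until an admin resets it
            locked = True
        else:                                 # temporary lock, expires after pwdLockoutDuration
            locked = (now - gtime(raw)).total_seconds() < p["pwdLockoutDuration"]
    status["locked"] = locked
    return status


def audit_all(text, now=NOW):
    """Audit every entry in an LDIF dump, keyed by DN."""
    return {s["dn"]: s for s in (audit(e, now) for e in parse_ldif(text))}


if __name__ == "__main__":
    for dn, s in audit_all(SAMPLE_LDIF).items():
        print(f"{dn}: {s['state']}, locked={s['locked']}, recent failures={s['recent_failures']}")
```

With the sample data, alice is inside the two-week pwdExpireWarning window, bob is temporarily locked after three failed binds within pwdFailureCountInterval, and svc-backup never expires because its pwdPolicySubentry points at the exemption policy. The pwdPolicySubentry attribute is how the overlay selects a per-user policy; listing entries that carry it is the quickest way to review who has been exempted.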
 
Old 07-06-2018, 01:26 AM   #6
ramkrishnan
LQ Newbie
 
Registered: Jul 2018
Posts: 5

Rep: Reputation: Disabled
ppolicy is not being enforced when I use the 'passwd' command

Does ppolicy work only with the 'ldappasswd' command?
My ppolicy is being enforced when I use the 'ldappasswd' command but not when I use the 'passwd' command.
The 'passwd' command however connects to the LDAP server settings only. It's just that the policy is not enforced.
Quote:
I am not sure if this password policy is completely server side or a client side configuration is required. (pam_lookup_policy yes in ldap.conf?)

Last edited by ramkrishnan; 07-06-2018 at 01:29 AM.
 
Old 07-06-2018, 06:28 AM   #7
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,634

Rep: Reputation: 7965
Quote:
Originally Posted by ramkrishnan
Does ppolicy work only with the 'ldappasswd' command?
My ppolicy is being enforced when I use the 'ldappasswd' command but not when I use the 'passwd' command. The 'passwd' command however connects to the LDAP server settings only. It's just that the policy is not enforced.
You need to read the LQ Rules and the "Question Guidelines"; you have:
  • Reopened a thread that had been closed for FOUR YEARS
  • Hijacked it with your own question
  • Not provided ANY useful details that would let us help you
Open your own thread for your own question, and when you do, provide the details (such as what you've done/tried, the version/distro of Linux, etc.). And did you read the man pages on the passwd command, and what it does? Mainly...it is for LOCAL accounts? If you're using LDAP, that's where things are set, obviously.

Last edited by TB0ne; 07-06-2018 at 06:48 AM.
 
Old 07-06-2018, 06:36 AM   #8
ramkrishnan
LQ Newbie
 
Registered: Jul 2018
Posts: 5

Rep: Reputation: Disabled
Quote:
You need to read the LQ Rules and the "Question Guidelines"; you have:
  • Reopened a thread that had been closed for FOUR YEARS
  • Hijacked it with your own question
  • Not provided ANY useful details that would let us help you
Open your own thread for your own question, and when you do, provide the details (such as what you've done/tried, the version/distro of Linux, etc.).
Please respond to this:
https://www.linuxquestions.org/quest...27-4175633389/
 
Old 07-06-2018, 06:49 AM   #9
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,634

Rep: Reputation: 7965
Quote:
Originally Posted by ramkrishnan
AGAIN, you need to read the LQ Rules; DO NOT CROSS POST things.
 