So, a couple other things:

# module{1}, config
dn: cn=module{1},cn=config
objectClass: olcModuleList
cn: module{1}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}ppolicy

root@ldap1:~# ls -l /usr/lib/ldap/check_password.so
-rwxr-xr-x 1 openldap openldap 63970 Feb 27 18:43 /usr/lib/ldap/check_password.so

Don't think it's the config file, either:

root@ldap1:~# ls -l /etc/ldap/check_password.conf
-rw-r--r-- 1 openldap openldap 104 Feb 27 18:10 /etc/ldap/check_password.conf
root@ldap1:~# ls -ld /etc/ldap
drwxr-xr-x 5 root root 4096 Feb 27 18:07 /etc/ldap

I continue to be stumped :(

On 2/27/13 1:14 PM, "Clément OUDOT" <[email protected]> wrote:
>2013/2/27 Jonathan Disher <[email protected]>:
>> I have an Ubuntu box running OpenLDAP 2.4.28 and the ppolicy overlay
>> configured, and I'm trying to use check_password to validate password
>> complexity. For some reason, it doesn't look like it is even getting
>> executed. When I try to change my password to something that should be
>> valid, I get this (I'm running slapd by hand in d any mode):
>>
>> 512e5428 send_ldap_result: conn=1008 op=2 p=3
>> 512e5428 send_ldap_result: err=19 matched="" text="Password fails quality checking policy"
>> 512e5428 send_ldap_response: msgid=3 tag=103 err=19
>>
>> However, I get no logging from check_password.so anywhere, not in syslog,
>> not to the console, even though I compiled it with DDEBUG.
>>
>> My config file is:
>>
>> useCracklib 1
>> minPoints 3
>> minUpper 0
>> minLower 0
>> minDigit 0
>> minPunct 0
>>
>> My password policy is:
>>
>> dn: cn=default,ou=policies,dc=bluekai,dc=com
>> cn: default
>> objectClass: device
>> objectClass: pwdPolicy
>> objectClass: pwdPolicyChecker
>> objectClass: top
>> pwdAllowUserChange: TRUE
>> pwdAttribute: userPassword
>> pwdCheckModule: check_password.so
>> pwdCheckQuality: 2
>> pwdMustChange: TRUE
>> structuralObjectClass: device
>> pwdSafeModify: FALSE
>> pwdLockout: TRUE
>> pwdLockoutDuration: 3600
>> pwdMaxFailure: 5
>> pwdFailureCountInterval: 600
>> pwdMinLength: 8
>>
>> One of the passwords I tried to use, fwiw, is 'Pa55w0rd', which should be
>> valid. I also tried to use a bunch of other, longer, more complicated
>> passwords.
>>
>> Any ideas?
>
>
>You should check if check_password.so is executable by OpenLDAP user,
>and check the module_path (or olcModulePath) OpenLDAP configuration
>parameter.
>
>Clément.
_______________________________________________
ltb-users mailing list
[email protected]
http://lists.ltb-project.org/listinfo/ltb-users
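
The manual `ls -l` / `ls -ld` checks in this thread can be scripted. The following is an added example, not part of the original messages or of the LTB project's code: it reports whether a given account's mode bits allow reading the module and its config file and traversing every parent directory. The function names are hypothetical, and the account name `openldap` is assumed from the ownership shown in the `ls` output.

```python
import os
import pwd

def may(path, uid, gids, want):
    """True if the mode bits on path grant want ('r' or 'x') to a non-root uid.
    ACLs and MAC policy (AppArmor, SELinux) are not modelled."""
    st = os.stat(path)
    shift = 6 if st.st_uid == uid else 3 if st.st_gid in gids else 0
    return bool((st.st_mode >> shift) & {"r": 4, "x": 1}[want])

def diagnose(module_dir, module_name, conf_path, uid, gids):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for target in (os.path.join(module_dir, module_name), conf_path):
        target = os.path.abspath(target)
        if not os.path.isfile(target):
            findings.append(f"missing: {target}")
            continue
        # The daemon needs search (x) permission on every parent directory,
        # which is what the `ls -ld /etc/ldap` in the message is checking.
        parent = os.path.dirname(target)
        while True:
            msg = f"cannot traverse: {parent}"
            if not may(parent, uid, gids, "x") and msg not in findings:
                findings.append(msg)
            if parent == os.path.dirname(parent):  # reached the root
                break
            parent = os.path.dirname(parent)
        if not may(target, uid, gids, "r"):
            findings.append(f"not readable: {target}")
    return findings

if __name__ == "__main__":
    # Paths are the ones quoted in the thread; the account name "openldap"
    # is an assumption taken from the file ownership in the ls output.
    user = pwd.getpwnam("openldap")
    groups = set(os.getgrouplist(user.pw_name, user.pw_gid))
    problems = diagnose("/usr/lib/ldap", "check_password.so",
                        "/etc/ldap/check_password.conf", user.pw_uid, groups)
    print("\n".join(problems) or "file permissions look fine")
```

An empty result only rules out plain Unix permissions; it says nothing about whether slapd actually loads the module.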