Nevermind, I figured out my problem. I am using LDAP Account Manager (www.ldap-account-manager.org), and trying to use their self-service tool to let people change their own passwords. The problem was that the tool was presenting a pre-SSHA crypted password to the module, which obviously won't fly.
If I change the self-service tool to send PLAIN (but leave the default password storage as SSHA), it goes through the check_password module, and gets stored as an SSHA hash:

Feb 27 23:25:53 ldap1 slapd[29447]: check_password: Found punctuation character - quality raise 1
Feb 27 23:25:53 ldap1 slapd[29447]: check_password: Found upper character - quality raise 2
Feb 27 23:25:53 ldap1 slapd[29447]: check_password: Found digit character - quality raise 3
Feb 27 23:25:53 ldap1 slapd[29447]: check_password: Found lower character - quality raise 4
Feb 27 23:25:53 ldap1 slapd[29447]: check_password: Cracklib verification disabled by configuration

Sorry for the runaround (but maybe someone else will find it useful), and thanks!

-j

On 2/27/13 2:10 PM, "Jonathan Disher" <[email protected]> wrote:

>So, a couple other things:
>
># module{1}, config
>dn: cn=module{1},cn=config
>objectClass: olcModuleList
>cn: module{1}
>olcModulePath: /usr/lib/ldap
>olcModuleLoad: {0}ppolicy
>
>root@ldap1:~# ls -l /usr/lib/ldap/check_password.so
>-rwxr-xr-x 1 openldap openldap 63970 Feb 27 18:43 /usr/lib/ldap/check_password.so
>
>Don't think it's the config file, either:
>
>root@ldap1:~# ls -l /etc/ldap/check_password.conf
>-rw-r--r-- 1 openldap openldap 104 Feb 27 18:10 /etc/ldap/check_password.conf
>root@ldap1:~# ls -ld /etc/ldap
>drwxr-xr-x 5 root root 4096 Feb 27 18:07 /etc/ldap
>
>I continue to be stumped :(
>
>On 2/27/13 1:14 PM, "Clément OUDOT" <[email protected]> wrote:
>
>>2013/2/27 Jonathan Disher <[email protected]>:
>>> I have an Ubuntu box running OpenLDAP 2.4.28 and the ppolicy overlay
>>> configured, and I'm trying to use check_password to validate password
>>> complexity. For some reason, it doesn't look like it is even getting
>>> executed. When I try to change my password to something that should be
>>> valid, I get this (I'm running slapd by hand in -d any mode):
>>>
>>> 512e5428 send_ldap_result: conn=1008 op=2 p=3
>>> 512e5428 send_ldap_result: err=19 matched="" text="Password fails quality checking policy"
>>> 512e5428 send_ldap_response: msgid=3 tag=103 err=19
>>>
>>> However, I get no logging from check_password.so anywhere, not in syslog,
>>> not to the console, even though I compiled it with -DDEBUG.
>>>
>>> My config file is:
>>>
>>> useCracklib 1
>>> minPoints 3
>>> minUpper 0
>>> minLower 0
>>> minDigit 0
>>> minPunct 0
>>>
>>> My password policy is:
>>>
>>> dn: cn=default,ou=policies,dc=bluekai,dc=com
>>> cn: default
>>> objectClass: device
>>> objectClass: pwdPolicy
>>> objectClass: pwdPolicyChecker
>>> objectClass: top
>>> pwdAllowUserChange: TRUE
>>> pwdAttribute: userPassword
>>> pwdCheckModule: check_password.so
>>> pwdCheckQuality: 2
>>> pwdMustChange: TRUE
>>> structuralObjectClass: device
>>> pwdSafeModify: FALSE
>>> pwdLockout: TRUE
>>> pwdLockoutDuration: 3600
>>> pwdMaxFailure: 5
>>> pwdFailureCountInterval: 600
>>> pwdMinLength: 8
>>>
>>> One of the passwords I tried to use, fwiw, is 'Pa55w0rd', which should be
>>> valid. I also tried to use a bunch of other, longer, more complicated
>>> passwords.
>>>
>>> Any ideas?
>>
>>
>>You should check if check_password.so is executable by OpenLDAP user,
>>and check the module_path (or olcModulePath) OpenLDAP configuration
>>parameter.
>>
>>Clément.
>
>_______________________________________________
>ltb-users mailing list
>[email protected]
>http://lists.ltb-project.org/listinfo/ltb-users
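As an added illustration of the root cause discussed in this thread (this is not code from the thread, from LDAP Account Manager, or from the OpenLDAP check_password module), the model below scores a candidate password the way the slapd log above describes it, with punctuation, upper, digit and lower characters each raising the quality by one point, compares the result against a check_password.conf-style configuration using the same keys as the quoted file, and refuses any value that already carries a storage-scheme prefix such as {SSHA}, since a client that hashes before sending leaves the server nothing to check. The minimum length of 8 mirrors pwdMinLength in the quoted policy; cracklib is not modelled, and the sample configuration and candidate values are constructed for this example.

```python
import re
import string

# Constructed sample configuration using the same keys as the
# check_password.conf quoted in the thread (cracklib is not modelled here).
SAMPLE_CONF = """\
useCracklib 0
minPoints 3
minUpper 0
minLower 0
minDigit 0
minPunct 0
"""

# A leading "{SCHEME}" marks a value the client already hashed
# (for example "{SSHA}..."), so its quality cannot be checked server-side.
_SCHEME_PREFIX = re.compile(r"^\{[A-Za-z0-9-]+\}")

# Character classes reported in the slapd log, mapped to their config keys.
_CLASS_KEYS = {
    "punctuation": "minPunct",
    "upper": "minUpper",
    "digit": "minDigit",
    "lower": "minLower",
}


def parse_conf(text):
    """Parse 'key value' lines of a check_password.conf-style file into ints."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf[key] = int(value.strip())
    return conf


def count_classes(password):
    """Count characters per class; each non-empty class raises quality by one."""
    return {
        "punctuation": sum(c in string.punctuation for c in password),
        "upper": sum(c.isupper() for c in password),
        "digit": sum(c.isdigit() for c in password),
        "lower": sum(c.islower() for c in password),
    }


def quality(password):
    """Number of distinct character classes present (the log's 'quality raise')."""
    return sum(1 for n in count_classes(password).values() if n > 0)


def check_password(password, conf, min_length=8):
    """Return (accepted, reason); min_length mirrors pwdMinLength in the policy."""
    if _SCHEME_PREFIX.match(password):
        # This is the situation the self-service tool created: a pre-hashed
        # value arrives and there is no cleartext to score, so it is rejected.
        return False, "Password fails quality checking policy (pre-hashed value)"
    if len(password) < min_length:
        return False, f"shorter than pwdMinLength {min_length}"
    counts = count_classes(password)
    for cls, key in _CLASS_KEYS.items():
        if counts[cls] < conf.get(key, 0):
            return False, f"fewer than {conf[key]} {cls} characters"
    points = quality(password)
    if points < conf.get("minPoints", 0):
        return False, f"quality {points} below minPoints {conf['minPoints']}"
    return True, f"quality {points}"


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    # Constructed candidates: the thread's 'Pa55w0rd', a pre-hashed value,
    # a single-class word and a too-short string.
    for candidate in ("Pa55w0rd", "{SSHA}c29tZWhhc2hlZHZhbHVl", "password", "Pa5"):
        print(candidate, "->", check_password(candidate, conf))
```

Running it shows 'Pa55w0rd' accepted with quality 3 (upper, digit and lower present, no punctuation), while the {SSHA} value is rejected before any scoring happens, which is the same outcome the thread reports once the self-service tool was switched to send PLAIN and let the server hash the password itself.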
