2014-02-25 18:47 GMT+01:00 G.Pitman <[email protected]>:

> Hello,
>

Hi,

> I have a new RHEL 6.5 "basic install" server on which I have installed:
>
> Feb 24 16:29:28 Installed: berkeleydb-ltb-4.6.21.NC-4.el6.patch4.x86_64
> Feb 24 16:29:28 Installed: libtool-ltdl-2.2.6-15.5.el6.x86_64
> Feb 24 16:29:31 Installed: openldap-ltb-2.4.39-2.el6.x86_64
> Feb 24 16:29:31 Installed: openldap-ltb-check-password-1.1-8.el6.x86_64
> Feb 25 08:32:02 Installed: openldap-clients-2.4.23-34.el6_5.1.x86_64
> Feb 25 10:11:53 Installed:
> openldap-ltb-contrib-overlays-2.4.39-2.el6.x86_64
> Feb 25 10:11:56 Installed: openldap-ltb-debuginfo-2.4.39-2.el6.x86_64
>
> I was able to get my database copied over using
> /usr/local/openldap/sbin/slapadd and got my configuration matching our old
> server. This new server seems to be acting just as the old server did and
> the test policies are working.
>
> I copied check_password.so from
> /usr/local/openldap/lib64/check_password.so to
> /usr/local/openldap/libexec/openldap where my slapd.conf is told to look
> for modules. It has 755 mode bits.
>
>

Why?
You should rather configure modulepath to include /usr/local/openldap/lib64/

> This is my test policy;
>
> # extended LDIF
> #
> # LDAPv3
> # base <ou=Policies,dc=test,dc=com> with scope subtree
> # filter: cn=test
> # requesting: ALL
> #
>
> # test, Policies, test.com
> dn: cn=test,ou=Policies,dc=test,dc=com
> cn: test
> objectClass: pwdPolicy
> objectClass: person
> objectClass: top
> objectClass: pwdPolicyChecker
> pwdAllowUserChange: TRUE
> pwdAttribute: userPassword
> pwdFailureCountInterval: 300
> pwdGraceAuthNLimit: 3
> pwdLockout: TRUE
> pwdLockoutDuration: 300
> pwdMaxFailure: 5
> pwdMinAge: 0
> pwdMustChange: TRUE
> pwdSafeModify: FALSE
> sn: dummy value
> pwdCheckQuality: 0
> pwdInHistory: 0
> pwdExpireWarning: 36000
> pwdMaxAge: 0
> pwdMinLength: 8
> pwdCheckModule: check_password.so
>
> and my test user is assigned to this policy:
>
> # gpitman2, People, test.com
> dn: uid=gpitman2,ou=People,dc=test,dc=com
> pwdPolicySubentry: cn=test,ou=Policies,dc=test,dc=com
> structuralObjectClass: inetOrgPerson
> entryUUID: dad5e8e4-3271-1033-964e-4fa41b17c517
> creatorsName: cn=Manager,dc=test,dc=com
> createTimestamp: 20140225140707Z
> pwdChangedTime: 20140225170348Z
> entryCSN: 20140225170348.395103Z#000000#000#000000
> modifiersName: uid=gpitman2,ou=People,dc=test,dc=com
> modifyTimestamp: 20140225170348Z
> entryDN: uid=gpitman2,ou=People,dc=test,dc=com
> subschemaSubentry: cn=Subschema
> hasSubordinates: FALSE
>
> /usr/local/openldap/etc/openldap/check_password.conf contains:
> minPoints 3
> useCracklib 1
> minUpper 1
> minLower 1
> minDigit 1
> minPunct 1
>
> I am not seeing anything regarding the check_policy.so module in the logs
> with loglevel set to -1 and I am able to set weak passwords.
>
>
> also looks like cracklib is installed
> cracklib.x86_64 2.8.16-4.el6
> @anaconda-RedHatEnterpriseLinux-201111171049.x86_64/6.2
> cracklib-dicts.x86_64 2.8.16-4.el6
> @anaconda-RedHatEnterpriseLinux-201111171049.x86_64/6.2
>
>
> Any advice would be great!
>

Check pwdCheckQuality parameter documentation. If you set it to 0, no check is done.

Clément.
_______________________________________________
ltb-users mailing list
[email protected]
http://lists.ltb-project.org/listinfo/ltb-users
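Added example (not part of the original thread and not LTB project code): a small audit over exported pwdPolicy LDIF that flags the situation described above, where pwdCheckModule is configured but pwdCheckQuality is 0 or absent, so the module is never invoked. The pwdMinLength finding follows the slapo-ppolicy(5) wording that the minimum length applies when syntax checking is enabled. The sample LDIF is constructed from the attributes quoted in the thread, the "cn=strict" entry is hypothetical, and the function names are illustrative.

```python
# Constructed sample: first entry mirrors the policy in the thread,
# second entry is a hypothetical policy with quality checking enabled.
SAMPLE_LDIF = """\
dn: cn=test,ou=Policies,dc=test,dc=com
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
pwdAttribute: userPassword
pwdCheckQuality: 0
pwdMinLength: 8
pwdCheckModule: check_password.so

dn: cn=strict,ou=Policies,dc=test,dc=com
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdMinLength: 8
pwdCheckModule: check_password.so
"""

def parse_ldif(text):
    """Parse plain 'attr: value' LDIF (no base64 values, no folded lines)."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue  # skip ldapsearch comments and malformed lines
            attr, value = line.split(": ", 1)
            entry.setdefault(attr.lower(), []).append(value.strip())
        if "dn" in entry:
            entries.append(entry)
    return entries

def audit_policy(entry):
    """Return findings for one entry; non-pwdPolicy entries yield none."""
    findings = []
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if "pwdpolicy" not in classes:
        return findings
    # An absent pwdCheckQuality behaves like 0: no syntax checking is done.
    quality = int(entry.get("pwdcheckquality", ["0"])[0])
    module = entry.get("pwdcheckmodule")
    if quality == 0:
        if module:
            findings.append(f"pwdCheckQuality is 0: {module[0]} is never called")
        if int(entry.get("pwdminlength", ["0"])[0]) > 0:
            findings.append("pwdCheckQuality is 0: pwdMinLength is not enforced")
    return findings

def audit(text):
    """Map each entry DN to its list of findings."""
    return {e["dn"][0]: audit_policy(e) for e in parse_ldif(text)}
```

Feed it the output of an ldapsearch over the policy container; an empty list for a DN means neither condition was found.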
