2013/9/10 Jacques Foucry <[email protected]>

> Hello experts,
>
> I tried to enable ppolicy on a test openldap server.
>
> As I read, I first created an OU policies with the default cn
>
> # LDIF Export for cn=default,ou=policies,dc=example,dc=com
> # Server: My Slave LDAP Server (ldap://localhost)
> # Search Scope: base
> # Search Filter: (objectClass=*)
> # Total Entries: 1
> #
> # Generated by phpLDAPadmin (http://phpldapadmin.sourceforge.net) on September 10, 2013 2:10 pm
> # Version: 1.2.0.5
>
> version: 1
>
> # Entry 1: cn=default,ou=policies,dc=example,dc=com
> dn: cn=default,ou=policies,dc=example,dc=com
> cn: default
> objectclass: top
> objectclass: device
> objectclass: pwdPolicy
> objectclass: pwdPolicyChecker
> pwdallowuserchange: TRUE
> pwdattribute: userPassword
> pwdcheckmodule: mmc-check-password.so
> pwdcheckquality: 0
> pwdexpirewarning: 600
> pwdfailurecountinterval: 0
> pwdgraceauthnlimit: 5
> pwdinhistory: 5
> pwdlockout: TRUE
> pwdlockoutduration: 0
> pwdmaxage: 90
> pwdmaxfailure: 5
> pwdminlength: 8
> pwdmustchange: TRUE
> pwdsafemodify: FALSE
>
> and added it to my base.
>
> I also added the ppolicy schema, the module load and the overlay:
>
> include /etc/ldap/schema/ppolicy.schema
>
> moduleload ppolicy.la
>
> overlay ppolicy
> ppolicy_default "cn=default,ou=policies,dc=example,dc=com"
> ppolicy_hash_cleartext
> ppolicy_use_lockout
>
> In /etc/ldap/ldap.conf I changed
> pam_lookup_policy yes
>
> I restarted slapd and changed my own client to use my test openldap
> server. And it seemed to be working.
>
> But suddenly I was not able to do a sudo, change my passwd or log in in
> another session.
>
> I checked the log of my server and found
>
> Sep 10 16:17:22 ldap-slave slapd[1672]: conn=1075 op=1 ENTRY dn="cn=jacques foucry,ou=people,dc=example,dc=com"
> Sep 10 16:17:22 ldap-slave slapd[1672]: conn=1075 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
> Sep 10 16:17:22 ldap-slave slapd[1672]: conn=1075 op=2 BIND dn="cn=Jacques Foucry,ou=People,dc=example,dc=com" method=128
> Sep 10 16:17:22 ldap-slave slapd[1672]: conn=1075 op=2 BIND dn="cn=Jacques Foucry,ou=People,dc=example,dc=com" mech=SIMPLE ssf=0
> Sep 10 16:17:22 ldap-slave slapd[1672]: ppolicy_bind: Entry cn=Jacques Foucry,ou=People,dc=example,dc=com has an expired password: 0 grace logins
> Sep 10 16:17:22 ldap-slave slapd[1672]: conn=1075 op=2 RESULT tag=97 err=49 text=
> Sep 10 16:17:22 ldap-slave slapd[1672]: conn=1075 op=3 BIND anonymous mech=implicit ssf=0
> Sep 10 16:17:22 ldap-slave slapd[1672]: conn=1075 op=3 BIND dn="" method=128
> Sep 10 16:17:22 ldap-slave slapd[1672]: conn=1075 op=3 RESULT tag=97 err=0 text=
>
> So I added some attributes to my user. First the OU pwdPolicy (with
> userPassword as attribute), then pwdAllowUserChange, pwdGraceAuthNLimit (and
> put 7 on it), PwdLockout (false), pwdLockoutDuration (0), pwdMustChange (true),
> pwdSafeModify (true).
>
> I still have the same error.
>
> So there is something I misunderstood.
>
> Can someone explain what's wrong and how I can correct it?
You configured:

pwdmaxage: 90

Means after 90 seconds, your password is expired. Change this to a better value.

Clément.
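The unit mistake Clément points out (ppolicy time attributes are counted in seconds) is easy to catch before it locks anyone out. The following added example, which is not from the thread, parses the pwdPolicy LDIF from the question (embedded as constructed input) and prints every time-valued attribute in human-readable units, warning when pwdMaxAge is under a day or pwdExpireWarning is not smaller than pwdMaxAge.

```python
# Added example (not from the thread): lint an OpenLDAP pwdPolicy entry for
# unit mistakes. "pwdmaxage: 90" means 90 seconds, not 90 days.

# Constructed input: the cn=default entry from the question, trimmed to the
# attributes the checks below look at.
SAMPLE_LDIF = """\
dn: cn=default,ou=policies,dc=example,dc=com
objectclass: pwdPolicy
pwdexpirewarning: 600
pwdlockoutduration: 0
pwdmaxage: 90
"""

# Time-valued ppolicy attributes (all in seconds).
TIME_ATTRS = ("pwdmaxage", "pwdminage", "pwdexpirewarning",
              "pwdlockoutduration", "pwdfailurecountinterval")

def parse_ldif(text: str) -> dict:
    """Parse one LDIF entry into {lowercased attribute: value}; joins RFC 2849
    continuation lines (leading space) and skips comment lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    return {k.strip().lower(): v.strip()
            for k, _, v in (ln.partition(":") for ln in lines)}

def humanize(seconds: int) -> str:
    """Render seconds as d/h/m/s so 90 and 7776000 (90 days) look different."""
    days, rem = divmod(seconds, 86400)
    hours, rem = divmod(rem, 3600)
    minutes, secs = divmod(rem, 60)
    return f"{days}d {hours}h {minutes}m {secs}s"

def lint_policy(entry: dict) -> list:
    """Return findings for a parsed pwdPolicy entry."""
    times = {a: int(entry[a]) for a in TIME_ATTRS if a in entry}
    findings = [f"{a} = {s}s ({humanize(s)})" for a, s in times.items()]
    max_age = times.get("pwdmaxage", 0)
    if 0 < max_age < 86400:
        findings.append(f"WARNING: pwdMaxAge {max_age}s is under one day; "
                        "the value is in seconds, not days")
    if max_age and times.get("pwdexpirewarning", 0) >= max_age:
        findings.append("WARNING: pwdExpireWarning is not smaller than "
                        "pwdMaxAge, so the warning fires as soon as a password is set")
    return findings

print("\n".join(lint_policy(parse_ldif(SAMPLE_LDIF))))
```

Running it against the posted policy reports pwdmaxage as 0d 0h 1m 30s, which is the lockout the original poster hit; 90 days would be 7776000.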
