
Question: Why am I failing to add the objectclass pwdPolicy to cn=PasswordDefaults?


Background Information

I am new to LDAP and I'm stumbling through various tutorials and other tips online to create a directory that will handle user information for me. I'm trying to create an LDAP server that will contain user information and enforce a password policy. To achieve this, I believe that I need to add the pwdPolicy objectclass to ou=Policies on my LDAP server running 2.4.40. I'm loosely following these tutorials:

- Password Policy tutorial: https://tobrunet.ch/articles/openldap-password-policy-overlay/
- Getting started with OpenLDAP and CentOS7: https://www.server-world.info/en/note?os=CentOS_7&p=openldap&f=1
- Default and User Specific Password Policy: http://www.zytrax.com/books/ldap/ch6/ppolicy.html

I have a directory laid out like this:

-> Root stuff
  -> dc=example,dc=com
    -> cn=Manager (The olcRootDN)
    -> ou=User
       -> *Several entries with objectClasses {posixAccount, shadowAccount, inetOrgPerson}*
    -> ou=Policies (Not sure if this is here because not visible in Apache Directory Studio)
       -> cn=passwordDefault

Here is what I have done to try to use the ppolicy.

Steps 1-3 loosely follow commands from the "OpenLDAP with OLC" section of the OpenLDAP Password Policy overlay tutorial.

Step 1: Load the ppolicy schema into the OLC with this command:

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/ppolicy.ldif

Understanding of Step 1: adds cn={5}ppolicy.ldif to /.../slapd.d/cn=config/cn=schema

Step 2: Load the module with this command:

ldapadd -D "cn=config" -W -f addPpolicyOverlay.ldif

contents of addPpolicyOverlay.ldif

dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModuleLoad: ppolicy.la

Understanding of Step 2: adds cn=module{0}.ldif to /.../slapd.d/cn=config.

Step 3: Configure the ppolicy overlay with this command:

ldapadd -D "cn=config" -W -f configurePpolicyOverlay.ldif

contents of configurePpolicyOverlay.ldif

dn: olcOverlay=ppolicy,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=passwordDefault,ou=Policies,dc=example,dc=com
olcPPolicyHashCleartext: FALSE
olcPPolicyUseLockout: FALSE
olcPPolicyForwardUpdates: FALSE

Understanding of Step 3: Makes a database and uses the ppolicy overlay. Makes ou=Policies in my domain dc=example,dc=com. I am unable to explore ou=Policies in Apache Directory Studio even though I believe it exists in dc=example,dc=com.

Questions about Step 3: Do I now have a working default password policy?

Step 4: Fails to add the pwdPolicy objectclass to olcOverlay={0}ppolicy with this command:

ldapmodify -a -D "cn=config" -W -f configureDefaultPpolicy.ldif

Error: ldapmodify: invalid format (line 5) entry: "olcOverlay={0}ppolicy,cn=olcDatabase={2}hdb,cn=config"

contents of configureDefaultPpolicy.ldif

dn: olcOverlay={0}ppolicy,cn=oldDatabase={2}hdb,cn=config]
changetype: modify
olcObjectClasses: pwdPolicy
cn=passwordDefault,ou=Policies,dc=example,dc=com
pwdAttribute: userPassword
pwdAllowUserChange: TRUE
pwdInHistory: 50
pwdMaxFailure: 3
pwdMinLength: 8

Questions about Step 4: http://i.imgur.com/80yPJVG.jpg (Not trusted enough to embed pictures :( )

hededo

1 Answer

Understanding of Step 3: Makes a database and uses the ppolicy overlay. Makes ou=Policies in my domain dc=example,dc=com. I am unable to explore ou=Policies in Apache Directory Studio even though I believe it exists in dc=example,dc=com.

It does not create anything in the database dc=example,dc=com; it just sets some configuration for the ppolicy overlay used by this database.

Questions about Step 3: Do I now have a working default password policy?

No, as per your tutorial, you have to create these branches in the database dc=example,dc=com to be able to put a ppolicy in them:

It is not to be put in cn=config but in the database dc=example,dc=com.

dn: ou=Policies,dc=example,dc=com
ou: Policies
objectClass: organizationalUnit

dn: cn=passwordDefault,ou=Policies,dc=example,dc=com
objectClass: pwdPolicy
objectClass: person
objectClass: top
cn: passwordDefault
sn: passwordDefault
pwdAttribute: userPassword
pwdCheckQuality: 0
pwdMinAge: 0
pwdMaxAge: 0
pwdMinLength: 8
pwdInHistory: 5
pwdMaxFailure: 3
pwdFailureCountInterval: 0
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdAllowUserChange: TRUE
pwdExpireWarning: 0
pwdGraceAuthNLimit: 0
pwdMustChange: FALSE
pwdSafeModify: FALSE

For the question about step 4, I am not able to see imgur images behind my professional proxy, but the fact that you try to import the ppolicy into cn=config should be the main problem.

Esteban

Comments:

- So I added the ldif above to dc=example,dc=com. Now do my users in ou=user,dc=example,dc=com obey the rules set in ou=Policies,dc=example,dc=com? – hededo May 17 '17 at 00:24
- It appears to have worked because I have locked out an account. Is there a way to tell if a user has been locked out or needs to change its password? – hededo May 17 '17 at 00:28
- @hededo [See this](http://www.zytrax.com/books/ldap/ch6/ppolicy.html#operationalattributes) for more information about what you can find in the user entry – Esteban May 17 '17 at 06:44
- @hededo How were you logging in when locking out an account? Did you use ldappasswd binding as a user? Which object class do your user accounts have in the database? – Sergey Shcherbakov Dec 01 '17 at 16:25
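The answer and the follow-up comments leave the practical question open: once cn=passwordDefault is in place and pwdLockout is TRUE, how does an administrator tell from the user entry whether an account is locked or its password has expired? The ppolicy overlay records this in operational attributes (pwdChangedTime, pwdFailureTime, pwdAccountLockedTime, pwdReset), which a plain ldapsearch omits unless you ask for them with the `+` attribute selector. The script below is an added example, not code from the thread or from OpenLDAP: it parses a constructed LDIF entry for a hypothetical user uid=alice (not real ldapsearch output), evaluates it against the policy values from the accepted answer, and emits the ldapmodify LDIF that clears the lock. The pwdLockoutDuration=0 / pwdMaxAge=0 handling follows the ppolicy semantics that 0 means "until an administrator intervenes" and "never expires" respectively.

```python
"""Interpret ppolicy operational attributes on a user entry (added example).

Fetch the real attributes with something like:
  ldapsearch -x -D cn=Manager,dc=example,dc=com -W \
      -b ou=User,dc=example,dc=com '(uid=alice)' '+'
The '+' selector requests operational attributes, which are hidden by default.
SAMPLE_LDIF below is CONSTRUCTED to look like that output; it is not captured
from a server, and uid=alice is a hypothetical account.
"""
from datetime import datetime, timedelta, timezone

# Policy values taken from the cn=passwordDefault entry in the accepted answer.
POLICY = {"pwdMaxAge": 0, "pwdLockoutDuration": 0, "pwdMaxFailure": 3}

# Constructed sample entry: three failed binds at 00:10, then the lock stamp.
SAMPLE_LDIF = """\
dn: uid=alice,ou=User,dc=example,dc=com
uid: alice
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
pwdChangedTime: 20170101120000Z
pwdFailureTime: 20170517001001Z
pwdFailureTime: 20170517001005Z
pwdFailureTime: 20170517001009Z
pwdAccountLockedTime: 20170517001009Z
"""

# ppolicy's sentinel meaning "locked by an administrator, never auto-unlocks".
ADMIN_LOCK = "000001010000Z"


def parse_ldif_entry(text):
    """Minimal LDIF reader for a single entry: {attribute: [values]}.
    Joins folded continuation lines (leading space) and skips comments."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    attrs = {}
    for line in lines:
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs


def parse_gtime(value):
    """GeneralizedTime as slapd writes it: YYYYmmddHHMMSSZ (UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def account_status(attrs, policy, now):
    """Decide whether the account is locked / must change password right now."""
    status = {
        "locked": False,
        "locked_until": None,
        "failures": len(attrs.get("pwdFailureTime", [])),
        "must_change": attrs.get("pwdReset", ["FALSE"])[0] == "TRUE",
        "password_expired": False,
    }
    locked = attrs.get("pwdAccountLockedTime")
    if locked:
        if locked[0] == ADMIN_LOCK or policy["pwdLockoutDuration"] == 0:
            status["locked"] = True  # only an admin can clear this one
        else:
            until = parse_gtime(locked[0]) + timedelta(seconds=policy["pwdLockoutDuration"])
            status["locked"] = now < until
            status["locked_until"] = until
    changed = attrs.get("pwdChangedTime")
    if changed and policy["pwdMaxAge"] > 0:
        expires = parse_gtime(changed[0]) + timedelta(seconds=policy["pwdMaxAge"])
        status["password_expired"] = now >= expires
    return status


def unlock_ldif(dn):
    """LDIF for ldapmodify that clears the lock and the failure counter."""
    return (f"dn: {dn}\nchangetype: modify\n"
            "delete: pwdAccountLockedTime\n-\n"
            "delete: pwdFailureTime\n")


def evaluate_sample(lockout_duration=0, now="20170517003000Z"):
    """Run the sample entry through account_status with an adjusted policy."""
    policy = dict(POLICY, pwdLockoutDuration=lockout_duration)
    return account_status(parse_ldif_entry(SAMPLE_LDIF), policy, parse_gtime(now))


if __name__ == "__main__":
    print(evaluate_sample())
    print(unlock_ldif("uid=alice,ou=User,dc=example,dc=com"))
```

With the answer's policy (pwdLockoutDuration 0) the sample account stays locked until the admin runs the generated unlock LDIF; change the policy entry's pwdLockoutDuration to, say, 900 and the same entry reports unlocked once fifteen minutes have passed since pwdAccountLockedTime.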