Howto: ppolicy & openldap

October 19th, 2007 by andylockran Leave a reply »

Well, I couldn't find a coherent howto on the internet, and since my LDAP replication post is currently the most-viewed page on the blog this month, I thought I'd do a bit more technical documentation.

I know that in many cases, ‘reading the manual’ can be a very annoying way of learning, but I’ve always read it at least once. With ppolicy & openldap you’ll get nowhere without RTFM, so please make sure you leave yourself time to go through it.

http://linux.die.net/man/5/slapo-ppolicy

OpenLDAP is a beast, but it can be a very friendly beast. Like the beast out of Beauty and the Beast, it reacts differently to different people. Were you Belle – then you’ll have no problems (notice how Belle reads books) but were you to be Gaston (who uses force & brute strength) the beast isn’t going to like you.

I'm assuming you already have a working OpenLDAP setup (including user authentication through PAM). If you haven't, there are some quite good howtos for starting off. If you want advice, please comment rather than send me an email, so that other people can learn from both your questions and the answers provided (not just by me, but by other commenters).

The best thing to do first is to make sure you have decent RPMs. See THIS POST for how to get them set up on CentOS/RHEL. If you're using another distribution, make sure its packages have a good reputation for working.

ppolicy.la is the overlay module file and is installed in /usr/lib/openldap/ (on CentOS/RHEL it ships in the openldap-servers-overlays package, so install that if the file is missing). It's a good idea to check it's there. The other thing to do is to copy ppolicy.schema into the /etc/openldap/schema/ directory and make sure all the attributes you need are uncommented (pwdReset was commented out by default in my copy, and I didn't realise). Read through the schema file too; it documents what each attribute means.

In slapd.conf, add the schema include next to the other include lines near the top (it must come before any database section), then load the module:

include /etc/openldap/schema/ppolicy.schema
modulepath /usr/lib/openldap
moduleload ppolicy.la

Without the include slapd does not know the pwdPolicy objectClass, and adding the policy entry later fails with "Invalid syntax (21) ... objectClass: value #2 invalid per syntax".


Then add the following after the database section it applies to (overlay directives attach to the database they follow):

overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=example,dc=com"
ppolicy_use_lockout

Two caveats. ppolicy_use_lockout makes slapd return AccountLocked instead of plain InvalidCredentials to a locked account, which tells anyone probing that the account exists; leave it out if that matters to you. If clients send passwords already hashed (see the ldap.conf notes below), add ppolicy_hash_cleartext so the server hashes whatever cleartext it does receive.

Provided you've got the ACLs set correctly in your slapd.conf (too big to cover in this howto), that's all the slapd.conf configuration you'll need. Restart slapd now so the new schema and the overlay are loaded; the policy entry in the next step cannot be added until they are.

The other file you'll need to edit is /etc/ldap.conf (the pam_ldap/nss_ldap client configuration). Uncomment:

pam_lookup_policy yes

That makes pam_ldap send the password policy request control on bind and relay the server's answer (expiry warning, locked account, must-change) into the login. While you are in there, check the pam_password setting: with pam_password md5 the client hashes the password itself and the server only ever sees a hash, so pwdCheckQuality, pwdMinLength and pwdInHistory have nothing to check against. Use pam_password exop so the change goes through the Password Modify extended operation in cleartext (over TLS) and slapd can enforce the policy and hash the value itself.

Ah ha! I know what we've forgotten: the actual policy.

This bit is probably the easiest (technically), though you'll have to work out what policy you'll be implementing yourself.

Create a new .ldif file called ppolicy.ldif (or jabberwocky.ldif if you like; the name really doesn't matter) and add the following. The comments give the units; everything is in seconds:

# default, policies, example.com
dn: cn=default,ou=policies,dc=example,dc=com
objectClass: top
# pwdPolicy is AUXILIARY, so the entry needs a structural class; device is the usual choice
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
# 87 days before a password expires
pwdMaxAge: 7516800
# warn for the last 5 days of that
pwdExpireWarning: 432000
# remember the last 6 passwords (stored hashed in pwdHistory) and refuse reuse
pwdInHistory: 6
# 1 = check quality but accept if the server cannot (e.g. password arrived hashed); 2 = reject in that case
pwdCheckQuality: 1
pwdMinLength: 8
# lock after 4 consecutive failed binds ...
pwdMaxFailure: 4
pwdLockout: TRUE
# ... for 32 minutes (0 would mean locked until an admin resets it)
pwdLockoutDuration: 1920
# no grace binds after expiry
pwdGraceAuthNLimit: 0
# 0 = failures never age out; only a successful bind clears them
pwdFailureCountInterval: 0
# force a change after an administrative reset (pwdReset: TRUE)
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
# TRUE would require the old password to be supplied when changing
pwdSafeModify: FALSE


You'll have different policy options, and I am by no means suggesting the above is a good configuration. Read through the manual and find out the options you want to set. It _may_ be a good enough configuration for you, but I accept no responsibility for it. The ou=policies container must already exist, or ldapadd will fail with "No such object".

Once you've done that, run the following (replacing jabberwocky with your choice of ldif name):

ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f jabberwocky.ldif

You'll be prompted for the Manager password, and then hopefully you'll see something along the lines of:

adding new entry "cn=default,ou=policies,dc=example,dc=com"

Once that's done, run

ldapsearch -x -D "cn=Manager,dc=example,dc=com" -W -b "ou=policies,dc=example,dc=com"

which will output the entries under ou=policies, including your brand new policy (without -b the search base comes from ldap.conf, in which case you'll get the whole tree and need to scroll up to find it).

If you haven't already restarted slapd after editing slapd.conf, do so now (the overlay and schema are only loaded at startup; the policy entry itself is read at bind time and needs no restart). Pick a quiet moment, since users trying to authenticate during the restart will be disrupted.

Hopefully it will come back up with no errors. That's that.

The behaviour depends heavily on your configuration, so what you can test is your configuration rather than ppolicy itself. Remember to test by binding as an ordinary user: the rootdn (Manager) bypasses the policy entirely.

BE WARNED: THE FOLLOWING WILL FORCE YOU TO CHANGE YOUR PASSWORD ON YOUR NEXT LOGIN. IF YOU DON'T WANT THAT, DON'T RUN IT.

If you want to check it's working, run the following (provided that pwdMustChange is TRUE in the default policy). pwdReset is an operational attribute, so bind as Manager to set it; substitute the real uid for $user:

ldapmodify -x -D "cn=Manager,dc=example,dc=com" -W
dn: uid=$user,ou=Users,dc=example,dc=com
changetype: modify
add: pwdReset
pwdReset: TRUE

Type the entry exactly as above after the password prompt, finish it with a blank line and press Ctrl-D; it should report modifying entry "uid=$user,ou=Users,dc=example,dc=com". Now try to log in with your username ($user) and your old password. It will log you in and ask you to change it.

Neat.
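To see how the overlay combines the policy values above with the operational attributes it writes to each user (pwdChangedTime, pwdFailureTime, pwdAccountLockedTime, pwdHistory, pwdReset), here is an added example that is not part of the original post: a small Python script that reads those attributes from LDIF (as ldapsearch -x -LLL '*' '+' prints them) and works out expiry, warning window, failure count, lockout and must-change state the way slapo-ppolicy does at bind time, and checks a candidate password against the {SSHA} hashes kept in pwdHistory. The policy entry is the one from this post; the two users, their timestamps and the "now" of 2007-10-19 10:00 UTC are constructed sample data, not output from any real directory.

```python
"""Evaluate the ppolicy state of an account from the operational attributes
slapo-ppolicy stores, mirroring the checks the overlay makes at bind time."""
import base64
import hashlib
from datetime import datetime, timezone


def ssha(password: str, salt: bytes) -> str:
    """{SSHA} as OpenLDAP stores it: base64(sha1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(password: str, stored: str) -> bool:
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode() + salt).digest() == digest


# Constructed sample (not real directory data): the policy entry from the post
# and two users, as `ldapsearch -x -LLL '(uid=*)' '*' '+'` would show them.
_OLD = ssha("winter2006", b"\x01\x02\x03\x04")   # alice's previous password
SAMPLE_LDIF = f"""\
dn: cn=default,ou=policies,dc=example,dc=com
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdMaxAge: 7516800
pwdExpireWarning: 432000
pwdInHistory: 6
pwdMaxFailure: 4
pwdLockout: TRUE
pwdLockoutDuration: 1920
pwdFailureCountInterval: 0
pwdMustChange: TRUE

dn: uid=alice,ou=Users,dc=example,dc=com
pwdChangedTime: 20070725120000Z
pwdFailureTime: 20071019090000Z
pwdFailureTime: 20071019090005Z
pwdFailureTime: 20071019090010Z
pwdHistory: 20070501120000Z#1.3.6.1.4.1.1466.115.121.1.40#{len(_OLD)}#{_OLD}
pwdReset: TRUE

dn: uid=bob,ou=Users,dc=example,dc=com
pwdChangedTime: 20070601120000Z
pwdFailureTime: 20071019094500Z
pwdAccountLockedTime: 20071019094500Z
"""


def parse_ldif(text: str) -> dict:
    """Minimal LDIF reader: DN -> {attribute: [values]} (no base64 or folded lines)."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(": ")
            attrs.setdefault(name, []).append(value)
        entries[attrs["dn"][0]] = attrs
    return entries


def gtime(value: str) -> datetime:
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def in_history(password: str, user: dict) -> bool:
    """pwdHistory values are changedTime#syntaxOID#length#data (draft-behera)."""
    for value in user.get("pwdHistory", []):
        data = value.split("#", 3)[3]
        if data.startswith("{SSHA}") and ssha_verify(password, data):
            return True
    return False


def evaluate(policy: dict, user: dict, now: datetime) -> dict:
    num = lambda k: int(policy.get(k, ["0"])[0])
    flag = lambda k, src=policy: src.get(k, ["FALSE"])[0] == "TRUE"
    age = (now - gtime(user["pwdChangedTime"][0])).total_seconds()
    remaining = num("pwdMaxAge") - age
    expired = num("pwdMaxAge") > 0 and remaining <= 0
    # pwdFailureCountInterval 0: failures never age out, only a successful bind clears them
    fails = [gtime(t) for t in user.get("pwdFailureTime", [])]
    if num("pwdFailureCountInterval"):
        fails = [t for t in fails if (now - t).total_seconds() <= num("pwdFailureCountInterval")]
    locked = False
    if flag("pwdLockout") and "pwdAccountLockedTime" in user:
        at = user["pwdAccountLockedTime"][0]
        if at == "000001010000Z":          # administrative lock, never expires
            locked = True
        else:                              # pwdLockoutDuration 0 = locked until an admin resets
            locked = num("pwdLockoutDuration") == 0 or \
                (now - gtime(at)).total_seconds() < num("pwdLockoutDuration")
    return {
        "expired": expired,
        "warn": not expired and 0 < remaining <= num("pwdExpireWarning"),
        "failures": len(fails),
        "failures_to_lockout": max(0, num("pwdMaxFailure") - len(fails)) if flag("pwdLockout") else None,
        "locked": locked,
        "must_change": flag("pwdMustChange") and flag("pwdReset", user),
    }


def report(now: datetime = datetime(2007, 10, 19, 10, 0, tzinfo=timezone.utc)) -> dict:
    entries = parse_ldif(SAMPLE_LDIF)
    policy = entries["cn=default,ou=policies,dc=example,dc=com"]
    return {dn: evaluate(policy, e, now) for dn, e in entries.items() if dn.startswith("uid=")}


if __name__ == "__main__":
    for dn, state in report().items():
        print(dn, state)
```

Run it and alice comes out inside the expiry warning window with three failures banked (one more locks her) and must_change set because of pwdReset, while bob is both expired and still inside his 32-minute lockout. Feeding the script the real ldapsearch output for an account is the quickest way to tell whether a login problem is the policy doing its job or pam_ldap ignoring what the server said.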

If you have problems with OpenLDAP itself, the people in #ldap on irc.freenode.net are very helpful. However, if it's a problem with another application interfacing with LDAP, please don't disturb them. LDAP connects with hundreds of applications, so ask the application developers before the LDAP ones.

  • Hansen Wu

    Hi Andy, I am trying to set up a password policy for the userPassword attribute in openldap-2.4.21 installed on Linux (current version). I was checking /usr/lib/openldap/ppolicy.la and found out it's not there. The only .la file in that dir is back_sql.la. Is this an installation problem? How do I fix the problem? Could you give some advice?
    Thanks

    • http://zrmt.com andylockran

      What’s your distribution?

  • ninyo

    Hello Andy, a very helpful guide for me. I have some questions. I can see that with all the steps done some things don't work. The only policies that work for me are pwdMaxFailure and pwdLockoutDuration. The rest of them didn't work. I have these objectClasses for my users:

    posixAccount
    shadowAccount
    inetOrgPerson

    Maybe the shadowAccount attributes conflict with the ppolicy established. My questions are:

    – Do I have to add a new objectClass to the user to use the policies? Maybe pwdPolicy or pwdPolicyChecker (afaik this is only related to pwdCheckQuality)
    – Am I right in thinking there is a conflict between shadowAccount and the policies?

    thx!

    • http://zrmt.com andylockran

      Ninyo,

      First off, thanks for the positive feedback. I’ve happily used OpenLDAP ppolicy with shadowAccount objectclass without any kind of conflict – so I don’t think that’s your issue.

      In what way isn't the policy working? Can you set pwdInHistory and see if you can set your password back to your previous one? The key thing to remember here is to bind as the user, as the Manager account can override the policy (superuser privileges).

      What authentication service are you using LDAP for?

      • ninyo

        Andy

        thank you for your quick reply! (and sorry for my poor english :s)

        "In what way isn't the policy working?" Only allowuserchange, maxfailure and lockout work. I tested mustchange, expirewarning, inhistory... none of them works.

        "Can you set pwdInHistory and see if you can set your password back to your previous one?" I can set a previous password; it didn't work. A question here: where do the passwords get stored? In a user attribute?

        This is my ldap.conf on the clients:

        uri ldap://xx.xx.xx.xx/
        base dc=nodomain
        ldap_version 3
        timelimit 5
        bind_timelimit 5
        bind_policy soft
        pam_lookup_policy yes
        pam_password md5
        use_sasl off
        rootuse_sasl off
        sasl_secprops maxssf=0
        idle_timelimit 3600
        nss_reconnect_tries 1
        nss_reconnect_sleeptime 1
        nss_reconnect_maxsleeptime 8
        nss_reconnect_maxconntries 2
        nss_paged_results yes
        nss_base_passwd ou=people,dc=nodomain
        nss_base_shadow ou=people,dc=nodomain
        nss_base_group ou=group,dc=nodomain

        and my relevant slapd.conf:

        ....
        include /usr/share/openldap2.4/schema/ppolicy.schema
        ....
        moduleload ppolicy.la
        ....
        ppolicy_default "cn=paswPolicy,ou=policies,dc=nodomain"
        ppolicy_use_lockout
        #ppolicy_hash_cleartext

        #ACL
        access to attrs=userPassword
            by self write
            by anonymous auth
            by dn.base="cn=admin,dc=nodomain" write
            by * none
        access to *
            by self write
            by dn.base="cn=admin,dc=nodomain" write
            by * read

        I'm using LDAP to authenticate user logins through PAM. I'm working on Ubuntu 10.04 for clients and CentOS 5.2 & LDAP 2.4.

        My biggest doubt: must I set the pwdPolicy objectClass when I create a user?

        And I must say that it is very difficult to find examples or info about ppolicy except for the man pages.....

        Mercy!!

        • ninyo

          Maybe to get some of the ppolicy settings to work it is necessary to load a checking module?

          • ninyo

            I love to reply to myself!
            One more question. If I cannot get ppolicy to work, can I use pam_cracklib to replace ppolicy? I don't like this idea, because it is a local configuration method and I would have to update the configuration on all the clients.....

          • http://zrmt.com andylockran

            I’m not sure on pam_cracklib. I wrote a password checking module using source code I found on the net (Open Source). I will find a link for you if you want it and let you know when I’m back at my desk. Happy Christmas!

          • ninyo

            Done! I used this http://ltb-project.org/wiki/documentation/openldap-ppolicy-check-password . Reinstalled and configured it correctly. These people have LDAP with the pwdPolicy RPMs out of the box. You only have to configure it. I think the problem was:

            – I had to add to the user the objectClass "pwdPolicy" with the attribute "pwdAttribute: userPassword". As you said before ;)
            – PAM misconfiguration. When I reinstalled LDAP I could see messages from the ppolicy module in the logs, but they were not applied. Example: messages saying the password had expired, but I could log on to the system. This page (http://www.vitki.net/book/page/authorization-and-authentication) helped me configure PAM correctly.

            I tried to compile the pam_cracklib module, but had some problems compiling.

            Thanks for the help! Feliz navidad!

          • http://zrmt.com andylockran

            pwdCheckQuality needs to be set to 1 to attempt the checking, and to 2 in order to refuse new passwords if they fail the check. 1 Warns, 2 Blocks.

        • http://zrmt.com andylockran

          There are some attributes that are stored with the user attribute that are extended. I can’t remember the pwdInHistory attribute, but you should be able to look it up on the man page for ppolicy.

          The way you search them is `ldapsearch -x +` and that’ll show you all the attributes for the user. Including those attributes stored against a users account. If they’re not present, then that’ll be the issue that we can look at next.

  • Snehal Thx

    Hi Andy, my LDAP server is running fine. Trying to implement password policy. RHEL 5
    But ppolicy.la missing in /usr/lib/openldap. do we have to generate it or it should be there by default after openldap-server rpm installation.

    • http://zrmt.com andylockran

      You should be able to find it someplace on the filesystem, it might not be in the correct location – so just copy it in. 

      Cheers. 

    • Ren_wong

      The openldap-servers-overlays RPM should be installed.

  • noussa

    hi andy,thanks for the guide,
    Unfortunately, it doesn’t work to me :(
    i have two cases:
    1- when the user enters his password, the message about changing the password appears but access is denied (authentication failure)
    2- the user can log in without any message or prompt to modify the password
    Can you please help me??

  • guest

    Any ideas? When adding the ppolice.ldif I get the error below:

    ldapadd: Invalid syntax (21)
            additional info: objectClass: value #2 invalid per syntax

    • Armando Pruebas

      In slapd.conf:

      include        /etc/ldap/schema/ppolicy.schema
      .
      .
      .

      database bdb
      suffix ....
      rootdn ...
      rootpw
      directory ....

      overlay ppolicy
      ppolicy_default "cn=basicPwdPolicy,dc=test,dc=com"

      • Chao Vo

        I don't think this problem can be resolved like that, because the error appears in ppolice.ldif; although I configured it as in your guide, this error still appears.

    • http://zrmt.com/ andylockran

      I believe it may have something to do with your ppolicy.schema – you may need to modify the userPassword field to be a reference to the numeric ID.  It’s been a while now, so please forgive me forgetting the ID.  Do let me know if that helps?

      • jeremyc

        I could really use some assistance in the areas where we call ldapadd;
        my predecessor opted to set up slapd.conf with rootdn "cn=root,dc=company,dc=com"

        I am an LDAP newbie, and since my predecessor set up the LDAP infrastructure before me I have no idea where to really start. I just know I have a week to implement ppolicy.

        • http://zrmt.com/ andylockran

          Hey jeremyc,

          Sorry I’ve been so long replying.  Are you still having issues?

  • Ping

    Hi Andy,
    I am trying to implement the ppolicy overlay on OpenLDAP 2.4 on RHEL6. The problem is I cannot follow your steps because the new version of LDAP doesn't have slapd.conf; everything is in the cn=config directory in different files. Would you be kind enough to give us guidance for the new version too please?

    thanks in advance

    Ping

    • http://zrmt.com/ andylockran

      Hey Ping,

      I’d recommend following the guidance below and implementing slapd.conf first, then upgrade to the dynamic config once it’s working. I no longer work actively with OpenLDAP, so I’ve not had an opportunity to rewrite the config in the new format.

      from: http://www.openldap.org/lists/openldap-technical/201205/msg00159.html

      the use of the dynamic config in 2.4 is not compulsory. You can migrate to 2.4 first (be careful for your ACLs, because there are some changes since 2.3!) using a standard slapd.conf and, when everything is working properly, at a later stage convert to dynamic config. This is the approach I suggest; one thing at a time.

      Regards,
      Nick