Howto: ppolicy & openldap

23 Comments

Well, I couldn't find a coherent howto out on the internet, and since my LDAP replication post is currently the most-viewed page on the blog this month, I thought I'd do a little more technical documentation.

I know that in many cases, 'reading the manual' can be a very annoying way of learning, but I've always read it at least once. With ppolicy & openldap you'll get nowhere without RTFM, so please make sure you leave yourself time to go through it.

http://linux.die.net/man/5/slapo-ppolicy

OpenLDAP is a beast, but it can be a very friendly beast. Like the beast out of Beauty and the Beast, it reacts differently to different people. Were you Belle - then you'll have no problems (notice how Belle reads books) but were you to be Gaston (who uses force & brute strength) the beast isn't going to like you.

Well, I'm assuming you already have a working OpenLDAP setup (including user authentication through PAM). If you haven't, there are some quite good howtos for starting off. If you want advice, please comment rather than send me an email, as then other people will be able to learn from both your questions and the answers provided (not just by me, but by other commentators).

The best thing to do first is to make sure you have decent RPMs. See THIS POST for how to get them set up on CentOS/RHEL. If you're using another distribution, make sure its packages have a good reputation for working.

ppolicy.la is a module file and will be installed in /usr/lib/openldap/. It's a good idea to check it's there. The other thing to do is to copy ppolicy.schema into the /etc/openldap/schema/ directory and make sure that all the attributes you need are uncommented (pwdReset was commented out by default, and I didn't realise). It's probably a good idea to read through the schema file too.

In slapd.conf add:

modulepath /usr/lib/openldap
moduleload ppolicy.la

Then you need to add the following after the database section:

overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=example,dc=com"
ppolicy_use_lockout

Providing you've got the ACLs set correctly in your slapd.conf (too big to consider covering in this howto) that's all the slapd.conf configuration you'll need.

The other file you'll need to edit is /etc/ldap.conf. Uncomment the line:

pam_lookup_policy yes

That will now allow PAM to look up the ppolicy from the LDAP directory.

Ah ha! I know what we've forgotten, the actual policy!

Well this bit's probably the easiest bit (technically) though you'll have to work out what policy you'll be implementing yourself.

Create a new .ldif file called ppolicy.ldif (or jabberwocky.ldif if you like, it really doesn't matter) and add the following details:

# default, policies, example.com
dn: cn=default,ou=policies,dc=example,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdMaxAge: 7516800
pwdExpireWarning: 432000
pwdInHistory: 6
pwdCheckQuality: 1
pwdMinLength: 8
pwdMaxFailure: 4
pwdLockout: TRUE
pwdLockoutDuration: 1920
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE


You'll have different policy options, and by no means am I suggesting the above is a good configuration. Read through the manual and find out the options you want to set. It _may_ be a good enough configuration for you, but I accept no responsibility for it.
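Because every duration in a pwdPolicy entry is a number of seconds, and several attributes change meaning when set to 0, it is easy to apply a policy that does something other than intended. The following script is an added example (not code from the original post, and not part of OpenLDAP): it parses a policy entry written in plain LDIF, prints each value with the seconds converted to days/hours/minutes, and flags the interactions documented in slapo-ppolicy(5), such as pwdExpireWarning having to be smaller than pwdMaxAge, pwdLockoutDuration 0 meaning "locked until an administrator unlocks", and pwdMinLength only being enforced when pwdCheckQuality is not 0. The embedded LDIF is a constructed copy of the sample policy above.

```python
"""Summarise and sanity-check a pwdPolicy entry written in LDIF.

Added example, not code from the original post. It encodes the attribute
semantics documented in slapo-ppolicy(5); it does not talk to a directory.
"""
from __future__ import annotations

# Constructed copy of the sample policy entry from the post.
SAMPLE_POLICY_LDIF = """\
dn: cn=default,ou=policies,dc=example,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdMaxAge: 7516800
pwdExpireWarning: 432000
pwdInHistory: 6
pwdCheckQuality: 1
pwdMinLength: 8
pwdMaxFailure: 4
pwdLockout: TRUE
pwdLockoutDuration: 1920
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
"""

# Attributes whose value is a number of seconds (lowercased for lookup).
DURATION_ATTRS = {a.lower() for a in ("pwdMaxAge", "pwdMinAge", "pwdExpireWarning",
                                      "pwdLockoutDuration", "pwdFailureCountInterval")}


def parse_ldif_entry(text: str) -> dict[str, list[str]]:
    """Parse one plain-text LDIF entry (no base64 '::' values, no folded lines)
    into a lowercased-attribute -> values mapping, so pwdGraceAuthNLimit and
    pwdGraceAuthnLimit are treated as the same attribute, as LDAP does."""
    entry: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def humanise_seconds(seconds: int) -> str:
    """Render a pwdPolicy duration as days/hours/minutes/seconds."""
    days, rem = divmod(seconds, 86400)
    hours, rem = divmod(rem, 3600)
    minutes, secs = divmod(rem, 60)
    parts = [f"{n}{unit}" for n, unit in
             ((days, "d"), (hours, "h"), (minutes, "m"), (secs, "s")) if n]
    return " ".join(parts) or "0s"


def summarise(entry: dict[str, list[str]]) -> dict[str, str]:
    """Human-readable value for every pwd* attribute present in the entry."""
    out = {}
    for attr in sorted(a for a in entry if a.startswith("pwd")):
        value = entry[attr][0]
        if attr in DURATION_ATTRS:
            value = f"{value} s ({humanise_seconds(int(value))})"
        out[attr] = value
    return out


def check_policy(entry: dict[str, list[str]]) -> list[str]:
    """Findings a reviewer would want to see before applying the policy."""
    def num(attr: str) -> int:
        return int(entry.get(attr.lower(), ["0"])[0])

    findings = []
    if "pwdpolicy" not in {v.lower() for v in entry.get("objectclass", [])}:
        findings.append("entry lacks objectClass pwdPolicy")
    if entry.get("pwdattribute", [""])[0] != "userPassword":
        findings.append("pwdAttribute is not userPassword (the only attribute the overlay supports)")
    max_age, warning = num("pwdMaxAge"), num("pwdExpireWarning")
    if max_age == 0:
        findings.append("pwdMaxAge is 0: passwords never expire")
    elif warning >= max_age:
        findings.append("pwdExpireWarning must be smaller than pwdMaxAge")
    if num("pwdMaxFailure") == 0:
        findings.append("pwdMaxFailure is 0: lockout never triggers")
    elif num("pwdLockoutDuration") == 0:
        findings.append("pwdLockoutDuration is 0: locked accounts stay locked "
                        "until an administrator clears pwdAccountLockedTime")
    if num("pwdFailureCountInterval") == 0:
        findings.append("pwdFailureCountInterval is 0: the failure count is only "
                        "reset by a successful bind")
    if num("pwdCheckQuality") == 0 and num("pwdMinLength") > 0:
        findings.append("pwdCheckQuality is 0: pwdMinLength is never enforced")
    return findings


if __name__ == "__main__":
    policy = parse_ldif_entry(SAMPLE_POLICY_LDIF)
    for attr, value in summarise(policy).items():
        print(f"{attr:28} {value}")
    for finding in check_policy(policy):
        print("NOTE:", finding)
```

Run against the sample policy it reports pwdMaxAge as 87 days, pwdExpireWarning as 5 days and pwdLockoutDuration as 32 minutes, and the only note is that the failure count is reset solely by a successful bind. Pointing it at your own ppolicy.ldif before running ldapadd is a cheap way to catch a pwdMaxAge of 90 (seconds, not days) or a pwdMinLength that is silently ignored because quality checking is off.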

Once you've done that, run the following (replacing jabberwocky with your choice of LDIF name):

ldapadd -D "cn=Manager,dc=example,dc=com" -W -x -f jabberwocky.ldif

You'll be prompted to enter your password, and then hopefully you'll see something along the lines of Success!

Once that's done, run

ldapsearch -D "cn=Manager,dc=example,dc=com" -W -x

which will output what's in the LDAP tree (if you scroll up you should see your brand new ppolicy).

Now you can restart LDAP (notice that we didn't before: if users were attempting to authenticate at the time, they'd have been mightily disrupted).

Hopefully that will restart with no errors. That's that.

The behaviour will rely heavily on your configuration, so you can only test your configuration, rather than ppolicy itself.

BE WARNED = THE FOLLOWING SCRIPT WILL FORCE YOU TO CHANGE YOUR PASSWORD ON YOUR NEXT LOGIN. IF YOU DON'T WANT TO DO THIS THEN DON'T RUN THE SCRIPT.

If you want to check it's working then run the following (provided that pwdMustChange is set to TRUE in the default policy):

ldapmodify -x -D "cn=Manager,dc=example,dc=com" -W

and type in the modification, replacing $user with the account's uid (keep the lines together: a blank line ends an LDIF entry):

dn: uid=$user,ou=Users,dc=example,dc=com
changetype: modify
add: pwdReset
pwdReset: TRUE

Then press return and it should say success. Try to log in now with your username ($user) and your old password. It will log you in and then ask you to change it.

Neat.
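The pwdReset test above only exercises pwdMustChange. The lockout side of the policy (pwdMaxFailure, pwdLockoutDuration and pwdFailureCountInterval) is harder to test by hand, because it depends on timing and on whether a successful bind clears the count. The following is an added example, not code from the original post and not OpenLDAP's own implementation: a simplified model of the behaviour slapo-ppolicy(5) describes for those three attributes, with plain integer seconds standing in for the pwdFailureTime and pwdAccountLockedTime timestamps the overlay keeps on the user entry. It lets you replay a constructed sequence of bind attempts against a policy before applying it to a live directory.

```python
"""Model of how the lockout attributes of a pwdPolicy entry interact.

Added example, not code from the original post and not OpenLDAP's own
implementation: a simplified model of the semantics slapo-ppolicy(5) gives
for pwdMaxFailure, pwdLockoutDuration and pwdFailureCountInterval.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class LockoutPolicy:
    pwd_max_failure: int             # 0 = lockout never triggers
    pwd_lockout_duration: int        # seconds; 0 = locked until an admin unlocks
    pwd_failure_count_interval: int  # seconds; 0 = failures only cleared by success


@dataclass
class AccountState:
    failure_times: list = field(default_factory=list)  # stands in for pwdFailureTime
    locked_time: int | None = None                     # stands in for pwdAccountLockedTime


def bind(policy: LockoutPolicy, state: AccountState, now: int, password_ok: bool) -> str:
    """Simulate one simple bind at time `now`; returns 'ok', 'invalid' or 'locked'."""
    if state.locked_time is not None:
        still_locked = (policy.pwd_lockout_duration == 0
                        or now < state.locked_time + policy.pwd_lockout_duration)
        if still_locked:
            return "locked"
        # Lockout period has elapsed: the account may be used again.
        state.locked_time = None
        state.failure_times.clear()
    if password_ok:
        state.failure_times.clear()  # a successful bind resets the failure count
        return "ok"
    if policy.pwd_failure_count_interval > 0:
        # Failures older than the interval no longer count towards pwdMaxFailure.
        state.failure_times = [t for t in state.failure_times
                               if now - t < policy.pwd_failure_count_interval]
    state.failure_times.append(now)
    if policy.pwd_max_failure and len(state.failure_times) >= policy.pwd_max_failure:
        state.locked_time = now
    return "invalid"


def admin_unlock(state: AccountState) -> None:
    """What an administrator does by deleting pwdAccountLockedTime from the entry."""
    state.locked_time = None
    state.failure_times.clear()


def run(policy: LockoutPolicy, attempts: list[tuple[int, bool]]) -> list[str]:
    """Replay a constructed list of (time_in_seconds, password_ok) bind attempts."""
    state = AccountState()
    return [bind(policy, state, t, ok) for t, ok in attempts]


# Lockout settings from the sample policy in the post: 4 failures, 32-minute
# lockout, failure count reset only by a successful bind.
POST_POLICY = LockoutPolicy(pwd_max_failure=4, pwd_lockout_duration=1920,
                            pwd_failure_count_interval=0)

# Constructed attempt log: four wrong passwords, a correct one while locked,
# then a correct one after the lockout has expired.
ATTEMPTS = [(0, False), (10, False), (20, False), (30, False), (40, True), (2000, True)]

if __name__ == "__main__":
    for (t, ok), result in zip(ATTEMPTS, run(POST_POLICY, ATTEMPTS)):
        print(f"t={t:>5}s password_ok={ok!s:<5} -> {result}")
```

With the post's settings the fourth wrong password locks the account, the correct password at t=40 s is still refused, and the bind at t=2000 s succeeds because 1920 seconds have passed. Setting pwdFailureCountInterval to 60 with the same attempts spaced 100 seconds apart never locks, since each failure has aged out before the next one; setting pwdLockoutDuration to 0 keeps the account locked until admin_unlock, which is the strictest setting but means every mistyped-password lockout needs an administrator.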

If you have problems with OpenLDAP itself, the guys in #ldap on irc.freenode.net are very helpful. However, if it's a problem with another application interfacing with LDAP, please don't disturb them. LDAP connects with hundreds of applications, so please ask the application developers before the LDAP ones.

The Suretec Blog

#ldap on Freenode and helping others...

It's nice to see people taking Suretec advice in #ldap:

Don't use Red Hat OpenLDAP RPMs

and actually reading the OpenLDAP docs for once:

Openldap with ppolicy

In the OpenLDAP world, if you listen to the community, Suretec and Symas, you c...

22-10-2007 8:25 pm

Rafael

Your slapd.conf file contains:
`ppolicy_default "cn=default,ou=policies,dc=example,dc=com"`

I imagine this is used as the policy for all users since it's defined globally.

If I have several OUs that define users, groups, etc... how would I implement a password policy per user/group?

For my setup, I imagine having:
cn=swa-ppolicy,ou=ppolicies,dc=example,dc=com
and
cn=pse-ppolicy,ou=ppolicies,dc=example,dc=com
and so on... as policies in my directory.

How can I apply these per group or user? Would I add a field to my posix[User|Group] schema?

Thanks!

17-11-2007 1:52 am

Kevin

The "ppolicy overlay" is not enabled in OpenLDAP-servers RPM from RHEL5.
I got "overlay ppolicy not found" error from slapd.conf.

Thanks,
Kevin

14-12-2007 12:06 am

Andy

Kevin - see my post on RHEL5 & openLDAP... if you add Buchan Milne's repository you'll get an updated version of openldap which will work better for you. It's much better - ask Gavin Henry at Suretec - many links to his company on my site. If you need commercial support try them or Symas.

14-12-2007 3:54 am

Kevin

Thanks!

15-12-2007 1:26 am

kevin

Andy,

Your writeup was excellent. I was able to install ppolicy in OpenLDAP 2.3.39.
I still have a strange problem: some ppolicy attributes are not working, like pwdMinLength and pwdInHistory.
Any hint?

Thanks,
Kevin

17-12-2007 10:55 pm

Andy

Kevin,

If you look through the schema file, some options may be commented out. You'll have to uncomment them in the schema file for them to work.

It's probably best to research why they are commented in the first place; so if they are, then direct an openldap specific mail to the openldap-users mailing list. (include version number, and OS).

17-12-2007 11:34 pm

vanpeer

Rafael,

Did you get any answer about your questions?

30-05-2008 4:00 pm

Andy

vanpeer,

I've looked into it further, and you'll find an answer in my latest blog post: http://tinyurl.com/67uja4

There are a couple of shortcomings which I hope to address - but providing you can write some simple LDIF scripts, the current method should work reasonably well for small to medium sized implementations.

20-06-2008 6:07 pm

Kevin

I had to install openldap at a certain version for testing a customer setup, so I had to compile it. I couldn't get the right parameters for installing ppolicy.la. I finally used these:

configure --enable-modules=yes --enable-ppolicy=yes --enable-overlays=mod --prefix=/space/banzai-1/openldap-2.3.36

This was on RH5.0

07-10-2008 6:05 pm

Kevin

I am no openldap guru... When I try and import the ppolicy.ldif I am getting:

ldap_add: Invalid syntax (21)
additional info: objectClass: value #2 invalid per syntax

from my file:
objectClass: top
objectClass: device
objectClass: pwdPolicy

I am assuming it is having a problem with "device". Any ideas?

07-10-2008 6:21 pm

Andy

Kevin,

I'd imagine you're missing a schema from your slapd.conf. I'm not currently able to access my openldap instance, but from the top of my head, you need:
core, cosine, inetorgperson, nis, and ppolicy.

Also, double check that values don't start at #0, therefore #2 being your ppolicy objectClass.

07-10-2008 11:44 pm

Murthy

I have a question: what modifications need to be done in slapd.conf if I need to define a policy for a specific ou or user instead of using the default ppolicy?

16-10-2008 3:32 pm

Axel Werner

pwdReset / pwdMustChange does not work as expected.
Hi! Thanks for your posting. I run openldap with ppolicy and use pam_ldap and libnss-ldap too for PAM-based client authentication and password handling (length, password changes etc). Ppolicy works fine, passwords expire fine (the user will be forced to change the password if expired). But the "pwdMustChange" rule combined with the pwdReset flag won't work. If I set the pwdReset flag on a user object and the user logs on, he will successfully log on and get a shell as usual. The only thing is he gets a single additional text line saying "Change After Reset" - nothing more! So it seems there is not really a need for the user to change his password after a password reset by his admin. Do you know WHY the user is not forced to change his password the same way as he is forced on an expired password? Thanks for any help! Regards, Axel

21-01-2009 10:48 am

andylockran

Axel,

That's more of a pam_ldap issue than an OpenLDAP-specific one. It's passing the message to the PAM system - therefore you need to work out how to get PAM to recognise it. I should imagine something along the lines of checking for the "Change After Reset" string.

If you set password lockouts on .. does this prevent users from logging in at all?

21-01-2009 2:33 pm

R@f

Thanks for that howto, but what are the requirements for that password policy to be applied by the LDAP client?

I mean, what should be configured on the client side?
Do I just need "pam_lookup_policy" activated with pam_ldap for that?

Regards

29-03-2009 2:40 pm

kevin

Does anyone know how to implement password syntax checking for a user defined set of special characters?

The default syntax checking is only for passwords based on usernames or mail addresses etc. I would think this kind of thing would be available in some sort of a plugin. I also have not discovered a way to do centralized dictionary attack checks.

Thanks,
Kevin

02-04-2009 8:26 pm

LinuxAdmin

Hi Andy. Will this password policy also work for users authenticating against LDAP, or just PAM?

21-05-2009 6:18 pm

Ram krish

Hello,

I have just gone through this article. It's excellent.
Thank you very much.

I would be very glad if you could guide me to solve an issue with ppolicy. I have been struggling a lot.

I use OpenLDAP 2.4.12 and it's running on SUSE 11. This had been installed from the OS bundle. But I don't find any modules, including the ppolicy.la file, in the /usr/lib/openldap/modules directory. My sysadmin told me that the lib files might have been linked into slapd and so .la files are not required.
So I was not able to add ppolicy.la in slapd.conf. I created the ppolicy.schema file and it's loading as expected.
I had constructed the ppolicy as below:

# default, policies, mynetwork.com
dn: cn=default,ou=policies,dc=mynetwork,dc=com
cn: default
objectClass: pwdPolicy
objectClass: person
objectClass: top
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdExpireWarning: 600
pwdFailureCountInterval: 30
pwdGraceAuthnLimit: 5
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdMaxFailure: 5
pwdMinAge: 0
pwdSafeModify: FALSE
sn: pwdpolicy
pwdCheckQuality: 0
pwdInHistory: 5
pwdMustChange: TRUE
pwdMinLength: 8
pwdMaxAge: 90

I did the PAM config on the client. As you told, I included the pwdReset attribute. It asked me to change the password at first logon.

But the rest of the ppolicy stuff, like minimum password length and history of passwords, is not working. According to my ppolicy, it should not accept the last passwords.

In the client machine, I used pam_ldap instead of pam_unix. Still it's not going through. Could you please provide me some idea to solve this issue...

Thank you very much.

Best Regards,
Ram

02-07-2009 4:36 pm

andylockran

I'd love to be able to help you with this problem, but I've given up my job as Systems Administrator, so am currently not up to date with openLDAP + ppolicy.

Hopefully by posting to the blog you'll have alerted someone else on this thread to the problem you're having.

However, looking at your problem, I think you should check through the ppolicy.schema file and check if your attributes are commented out - if so look to see why and see if you can get them enabled.

02-07-2009 10:07 pm

Ram

Thank you very much, Andy. I had a look at the schema files. But I don't see any of them commented out.

06-07-2009 9:16 pm

Sergio

Great article

Thank you

30-10-2009 6:53 pm