Openldap with ppolicy
Posted
by
nitins
on Server Fault
See other posts from Server Fault
or by nitins
Published on 2011-11-24T09:15:18Z
Indexed on
2011/11/24
10:02 UTC
Read the original article
Hit count: 406
We have working installation of OpenLDAP version 2.4 which is using shadowAccount attributes. I want to enable ppolicy overlays.
I have gone through the steps provided at OpenLDAP and ppolicy howto. I have made the changes to slapd.conf and imported the password policy.
On restart OpenLDAP is working fine and I can see the password policy when I do a ldapsearch. The user object looks like given below.
# extended LDIF
#
# LDAPv3
# base <dc=xxxxx,dc=in> with scope subtree
# filter: uid=testuser
# requesting: ALL
#
# testuser, People, xxxxxx.in
dn: uid=testuser,ou=People,dc=xxxxx,dc=in
uid: testuser
cn: testuser
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowMax: 90
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 569
gidNumber: 1005
homeDirectory: /data/testuser
userPassword:: xxxxxxxxxxxxx
shadowLastChange: 15079
The password policy is given below.
# default, policies, xxxxxx.in
dn: cn=default,ou=policies,dc=xxxxxx,dc=in
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdMaxAge: 7776002
pwdExpireWarning: 432000
pwdInHistory: 0
pwdCheckQuality: 1
pwdMinLength: 8
pwdMaxFailure: 5
pwdLockout: TRUE
pwdLockoutDuration: 900
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
I do not what should be done after this. How can the shadowAccount attributes be replaced with the password policy.
© Server Fault or respective owner
