openldap howto force user to change his password after 3 months

rene04
Posts: 29
Joined: 2011/09/27 12:24:59

openldap howto force user to change his password after 3 months

Post by rene04 » 2011/09/28 12:20:53

Hi,

Is it possible to force a user in openldap to change his password after a given time? There should also be a message when he logs in that his password will expire in xxx days.

greetings, rene

rene04
Posts: 29
Joined: 2011/09/27 12:24:59

Re: openldap howto force user to change his password after 3 months

Post by rene04 » 2011/09/28 13:59:42

I have googled a bit and I found overlays, but I don't get it working.

I have added these lines to slapd.conf:
[code]
overlay ppolicy
ppolicy_default "cn=default,ou=Policies,dc=xxx,dc=local"
[/code]

Then I created a pwpolicies.ldif:
[code]
# add default policy to DIT
# attributes preceded with # indicate the defaults and
# can be omitted
# passwords must be reset every 30 days,
# have a minimum length of 6 and users will
# get an expiry warning starting 1 hour before
# expiry, when the consecutive fail attempts exceed 5
# the count will be locked and can only be reset by an
# administrator, users do not need to supply the old
# password when changing
dn: cn=default,ou=Policies,dc=xxx,dc=local
#objectClass: organizationalUnit
objectClass: pwdPolicy
cn: default
pwdMaxAge: 2592000
pwdExpireWarning: 3600
#pwdInHistory: 0
#pwdCheckQuality: 0
pwdMaxFailure: 5
pwdLockout: TRUE
#pwdLockoutDuration: 0
#pwdGraceAuthNLimit: 0
#pwdFailureCountInterval: 0
pwdMustChange: FALSE
pwdMinLength: 6
#pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
[/code]

When I now do a

[code]
ldapadd -x -D "cn=manager,dc=nbldap,dc=local" -f pwpolicies.ldif -W
[/code]

I get:

[code]
adding new entry "cn=default,ou=Policies,dc=xxx,dc=local"
ldap_add: Object class violation (65)
additional info: no structural object class provided
[/code]

What do I do wrong???

greetings, rene

rene04
Posts: 29
Joined: 2011/09/27 12:24:59

Re: openldap howto force user to change his password after 3 months

Post by rene04 » 2011/09/29 13:06:51

Hi,

I have it running now, parts of it, but some parts are still not working. Perhaps someone can find the problem.

This is my config:

[code]
# Policies, xxx.local
dn: ou=Policies,dc=nbldap,dc=local
objectClass: top
objectClass: organizationalUnit
ou: Policies

# default, Policies, xxx.local
dn: cn=default,ou=Policies,dc=xx,dc=local
pwdAttribute: userPassword
objectClass: pwdPolicy
objectClass: top
objectClass: person
pwdGraceAuthNLimit: 0
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdFailureCountInterval: 0
pwdMaxFailure: 3
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdMaxAge: 300
pwdInHistory: 2
pwdMinLength: 8
pwdCheckQuality: 1
pwdExpireWarning: 300
sn: dummy value
cn: default
[/code]

As you can see I have created an organizationalUnit Policies and in there I created my default policy. The value 300 is just for testing.

When I log in 3 times with a wrong password the account is locked. Also I have to use min 8 chars when I change the password. This is working. But maxAge and ExpireWarning are not working. Also I cannot find the operational attributes anywhere.

Seems like I am at a dead end now :-(

greetings, rene
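Operational attributes such as pwdChangedTime are only returned by ldapsearch when `+` is added to the requested attribute list, and ppolicy measures pwdMaxAge from pwdChangedTime, which an entry only carries once its password was changed while the overlay was loaded. The script below is an added example, not code from the thread: it reads a constructed LDIF export and computes the expiry date under both ppolicy (pwdMaxAge in seconds) and shadowAccount (shadowMax in days), classifies it against the pwdExpireWarning window, and treats an entry without pwdChangedTime as never expiring under ppolicy.

```python
# Added example (not from the thread): compute when a password expires under
# the two mechanisms discussed above. The ppolicy overlay stores pwdChangedTime
# (an operational attribute, only returned by ldapsearch when "+" is requested)
# and expires the password pwdMaxAge seconds later; shadowAccount uses
# shadowLastChange (days since the epoch) plus shadowMax (days). An entry whose
# password was set before the overlay was loaded has no pwdChangedTime, so
# ppolicy never expires it. The LDIF below is constructed sample data.
from datetime import datetime, timedelta, timezone

SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=local
pwdChangedTime: 20110901120000Z
shadowLastChange: 15218
shadowMax: 90

dn: uid=bob,ou=People,dc=example,dc=local
shadowLastChange: 15218
shadowMax: 90
"""

def parse_ldif(text):
    """Tiny LDIF reader: blank-line separated entries, single-valued attributes."""
    return [dict(line.split(": ", 1) for line in block.splitlines())
            for block in text.strip().split("\n\n")]

def gtime(value):
    """Parse an LDAP GeneralizedTime such as 20110901120000Z into aware UTC."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def ppolicy_expiry(entry, pwd_max_age):
    """Expiry per ppolicy (pwdMaxAge seconds); None if the password never expires."""
    if "pwdChangedTime" not in entry or pwd_max_age == 0:
        return None
    return gtime(entry["pwdChangedTime"]) + timedelta(seconds=pwd_max_age)

def shadow_expiry(entry):
    """Expiry per shadowAccount: shadowLastChange + shadowMax, both in days."""
    if "shadowLastChange" not in entry or "shadowMax" not in entry:
        return None
    days = int(entry["shadowLastChange"]) + int(entry["shadowMax"])
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(days=days)

def expiry_status(expires, now, warn_seconds):
    """'never', 'expired', 'warning' (inside the pwdExpireWarning window) or 'ok'."""
    if expires is None:
        return "never"
    now = gtime(now)
    if now >= expires:
        return "expired"
    if now >= expires - timedelta(seconds=warn_seconds):
        return "warning"
    return "ok"
```

Run over the sample, bob shows the silent failure mode from the thread: his shadowAccount expiry is computed normally while ppolicy reports "never" because he has no pwdChangedTime.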

r_hartman
Posts: 711
Joined: 2009/03/23 15:08:11
Location: Netherlands

openldap howto force user to change his password after 3 months

Post by r_hartman » 2011/09/30 06:39:25

Please define 'not working'. What behavior do you observe? Is it always asking you to change the password, is it never asking you that, or what?

Thing is that there are many ways to set up LDAP. I set up a pretty limited one, as I did not need anything complex. No policies.
My setup is based on default schemas core, cosine and inetorgperson and a modified nis schema (added the host attribute, for 'pam_check_host_attr yes').
The inetorgperson.schema has all the attributes for shadowExpire, shadowLastChange, shadowMax, shadowMin, shadowWarning and shadowInactive.
That made controlling these pretty easy.

rene04
Posts: 29
Joined: 2011/09/27 12:24:59

Re: openldap howto force user to change his password after 3 months

Post by rene04 » 2011/09/30 08:16:57

Hi,

Not working means that I get no warning message in my shell when I log in and the password never expires.

greetings, rene

r_hartman
Posts: 711
Joined: 2009/03/23 15:08:11
Location: Netherlands

Re: openldap howto force user to change his password after 3 months

Post by r_hartman » 2011/09/30 11:29:15

[quote]
rene04 wrote:
Not working means that I get no warning message in my shell when I log in and the password never expires.[/quote]
How do you go about testing that? I can see that you set your password warning the same as the password lifetime, so agree you should get a warning on signon.
But how do you test expiration? You need to manipulate the last-change-date (shadowLastChange) for that. Can you do that and, if yes, where?

rene04
Posts: 29
Joined: 2011/09/27 12:24:59

Re: openldap howto force user to change his password after 3 months

Post by rene04 » 2011/09/30 12:49:07

I have set it to 5 mins, so I think after 5 mins the password should be expired. But I still can log in after 5 mins.

Can you tell me more about the attributes shadowExpire, shadowLastChange, shadowMax, shadowMin, shadowWarning and shadowInactive and how to use them? Perhaps I will try it that way.

rene

r_hartman
Posts: 711
Joined: 2009/03/23 15:08:11
Location: Netherlands

Re: openldap howto force user to change his password after 3 months

Post by r_hartman » 2011/10/03 05:25:39

Have a look [url=http://www.hac-maarssen.nl/download/OpenLDAP_LDAPS_Setup_RHEL5.zip]here[/url].
As I said it is a simple setup, but it does everything I want. This is for RHEL5, but you may find it useful.

rene04
Posts: 29
Joined: 2011/09/27 12:24:59

Re: openldap howto force user to change his password after 3 months

Post by rene04 » 2011/10/04 08:20:50

Hi,

shadowAccount attributes are working perfectly, thx. But now I wanna mix those with the ppolicy overlay and nothing in ppolicy is working anymore. The only thing that is working there is when I set pwdAllowUserChange: FALSE or TRUE

[code]
# default, Policies, nbldap.local
dn: cn=default,ou=Policies,dc=nbldap,dc=local
pwdAttribute: userPassword
objectClass: pwdPolicy
objectClass: top
objectClass: person
pwdGraceAuthNLimit: 0
pwdLockoutDuration: 0
pwdFailureCountInterval: 0
pwdMinLength: 8
sn: dummy value
cn: default
pwdMaxFailure: 3
pwdCheckQuality: 1
pwdAllowUserChange: TRUE
pwdInHistory: 2
pwdLockout: TRUE
pwdMustChange: FALSE
[/code]

But after 5 or more wrong logins I still can log in!!! I'm going crazy. Is there a way to debug or another way to find out why it does not work? ACLs perhaps?

[code]
access to attrs=shadowLastChange,userPassword
by self write
by * read
by anonymous auth

access to dn.subtree="ou=People,dc=xxx,dc=local"
by * read
by anonymous auth

access to dn.subtree="ou=Group,dc=xxx,dc=local"
by * read
by anonymous auth

access to dn.subtree="ou=addressbook,dc=xxx,dc=local"
by self write
by users read
by anonymous auth

access to *
by * read
by anonymous auth
[/code]
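In the ACL posted above, the `access to attrs=shadowLastChange,userPassword` directive lists `by * read` before `by anonymous auth`; slapd applies the first `by` clause whose subject matches the requester and privilege levels are cumulative (read implies auth), so the `anonymous auth` clause is never reached and every client, anonymous ones included, can read the password hashes. The model below is an added example, not part of the thread, that simulates that first-match evaluation for the posted ordering and for a hardened one; it assumes only the four subject forms (`*`, `anonymous`, `users`, `self`) used in the posted ACL.

```python
# Added example (not from the thread): a minimal model of how slapd evaluates
# the "by" clauses of a single "access to" directive. slapd walks the clauses
# in order and applies the FIRST one whose subject matches the requester;
# later clauses are never consulted. Privilege levels are cumulative (read
# implies auth), so in the posted directive anonymous clients match
# "by * read" and can read userPassword hashes; "by anonymous auth" is dead.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

def subject_matches(who, requester, is_self=False):
    """Match a "by" subject (*, anonymous, users, self) against a requester kind."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester == "anonymous"
    if who == "users":
        return requester == "users"
    if who == "self":
        return requester == "users" and is_self
    raise ValueError("unsupported subject in this model: %s" % who)

def granted_level(clauses, requester, is_self=False):
    """First matching clause wins; no matching clause means no access at all."""
    for who, level in clauses:
        if subject_matches(who, requester, is_self):
            return level
    return "none"

def allows(clauses, requester, wanted, is_self=False):
    """True if the level granted to the requester covers the wanted privilege."""
    granted = granted_level(clauses, requester, is_self)
    return LEVELS.index(granted) >= LEVELS.index(wanted)

# "access to attrs=shadowLastChange,userPassword" exactly as ordered in the thread
POSTED = [("self", "write"), ("*", "read"), ("anonymous", "auth")]
# Hardened ordering: self-service change, bind for anonymous, nothing for the rest
HARDENED = [("self", "write"), ("anonymous", "auth"), ("*", "none")]
```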
