Discussion:
Allow users to change ldap password with passwd
Real, Elizabeth (392K)
2015-09-18 15:58:22 UTC
This is my setup:

Server: Openldap 2.4.39 installed on RHEL7
Ldap clients: RHEL7 and RHEL5

I set up this directive on the ldap clients (/etc/sssd/sssd.conf) to prevent users with expired accounts from logging in: ldap_pwd_policy = shadow. This works as expected.

Now I need to allow users to reset their ldap password after logging in to an ldap client. This is what is logged when a user attempts to reset their password using passwd:

rhel7 ldap client:
# passwd
Changing password for user real
Current password:
New password:
Retype new password:
passwd: Authentication token manipulation error

rhel7 ldap server: /var/log/secure
pam_unix(passwd:chauthtok): user "real" does not exist in the /etc/passwd
pam_sss(passwd:chauthtok): Password change failed for user real: 28 (Module is unknown)
Gkr-pam: couldn't update the login keyring password: no old password was entered

In an attempt to allow users to change their ldap password, I edited my ACL on the ldap server and added 'shadowLastChange':

dn: olcDatabase={2}hdb,cn=config
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by dn.base="cn=Alien,dc=cluster,dc=sec312" write by anonymous auth by * none
olcAccess: {1}to * by self write by dn.base="cn=Alien,dc=cluster,dc=sec312" write by * read

However that did not work, on the ldap clients I get this on the logs:
pam_unix(sshd:auth): authentication failure
pam_sss(sshd:auth): authentication failure
pam_sss(sshd:auth): received for user real: 4 (System error)

This is the /etc/pam.d/system-auth file on the rhel7 ldap client:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so

password requisite pam_pwquality.so try_first_pass local_users_only retry=3 minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 authtok_type=
password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so

What other directive do I need to set to allow users to reset their ldap password when they call passwd?

Thank you,
Liz
Michael Ströder
2015-09-18 16:27:10 UTC
Post by Real, Elizabeth (392K)
I set up this directive on the ldap clients (/etc/sssd/sssd.conf) to prevent
users with expired accounts to login: ldap_pwd_policy = shadow. This works as
expected.
Use OpenLDAP's slapo-ppolicy instead!
Using shadow account attributes has been deprecated for years.
Post by Real, Elizabeth (392K)
pam_unix(passwd:chauthtok): user "real" does not exist in the /etc/passwd
pam_sss(passwd:chauthtok): Password change failed for user real: 28 (Module is unknown)
Gkr-pam: couldn't update the login keyring password: no old password was entered
This sounds more like PAM and sssd related. So you should sort this out first
- maybe by asking for specific issues on sssd-users mailing list.
Post by Real, Elizabeth (392K)
In an attempt to allow users to change their ldap password, I edited my ACL on
[..]
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by
Think twice! You should not do that because of security issues!

If you really insist on using shadow account attributes you have to use
slapo-smbk5pwd to let slapd set them internally when receiving a Password
Modify extended operation.

Ciao, Michael.
Real, Elizabeth (392K)
2015-09-24 17:47:56 UTC
Michael,

Thank you for your reply.

I made several attempts to configure slapo-ppolicy but I'm not able to get it to work.

I gathered online documentation and did the following on my openldap 2.4.39 RHEL7 server to enable slapo-ppolicy:

* Loaded the ppolicy schema:

# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f ppolicy.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=ppolicy,cn=schema,cn=config"

* Created ldif with the module and overlay: ppolicy1.ldif

dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib64/openldap
olcModuleload: ppolicy.la

dn: olcOverlay=ppolicy,olcDatabase={2}hdb,cn=config
objectClass: olcPPolicyConfig
olcPPolicyDefault: ou=policies,dc=cluster,dc=sec312

* Added the module and overlay:

# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f ppolicy1.ldif

* Created the module ldif: /etc/openldap/slapd.d/cn=config/cn=module{0}.ldif
* Created the overlay ldif: /etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb/olcOverlay={0}ppolicy.ldif

* Created a new ou called policies: ou=policies,dc=*****,dc=*****
* Created a password policy: passwordPolicy.ldif
* Loaded the password policy and I get this error:

# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f passwordPolicy.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "ou=policies,dc=*****,dc=*****"
ldap_add: Object class violation (65)
additional info: attribute 'ou' not allowed

* Restarted slapd as well but I get the same error.

Any advice will be greatly appreciated.

Thank you,
Liz

Michael Ströder
2015-09-24 17:56:54 UTC
Post by Real, Elizabeth (392K)
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f passwordPolicy.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "ou=policies,dc=*****,dc=*****"
ldap_add: Object class violation (65)
additional info: attribute 'ou' not allowed
What does passwordPolicy.ldif look like?
What's the set of object classes used?

Ciao, Michael.
Real, Elizabeth (392K)
2015-09-24 18:07:59 UTC
This is the passwordPolicy.ldif:

dn: ou=policies,dc=*****,dc=*****
objectClass: pwdPolicy
objectClass: person
objectClass: top
cn: policies
sn: policies
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdExpireWarning: 3600
#pwdFailureCountInterval: 30
#pwdGraceAuthNLimit: 5
pwdInHistory: 10
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdMaxAge: 7776000
pwdMaxFailure: 5
pwdMinAge: 0
pwdMinLength: 8
pwdMustChange: FALSE
pwdSafeModify: FALSE


Thank you,
Liz
Michael Ströder
2015-09-24 18:12:20 UTC
Post by Real, Elizabeth (392K)
dn: ou=policies,dc=*****,dc=*****
objectClass: pwdPolicy
objectClass: person
objectClass: top
cn: policies
sn: policies
If that is what you want to use you cannot use ou for forming the RDN.

Simply use instead
dn: cn=policies,dc=*****,dc=*****
to match your entry.

Ciao, Michael.
Real, Elizabeth (392K)
2015-09-24 18:19:49 UTC
I replaced ou with cn, tried loading the ldif and got this message:

# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f passwordPolicy.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=policies,dc=*****,dc=*****"
ldap_add: Insufficient access (50)
additional info: no write access to parent

Thank you,
Liz
Michael Ströder
2015-09-24 18:42:57 UTC
Post by Real, Elizabeth (392K)
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f passwordPolicy.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=policies,dc=*****,dc=*****"
ldap_add: Insufficient access (50)
additional info: no write access to parent
I guess you want to use another bind-DN with -D when writing to your normal DB
backend / naming context dc=*****,dc=*****.

And defining -Y and -D together does not make sense. Please consult the man
page and look at various bind methods more closely.

Ciao, Michael.
Real, Elizabeth (392K)
2015-09-28 22:47:13 UTC
Michael,

I modified the command and was able to implement the password policy using:
# ldapadd -x -W -D cn=****,dc=****,dc=**** -f passwordPolicy.ldif

Verified the policy was applied:
# ldapsearch -x -D cn=****,dc=****,dc=**** -H ldap:// -b dc=****,dc=**** -W

# real, People, ****.****
dn: uid=real,ou=People,dc=****,dc=****
uid: real
homeDirectory: /home/real
memberUid: real
…
…
# policies, ****.****
dn: cn=policies,dc=cluster,dc=sec312
objectClass: pwdPolicy
objectClass: person
objectClass: top
cn:: cG9saWNpZXMg
sn: policies
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdExpireWarning: 3600
pwdInHistory: 10
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdMaxAge: 7776000
pwdMaxFailure: 5
pwdMinAge: 0
pwdMinLength: 8
pwdMustChange: FALSE
pwdSafeModify: FALSE

# search result
search: 2
result: 0 Success

# numResponses: 598
# numEntries: 597

TEST: I reset the password for user 'real' on an ldap client using passwd; the password was successfully changed. However, the new user password did not change on the ldap server. It appears that the policy is not updating the ou that my user 'real' belongs to.

Maybe it’s got to do with my ldap tree and where I configured my password policy (cn=policies), this is how it is now:

dc=****, dc=****
cn=policies
…
…
ou=People
…
…

Thank you,
Liz
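Added example, not code from the thread: a small Python checker that reproduces Michael's RDN point (neither pwdPolicy nor person permits an ou attribute, so slapd rejects the ou=policies entry with "attribute 'ou' not allowed") and decodes the cn:: cG9saWNpZXMg line from the ldapsearch output above, which ldapsearch base64-encodes because the stored cn value ends in a trailing space. The allowed-attribute table is a hand-built subset of the schema, and the sample LDIF reuses the dc=cluster,dc=sec312 suffix shown earlier in the thread.

```python
import base64
import re

# Hand-built subset of the attribute types 'person' and 'pwdPolicy' permit (a real
# slapd consults its loaded schema); enough to reproduce the rejection in the thread.
ALLOWED_BY_CLASS = {
    "top": {"objectClass"},
    "person": {"cn", "sn", "userPassword", "telephoneNumber", "seeAlso", "description"},
    "pwdPolicy": {"pwdAttribute", "pwdMinAge", "pwdMaxAge", "pwdInHistory",
                  "pwdCheckQuality", "pwdMinLength", "pwdExpireWarning",
                  "pwdGraceAuthNLimit", "pwdLockout", "pwdLockoutDuration",
                  "pwdMaxFailure", "pwdFailureCountInterval", "pwdMustChange",
                  "pwdAllowUserChange", "pwdSafeModify"},
}

def parse_ldif_entry(text):
    """Parse one LDIF entry into (dn, {attribute: [values]}): unfolds
    continuation lines, skips '#' comments and decodes 'attr:: <base64>'."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:          # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    dn, attrs = None, {}
    for line in lines:
        m = re.match(r"^([A-Za-z][\w;-]*)(::?) ?(.*)$", line)
        if not m:
            raise ValueError(f"malformed LDIF line: {line!r}")
        name, sep, value = m.groups()
        if sep == "::":                            # ldapsearch base64-encodes values
            value = base64.b64decode(value).decode("utf-8")  # it cannot print safely
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    if dn is None:
        raise ValueError("entry has no dn")
    return dn, attrs

def check_policy_entry(text):
    """Problems an admin would want to see before running ldapadd on the entry."""
    dn, attrs = parse_ldif_entry(text)
    problems = []
    classes = attrs.get("objectClass", [])
    allowed = set().union(*(ALLOWED_BY_CLASS.get(oc, set()) for oc in classes))
    # The RDN attribute must be allowed by the object classes and its value must be
    # present in the entry (assumes no escaped ',' or '=' in the DN).
    rdn_attr, rdn_value = dn.split(",", 1)[0].split("=", 1)
    if rdn_attr not in allowed:
        problems.append(f"attribute '{rdn_attr}' not allowed")      # slapd's wording
    elif rdn_value.strip() not in [v.strip() for v in attrs.get(rdn_attr, [])]:
        problems.append(f"RDN value {rdn_value!r} is not a value of {rdn_attr}")
    for name, values in attrs.items():
        if name != "objectClass" and name not in allowed:
            problems.append(f"attribute '{name}' not allowed")
        for v in values:
            if v != v.strip():
                problems.append(f"{name} value {v!r} has leading/trailing whitespace")
    return problems

# Constructed inputs: the rejected 'ou=' version of the thread's policy, and the
# stored entry as ldapsearch printed it ('cn::' because the value ends in a space).
REJECTED_LDIF = """dn: ou=policies,dc=cluster,dc=sec312
objectClass: pwdPolicy
objectClass: person
objectClass: top
cn: policies
sn: policies
pwdAttribute: userPassword
"""
STORED_LDIF = (REJECTED_LDIF.replace("dn: ou=policies", "dn: cn=policies")
                            .replace("cn: policies", "cn:: cG9saWNpZXMg"))
```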
Michael Ströder
2015-09-29 05:57:57 UTC
Elizabeth,

sorry, your wording does not result in any valid interpretation on my side.
In particular, you obfuscated too much.

To see what's really going on you should again carefully examine your
configuration, slapd logs and check the command-lines more carefully.

Ciao, Michael.
--
Michael Ströder Klauprechtstr. 11
Dipl.-Inform. D-76137 Karlsruhe, Germany
Tel.: +49 721 8304316 Mobil: +49 170 2391920
E-Mail: ***@stroeder.com http://www.stroeder.com
Real, Elizabeth (392K)
2015-10-05 20:17:54 UTC
I have reinstalled openldap and applied slapo-ppolicy carefully looking at man pages and the configuration.

How do I then apply this to existing openldap accounts?

Thank you,
Liz
Craig White
2015-10-05 21:41:25 UTC
You need to have a 'pwdPolicySubentry' attribute assigned to each user and the value for that attribute would have to be a valid DN of the password policy itself.

For example, below is what I used to add password policy recently - fix as needed, YMMV

#!/bin/bash
#
# assign password policy to LDAP users (one uid per line in the file 'users')
# note: -w puts the bind password in the process list; -y <file> reads it from a file instead
for USER in $(cat users); do
  ldapmodify -x -D cn=rootbinddn,dc=example,dc=com -w "$SOME_PASSWORD" <<!
dn: uid=$USER,ou=people,dc=example,dc=com
changetype: modify
add: pwdPolicySubentry
pwdPolicySubentry: cn=personnelpp,ou=Policies,dc=example,dc=com
!
done

Craig
Real, Elizabeth (392K)
2015-10-05 22:40:48 UTC
Thanks for the tip. I added the pwdPolicySubentry to one user but it did not work, the attribute is not listed for the user.

I read that this attribute has to be enabled in the ppolicy schema?? I looked at my ppolicy schema which is located here: /etc/openldap/slapd.d/cn=config/cn=schema/cn={3}ppolicy.ldif HOWEVER I did not find pwdPolicySubentry.

What version of openldap is your suggestion based on? I'm running v2.4.39.

Thanks,
Liz
Craig White
2015-10-05 22:52:32 UTC
You really need to increase your level of LDAP fu.

pwdPolicySubEntry is an operational attribute which won't normally show up.

Google is your friend.

Craig
Ryan Tandy
2015-10-05 22:53:11 UTC
Post by Craig White
You need to have a 'pwdPolicySubentry' attribute assigned to each user
and the value for that attribute would have to be a valid DN of the
password policy itself.
Either that, or an appropriate olcPPolicyDefault configured on the
ppolicy overlay instance (as above, value should be the DN of the
default password policy entry). That will be used for any entry that
doesn't have an explicit pwdPolicySubentry.
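Added example, not Craig's or Ryan's code: it resolves which policy entry slapo-ppolicy will consult for a user (explicit pwdPolicySubentry first, otherwise olcPPolicyDefault), flags the mismatch visible earlier in the thread where the overlay's olcPPolicyDefault was ou=policies,dc=cluster,dc=sec312 but the policy entry was created as cn=policies,dc=cluster,dc=sec312, and emits the modify LDIF that Craig's loop feeds to ldapmodify. It assumes the user entry dict came from an ldapsearch that requested operational attributes ('+' or pwdPolicySubentry by name), since, as Craig notes, the attribute is not returned otherwise.

```python
def normalize_dn(dn):
    """Comparison form of a simple DN: lowercase, whitespace collapsed in and
    around each component. Assumes no escaped ',' or '=' inside values."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        parts.append(f"{attr.strip().lower()}={' '.join(value.split()).lower()}")
    return ",".join(parts)

def effective_policy_dn(entry, olc_ppolicy_default, known_policy_dns):
    """Which pwdPolicy entry slapo-ppolicy consults for 'entry'.
    'entry' must include operational attributes (ldapsearch ... '+'); without
    that, pwdPolicySubentry is silently absent and the default looks to apply.
    Returns (policy_dn, source); raises LookupError when the chosen DN names
    none of the known policy entries (the thread's ou= vs cn= mismatch)."""
    known = {normalize_dn(p) for p in known_policy_dns}
    explicit = entry.get("pwdPolicySubentry", [])
    if explicit:
        dn, source = explicit[0], "pwdPolicySubentry"
    elif olc_ppolicy_default:
        dn, source = olc_ppolicy_default, "olcPPolicyDefault"
    else:
        return None, "no policy (neither per-entry nor overlay default)"
    if normalize_dn(dn) not in known:
        raise LookupError(f"{source} points at {dn!r}, which is not a pwdPolicy entry")
    return dn, source

def assign_policy_ldif(user_dns, policy_dn):
    """The LDIF Craig's loop feeds to ldapmodify: one change record per user."""
    return "\n".join(
        f"dn: {dn}\nchangetype: modify\nadd: pwdPolicySubentry\n"
        f"pwdPolicySubentry: {policy_dn}\n" for dn in user_dns)

# Constructed data matching the thread: the overlay default named ou=policies,
# but the entry that was actually created is cn=policies.
POLICY_DN = "cn=policies,dc=cluster,dc=sec312"
OVERLAY_DEFAULT_AS_CONFIGURED = "ou=policies,dc=cluster,dc=sec312"
USER_REAL = {"uid": ["real"], "homeDirectory": ["/home/real"]}   # no subentry set

def check_thread_config():
    """True when the configured default resolves to an existing policy entry."""
    try:
        effective_policy_dn(USER_REAL, OVERLAY_DEFAULT_AS_CONFIGURED, [POLICY_DN])
        return True
    except LookupError:
        return False
```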
