OpenLDAP and Solaris10 problems
#1, posted 07-12-2011

Hi All,
I have configured OpenLDAP successfully and get the following results, indicating that the user is loaded in the LDAP database:
test5:/ $ cat /etc/passwd | grep admin777
test5:/ $ getent passwd admin777
admin777:x:5011:1000::/:/bin/bash
test5:/ $ id admin777
uid=5011(admin777) gid=1000(users) groups=1000(users)
test5:/ $ ldaplist -l passwd admin777
dn: uid=admin777,ou=People,dc=example,dc=com
shadowMin: 10
sn: sn
userPassword: {SSHA}Uy4yMkk71zNJ6XoAAhoKgjYPzXNnU4r5
loginShell: /bin/bash
uidNumber: 5011
gidNumber: 1000
shadowMax: 30
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: admin777
shadowLastChange: 15166
cn: cn
homeDirectory: /
shadowWarning: 7
test5:/ $
I've also added an overall security policy in the LDAP database:
# Policies, example.com
dn: ou=Policies,dc=example,dc=com
pwdFailureCountInterval: 0
pwdMaxFailure: 3
pwdMustChange: TRUE
pwdAttribute: userPassword
pwdMinLength: 3
ou: Policies
pwdSafeModify: FALSE
pwdInHistory: 6
pwdGraceAuthNLimit: 0
pwdCheckQuality: 1
objectClass: top
objectClass: device
objectClass: pwdPolicy
pwdLockoutDuration: 1920
cn: default
pwdAllowUserChange: TRUE
pwdExpireWarning: 432000
pwdLockout: TRUE
pwdMaxAge: 7516800

But it seems that this policy is not activated. For example, pwdMinLength is set to 3, but when the user changes his/her password it seems that the Solaris policy from the /etc/default/passwd file takes over:
test5:/ $ ssh admin777@10.1.1.5
* * * * * * * * * * * * W A R N I N G * * * * * * * * * * * * * *
THIS SYSTEM IS RESTRICTED TO AUTHORIZED USERS FOR AUTHORIZED USE
ONLY. UNAUTHORIZED ACCESS IS STRICTLY PROHIBITED AND MAY BE
PUNISHABLE UNDER THE COMPUTER FRAUD AND ABUSE ACT OR OTHER
APPLICABLE LAWS. IF NOT AUTHORIZED TO ACCESS THIS SYSTEM,
DISCONNECT NOW. BY CONTINUING, YOU CONSENT TO YOUR KEYSTROKES
AND DATA CONTENT BEING MONITORED. ALL PERSONS ARE HEREBY
NOTIFIED THAT THE USE OF THIS SYSTEM CONSTITUTES CONSENT
TO MONITORING AND AUDITING.
* * * * * * * * * * * * W A R N I N G * * * * * * * * * * * * *
Password:
Last login: Tue Jul 12 11:14:22 2011 from test5.example.
Sun Microsystems Inc. SunOS 5.10 Generic January 2005
Sun Microsystems Inc. SunOS 5.10 Generic January 2005
Sourcing //.profile-EIS.....
test5:/ $ id
uid=5011(admin777) gid=1000(users) groups=1000(users)
test5:/ $ passwd
passwd: Changing password for admin777
Enter existing login password:
New Password:
passwd: Password too short - must be at least 8 characters.

Please try again
New Password:

test5:/ $ cat /etc/default/passwd

#ident @(#)passwd.dfl 1.7 04/04/22 SMI
#
# Copyright 2004 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
MAXWEEKS=13
MINWEEKS=
PASSLENGTH=8

# NAMECHECK enables/disables login name checking.
# The default is to do login name checking.
# Specifying a value of NO will disable login name checking.
#
NAMECHECK=YES

It seems that the Solaris password policy forces the user to use the Solaris policy and ignores the LDAP ppolicy. Below is my slapd.conf file:

test5:/ $ cat /usr/local/etc/openldap/slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/ppolicy.schema
include /usr/local/etc/openldap/schema/DUAConfigProfile.schema
include /usr/local/etc/openldap/schema/solaris.schema
include /usr/local/etc/openldap/schema/java.schema
# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

loglevel 256
pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args

# Load dynamic backend modules:
modulepath /usr/local/libexec/openldap
moduleload ppolicy.la
# modulepath /usr/local/libexec/openldap
# moduleload back_bdb.la
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la

######################################################################
# BDB database definitions
#######################################################################

database bdb
suffix "dc=example,dc=com"

checkpoint 32 30
cachesize 10000
rootdn "cn=Manager,dc=example,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication is encouraged.
rootpw "{SSHA}6FWujVb4YNHJDyniwoWaHTMfXBJBM8u7"

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /usr/local/var/openldap-data
# Indices to maintain
index objectClass eq
index uid,uidNumber,gidNumber,shadowExpire,shadowLastChange eq

overlay ppolicy
ppolicy_default "cn=default,ou=Policies,dc=example,dc=com"
ppolicy_use_lockout

Any ideas would be highly appreciated.

Moderator's Comments: Please do not multi-post.

Last edited by Scott; 07-12-2011 at 07:10 AM. Reason: Closed
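The thread shows two independent length rules: PASSLENGTH=8 in /etc/default/passwd, which passwd(1) on the Solaris client checks locally before it ever sends the new password to the directory, and pwdMinLength: 3 in the pwdPolicy entry, which slapd's ppolicy overlay checks when the modify arrives. It also shows the policy entry with dn: ou=Policies,dc=example,dc=com while ppolicy_default in slapd.conf names cn=default,ou=Policies,dc=example,dc=com; the overlay applies the default policy only to an entry with exactly that DN. The script below is an added example, my own code and not from the poster, OpenLDAP or Solaris. It parses constructed copies of the three inputs (the LDIF entry, /etc/default/passwd and the ppolicy lines of slapd.conf), checks whether the default policy DN resolves to the entry, and reports the minimum length that is actually enforced on the passwd(1) path versus a direct LDAP modify. All function names are my own.

```python
import base64

# Constructed inputs modelled on what the thread shows (not the poster's files).
POLICY_LDIF = """\
# Policies, example.com
dn: ou=Policies,dc=example,dc=com
objectClass: top
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdCheckQuality: 1
pwdMinLength: 3
pwdMaxFailure: 3
pwdLockout: TRUE
"""

PASSWD_DEFAULTS = """\
#ident @(#)passwd.dfl 1.7 04/04/22 SMI
MAXWEEKS=13
MINWEEKS=
PASSLENGTH=8
NAMECHECK=YES
"""

SLAPD_CONF = """\
overlay ppolicy
ppolicy_default "cn=default,ou=Policies,dc=example,dc=com"
ppolicy_use_lockout
"""


def parse_ldif_entry(text):
    """Return {attribute: [values]} for one LDIF entry ('attr:: v' is base64)."""
    attrs = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue  # blank line or LDIF comment
        key, sep, value = line.partition(":")
        if not sep:
            continue
        value = value.strip()
        if value.startswith(":"):  # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        attrs.setdefault(key.strip(), []).append(value.strip())
    return attrs


def parse_passwd_defaults(text):
    """Parse KEY=VALUE lines of /etc/default/passwd; an empty value means unset."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def ppolicy_default_dn(slapd_conf):
    """DN named by the ppolicy_default directive, or None if it is absent."""
    for line in slapd_conf.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0] == "ppolicy_default":
            return parts[1].strip().strip('"')
    return None


def normalize_dn(dn):
    """Case- and whitespace-insensitive DN form, good enough for comparison."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def default_policy_applies(policy, slapd_conf):
    """True only if the entry's dn is the one ppolicy_default points at."""
    target = ppolicy_default_dn(slapd_conf)
    entry_dn = policy.get("dn", [""])[0]
    return target is not None and normalize_dn(target) == normalize_dn(entry_dn)


def effective_min_length(policy, defaults, via_passwd_cmd=True, policy_applies=True):
    """Minimum length a new password must satisfy on the given change path.

    passwd(1) enforces PASSLENGTH locally before contacting the directory; the
    ppolicy overlay enforces pwdMinLength only while pwdCheckQuality is 1 or 2
    and only for entries the policy actually governs. Both must be satisfied.
    """
    ldap_min = 0
    if policy_applies and policy.get("pwdCheckQuality", ["0"])[0] in ("1", "2"):
        ldap_min = int(policy.get("pwdMinLength", ["0"])[0])
    local_min = int(defaults.get("PASSLENGTH") or 0) if via_passwd_cmd else 0
    return max(ldap_min, local_min)


def report(policy_ldif=POLICY_LDIF, defaults_text=PASSWD_DEFAULTS, slapd_conf=SLAPD_CONF):
    """Summarise which rule wins on each path; returned as a dict for reuse."""
    policy = parse_ldif_entry(policy_ldif)
    defaults = parse_passwd_defaults(defaults_text)
    applies = default_policy_applies(policy, slapd_conf)
    return {
        "policy_dn_matches_ppolicy_default": applies,
        "min_len_via_passwd": effective_min_length(policy, defaults, True, applies),
        "min_len_via_ldap_modify": effective_min_length(policy, defaults, False, applies),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

With the thread's values the report says the default policy does not resolve to the entry (dn mismatch), so the server enforces nothing and the only rule the user meets is the client's PASSLENGTH=8, which is exactly the "must be at least 8 characters" message seen. Even after the DN is fixed, a change made through passwd(1) must pass both checks, so the stricter of the two (8) still wins; only a change sent straight to the directory would see pwdMinLength alone. One further caveat from slapo-ppolicy(5): with pwdCheckQuality set to 1 the overlay accepts a value it cannot inspect (for instance one the client already hashed), whereas 2 rejects it.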