Openldap: Is it possible to use "userPassword" instead of "2.5.4.35" for pwdAttribute?

I am using Openldap 2.4.11 on Fedora Core 13.

I am trying to create a password policy:

 dn: cn=default,ou=policies,dc=estream,dc=com,dc=my
 objectClass: person
 objectClass: pwdPolicy
 objectClass: top
 cn: default
 pwdAttribute: 2.5.4.35
 sn: test

If I point pwdAttribute to "userPassword", I get an error:

 LDAP: error code 21 - pwdAttribute: value #0 invalid per syntax 

Instead, I force the OID for pwdAttribute:

 pwdAttribute: 2.5.4.35 

Is it possible to use "userPassword" instead of "2.5.4.35" for pwdAttribute?

I'm also trying to configure OpenLDAP to load the ppolicy.la module in cn=config, but it doesn't seem to work either, even after restarting the slapd service several times:

 dn: cn=module{0},cn=config
 objectClass: olcConfig
 objectClass: olcModuleList
 objectClass: top
 cn: module{0}
 olcModuleLoad: {0}/usr/lib64/openldap/ppolicy.la
+8
ldap openldap
4 answers

Instead, I force the OID for pwdAttribute:

You can specify either the OID or the attribute name, provided that both the corresponding schema and the ppolicy overlay are loaded.

Why does your entry have objectClass: person? A password policy is not a person. Usually objectClass: device is used as the structural class for password policies.

+6

EJP's answer is incorrect, in my experience.

I got the same error message with OpenLDAP 2.4.29. The password policy overlay allows you to use pwdAttribute: userPassword, but only if the overlay is enabled. Otherwise, the value will be rejected with the message above (pwdAttribute: value #0 invalid per syntax).

If your OpenLDAP installation uses dynamic modules, be sure to enable

 moduleload ppolicy.la 

in your slapd.conf file (or the corresponding equivalent in the cn=config database).

Then load the overlay for the appropriate database:

 database bdb
 suffix "o=example.com"
 rootdn "cn=Directory Manager,o=example.com"
 rootpw password
 directory /opt/openldap-2.4.29/var/openldap-data/example.com
 overlay ppolicy

Before loading the overlay, I could only provide the OID for pwdAttribute. After rebuilding with --enable-ppolicy and adding an overlay entry, I was able to use ldapmodify to replace pwdAttribute: 2.5.4.35 with pwdAttribute: userPassword.

I had to update the pwdAttribute value after loading the overlay.

+6

I just ran into this problem and solved it differently from the previous answer. I installed a new LDAP server on CentOS 6.4 (for possible deployment on RHEL 6.4), and by default it uses the cn=config configuration scheme, so all the (no doubt excellent) instructions for changing slapd.conf don't apply.

The cn=config method (also called "slapd.d" on some websites) takes many steps to get overlays working. In the standard CentOS 6.4 LDAP package I was dealing with, the ppolicy schema was included, but it was not activated.

For this to happen, there were many steps:

Firstly, since the "ppolicy" module is dynamic, you have to make sure that it is included in the list of runtime modules. The CentOS installation did not have a module list by default, so I had to enable modules first and then add ppolicy to the list. This LDIF does that:

 dn: cn=Module{0},cn=config
 objectClass: olcModuleList
 cn: Module{0}
 olcModuleLoad: ppolicy

If you later want to add additional modules, just add additional olcModuleLoad entries to this dn.

Secondly, you must add an overlay for the database(s) to which you want to apply it. Create another dn like this:

 dn: olcOverlay=ppolicy,olcDatabase={2}bdb,cn=config
 objectClass: olcPPolicyConfig
 olcOverlay: ppolicy

These first two steps are performed in the cn=config domain, that is, outside the database, by the root user of the machine. The next steps are in the scope of "dc=example,dc=com", and therefore can be done using the rootDN.

The third step is to create a container for your password policies. This may be optional, I'm not sure; I created a dn like:

 dn: ou=pwpolicies,dc=example,dc=com
 objectClass: organizationalUnit
 objectClass: top
 ou: pwpolicies

Fourth, create your actual policy. People who have encountered this error already have this: it is the dn with the "pwdAttribute" attribute that receives the syntax error. Naturally, mine was inside the ou container, and I used the objectClass "device" in addition to "pwdPolicy", as suggested elsewhere.

Finally, you can actually use this policy, of course.

This whole process was made more confusing for me because most of the documentation describes how to configure slapd.conf. I collected most of this information from Zytrax's book "LDAP for Rocket Scientists", which covers modules and overlays very well, but has an incorrect or outdated example (missing a structural object class) in the password policy section.

+1
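The following is an added example written for this page, not code from any of the posters: a pre-flight check for the cn=config procedure in this answer and the slapd.conf procedure in the answer before it. It generates the module, overlay, container and policy entries as LDIF, parses them back with a minimal LDIF reader, and reports the two problems the thread describes (pwdAttribute given by name before the overlay is loaded, and a policy entry without the device structural class). The acceptance rule in check_pwd_attribute is a model of what the posters report, not slapd's own code; the database index and the bdb backend in the overlay DN are assumptions matching the examples above, and nothing here talks to a running server.

```python
import re

# Constructed for this example: what the thread reports about pwdAttribute.
# A numeric OID is always accepted; the descriptive name (userPassword) was
# only accepted once the ppolicy overlay was loaded, and otherwise rejected
# with "value #0 invalid per syntax".
USERPASSWORD_OID = "2.5.4.35"
KNOWN_ATTRS = {"userpassword": USERPASSWORD_OID}   # extend for other attrs
NUMERIC_OID = re.compile(r"^\d+(\.\d+)+$")


def parse_ldif(text):
    """Minimal LDIF reader: one {attr(lowercase): [values]} dict per entry.
    Handles blank-line separated entries and leading-space continuation
    lines; base64 (::) values and changetype records are not supported."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # fold continuation line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:             # trailing "" flushes last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def check_pwd_attribute(value, overlay_loaded):
    """Model of the behaviour described in the answers: returns
    (accepted, oid_or_reason)."""
    if NUMERIC_OID.match(value):
        return True, value
    oid = KNOWN_ATTRS.get(value.lower())
    if oid is None:
        return False, f"unknown attribute type {value!r}"
    if not overlay_loaded:
        return False, "value #0 invalid per syntax (ppolicy overlay not loaded)"
    return True, oid


def check_module_entry(entry):
    """Accept 'ppolicy', 'ppolicy.la', or a {n}/path/ppolicy.la form."""
    loads = entry.get("olcmoduleload", [])
    names = [re.sub(r"^\{\d+\}", "", v).rsplit("/", 1)[-1] for v in loads]
    return [] if any(n in ("ppolicy", "ppolicy.la") for n in names) \
        else ["ppolicy is not listed in olcModuleLoad"]


def check_policy_entry(entry, overlay_loaded):
    """Return a list of problems with a pwdPolicy entry (empty = fine)."""
    problems = []
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if "pwdpolicy" not in classes:
        problems.append("missing objectClass pwdPolicy")
    if "device" not in classes:
        problems.append("use objectClass device as the structural class, not person")
    values = entry.get("pwdattribute", [])
    if len(values) != 1:
        problems.append("pwdAttribute must have exactly one value")
    else:
        ok, why = check_pwd_attribute(values[0], overlay_loaded)
        if not ok:
            problems.append(f"pwdAttribute: {why}")
    return problems


def build_ppolicy_ldif(suffix, db_index, pwd_attribute="userPassword",
                       policy_ou="pwpolicies", policy_cn="default"):
    """The four cn=config steps from the answer above as LDIF strings.
    db_index is the N in olcDatabase={N}bdb (assumed bdb backend)."""
    return {
        "module": ("dn: cn=module{0},cn=config\nobjectClass: olcModuleList\n"
                   "cn: module{0}\nolcModuleLoad: ppolicy\n"),
        "overlay": (f"dn: olcOverlay=ppolicy,olcDatabase={{{db_index}}}bdb,cn=config\n"
                    "objectClass: olcPPolicyConfig\nolcOverlay: ppolicy\n"),
        "container": (f"dn: ou={policy_ou},{suffix}\nobjectClass: organizationalUnit\n"
                      f"objectClass: top\nou: {policy_ou}\n"),
        "policy": (f"dn: cn={policy_cn},ou={policy_ou},{suffix}\n"
                   "objectClass: pwdPolicy\nobjectClass: device\nobjectClass: top\n"
                   f"cn: {policy_cn}\npwdAttribute: {pwd_attribute}\n"),
    }


def preflight(suffix, db_index, pwd_attribute, overlay_loaded):
    """Build the LDIF, parse it back, and return problems per step."""
    ldifs = build_ppolicy_ldif(suffix, db_index, pwd_attribute)
    entries = {step: parse_ldif(text)[0] for step, text in ldifs.items()}
    return {
        "module": check_module_entry(entries["module"]),
        "policy": check_policy_entry(entries["policy"], overlay_loaded),
    }


if __name__ == "__main__":
    for loaded in (False, True):   # constructed demo: before/after the overlay
        print("overlay loaded:", loaded, "->",
              preflight("dc=example,dc=com", 2, "userPassword", loaded)["policy"])
```

The module and overlay LDIF would be applied to cn=config as the machine's root user (for example with ldapadd -Y EXTERNAL -H ldapi:///), and the container and policy LDIF to the data database as the rootDN, in that order, which is why the check flags the name form of pwdAttribute until the overlay step has been applied.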

I converted from version 2.3 to 2.4 on a new server and got the same error on Red Hat 6.3. Instead, I used pwdAttribute: 2.5.4.35 and it loaded without problems.

0
