Comments on: OpenLDAP How To (Fedora)

By: Artimus

Artimus — Mon, 08 Apr 2013 21:24:06 +0000

I’m trying to get ppolicy setup, but I’m hitting a wall here.
Running CentOS 6.4, OpenLDAP 2.4.23.

I’ve followed a few howtos today which all looked simular to this. However I cannot get LDAP to enforce the policy.

One thing that looks odd to me is how the policy gets looked up. According to the slapd log, the base is empty.

onn=1006 op=3 SRCH base=”" scope=0 deref=0 filter=”(?objectClass=passwordPolicy)”

However If i manually bind as the user and update my passwd with an ldif, it has no problem letting me set my password to 1234.

Any pointers?

By: Sunil Tumma

Sunil Tumma — Tue, 02 Apr 2013 09:11:53 +0000

Thanks for the reply.

Yes this is not possible. User can login into individual domain with their individual credentials.

By: Chris

Chris — Mon, 01 Apr 2013 10:33:08 +0000

Hi Sunil,

Sorry I have no idea about that one and I’d have to Google it. My guess is no, because a user’s account is a part of a tree, and there would need to be some way to mirror parts of the trees, which might be possible but I don’t know.

-c

By: Sunil Tumma

Sunil Tumma — Mon, 01 Apr 2013 07:31:18 +0000

Hi Chris,

Can i configure multiple domains in Openldap. And can i configure the same user can authenticate with multiple domains.

Regards,
Sunil Tumma

By: Chris

Chris — Mon, 11 Mar 2013 07:29:45 +0000

Hi Kenji,

It’s now part of the how to:
http://blog.christophersmart.com/articles/openldap-how-to-fedora/#ppolicy

Hope that helps,
Chris

By: kenji

kenji — Mon, 11 Mar 2013 03:49:55 +0000

Hi there Chris and Sunil. I setup LDAP in Ubuntu 10.04. Everything works fine ubuntu client able to login. But one thing that I’m trying to working out for morethan 2 months now is the passwordPolicy overlay. Its proven that “shadowAccount” is not enough, only shadowExpire attributes works. I really want to work is the “shadowWarning” wherein client will be inform that thier login authentication will soon expire so they have to change thier password. I’ve believe that “ppolicy overlay” is what I needed. I have succesfully add ppolicy in my cn=config. But its seems not working..

@ Sunil can you also sent me a copy of the procedure you made..
@ Chris pls help. thanks

By: Chris

Chris — Fri, 08 Mar 2013 05:37:54 +0000

I’ve added it to the article here:
http://blog.christophersmart.com/articles/openldap-how-to-fedora/#ppolicy

By: Sunil Tumma

Sunil Tumma — Fri, 08 Mar 2013 05:16:07 +0000

Definitely Chris…

By: Chris

Chris — Thu, 07 Mar 2013 09:16:45 +0000

Glad to hear it! Do you want to post how you did it? Then it might help others.

-c

By: Sunil Tumma

Sunil Tumma — Thu, 07 Mar 2013 08:09:23 +0000

Hi Chris,

The password policies problem has been resolved.

Password Policies using overlay has been configured successfully and tested on CentOS client machines. Thanks for the help and procedure provided on this forum.

Still working on Windows authentication via ldap server using pGina client software.

Regards,
Sunil Tumma