OpenLDAP: Is it possible to use "userPassword" instead of "2.5.4.35" for pwdAttribute?

4

11

I am using OpenLDAP 2.4.11 on Fedora Core 13.

I am trying to create a password policy:

dn: cn=default,ou=policies,dc=estream,dc=com,dc=my
objectClass: person
objectClass: pwdPolicy
objectClass: top
cn: default
pwdAttribute: 2.5.4.35
sn: test

If I specify pwdAttribute as "userPassword", I get an error:

LDAP: error code 21 - pwdAttribute: value #0 invalid per syntax

Instead, I have to use the OID for pwdAttribute:

pwdAttribute: 2.5.4.35

Is it possible to use "userPassword" instead of "2.5.4.35" for pwdAttribute?

I attempted to configure OpenLDAP to load the module ppolicy.la in cn=config, but it doesn't seem to work either, even after restarting the slapd service a few times:

dn: cn=module{0},cn=config
objectClass: olcConfig
objectClass: olcModuleList
objectClass: top
cn: module{0}
olcModuleLoad: {0}/usr/lib64/openldap/ppolicy.la
Incandescence answered 7/4, 2011 at 7:48 Comment(0)
5

"Instead, I have to use the OID for pwdAttribute:"

You can specify either an OID or the attribute name, provided both the relevant schema and the ppolicy overlay are loaded.

Why have you got objectClass=person in there? A password policy isn't a person. It's customary to use objectClass=device as the structural class for password policies.

Sami answered 7/4, 2011 at 8:09 Comment(3)
Thanks. I am not aware of objectClass=device. I simply put a structural class for it. – Incandescence
I have few OU. Each OU has few persons. Can I assign different password policy to OUs? If yes, how may I do that? – Incandescence
No, you have to set it per person. – Sami
6

EJP's answer is incorrect, in my experience.

I received the same error message running OpenLDAP 2.4.29. The password policy overlay allows the use of pwdAttribute: userPassword, but only if the overlay is enabled. Otherwise the value will be rejected with the message above (pwdAttribute: value #0 invalid per syntax).

If your OpenLDAP installation uses dynamic modules, be sure to include

moduleload      ppolicy.la

in your slapd.conf file (or the suitable equivalent in your cn=config database).

Then load the overlay for the appropriate database:

database        bdb
suffix          "o=example.com"
rootdn          "cn=Directory Manager,o=example.com"
rootpw          password
directory       /opt/openldap-2.4.29/var/openldap-data/example.com
overlay         ppolicy

Prior to loading the overlay, I could only supply the OID for pwdAttribute. After rebuilding with --enable-ppolicy and adding the overlay entry, I was able to use ldapmodify to replace pwdAttribute: 2.5.4.35 with pwdAttribute: userPassword.

I did have to refresh the value of pwdAttribute after loading the overlay.

Cleghorn answered 20/3, 2012 at 18:59 Comment(5)
You are right about pwdAttribute: userPassword. I just tried it right now. – Bibelot
Well of course it only works if it is enabled. That hardly makes my answer incorrect. – Sami
The original answer said that it was necessary to give the OID, which was incorrect. An edit was made a couple of years later to make your answer say the same thing that I'd already pointed out, which is that the overlay allows either OID or name to be specified. – Cleghorn
In other words I amended my answer to be correct, and you haven't amended yours to be correct. – Sami
The timestamp and edit histories make it clear enough. Nothing about mine is incorrect when you consider the context; at worst it's dated. I don't actively maintain old answers in the off chance that someone else corrected their own wrong answers. – Cleghorn
2

I just ran into this issue, and solved it differently from the foregoing. I am setting up a new LDAP server on CentOS 6.4 (for eventual deployment on RHEL 6.4), and it defaults to the "(cn=config)" configuration scheme, so all the (no doubt excellent) instructions above for modifying slapd.conf don't apply.

In the "(cn=config)" way (also called "slapd.d" on some websites), there are lots of steps to getting overlays to work. The default CentOS 6.4 LDAP I was dealing with included the ppolicy schema, but it wasn't activated.

To get it going, there were many steps:

First, the "ppolicy" module is dynamic, so you have to make sure it's included in the list of run-time modules. The default CentOS install didn't have any, so I first had to turn on modules, and then add ppolicy to the list. This LDIF does it:

dn: cn=Module{0},cn=config
objectClass: olcModuleList
cn: Module{0}
olcModuleLoad: ppolicy

If you later want to add more modules, just append additional olcModuleLoad entries to this dn.

Second, you have to turn on the overlay for the database(s) to which you want it to apply. Create another dn, thus:

dn: olcOverlay=ppolicy,olcDatabase={2}bdb,cn=config
objectClass: olcPPolicyConfig
olcOverlay: ppolicy

These first two steps get done in the "cn=config" domain, i.e. outside the database, by the root user of the machine. Subsequent steps are in "dc=example,dc=com" scope, and so can be done by the rootDN.

The third step is to create a container for your password policies. This might be optional, I'm not sure -- I created a dn like:

dn: ou=pwpolicies,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: pwpolicies

Fourth, create your actual policy -- people who have run into this error already have this; this is the dn with the "pwdAttribute" line that's getting the syntax error. With the foregoing overlay and module work done right, you can use "pwdAttribute: userPassword" without getting a syntax error. My policy was inside the ou container, of course, and I used an objectClass of "device" in addition to "pwdPolicy", as has been suggested elsewhere.

Finally, you can then actually use the policy, of course.

This whole process was made more confusing for me because so much of the documentation out there is about how to set up slapd.conf. I pieced most of this together from the Zytrax "LDAP for Rocket Scientists" book, which covers the module and overlay stuff very well, but has a wrong or obsolete example (missing a structural object class) in their password policy section.

Consumedly answered 21/8, 2013 at 21:08 Comment(1)
Thank you, great answer. I also had to do this: ldapadd -QY EXTERNAL -f /etc/ldap/schema/ppolicy.ldif to load the schema. – Moss
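The steps in this answer (module, overlay, container, policy, and then using the policy), and the cn=config counterpart of the moduleload/overlay lines in Cleghorn's slapd.conf answer, as one script. This is an added example, not code from the thread or from the OpenLDAP project. The names in its header comment are assumptions (olcDatabase={2}bdb, suffix dc=example,dc=com, rootdn cn=Manager, a policy entry cn=default,ou=pwpolicies, a user uid=alice), and the olcPPolicyDefault and pwdPolicySubentry attributes it uses to attach the policy to entries are ppolicy overlay attributes not mentioned anywhere in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Writes the LDIF for each step of the
# cn=config ("slapd.d") procedure and applies it with the OpenLDAP client tools.
# Assumed names (adjust to your directory): database olcDatabase={2}bdb, suffix
# dc=example,dc=com, rootdn cn=Manager,dc=example,dc=com, policy entry
# cn=default,ou=pwpolicies,dc=example,dc=com, user uid=alice,ou=people,dc=example,dc=com.
SUFFIX="dc=example,dc=com"
ROOTDN="cn=Manager,$SUFFIX"
DBDN="olcDatabase={2}bdb,cn=config"
POLICY_DN="cn=default,ou=pwpolicies,$SUFFIX"
USER_DN="uid=alice,ou=people,$SUFFIX"

# Step 1: register the dynamic module. If slapd cannot find it, add an
# olcModulePath line naming the directory that holds ppolicy.la
# (the question shows /usr/lib64/openldap on Fedora).
module_ldif() {
  cat <<EOF
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModuleLoad: ppolicy
EOF
}

# Step 2: attach the overlay to the data database. olcPPolicyDefault names the
# policy that applies to every entry without its own pwdPolicySubentry.
overlay_ldif() {
  cat <<EOF
dn: olcOverlay=ppolicy,$DBDN
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: $POLICY_DN
EOF
}

# Steps 3 and 4: the container and the policy itself. device is the structural
# class; with the overlay loaded, pwdAttribute may be given by name.
policy_ldif() {
  cat <<EOF
dn: ou=pwpolicies,$SUFFIX
objectClass: organizationalUnit
ou: pwpolicies

dn: $POLICY_DN
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdMinLength: 8
pwdMaxFailure: 5
pwdLockout: TRUE
EOF
}

# Final step: bind one user to the policy explicitly (per person, as Sami says);
# entries without this attribute fall back to olcPPolicyDefault.
user_ldif() {
  cat <<EOF
dn: $USER_DN
changetype: modify
replace: pwdPolicySubentry
pwdPolicySubentry: $POLICY_DN
EOF
}

# Does the LDIF on stdin contain exactly this "attribute: value" line?
has_line() {
  grep -q -x -F -- "$1"
}

# cn=config changes bind as the local root via ldapi:///; data changes bind as
# the rootdn (-W prompts for its password). Run each step once, in order.
apply_all() {
  module_ldif  | ldapadd -Q -Y EXTERNAL -H ldapi:///
  overlay_ldif | ldapadd -Q -Y EXTERNAL -H ldapi:///
  policy_ldif  | ldapadd -x -H ldapi:/// -D "$ROOTDN" -W
  user_ldif    | ldapmodify -x -H ldapi:/// -D "$ROOTDN" -W
}

# Check the result: the overlay entry exists and pwdAttribute reads back by name.
verify() {
  ldapsearch -Q -Y EXTERNAL -H ldapi:/// -b "$DBDN" "(olcOverlay=ppolicy)" olcPPolicyDefault
  ldapsearch -x -H ldapi:/// -D "$ROOTDN" -W -b "$POLICY_DN" -s base pwdAttribute
}

case "${1:-}" in
  show)   module_ldif; echo; overlay_ldif; echo; policy_ldif; echo; user_ldif ;;
  apply)  apply_all ;;
  verify) verify ;;
esac
```

Run it as `sh ppolicy-setup.sh show` to inspect the LDIF before touching the server, `apply` to load it (the module and overlay steps must succeed before the policy step, otherwise ldapadd of the policy returns error code 21 exactly as in the question), and `verify` to confirm that the policy entry reads back with pwdAttribute: userPassword.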
1

I converted my 2.3 to 2.4 on a new server and I was getting the same error on Red Hat 6.3. I used pwdAttribute: 2.5.4.35 instead and it loaded without issue.

Eliason answered 28/12, 2012 at 14:27 Comment(0)