[ltb-dev] [LDAP Tool Box - Bug #301] can't make check_password work

noreply@lsc-project.org
Fri Feb 4 18:34:44 CET 2011


Issue #301 has been updated by Hanxin Wu.

File Makefile added
File check_password.c added
File check_password.conf added
File BAH-ppolicy.ldif added
File BAH-user.ldif added

These are the instructions I followed to install Berkeley DB and OpenLDAP:

Install Berkeley DB 4.7.25 with all Latest Patches
Download and extract Berkeley DB 4.7.25 from Oracle into /opt/db-4.7.25 using the following commands: 
cd /opt/ 
wget http://download.oracle.com/berkeley-db/db-4.7.25.tar.gz  
tar zxvf db-4.7.25.tar.gz 
cd db-4.7.25 
Install patch.4.7.25.1-4 using the following commands: 
wget http://download.oracle.com/berkeley-db/patches/db/4.7.25/patch.4.7.25.1 
wget http://download.oracle.com/berkeley-db/patches/db/4.7.25/patch.4.7.25.2 
wget http://download.oracle.com/berkeley-db/patches/db/4.7.25/patch.4.7.25.3 
wget http://download.oracle.com/berkeley-db/patches/db/4.7.25/patch.4.7.25.4 
patch -p0 < patch.4.7.25.1 
patch -p0 < patch.4.7.25.2 
patch -p0 < patch.4.7.25.3 
patch -p0 < patch.4.7.25.4 
Compile and install Berkeley DB 4.7.25 using the following commands: 
cd build_unix/ 
../dist/configure --enable-ppolicy --prefix=/opt/db-4.7.25/db4 
make 
make install 

Install OpenLDAP 2.4.21
Download and extract OpenLDAP 2.4.21 into /opt/openldap-2.4.21 using the following commands: 
cd /opt/ 
wget ftp://ftp.openldap.org/pub/OpenLDAP/openldap-stable/openldap-stable-20100219.tgz  
tar zxvf openldap-stable-20100219.tgz 
cd openldap-2.4.21 
Compile and install OpenLDAP 2.4.21 using the following commands: 
export CPPFLAGS="-I/opt/db-4.7.25/db4/include" 
export LDFLAGS="-L/opt/db-4.7.25/db4/lib -R/opt/db-4.7.25/db4/lib" 
export LD_LIBRARY_PATH=/opt/db-4.7.25/build_unix/.libs 
./configure --prefix=/opt/openldap --enable-ppolicy=mod --enable-modules=yes --enable-dynamic=yes
if errors 
if you see "configure: error: could not locate libtool ltdl.h", run the following commands to install libtool:
sudo yum install libtool
cp /usr/share/libtool/libltdl/ltdl.h /usr/include/ 
if you see "configure: error: could not locate libtool -lltdl", run the following commands:
cd /usr/share/libtool/libltdl
./configure
make
make install 
if you see "configure: error: Berkeley DB version mismatch", update Berkeley DB 
make depend 
make 
make test (this command is optional and tests the build - replication tests will not pass at this point) 
sudo make install 

Here are the steps I followed to build the check_password module:
I updated Makefile file to match the path in my environment.
I updated check_password.c to meet my client's requirement.
copied all files to /opt/check_password/
cd /opt/check_password/
make
make install LIBDIR='/opt/openldap/lib'
(no errors)

Here is the configuration I made
updated slapd.conf, ldap.conf, syslog.conf
in slapd.conf, added the following:
......
include      /opt/openldap/etc/openldap/schema/ppolicy.schema
include      /opt/openldap/etc/openldap/schema/BAH.schema
......
modulepath /opt/openldap/libexec/openldap
moduleload ppolicy.so
......
access to dn.subtree="o=BAH" 
        by self write
        by dn.base="mail=pwd_admin@bah.com,ou=users,o=BAH" write
        by users read
        by anonymous auth
......
loglevel 256
logfile  /var/log/openldap.log

in ldap.conf, uncommented
pam_lookup_policy yes

in /etc/syslog.conf, added
local4.*    /var/log/openldap.log

I installed Apache Directory studio to load ldif file

The LDIF files for the users and the ppolicy are attached.

To make the password policy kick in on changes, I created a connection to LDAP using the pwd_admin account, which is allowed to change the password of any user. 

problems:
1) It keeps popping up "Password fails quality checking policy" even though I provide a perfect password, e.g. Q!W@E#R$t5y6u7i8
2) No log info is found from the check_password module although DEBUG is defined in the Makefile. I can see lots of info from the ppolicy module.
e.g. 
Feb  4 17:07:52 bahldap slapd[17074]: conn=1036 op=13 RESULT tag=103 err=19 text=Password is too young to change
......
Feb  4 17:08:17 bahldap slapd[17074]: conn=1036 op=16 RESULT tag=103 err=19 text=Password fails quality checking policy
3) It seems check_password never kicked in. It returns failure by default.

Questions
1) How do I set up logging for check_password? I added some code in check_password.c, trying to write log info to a file. But I never see the file being created. I guess the check_password module was never executed.
2) Did you see any problems with ppolicy and user structure? I was wondering whether the ppolicy applies to everyone or not.

If you need more info, please let me know.
Thank you very much.

-- H.Wu from Booz Allen

----------------------------------------
Bug #301: can't make check_password work
http://tools.lsc-project.org/issues/301

Author: Hanxin Wu
Status: New
Priority: Normal
Assigned to: 
Category: OpenLDAP check password
Target version: 


I have openldap-2.4.21 installed in the latest Red Hat Linux VM. I was trying to make the check_password function work by following the instructions at http://ltb-project.org/wiki/documentation/openldap-ppolicy-check-password, but I can never make it work. If gurus here are willing to help, I would provide detailed info.
Thanks in advance.

