[ltb-dev] [LDAP Tool Box - Bug #301] can't make check_password work

noreply at lsc-project.org noreply at lsc-project.org
Fri Feb 4 18:34:44 CET 2011

Issue #301 has been updated by Hanxin Wu.

File Makefile added
File check_password.c added
File check_password.conf added
File BAH-ppolicy.ldif added
File BAH-user.ldif added

This is the instruction I followed to install Berkeley DB and OpenLDAP:

Install Berkeley DB 4.7.25 with all Latest Patches
Download and extract Berkeley DB 4.7.25 from Oracle into /opt/db-4.7.25 using the following commands: 
cd /opt/ 
wget http://download.oracle.com/berkeley-db/db-4.7.25.tar.gz  
tar zxvf db-4.7.25.tar.gz 
cd db-4.7.25 
Install patch. using the following commands: 
wget http://download.oracle.com/berkeley-db/patches/db/4.7.25/patch. 
wget http://download.oracle.com/berkeley-db/patches/db/4.7.25/patch. 
wget http://download.oracle.com/berkeley-db/patches/db/4.7.25/patch. 
wget http://download.oracle.com/berkeley-db/patches/db/4.7.25/patch. 
patch -p0 < patch. 
patch -p0 < patch. 
patch -p0 < patch 
patch -p0 < patch 
Compile and install Berkeley DB 4.7.25 using the following commands: 
cd build_unix/ 
../dist/configure --enable-ppolicy --prefix=/opt/db-4.7.25/db4 
make install 

Install OpenLDAP 2.4.21
Download and extract OpenLDAP 2.4.21 into /opt/openldap-2.4.21 using the following commands: 
cd /opt/ 
wget ftp://ftp.openldap.org/pub/OpenLDAP/openldap-stable/openldap-stable-20100219.tgz  
tar zxvf openldap-stable-20100219.tgz 
cd openldap-2.4.21 
Compile and install OpenLDAP 2.4.21 using the following commands: 
export CPPFLAGS="-I/opt/db-4.7.25/db4/include" 
export LDFLAGS="-L/opt/db-4.7.25/db4/lib -R/opt/db-4.7.25/db4/lib" 
export LD_LIBRARY_PATH=/opt/db-4.7.25/build_unix/.libs 
./configure --prefix=/opt/openldap --enable-ppolicy=mod --enable-modules=yes --enable-dynamic=yes
if errors 
if you see "configure: error: could not locate libtool ltdl.h", run the following commands to install libtool:
sudo yum install libtool
cp /usr/share/libtool/libltdl/ltdl.h /usr/include/ 
if you see "configure: error: could not locate libtool -lltdl", run the following commands:
cd /usr/share/libtool/libltdl
make install 
if you see "configure: error: Berkeley DB version mismatch", update Berkeley DB 
make depend 
make test (this command is optional and tests the build - replication tests will not pass at this point) 
sudo make install 

Here are the steps I followed to build the check_password module:
I updated Makefile file to match the path in my environment.
I updated check_password.c to meet my client's requirement.
copied all files to /opt/check_password/
cd /opt/check_password/
make install LIBDIR='/opt/openldap/lib'
(no errors)

Here is the configuration I made
updated slapd.conf, ldap.conf, syslog.conf
in slapd.conf, added the following:
include      /opt/openldap/etc/openldap/schema/ppolicy.schema
include      /opt/openldap/etc/openldap/schema/BAH.schema
modulepath /opt/openldap/libexec/openldap
moduleload ppolicy.so
access to dn.subtree="o=BAH" 
        by self write
        by dn.base="mail=pwd_admin@bah.com,ou=users,o=BAH" write
        by users read
        by anonymous auth
loglevel 256
logfile  /var/log/openldap.log

in ldap.conf, uncommented
pam_lookup_policy yes

in /etc/syslog.conf, added
local4.*    /var/log/openldap.log

I installed Apache Directory studio to load ldif file

The ldif files for users and ppolicy are attached.

To make the password policy kick in on changes, I created a connection to LDAP using the pwd_admin account, which is allowed to change the password of any user.

1) It keeps popping up "Password fails quality checking policy" even though I provide a perfect password, e.g. Q!W@E#R$t5y6u7i8
2) No log info is found from the check_password module although DEBUG is defined in the Makefile. I can see lots of info from the ppolicy module.
Feb  4 17:07:52 bahldap slapd[17074]: conn=1036 op=13 RESULT tag=103 err=19 text=Password is too young to change
Feb  4 17:08:17 bahldap slapd[17074]: conn=1036 op=16 RESULT tag=103 err=19 text=Password fails quality checking policy
3) It seems check_password did not kick in. It returns failure by default.

1) How do I set up logging for check_password? I added some code in check_password.c, trying to write log info to a file, but I never see the file being created. I guess the check_password module was never executed.
2) Did you see any problems with ppolicy and user structure? I was wondering whether the ppolicy applies to everyone or not.

If you need more info, please let me know.
Thank you very much.

-- H.Wu from Booz Allen

Bug #301: can't make check_password work

Author: Hanxin Wu
Status: New
Priority: Normal
Assigned to: 
Category: OpenLDAP check password
Target version: 

I have openldap-2.4.21 installed in the latest Red Hat Linux VM. I was trying to make the check_password function work by following the instruction at http://ltb-project.org/wiki/documentation/openldap-ppolicy-check-password, but I can never make it work. If gurus here are willing to help, I would provide detailed info.
Thanks in advance.
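The ppolicy overlay loads the library named in the policy entry's pwdCheckModule attribute and looks up a function called check_password in it; a non-zero return is answered to the client with err=19, carrying the module's own message if it set one and the generic "Password fails quality checking policy" text otherwise (the same generic text appears when the library cannot be loaded at all). The module below is an added example of that contract, not the LTB project's check_password.c, with a simplified quality rule whose thresholds are assumed values rather than settings read from check_password.conf:

```c
#define _POSIX_C_SOURCE 200809L /* for strdup */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define LDAP_SUCCESS 0
#define LDAP_OTHER   0x50 /* to ppolicy, any non-zero return is a quality failure */
typedef struct Entry Entry; /* the entry being modified; not consulted here */
static const int MIN_LENGTH = 8, MIN_POINTS = 3; /* assumed stand-ins for conf values */
/* Number of character classes (upper, lower, digit, punctuation) present. */
int class_points(const char *pw)
{
    int seen[4] = {0, 0, 0, 0};
    for (; *pw; pw++) {
        unsigned char c = (unsigned char)*pw;
        seen[0] |= isupper(c) != 0; seen[1] |= islower(c) != 0;
        seen[2] |= isdigit(c) != 0; seen[3] |= ispunct(c) != 0;
    }
    return seen[0] + seen[1] + seen[2] + seen[3];
}
/* Entry point ppolicy resolves by the symbol name "check_password". Returns
 * LDAP_SUCCESS when the password is acceptable, else non-zero with *ppErrStr
 * set to a malloc'd reason that ppolicy frees and relays to the client. */
int check_password(char *pPasswd, char **ppErrStr, Entry *pEntry)
{
    char buf[96]; int points;
    (void)pEntry; *ppErrStr = NULL;
    if (pPasswd == NULL || strlen(pPasswd) < (size_t)MIN_LENGTH)
        snprintf(buf, sizeof buf, "password shorter than %d characters", MIN_LENGTH);
    else if ((points = class_points(pPasswd)) < MIN_POINTS)
        snprintf(buf, sizeof buf, "only %d character classes, %d required", points, MIN_POINTS);
    else
        return LDAP_SUCCESS;
    *ppErrStr = strdup(buf);
    return LDAP_OTHER;
}
/* Run the check as ppolicy would, then release the message it would own. */
int quality_rc(const char *pw)
{
    char *msg = NULL;
    int rc = check_password((char *)pw, &msg, NULL);
    if (msg) { fprintf(stderr, "  reason: %s\n", msg); free(msg); }
    return rc;
}
int main(void)
{   /* constructed samples; the first is the password quoted in the report */
    const char *pw[] = { "Q!W@E#R$t5y6u7i8", "password", "Tr0ub4dor&3", "Ab1!" };
    for (size_t i = 0; i < 4; i++)
        printf("%-18s %s\n", pw[i], quality_rc(pw[i]) ? "REJECT" : "OK");
    return 0;
}
```

Since ppolicy only needs the exported symbol name and the library named in pwdCheckModule, giving that attribute the absolute path of the installed .so removes any dependency on search paths, and a module that always sets *ppErrStr on failure makes its rejections distinguishable from a load failure in the client's error text.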
