[ltb-dev] [LDAP Tool Box - Bug #301] can't make check_password work
noreply at lsc-project.org
Fri Feb 4 18:34:44 CET 2011
Issue #301 has been updated by Hanxin Wu.
File Makefile added
File check_password.c added
File check_password.conf added
File BAH-ppolicy.ldif added
File BAH-user.ldif added
These are the instructions I followed to install Berkeley DB and OpenLDAP:
Install Berkeley DB 4.7.25 with all Latest Patches
Download and extract Berkeley DB 4.7.25 from Oracle into /opt/db-4.7.25 using the following commands:
tar zxvf db-4.7.25.tar.gz
Install patch.126.96.36.199-4 using the following commands:
patch -p0 < patch.188.8.131.52
patch -p0 < patch.184.108.40.206
patch -p0 < patch 220.127.116.11
patch -p0 < patch 18.104.22.168
Compile and install Berkeley DB 4.7.25 using the following commands:
../dist/configure --enable-ppolicy --prefix=/opt/db-4.7.25/db4
Install OpenLDAP 2.4.21
Download and extract OpenLDAP 2.4.21 into /opt/openldap-2.4.21 using the following commands:
tar zxvf openldap-stable-20100219.tgz
Compile and install OpenLDAP 2.4.21 using the following commands:
export LDFLAGS="-L/opt/db-4.7.25/db4/lib -R/opt/db-4.7.25/db4/lib"
./configure --prefix=/opt/openldap --enable-ppolicy=mod --enable-modules=yes --enable-dynamic=yes
If you see "configure: error: could not locate libtool ltdl.h", run the following commands to install libtool:
sudo yum install libtool
cp /usr/share/libtool/libltdl/ltdl.h /usr/include/
If you see "configure: error: could not locate libtool -lltdl", run the following commands:
If you see "configure: error: Berkeley DB version mismatch", update Berkeley DB
make test (this command is optional and tests the build - replication tests will not pass at this point)
sudo make install
Here are the steps I followed to build the check_password module:
I updated Makefile file to match the path in my environment.
I updated check_password.c to meet my client's requirement.
copied all files to /opt/check_password/
make install LIBDIR='/opt/openldap/lib'
Here is the configuration I made
updated slapd.conf, ldap.conf, syslog.conf
in slapd.conf, added the following:
access to dn.subtree="o=BAH"
    by self write
    by dn.base="mail=pwd_admin@bah.com,ou=users,o=BAH" write
    by users read
    by anonymous auth
in ldap.conf, uncommented
in /etc/syslog.conf, added
I installed Apache Directory Studio to load the LDIF files.
The LDIF files for users and ppolicy are attached.
To make the password policy kick in on changes, I created a connection to LDAP using the pwd_admin account, which is allowed to change the password for any user.
1) It keeps popping up "Password fails quality checking policy" even though I provide a perfect password, e.g. Q!W@E#R$t5y6u7i8
2) No log info is found from the check_password module although DEBUG is defined in the Makefile. I can see lots of info from the ppolicy module.
Feb 4 17:07:52 bahldap slapd: conn=1036 op=13 RESULT tag=103 err=19 text=Password is too young to change
Feb 4 17:08:17 bahldap slapd: conn=1036 op=16 RESULT tag=103 err=19 text=Password fails quality checking policy
3) It seems check_password did not kick in. It returns failure by default.
1) How do I set up logging for check_password? I added some code in check_password.c, trying to write log info to a file, but I never see the file being created. I guess the check_password module was never executed.
2) Do you see any problems with the ppolicy and user structure? I was wondering whether the ppolicy applies to everyone or not.
If you need more info, please let me know.
Thank you very much.
-- H.Wu from Booz Allen
Bug #301: can't make check_password work
Author: Hanxin Wu
Category: OpenLDAP check password
I have openldap-2.4.21 installed in the latest Red Hat Linux VM. I was trying to make the check_password function work by following the instructions at http://ltb-project.org/wiki/documentation/openldap-ppolicy-check-password, but I can never make it work. If gurus here are willing to help, I will provide detailed info.
Thanks in advance.