Reputation: 11
I am using LDAP with a frontend GUI (fusiondirectory) which allows my users to log in and change their passwords and details in a user-friendly way. I have set up a password policy for my LDAP and added the plugin to fusiondirectory. All seems to be working: I can create a policy that requires a password of 10 characters minimum, and I have tested this and it works, so I know that my ppolicy module is loaded and working. The problem I have is that I am trying to load a pwdCheckModule called pqchecker, which performs quality checks on passwords (e.g. requires an uppercase, lowercase, digit and special character), and this doesn't seem to work. I have followed the install and compile instructions from this source, http://techadminblog.com/configure-password-quality-check-openldap/, step by step and everything went smoothly. I have also changed permissions on the pqchecker directory and have the correct configuration within the pqparams.dat file (01010101), but it does not seem to be working.
The only thing that appears in my log file is:
Sep 21 15:02:49 ldap slapd[14237]: conn=1043 fd=11 ACCEPT from IP=192.168.X.X:33652 (IP=0.0.0.0:389)
Sep 21 15:02:49 ldap slapd[14237]: conn=1043 op=0 BIND dn="cn=admin,dc=domain" method=128
Sep 21 15:02:49 ldap slapd[14237]: conn=1043 op=0 BIND dn="cn=admin,dc=domain" mech=SIMPLE ssf=0
Sep 21 15:02:49 ldap slapd[14237]: conn=1043 op=0 RESULT tag=97 err=0 text=
Sep 21 15:02:49 ldap slapd[14237]: conn=1043 op=1 SRCH base="uid=testuser,ou=people,dc=domain" scope=0 deref=0 filter="(objectClass=*)"
Sep 21 15:02:49 ldap slapd[14237]: conn=1043 op=1 SRCH attr=pwdPolicySubentry pwdHistory pwdChangedTime userPassword
Sep 21 15:02:49 ldap slapd[14237]: conn=1043 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Sep 21 15:02:49 ldap slapd[14237]: conn=1043 op=2 SRCH base="cn=passwordpolicy,ou=ppolicies,dc=domain" scope=0 deref=0 filter="(objectClass=*)"
Sep 21 15:02:49 ldap slapd[14237]: conn=1043 op=2 SRCH attr=pwdAllowUserChange pwdMinLength pwdMinAge pwdSafeModify
Sep 21 15:02:49 ldap slapd[14237]: conn=1043 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Sep 21 15:02:49 ldap slapd[14237]: conn=1043 op=3 SRCH base="uid=testuser,ou=people,dc=domain" scope=0 deref=0 filter="(objectClass=*)"
Sep 21 15:02:49 ldap slapd[14237]: conn=1043 op=3 SRCH attr=entryCSN
Sep 21 15:02:49 ldap slapd[14237]: conn=1043 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Sep 21 15:02:49 ldap slapd[14237]: conn=1043 op=4 UNBIND
Sep 21 15:02:49 ldap slapd[14237]: conn=1043 fd=11 closed
Upvotes: 0
Views: 1976
Reputation: 230
The instructions in the techadminblog link are good, but pay attention to the following things:
1/ The pqchecker.so file must be in the location indicated by the olcModulePath parameter. Something like this should provide information about this parameter:
ldapsearch -x -D cn=admin,dc=domain,dc=net -w admin -b cn=config olcModulePath | grep -i module
For Debian and compatible systems, this location is /usr/lib/ldap.
2/ The pwdCheckQuality parameter (a ppolicy overlay parameter) must be at value 1 or 2 (any other value deactivates this feature).
3/ Set the olcLogLevel to the value: stats
Further information can be found at these links:
http://www.meddeb.net/pqchecker
http://tutoriels.meddeb.net/openldap-password-policy (in French, but there are 2 articles in English)
Upvotes: 1
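The three checks listed in the answer above can be run together against LDIF output from ldapsearch; this is an added example, not part of the original posts or of pqchecker. The sample LDIF is constructed, and the function names and the ROOT argument are hypothetical helpers for this sketch.

```shell
#!/bin/sh
# Added example: audit LDIF text for the three settings listed in the answer.
# Live input would come from ldapsearch against cn=config and the policy entry.

# ldif_attr NAME: print every value of attribute NAME found in LDIF on stdin.
ldif_attr() {
    awk -v name="$1" 'BEGIN { n = tolower(name) ":" }
        tolower($1) == n { sub(/^[^:]*:[ ]*/, ""); print }'
}

# audit_pqchecker CONFIG_LDIF POLICY_LDIF [ROOT]
# Prints one line per check; exit status is the number of failed checks.
# ROOT is a hypothetical filesystem prefix, used only to test offline.
audit_pqchecker() {
    root=${3:-}; failed=0
    modpath=$(printf '%s\n' "$1" | ldif_attr olcModulePath | tr ':\n' '  ')
    loglevel=$(printf '%s\n' "$1" | ldif_attr olcLogLevel | tr '\n' ' ')
    quality=$(printf '%s\n' "$2" | ldif_attr pwdCheckQuality)
    module=$(printf '%s\n' "$2" | ldif_attr pwdCheckModule)
    # 1/ the file named by pwdCheckModule must sit in an olcModulePath directory
    found=no
    for dir in $modpath; do
        if [ -n "$module" ] && [ -f "$root$dir/$module" ]; then found=yes; fi
    done
    if [ "$found" = yes ]; then echo "ok   $module found under olcModulePath"
    else echo "FAIL '$module' not found in: ${modpath:-<unset>}"; failed=$((failed + 1)); fi
    # 2/ pwdCheckQuality must be 1 or 2, otherwise the check module is not used
    case "$quality" in
        1|2) echo "ok   pwdCheckQuality=$quality" ;;
        *)   echo "FAIL pwdCheckQuality='$quality' (needs 1 or 2)"; failed=$((failed + 1)) ;;
    esac
    # 3/ olcLogLevel should include stats (256 when given as a number)
    case " $loglevel " in
        *" stats "*|*" 256 "*) echo "ok   olcLogLevel includes stats" ;;
        *) echo "FAIL olcLogLevel='$loglevel' lacks stats"; failed=$((failed + 1)) ;;
    esac
    return "$failed"
}

# Constructed sample LDIF (not taken from a real server).
SAMPLE_CONFIG='dn: cn=config
olcLogLevel: stats

dn: cn=module{0},cn=config
olcModulePath: /usr/lib/ldap'
SAMPLE_POLICY='dn: cn=passwordpolicy,ou=ppolicies,dc=domain
pwdMinLength: 10
pwdCheckQuality: 2
pwdCheckModule: pqchecker.so'

audit_pqchecker "$SAMPLE_CONFIG" "$SAMPLE_POLICY" || echo "$? check(s) failed"
```

On a live server, pass the output of two ldapsearch queries (one on cn=config, one on the policy entry) as the first two arguments and omit ROOT.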