Does ppolicy work with this? Im having trouble including an ldif that includes
objectClass: pwdPolicy
Error:
ldap_add: Invalid syntax (21)
additional info: pwdAttribute: value #0 invalid per syntax
It's not included. You can manually add it after starting up the container.
Modified from this source https://tobrunet.ch/articles/openldap-password-policy-overlay/.
Create an ldif file with these contents and apply with ldapmodify. (I use apache directory and just do import in cn=config.)
dn: cn=module,cn=config
cn: module{0}
objectClass: top
objectClass: olcModuleList
olcModuleLoad: ppolicy.la
olcModulePath: /usr/lib/ldap
dn: olcOverlay={0}ppolicy,olcDatabase={1}hdb,cn=config
objectClass: olcPPolicyConfig
objectClass: olcOverlayConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=passwordDefault,ou=policies,dc=ironnet,dc=co
olcPPolicyForwardUpdates: FALSE
olcPPolicyHashCleartext: FALSE
olcPPolicyUseLockout: FALSE
I tried the mentionned solution above, but did not get any "expected" result. So I took a look to the scripts in the source code loading the other modules. ex. memberof
Base on this example, I created my ldif file like this:
# Load ppolicy module
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy
dn: olcOverlay={0}ppolicy,olcDatabase={1}{{ LDAP_BACKEND }},cn=config
changetype: add
objectClass: olcPPolicyConfig
objectClass: olcOverlayConfig
olcOverlay: {0}ppolicy
olcPPolicyDefault: cn=default,ou=pwpolicies,{{ LDAP_BASE_DN }}
olcPPolicyForwardUpdates: FALSE
olcPPolicyHashCleartext: FALSE
olcPPolicyUseLockout: FALSE
Here's the logs I get when starting the docker container:
Processing file /container/service/slapd/assets/config/bootstrap/ldif/101-ppolicy-module.ldif
58dbbf03 conn=1024 fd=14 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)
58dbbf03 conn=1024 op=0 BIND dn="" method=163
58dbbf03 conn=1024 op=0 BIND
authcid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
authzid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
58dbbf03 conn=1024 op=0 BIND dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" mech=EXTERNAL sasl_ssf=0 ssf=71
58dbbf03 conn=1024 op=0 RESULT tag=97 err=0 text=
58dbbf03 conn=1024 op=1 MOD dn="cn=module{0},cn=config"
58dbbf03 conn=1024 op=1 MOD attr=olcModuleLoad
58dbbf03 conn=1024 op=1 RESULT tag=103 err=0 text=
58dbbf03 conn=1024 op=2 ADD dn="olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config"
58dbbf03 conn=1024 op=2 RESULT tag=105 err=0 text=
58dbbf03 conn=1024 op=3 UNBIND
58dbbf03 conn=1024 fd=14 closed
I don't see any errors, from my perspective, it looks like everything is fine.
So I created another ldif file creating my policy:
dn: cn=default,ou=pwpolicies,{{ LDAP_BASE_DN }}
changetype: add
objectClass: pwdPolicy
objectClass: device
objectClass: top
cn: default
pwdAttribute: 2.5.4.35
pwdMaxAge: 2592000
pwdExpireWarning: 3600
#pwdInHistory: 0
#pwdCheckQuality: 0
pwdMaxFailure: 3
pwdLockout: TRUE
pwdLockoutDuration: 3600
#pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: FALSE
pwdMinLength: 6
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
This gets me no error either:
58dbbf04 conn=1026 op=20 ADD dn="cn=default,ou=pwpolicies,dc=t3e,dc=com"
58dbbf04 conn=1026 op=20 RESULT tag=105 err=0 text=
58dbbf04 conn=1026 op=21 UNBIND
58dbbf04 conn=1026 fd=14 closed
But, when I open Apache Directory Studio and set an invalid password like "toto", I get no error and the password is saved. I don't understand what I am missing for my policy to be applied?
[EDIT]
I was able to validate that the account will in fact get locked after the time period or after max bad loggin attempt. But still, I don't get why the pwdMinLength is not applied when setting the user password.
Exactly same situation here.
Does the pwdMinLength affect the _hashed_ password length, not the initial password length?
Found here http://www.zytrax.com/books/ldap/ch6/ppolicy.html
pwdMinLength
This attribute controls whether minimum password length checks will be enforced by the server. If the value is 0 (the default) then no password length checks are enforced. If the value is > 0 then it defines the minimum length of the user supplied password. Passwords shorter than this value will be rejected. If the supplied password is hashed no length checks can be carried out and the default actions are defined by pwdCheckQuality - if 0 (default) or 1 accept, if 2 reject).
The password policy also doesn't look to apply to changes made by the root admin account (logical)
I have been struggling with @euphreme solution. I got
ldap_add no such object (32) matched dn dc=xxxx dc=yyyy
I've fixed this by defining OU
dn: ou=pwpolicies,{{ LDAP_BASE_DN }}
changetype: add
objectClass: organizationalUnit
ou: pwpolicies
Hello I am also having issues with this. I have made my own policy and it looks like this
dn: cn=normalPolicy,{mybaseDN}
changetype: add
objectclass: device
objectclass: pwdPolicy
objectclass: top
cn: normalPolicy
pwdCheckQuality: 0
pwdAttribute: 2.5.4.35
pwdInHistory: 2
pwdExpireWarning: 2629746
pwdMinLength: 8
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMaxAge: 7889238
pwdMaxFailure: 3
pwdMinAge: 86400
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
I have it in a policies ou but when i login to phpldapadmin as one of the users and try to change the password, I get an error:

Did i mess up my policy I thought I should be able to change the password.
nvm i found out i set the minimum age for the password too high, i reset it to 5 seconds for my testing and it worked great.
Create your own image and add your config files to /container/service/slapd/assets/config/bootstrap/ldif/custom
Dockerfile
FROM osixia/openldap
ADD ldif /container/service/slapd/assets/config/bootstrap/ldif/custom
ldif/01-pp.ldif
#load password policy module
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: {0}ppolicy
#configure password policy module
dn: olcOverlay=ppolicy,olcDatabase={1}{{ LDAP_BACKEND }},cn=config
changetype: add
objectClass: olcPPolicyConfig
objectClass: olcOverlayConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=pwpolicies,{{ LDAP_BASE_DN }}
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: TRUE
ldif/02-ppcfg.ldif
#load password policy module
dn: ou=pwpolicies,{{ LDAP_BASE_DN }}
objectClass: organizationalUnit
objectClass: top
ou: pwpolicies
dn: cn=default,ou=pwpolicies,{{ LDAP_BASE_DN }}
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdAllowUserChange: TRUE
pwdCheckQuality: 1
pwdExpireWarning: 3600
pwdFailureCountInterval: 3600
pwdInHistory: 3
pwdLockout: TRUE
pwdLockoutDuration: 300
pwdMaxAge: 0
pwdMaxFailure: 5
pwdMinLength: 6
pwdMustChange: FALSE
pwdSafeModify: FALSE
Hey guys, thank you very much that you've provided this how to!
Could you give me a hint how i could also enable CRYPT?
i tried to add another file like this:
dn: cn=config
changetype: modify
add: olcPasswordCryptSaltFormat
olcPasswordCryptSaltFormat: $6$%.16s
-
add: olcPasswordHash
olcPasswordHash: {CRYPT}
but then slapd crashes:
openldap | Add custom bootstrap ldif...
openldap | *** /container/run/startup/slapd failed with status 50
If i execute it from within the container it works as expected...
Most helpful comment
Create your own image and add your config files to /container/service/slapd/assets/config/bootstrap/ldif/custom
Dockerfile
ldif/01-pp.ldif
ldif/02-ppcfg.ldif