Docker-openldap: pwdPolicy not enabled

Created on 17 Apr 2016  路  9Comments  路  Source: osixia/docker-openldap

Does ppolicy work with this? Im having trouble including an ldif that includes

objectClass: pwdPolicy

Error:
ldap_add: Invalid syntax (21)
additional info: pwdAttribute: value #0 invalid per syntax

OpenLDAP question

Most helpful comment

Create your own image and add your config files to /container/service/slapd/assets/config/bootstrap/ldif/custom

Dockerfile

FROM osixia/openldap
ADD ldif /container/service/slapd/assets/config/bootstrap/ldif/custom

ldif/01-pp.ldif

#load password policy module
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: {0}ppolicy

#configure password policy module
dn: olcOverlay=ppolicy,olcDatabase={1}{{ LDAP_BACKEND }},cn=config
changetype: add
objectClass: olcPPolicyConfig
objectClass: olcOverlayConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=pwpolicies,{{ LDAP_BASE_DN }}
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: TRUE

ldif/02-ppcfg.ldif

#load password policy module
dn: ou=pwpolicies,{{ LDAP_BASE_DN }}
objectClass: organizationalUnit
objectClass: top
ou: pwpolicies

dn: cn=default,ou=pwpolicies,{{ LDAP_BASE_DN }}
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdAllowUserChange: TRUE
pwdCheckQuality: 1
pwdExpireWarning: 3600
pwdFailureCountInterval: 3600
pwdInHistory: 3
pwdLockout: TRUE
pwdLockoutDuration: 300
pwdMaxAge: 0
pwdMaxFailure: 5
pwdMinLength: 6
pwdMustChange: FALSE
pwdSafeModify: FALSE

All 9 comments

It's not included. You can manually add it after starting up the container.
Modified from this source https://tobrunet.ch/articles/openldap-password-policy-overlay/.

Create an ldif file with these contents and apply with ldapmodify. (I use apache directory and just do import in cn=config.)

dn: cn=module,cn=config
cn: module{0}
objectClass: top
objectClass: olcModuleList
olcModuleLoad: ppolicy.la
olcModulePath: /usr/lib/ldap

dn: olcOverlay={0}ppolicy,olcDatabase={1}hdb,cn=config
objectClass: olcPPolicyConfig
objectClass: olcOverlayConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=passwordDefault,ou=policies,dc=ironnet,dc=co
olcPPolicyForwardUpdates: FALSE
olcPPolicyHashCleartext: FALSE
olcPPolicyUseLockout: FALSE

I tried the mentionned solution above, but did not get any "expected" result. So I took a look to the scripts in the source code loading the other modules. ex. memberof

Base on this example, I created my ldif file like this:

# Load ppolicy module
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy

dn: olcOverlay={0}ppolicy,olcDatabase={1}{{ LDAP_BACKEND }},cn=config
changetype: add
objectClass: olcPPolicyConfig
objectClass: olcOverlayConfig
olcOverlay: {0}ppolicy
olcPPolicyDefault: cn=default,ou=pwpolicies,{{ LDAP_BASE_DN }}
olcPPolicyForwardUpdates: FALSE
olcPPolicyHashCleartext: FALSE
olcPPolicyUseLockout: FALSE

Here's the logs I get when starting the docker container:

Processing file /container/service/slapd/assets/config/bootstrap/ldif/101-ppolicy-module.ldif
58dbbf03 conn=1024 fd=14 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)
58dbbf03 conn=1024 op=0 BIND dn="" method=163
58dbbf03 conn=1024 op=0 BIND
authcid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
authzid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
58dbbf03 conn=1024 op=0 BIND dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" mech=EXTERNAL sasl_ssf=0 ssf=71
58dbbf03 conn=1024 op=0 RESULT tag=97 err=0 text=
58dbbf03 conn=1024 op=1 MOD dn="cn=module{0},cn=config"
58dbbf03 conn=1024 op=1 MOD attr=olcModuleLoad
58dbbf03 conn=1024 op=1 RESULT tag=103 err=0 text=
58dbbf03 conn=1024 op=2 ADD dn="olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config"
58dbbf03 conn=1024 op=2 RESULT tag=105 err=0 text=
58dbbf03 conn=1024 op=3 UNBIND
58dbbf03 conn=1024 fd=14 closed

I don't see any errors, from my perspective, it looks like everything is fine.
So I created another ldif file creating my policy:

dn: cn=default,ou=pwpolicies,{{ LDAP_BASE_DN }}
changetype: add
objectClass: pwdPolicy
objectClass: device
objectClass: top
cn: default
pwdAttribute: 2.5.4.35
pwdMaxAge: 2592000
pwdExpireWarning: 3600
#pwdInHistory: 0
#pwdCheckQuality: 0
pwdMaxFailure: 3
pwdLockout: TRUE
pwdLockoutDuration: 3600
#pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: FALSE
pwdMinLength: 6
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE

This gets me no error either:

58dbbf04 conn=1026 op=20 ADD dn="cn=default,ou=pwpolicies,dc=t3e,dc=com"
58dbbf04 conn=1026 op=20 RESULT tag=105 err=0 text=
58dbbf04 conn=1026 op=21 UNBIND
58dbbf04 conn=1026 fd=14 closed

But, when I open Apache Directory Studio and set an invalid password like "toto", I get no error and the password is saved. I don't understand what I am missing for my policy to be applied?

[EDIT]
I was able to validate that the account will in fact get locked after the time period or after max bad loggin attempt. But still, I don't get why the pwdMinLength is not applied when setting the user password.

Exactly same situation here.
Does the pwdMinLength affect the _hashed_ password length, not the initial password length?

Found here http://www.zytrax.com/books/ldap/ch6/ppolicy.html

pwdMinLength

This attribute controls whether minimum password length checks will be enforced by the server. If the value is 0 (the default) then no password length checks are enforced. If the value is > 0 then it defines the minimum length of the user supplied password. Passwords shorter than this value will be rejected. If the supplied password is hashed no length checks can be carried out and the default actions are defined by pwdCheckQuality - if 0 (default) or 1 accept, if 2 reject).

The password policy also doesn't look to apply to changes made by the root admin account (logical)

I have been struggling with @euphreme solution. I got

ldap_add no such object (32) matched dn dc=xxxx dc=yyyy

I've fixed this by defining OU

dn: ou=pwpolicies,{{ LDAP_BASE_DN }}
changetype: add
objectClass: organizationalUnit
ou: pwpolicies

Hello I am also having issues with this. I have made my own policy and it looks like this

dn: cn=normalPolicy,{mybaseDN}
changetype: add
objectclass: device
objectclass: pwdPolicy
objectclass: top
cn: normalPolicy
pwdCheckQuality: 0
pwdAttribute: 2.5.4.35
pwdInHistory: 2
pwdExpireWarning: 2629746
pwdMinLength: 8
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMaxAge: 7889238
pwdMaxFailure: 3
pwdMinAge: 86400
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE

I have it in a policies ou but when i login to phpldapadmin as one of the users and try to change the password, I get an error:
image

Did i mess up my policy I thought I should be able to change the password.

nvm i found out i set the minimum age for the password too high, i reset it to 5 seconds for my testing and it worked great.

Create your own image and add your config files to /container/service/slapd/assets/config/bootstrap/ldif/custom

Dockerfile

FROM osixia/openldap
ADD ldif /container/service/slapd/assets/config/bootstrap/ldif/custom

ldif/01-pp.ldif

#load password policy module
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: {0}ppolicy

#configure password policy module
dn: olcOverlay=ppolicy,olcDatabase={1}{{ LDAP_BACKEND }},cn=config
changetype: add
objectClass: olcPPolicyConfig
objectClass: olcOverlayConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=pwpolicies,{{ LDAP_BASE_DN }}
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: TRUE

ldif/02-ppcfg.ldif

#load password policy module
dn: ou=pwpolicies,{{ LDAP_BASE_DN }}
objectClass: organizationalUnit
objectClass: top
ou: pwpolicies

dn: cn=default,ou=pwpolicies,{{ LDAP_BASE_DN }}
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdAllowUserChange: TRUE
pwdCheckQuality: 1
pwdExpireWarning: 3600
pwdFailureCountInterval: 3600
pwdInHistory: 3
pwdLockout: TRUE
pwdLockoutDuration: 300
pwdMaxAge: 0
pwdMaxFailure: 5
pwdMinLength: 6
pwdMustChange: FALSE
pwdSafeModify: FALSE

Hey guys, thank you very much that you've provided this how to!
Could you give me a hint how i could also enable CRYPT?

i tried to add another file like this:

dn: cn=config
changetype: modify
add: olcPasswordCryptSaltFormat
olcPasswordCryptSaltFormat: $6$%.16s
-
add: olcPasswordHash
olcPasswordHash: {CRYPT}

but then slapd crashes:

openldap              | Add custom bootstrap ldif...
openldap              | *** /container/run/startup/slapd failed with status 50

If i execute it from within the container it works as expected...

Was this page helpful?
0 / 5 - 0 ratings