Symas OpenLDAP Knowledge Base

Configure PPolicy

Configure Password Policy in slapd.conf

In the global section add the following to the included schemas:

    sudo vi /opt/symas/etc/openldap/slapd.conf 
    include         /opt/symas/etc/openldap/schema/ppolicy.schema

Add the following to the modules list:

    moduleload   ppolicy.la

Add the following to the MDB database section, below the maxsize setting. The overlay has to be declared inside the database that holds both the user entries and the policy entries. ppolicy_forward_updates is only meaningful on a replica: it sends the state changes that Bind operations produce (failure times, lockouts) to the provider instead of writing them into the consumer's own database, so leave it out on a standalone server.

    overlay      ppolicy
    ppolicy_default "cn=passwordDefault,ou=Policies,dc=example,dc=com"
    ppolicy_forward_updates

Restart solserver for the changes to take effect.

    sudo service solserver restart

Add the Password Policies to the Database

Create a ppolicy LDIF with the content below to add the password policy entries to the database. pwdPolicy is an auxiliary object class, so each policy entry also needs a structural class; the LDIF uses person, which is why each policy carries an sn. Note what the default policy's values mean before applying it: pwdCheckQuality 1 checks a new password only when the server can read it (a pre-hashed value is accepted unchecked); pwdMaxAge 0 means passwords never expire; and pwdMaxFailure 3 with pwdFailureCountInterval 0 and pwdLockoutDuration 0 means three failed binds, however far apart (the failure counter is only cleared by a successful bind), lock the account until an administrator removes the pwdAccountLockedTime attribute from the entry.

    sudo vi /opt/symas/etc/openldap/ppolicy.ldif 
    dn: ou=Policies,dc=example,dc=com 
    ou: Policies
    objectClass: organizationalUnit 
    
    dn: cn=passwordDefault,ou=Policies,dc=example,dc=com 
    objectClass: pwdPolicy
    objectClass: person
    objectClass: top
    cn: passwordDefault
    sn: passwordDefault
    pwdAttribute: userPassword
    pwdCheckQuality: 1
    pwdMinAge: 0
    pwdMaxAge: 0
    pwdMinLength: 6
    pwdInHistory: 5
    pwdMaxFailure: 3
    pwdFailureCountInterval: 0
    pwdLockout: TRUE
    pwdLockoutDuration: 0
    pwdAllowUserChange: TRUE
    pwdExpireWarning: 0
    pwdGraceAuthNLimit: 0
    pwdMustChange: FALSE
    pwdSafeModify: FALSE
    
    dn: cn=passwordSpecial,ou=Policies,dc=example,dc=com 
    objectClass: pwdPolicy
    objectClass: person
    objectClass: top
    cn: passwordSpecial
    sn: passwordSpecial
    pwdAttribute: userPassword
    pwdCheckQuality: 1
    pwdMinAge: 0
    pwdMaxAge: 0
    pwdMinLength: 10
    pwdInHistory: 5
    pwdMaxFailure: 10
    pwdFailureCountInterval: 0
    pwdLockout: TRUE
    pwdLockoutDuration: 0
    pwdAllowUserChange: TRUE
    pwdExpireWarning: 0
    pwdGraceAuthNLimit: 0
    pwdMustChange: FALSE
    pwdSafeModify: FALSE

Import the policies with ldapadd, binding as the administrative DN used for every administrative command on this page. -w puts the password on the command line, where it is visible in the process list and shell history; -W prompts for it instead.

    ldapadd -x -H ldap://localhost -D dc=example,dc=com -w secret -f /opt/symas/etc/openldap/ppolicy.ldif

Apply Policies to Specific Users

Apply the special password policy to Aarika Wolfman with the following LDIF

    ldapmodify -x -H ldap://localhost -D dc=example,dc=com -w secret 
    dn: cn=Aarika Wolfman,ou=Peons,dc=example,dc=com 
    changetype: modify
    add: pwdPolicySubentry
    pwdPolicySubentry: cn=passwordSpecial,ou=Policies,dc=example,dc=com

Press Enter on an empty line after the last attribute to send the change, then Ctrl+D to end the input.

Test that the special policy is in force by changing Aarika Wolfman's password while bound as Aarika herself (the policy's pwdAllowUserChange TRUE permits this). -W prompts for her current password, namfloWaki, and -S prompts for the new one; enter 1234567.

    ldappasswd -x -H ldap://localhost -D "cn=Aarika Wolfman,ou=Peons,dc=example,dc=com" -W -S

A seven-character password satisfies the default policy's pwdMinLength of 6 but not the special policy's 10, so the server should reject the change (ppolicy reports password quality failures as a Constraint violation). Repeating the command with a password of ten or more characters should succeed, which confirms the entry is evaluated against passwordSpecial rather than passwordDefault.
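Once these policies are in force, the state ppolicy keeps for a user is visible as operational attributes on the entry (ldapsearch returns them when '+' is requested). Under the default policy above, the third failed bind writes pwdAccountLockedTime, and because pwdLockoutDuration is 0 the account stays locked until an administrator deletes that attribute. The script below is an added example, not code from the Symas page: it reads such a dump (SAMPLE_DUMP is a constructed stand-in for what ldapsearch prints for Aarika Wolfman's entry, with made-up timestamps) and produces the ldapmodify input that unlocks the account.

```shell
#!/bin/sh
# Added example, not code from the Symas page: read the ppolicy operational
# attributes of one user entry from an ldapsearch LDIF dump and build the
# ldapmodify input that unlocks the account.
#
# SAMPLE_DUMP is a constructed stand-in for the output of
#   ldapsearch -x -H ldap://localhost -D <admin dn> -W \
#       -b "cn=Aarika Wolfman,ou=Peons,dc=example,dc=com" -s base '+' pwdPolicySubentry
# The attribute names are the ones ppolicy maintains; the timestamps are made up.
SAMPLE_DUMP='dn: cn=Aarika Wolfman,ou=Peons,dc=example,dc=com
pwdPolicySubentry: cn=passwordSpecial,ou=Policies,dc=example,dc=com
pwdChangedTime: 20240101120000Z
pwdFailureTime: 20240301090001Z
pwdFailureTime: 20240301090005Z
pwdFailureTime: 20240301090009Z
pwdAccountLockedTime: 20240301090009Z
'

# Number of recorded failed binds: one pwdFailureTime value per failure that
# is still inside pwdFailureCountInterval (all of them when that is 0, since
# the counter is then only cleared by a successful bind).
failure_count() {
    printf '%s' "$1" | grep -c '^pwdFailureTime: ' || :
}

# Prints unlocked, locked or locked-permanently.
# ppolicy writes pwdAccountLockedTime when pwdMaxFailure is reached. The
# special value 000001010000Z marks an account locked by an administrator,
# which never expires. Any other value expires after pwdLockoutDuration
# seconds, and with pwdLockoutDuration 0 (the page's policies) only an
# administrator deleting the attribute clears it.
lock_state() {
    t=$(printf '%s' "$1" | sed -n 's/^pwdAccountLockedTime: //p')
    if [ -z "$t" ]; then
        echo unlocked
    elif [ "$t" = 000001010000Z ]; then
        echo locked-permanently
    else
        echo locked
    fi
}

# LDIF that unlocks the entry in the dump. Run it as the rootdn:
#   unlock_ldif "$dump" | ldapmodify -x -H ldap://localhost -D <admin dn> -W
# A modify that deletes an attribute the entry does not have fails as a whole
# with noSuchAttribute (16), so pwdFailureTime is only cleared when present.
unlock_ldif() {
    dn=$(printf '%s' "$1" | sed -n 's/^dn: //p' | head -n 1)
    printf 'dn: %s\nchangetype: modify\ndelete: pwdAccountLockedTime\n' "$dn"
    if [ "$(failure_count "$1")" -gt 0 ]; then
        printf -- '-\ndelete: pwdFailureTime\n'
    fi
}

# Stand-alone run: report the sample entry and print the unlock LDIF.
echo "failed binds: $(failure_count "$SAMPLE_DUMP"), state: $(lock_state "$SAMPLE_DUMP")"
unlock_ldif "$SAMPLE_DUMP"
```

The dump is assumed to hold a single entry (a base-scope search) and to be unfolded; ldapsearch wraps long values onto continuation lines unless run with -o ldif-wrap=no.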

Force Password Reset

To force a password reset on a group of users, create a passwordReset policy whose pwdMustChange is TRUE, assign it to those users, and set pwdReset to TRUE on each user's entry. pwdReset is an operational attribute of the user entry, not of the policy, so putting it in the policy entry has no effect (and the value True would be rejected anyway: LDAP Boolean syntax accepts only TRUE and FALSE). Under a policy with pwdMustChange TRUE, ppolicy sets pwdReset itself whenever someone other than the user changes the password; setting it by hand, as below, forces the change without resetting the password first. A user whose entry carries pwdReset: TRUE can still bind, but every other operation on that connection is refused until the user changes their own password, at which point ppolicy removes the attribute.

Create Password Reset Policy

    ldapadd -x -H ldap://localhost -D dc=example,dc=com -w secret 
    dn: cn=passwordReset,ou=Policies,dc=example,dc=com 
    objectClass: pwdPolicy
    objectClass: person
    objectClass: top
    cn: passwordReset
    sn: passwordReset
    pwdAttribute: userPassword
    pwdMustChange: TRUE

Press Enter on an empty line after the last attribute to send the entry, then Ctrl+D to end the input.

Apply the Password Reset Policy to a User:

    ldapmodify -x -H ldap://localhost -D dc=example,dc=com -w secret 
    dn: cn=My User,ou=People,dc=example,dc=com 
    changetype: modify
    add: pwdPolicySubentry
    pwdPolicySubentry: cn=passwordReset,ou=Policies,dc=example,dc=com 
    -
    add: pwdReset
    pwdReset: TRUE

Press Enter on an empty line after the last attribute to send the change, then Ctrl+D to end the input.
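The assignment above is done one user at a time. The script below is an added example, not part of the Symas page: it builds a single ldapmodify input that puts any number of users under cn=passwordReset and flags each for a forced change, and it lists, from an ldapsearch dump, which users have not yet completed the change. The user DNs and the SAMPLE_SEARCH dump are constructed placeholders in the page's example tree.

```shell
#!/bin/sh
# Added example, not code from the Symas page: batch-assign the passwordReset
# policy and the pwdReset flag, and find users who still have to change.
# The DNs and the sample search output are constructed placeholders.

# Emit one modify record per user DN. "replace" is used rather than "add" so
# the LDIF is idempotent: "add: pwdPolicySubentry" fails with "Type or value
# exists (20)" on a user that already has a policy assigned. pwdReset is set on
# the user entry (it is an operational attribute of the account, not of the
# policy); under a policy with pwdMustChange TRUE, ppolicy then refuses every
# operation except a password change for that user until the change is made.
force_reset_ldif() {
    policy="$1"; shift
    for dn in "$@"; do
        printf 'dn: %s\nchangetype: modify\nreplace: pwdPolicySubentry\npwdPolicySubentry: %s\n-\nreplace: pwdReset\npwdReset: TRUE\n\n' "$dn" "$policy"
    done
}

# From an ldapsearch dump (one entry per paragraph, dn line first, produced
# with -o ldif-wrap=no so long values are not folded onto continuation lines),
# print the DNs that still carry pwdReset: TRUE.
pending_reset() {
    printf '%s' "$1" | awk '
        /^dn: /            { dn = substr($0, 5) }
        /^pwdReset: TRUE$/ { print dn }
    '
}

# Constructed stand-in for
#   ldapsearch -x -H ldap://localhost -D <admin dn> -W -o ldif-wrap=no \
#       -b ou=People,dc=example,dc=com '(objectClass=person)' pwdReset
SAMPLE_SEARCH='dn: cn=My User,ou=People,dc=example,dc=com
pwdReset: TRUE

dn: cn=Other User,ou=People,dc=example,dc=com

dn: cn=Third User,ou=People,dc=example,dc=com
pwdReset: TRUE
'

# Stand-alone run. To apply for real, pipe the LDIF into ldapmodify as the rootdn:
#   force_reset_ldif "$POLICY" "$@" | ldapmodify -x -H ldap://localhost -D <admin dn> -W
POLICY="cn=passwordReset,ou=Policies,dc=example,dc=com"
force_reset_ldif "$POLICY" \
    "cn=My User,ou=People,dc=example,dc=com" \
    "cn=Third User,ou=People,dc=example,dc=com"
echo "still pending:"
pending_reset "$SAMPLE_SEARCH"
```

Because the modify uses replace, rerunning it on a user who already completed the forced change sets pwdReset: TRUE again and forces a second change; run pending_reset first if that is not wanted.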