Configuring PPolicy for OpenLDAP 2.5
Configure PPolicy in OpenLDAP 2.5+
Aug 23, 2022  Categories: Configuration  Tags: #ppolicy
Configure Password Policy in slapd.conf
Edit slapd.conf:

sudo vi /opt/symas/etc/openldap/slapd.conf

In the global section, add ppolicy to the list of loaded modules (in OpenLDAP 2.5+ the ppolicy schema is built into the overlay module, so no separate schema include is required):

moduleload   ppolicy.la

Add the ppolicy overlay within the main database section, preferably below the syncprov and accesslog overlay(s):
overlay      ppolicy
ppolicy_default "cn=passwordDefault,ou=Policies,dc=sample,dc=com"
ppolicy_forward_updates

ppolicy_default names the policy applied to every entry that carries no pwdPolicySubentry of its own. ppolicy_forward_updates only has an effect on a replication consumer: it forwards the state changes that Bind operations produce (failure counts, lockout timestamps) to the provider instead of writing them into the consumer's own database. NOTE: If a consumer will be in your environment, you will also need to configure the chain overlay on that consumer, because the forwarding is done through chaining.
Restart the slapd service to make the changes take effect:

sudo systemctl restart slapd

-or-

sudo service slapd restart

Add Password Policies Group to the database
Create a ppolicy LDIF with the content below to add the password policy settings to the database. pwdPolicy is an AUXILIARY object class, so each policy entry also needs a STRUCTURAL class (person is used here, which is why an sn attribute appears). Entries in an LDIF file must be separated by a blank line.

sudo vi /opt/symas/etc/openldap/ppolicy.ldif
dn: ou=Policies,dc=sample,dc=com
ou: Policies
objectClass: organizationalUnit

# Default policy, referenced by ppolicy_default in slapd.conf
dn: cn=passwordDefault,ou=Policies,dc=sample,dc=com
objectClass: pwdPolicy
objectClass: person
objectClass: top
cn: passwordDefault
sn: passwordDefault
pwdAttribute: userPassword
# 1 = check quality when the cleartext is available; 2 = reject changes
# whose cleartext slapd cannot see (e.g. pre-hashed values)
pwdCheckQuality: 1
pwdMinAge: 0
# 0 = passwords never expire
pwdMaxAge: 0
pwdMinLength: 6
pwdInHistory: 5
pwdMaxFailure: 3
# 0 = the failure counter is only reset by a successful bind
pwdFailureCountInterval: 0
pwdLockout: TRUE
# 0 = locked accounts stay locked until an administrator clears
# pwdAccountLockedTime
pwdLockoutDuration: 0
pwdAllowUserChange: TRUE
pwdExpireWarning: 0
pwdGraceAuthNLimit: 0
pwdMustChange: FALSE
pwdSafeModify: FALSE

# Stricter policy, assigned to selected users via pwdPolicySubentry
dn: cn=passwordSpecial,ou=Policies,dc=sample,dc=com
objectClass: pwdPolicy
objectClass: person
objectClass: top
cn: passwordSpecial
sn: passwordSpecial
pwdAttribute: userPassword
pwdCheckQuality: 1
pwdMinAge: 0
pwdMaxAge: 0
pwdMinLength: 10
pwdInHistory: 5
pwdMaxFailure: 10
pwdFailureCountInterval: 0
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdAllowUserChange: TRUE
pwdExpireWarning: 0
pwdGraceAuthNLimit: 0
pwdMustChange: FALSE
pwdSafeModify: FALSE

Import the policies using an ldapadd command
ldapadd -x -H ldap://localhost -D dc=sample,dc=com -w secret -f /opt/symas/etc/openldap/ppolicy.ldif

(-w secret places the rootdn password on the command line, where it is visible in the process list and shell history; use -W to be prompted for it instead.)

Apply Policies to Specific Users
Apply the special password policy to Aarika Wolfman with the following LDIF, typed into ldapmodify on standard input (press Enter after the last line to execute it, then Ctrl+D to terminate):

ldapmodify -x -H ldap://localhost -D dc=sample,dc=com -w secret
dn: cn=Aarika Wolfman,ou=Peons,dc=sample,dc=com
changetype: modify
add: pwdPolicySubentry
pwdPolicySubentry: cn=passwordSpecial,ou=Policies,dc=sample,dc=com
Test that the special policy is in force by attempting to change Aarika Wolfman's password, binding as that user so the test reflects what an ordinary user experiences:

ldappasswd -x -H ldap://localhost -D "cn=Aarika Wolfman,ou=Peons,dc=sample,dc=com" -W -S

Enter the existing password, namfloWaki, at the bind prompt and set the new password to 1234567. Seven characters satisfies the default policy's pwdMinLength of 6 but violates the special policy's pwdMinLength of 10, so the command should fail with a constraint violation (password too short). Because pwdCheckQuality is 1, the length check only runs when slapd receives the new password in cleartext, which ldappasswd provides through the Password Modify extended operation.
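The policy LDIF above and the ldappasswd test are easy to get subtly wrong (a missing blank line between entries, pwdCheckQuality left at 0 so pwdMinLength is never applied, lockout enabled with pwdMaxFailure 0). The following added example, which is not part of this page or of OpenLDAP, parses a ppolicy LDIF offline, reports weak settings, and simulates the only quality check that can be reproduced without a server, the pwdMinLength comparison slapd makes when pwdCheckQuality is non-zero. The sample LDIF is a constructed copy of the two policies above plus a hypothetical passwordWeak policy; the 8-character and lockout thresholds in lint_policy are the author's review criteria, not OpenLDAP defaults.

```python
"""Offline lint of OpenLDAP pwdPolicy entries plus a simulation of the
pwdMinLength check slapd performs when pwdCheckQuality is non-zero.
Added example; not part of the Symas page or of OpenLDAP itself."""

# Constructed sample: the two policies from ppolicy.ldif, plus a
# hypothetical weak one. Entries are separated by a blank line.
SAMPLE_LDIF = """\
dn: cn=passwordDefault,ou=Policies,dc=sample,dc=com
objectClass: pwdPolicy
objectClass: person
cn: passwordDefault
pwdAttribute: userPassword
pwdCheckQuality: 1
pwdMinLength: 6
pwdInHistory: 5
pwdMaxFailure: 3
pwdLockout: TRUE

dn: cn=passwordSpecial,ou=Policies,dc=sample,dc=com
objectClass: pwdPolicy
objectClass: person
cn: passwordSpecial
pwdAttribute: userPassword
pwdCheckQuality: 1
pwdMinLength: 10
pwdInHistory: 5
pwdMaxFailure: 10
pwdLockout: TRUE

# hypothetical policy with the checks switched off
dn: cn=passwordWeak,ou=Policies,dc=sample,dc=com
objectClass: pwdPolicy
objectClass: person
cn: passwordWeak
pwdAttribute: userPassword
pwdCheckQuality: 0
pwdMinLength: 4
pwdLockout: FALSE
"""


def parse_ldif(text):
    """Minimal LDIF reader returning a list of {attr: [values]} dicts with
    attribute names lower-cased. Folded lines are joined and comments
    dropped; base64 ('attr::') values are left undecoded since policy
    attributes never need them."""
    entries, logical = [], []

    def flush():
        entry = {}
        for line in logical:
            if not line.startswith("#"):
                attr, _, value = line.partition(":")
                entry.setdefault(attr.strip().lower(), []).append(value.strip())
        logical.clear()
        if entry:
            if len(entry.get("dn", [])) != 1:
                raise ValueError("every entry needs exactly one dn; "
                                 "separate entries with a blank line")
            entries.append(entry)

    for raw in text.splitlines():
        if raw.strip() == "":
            flush()
        elif raw.startswith(" ") and logical:   # RFC 2849 continuation line
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    flush()
    return entries


def policies(entries):
    """Map DN -> entry for every entry carrying the pwdPolicy object class."""
    return {e["dn"][0]: e for e in entries
            if any(oc.lower() == "pwdpolicy" for oc in e.get("objectclass", []))}


def lint_policy(p):
    """Findings a reviewer would raise about one pwdPolicy entry
    (thresholds are review criteria chosen here, not OpenLDAP defaults)."""
    def val(attr, default):
        return p.get(attr.lower(), [default])[0]
    out = []
    if val("pwdCheckQuality", "0") == "0":
        out.append("pwdCheckQuality 0: pwdMinLength is never enforced")
    if int(val("pwdMinLength", "0")) < 8:
        out.append(f"pwdMinLength {val('pwdMinLength', '0')} is below 8")
    if val("pwdLockout", "FALSE").upper() != "TRUE":
        out.append("pwdLockout FALSE: failed binds never lock the account")
    elif int(val("pwdMaxFailure", "0")) == 0:
        out.append("pwdMaxFailure 0: lockout enabled but never triggers")
    if int(val("pwdInHistory", "0")) == 0:
        out.append("pwdInHistory 0: old passwords can be reused")
    return out


def min_length_ok(p, password):
    """Simulate the length check: with pwdCheckQuality > 0 a cleartext
    password shorter than pwdMinLength is rejected (passwordTooShort);
    with pwdCheckQuality 0 no quality check runs at all."""
    if p.get("pwdcheckquality", ["0"])[0] == "0":
        return True
    return len(password) >= int(p.get("pwdminlength", ["0"])[0])


if __name__ == "__main__":
    for dn, pol in policies(parse_ldif(SAMPLE_LDIF)).items():
        print(dn)
        for finding in lint_policy(pol) or ["no findings"]:
            print("   -", finding)
        print("   accepts 1234567:", min_length_ok(pol, "1234567"))
```

Running it shows 1234567 accepted under passwordDefault and rejected under passwordSpecial, matching the ldappasswd test, and lists why passwordWeak would not survive review. parse_ldif raises if two dn lines land in one entry, which is exactly what happens when the blank separator lines are missing.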
Force Password Reset
To force a group of users to change their password at their next login, create a passwordReset policy with pwdMustChange: TRUE, assign it to the affected users, and set pwdReset: TRUE on each user's entry. pwdReset is a per-user operational attribute that records the reset state; it is not a policy setting, so it belongs on the user entry, not on the policy entry. Once a user whose entry carries pwdReset: TRUE binds, slapd restricts that session to changing the password until it is changed, so pwdAllowUserChange must not be FALSE in the policy.
Create Password Reset Policy
ldapadd -x -H ldap://localhost -D dc=sample,dc=com -w secret
dn: cn=passwordReset,ou=Policies,dc=sample,dc=com
objectClass: pwdPolicy
objectClass: person
objectClass: top
cn: passwordReset
sn: passwordReset
pwdAttribute: userPassword
pwdMustChange: TRUE

(Press Enter after the last line to execute, then Ctrl+D to terminate.)
Apply the Password Reset Policy to a User:
Use replace rather than add so the modification also succeeds for users that already have a pwdPolicySubentry (it is single-valued, so adding a second value fails):

ldapmodify -x -H ldap://localhost -D dc=sample,dc=com -w secret
dn: cn=My User,ou=People,dc=sample,dc=com
changetype: modify
replace: pwdPolicySubentry
pwdPolicySubentry: cn=passwordReset,ou=Policies,dc=sample,dc=com
-
replace: pwdReset
pwdReset: TRUE

(Press Enter after the last line to execute, then Ctrl+D to terminate.)
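Forcing a reset on a whole group means producing one modify record per user, and hand-written LDIF breaks on DNs that are not RFC 2849 safe strings (non-ASCII names, or values starting with a space, colon or "<") and on lines over 76 columns. The added example below, which is not part of this page or of OpenLDAP, generates the records for a list of user DNs with correct base64 encoding and line folding; pipe its output into ldapmodify bound as the rootdn, as in the commands above. The policy DN is the one created above; the two user DNs are constructed samples.

```python
"""Generate the LDIF that forces a set of users to change their password at
next bind: assign the passwordReset policy and set the per-user operational
attribute pwdReset to TRUE. Added example, not from the page or OpenLDAP;
feed the output to ldapmodify bound as an identity allowed to write these
operational attributes (the rootdn in the page's examples)."""
import base64

RESET_POLICY = "cn=passwordReset,ou=Policies,dc=sample,dc=com"  # from the page


def ldif_line(attr, value):
    """Render one attribute line per RFC 2849: 'attr: value' when the value
    is a SAFE-STRING, 'attr:: <base64>' when it is not (non-ASCII, or a
    leading space, colon or '<'), folded at 76 columns either way."""
    safe = (value.isascii() and value[:1] not in (" ", ":", "<")
            and not any(c in value for c in "\r\n\0"))
    if safe:
        line = f"{attr}: {value}"
    else:
        encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
        line = f"{attr}:: {encoded}"
    folded, rest = line[:76], line[76:]
    while rest:                      # continuation lines start with one space
        folded += "\n " + rest[:75]
        rest = rest[75:]
    return folded


def reset_ldif(user_dns, policy_dn=RESET_POLICY):
    """One 'changetype: modify' record per user. 'replace' rather than 'add'
    so the record also works for users that already carry a
    pwdPolicySubentry (single-valued, so adding a second value fails)."""
    records = []
    for dn in user_dns:
        records.append("\n".join([
            ldif_line("dn", dn),
            "changetype: modify",
            "replace: pwdPolicySubentry",
            ldif_line("pwdPolicySubentry", policy_dn),
            "-",
            "replace: pwdReset",
            "pwdReset: TRUE",
            "-",
        ]))
    return "\n\n".join(records) + "\n"


if __name__ == "__main__":
    # Constructed DNs: the page's "My User" plus one with non-ASCII characters.
    print(reset_ldif(["cn=My User,ou=People,dc=sample,dc=com",
                      "cn=Zoë Ünal,ou=People,dc=sample,dc=com"]), end="")
```

The second record comes out with a "dn::" base64 line, which ldapmodify decodes back to the UTF-8 DN; an unencoded non-ASCII dn line would be rejected by the LDIF parser before reaching the server.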