
Configuring PPolicy for OpenLDAP 2.4

Learn how to configure PPolicy for SOLD 2.4 in order to enhance security and improve password policies for your system.

Written by Maryanne Normann

Updated at July 27th, 2024


Configure Password Policy in slapd.conf

In the global section of slapd.conf, add the ppolicy schema to the list of included schemas:

sudo vi /opt/symas/etc/openldap/slapd.conf
include         /opt/symas/etc/openldap/schema/ppolicy.schema

Add the following to the modules list:

moduleload   ppolicy.la

Add the following to the MDB database section, below the maxsize setting:

overlay      ppolicy
ppolicy_default "cn=passwordDefault,ou=Policies,dc=example,dc=com"
ppolicy_forward_updates

Restart solserver for the changes to take effect:

sudo service solserver restart

Add Password Policies Group to Database

Create a ppolicy.ldif file with the content below; it adds the Policies OU and the password policy entries to the database.

sudo vi /opt/symas/etc/openldap/ppolicy.ldif 
dn: ou=Policies,dc=example,dc=com 
ou: Policies
objectClass: organizationalUnit 

dn: cn=passwordDefault,ou=Policies,dc=example,dc=com 
objectClass: pwdPolicy
objectClass: person
objectClass: top
cn: passwordDefault
sn: passwordDefault
pwdAttribute: userPassword
pwdCheckQuality: 1
pwdMinAge: 0
pwdMaxAge: 0
pwdMinLength: 6
pwdInHistory: 5
pwdMaxFailure: 3
pwdFailureCountInterval: 0
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdAllowUserChange: TRUE
pwdExpireWarning: 0
pwdGraceAuthNLimit: 0
pwdMustChange: FALSE
pwdSafeModify: FALSE

dn: cn=passwordSpecial,ou=Policies,dc=example,dc=com 
objectClass: pwdPolicy
objectClass: person
objectClass: top
cn: passwordSpecial
sn: passwordSpecial
pwdAttribute: userPassword
pwdCheckQuality: 1
pwdMinAge: 0
pwdMaxAge: 0
pwdMinLength: 10
pwdInHistory: 5
pwdMaxFailure: 10
pwdFailureCountInterval: 0
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdAllowUserChange: TRUE
pwdExpireWarning: 0
pwdGraceAuthNLimit: 0
pwdMustChange: FALSE
pwdSafeModify: FALSE

Import the policies with an ldapadd command:

ldapadd -x -H ldap://localhost -D dc=example,dc=com -w secret -f /opt/symas/etc/openldap/ppolicy.ldif

Apply Policies to Specific Users

Apply the special password policy to Aarika Wolfman with the following LDIF, typed into ldapmodify on standard input:

ldapmodify -x -H ldap://localhost -D dc=example,dc=com -w secret 
dn: cn=Aarika Wolfman,ou=Peons,dc=example,dc=com 
changetype: modify
add: pwdPolicySubentry
pwdPolicySubentry: cn=passwordSpecial,ou=Policies,dc=example,dc=com

Press [Enter] once more (a blank line) to execute the change, then [Ctrl]+[D] to end input.

Test that the special policy is in force by attempting to change Aarika Wolfman's password:

ldappasswd -x -H ldap://localhost -D "cn=Aarika Wolfman,ou=Peons,dc=example,dc=com" -W -S

When prompted, enter the existing password namfloWaki and set the new password to 1234567.

This 7-character password violates the minimum length of 10 set by the special policy, although it would pass the default policy's minimum of 6; the command should therefore fail.
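As an added example (not part of the Symas article), the Python script below parses pwdPolicy entries out of LDIF, evaluates a candidate password against a policy's pwdMinLength and pwdInHistory the way the overlay does, and lints the policies for weak settings. The LDIF text inside it is a constructed copy of the two policies above with non-essential attributes omitted; the history comparison is plaintext for illustration only, since the real overlay stores hashed values in a user's pwdHistory attribute.

```python
"""Parse pwdPolicy entries from LDIF, check a proposed password against one,
and lint the policies for weak settings. Added example, not from the article.
The LDIF below is a constructed copy of the page's passwordDefault and
passwordSpecial policies (non-essential attributes omitted)."""
import base64

# Constructed sample LDIF (same values as the article's ppolicy.ldif).
POLICY_LDIF = """\
dn: cn=passwordDefault,ou=Policies,dc=example,dc=com
objectClass: pwdPolicy
cn: passwordDefault
pwdMinLength: 6
pwdInHistory: 5
pwdMaxFailure: 3
pwdLockout: TRUE

dn: cn=passwordSpecial,ou=Policies,dc=example,dc=com
objectClass: pwdPolicy
cn: passwordSpecial
pwdMinLength: 10
pwdInHistory: 5
pwdMaxFailure: 10
pwdLockout: TRUE
"""

DEFAULT_DN = "cn=passwordDefault,ou=Policies,dc=example,dc=com"
SPECIAL_DN = "cn=passwordSpecial,ou=Policies,dc=example,dc=com"


def parse_ldif(text):
    """Minimal LDIF reader: {dn: {attr: [values]}}. Unfolds continuation
    lines (leading space) and decodes 'attr:: base64' values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded line continues the previous one
        else:
            lines.append(raw)
    entries, attrs = {}, {}
    for line in lines + [""]:             # sentinel blank line flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if "dn" in attrs:
                entries[attrs["dn"][0]] = attrs
            attrs = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):         # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        attrs.setdefault(name.strip(), []).append(value)
    return entries


def policy_from_entry(attrs):
    """Typed view of a pwdPolicy entry; unset attributes take the overlay's
    defaults (0 = no limit, booleans FALSE)."""
    def num(name):
        return int(attrs.get(name, ["0"])[0])

    def flag(name):
        return attrs.get(name, ["FALSE"])[0].upper() == "TRUE"

    return {"min_length": num("pwdMinLength"), "in_history": num("pwdInHistory"),
            "max_failure": num("pwdMaxFailure"), "lockout": flag("pwdLockout")}


def check_password_change(policy, new_password, history=()):
    """(accepted, reason) for a proposed password. Mirrors pwdMinLength and
    pwdInHistory; history is plaintext here for illustration only."""
    if policy["min_length"] and len(new_password) < policy["min_length"]:
        return False, "shorter than pwdMinLength=%d" % policy["min_length"]
    if policy["in_history"] and new_password in history[:policy["in_history"]]:
        return False, "reused within last %d passwords" % policy["in_history"]
    return True, "ok"


def audit_policies(entries, min_acceptable_length=8):
    """Defender's lint: {policy dn: [issues]} for every pwdPolicy entry."""
    findings = {}
    for dn, attrs in entries.items():
        if "pwdPolicy" not in attrs.get("objectClass", []):
            continue
        p = policy_from_entry(attrs)
        issues = []
        if p["min_length"] < min_acceptable_length:
            issues.append("pwdMinLength below %d" % min_acceptable_length)
        if not p["lockout"]:
            issues.append("pwdLockout not TRUE")
        if p["lockout"] and p["max_failure"] == 0:
            issues.append("pwdMaxFailure is 0, lockout can never trigger")
        findings[dn] = issues
    return findings
```

Running `check_password_change(policy_from_entry(parse_ldif(POLICY_LDIF)[SPECIAL_DN]), "1234567")` reproduces the failing test above (too short for pwdMinLength 10), while the same password passes the default policy; `audit_policies` flags the default policy's 6-character minimum as below the 8-character floor the function assumes.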

Force Password Reset

To force a password reset for a group of users in LDAP, create a passwordReset policy and then assign that policy to each user who needs to reset their password.

Create Password Reset Policy

ldapadd -x -H ldap://localhost -D dc=example,dc=com -w secret 
dn: cn=passwordReset,ou=Policies,dc=example,dc=com 
objectClass: pwdPolicy
objectClass: person
objectClass: top
cn: passwordReset
sn: passwordReset
pwdAttribute: userPassword
pwdReset: TRUE
pwdMustChange: TRUE

Press [Enter] once more (a blank line) to execute the add, then [Ctrl]+[D] to end input.

Apply the Password Reset Policy to a User:

ldapmodify -x -H ldap://localhost -D dc=example,dc=com -w secret 
dn: cn=My User,ou=People,dc=example,dc=com 
changetype: modify
add: pwdPolicySubentry
pwdPolicySubentry: cn=passwordReset,ou=Policies,dc=example,dc=com 

Press [Enter] once more (a blank line) to execute the change, then [Ctrl]+[D] to end input.
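Assigning the reset policy to many users one ldapmodify session at a time is tedious, so here is an added example (not from the Symas article) that generates a single LDIF changeset for a list of user DNs, ready to pipe into ldapmodify. The user DNs in it are constructed; the policy DN is the passwordReset policy defined above. It also handles a detail the page's hand-typed LDIF never meets: a DN containing non-ASCII characters must be written as `dn:: <base64>` per RFC 2849.

```python
"""Build one LDIF changeset that attaches a pwdPolicy subentry to many users,
for piping into ldapmodify. Added example, not from the article; the user DNs
are constructed, the policy DN is the page's passwordReset policy."""
import base64

RESET_POLICY_DN = "cn=passwordReset,ou=Policies,dc=example,dc=com"

# Constructed sample: users selected for a forced reset. The third DN contains
# non-ASCII characters and must be base64-encoded in LDIF.
USERS_TO_RESET = [
    "cn=My User,ou=People,dc=example,dc=com",
    "cn=Aarika Wolfman,ou=Peons,dc=example,dc=com",
    "cn=Jörg Müller,ou=People,dc=example,dc=com",
]


def ldif_value(attr, value):
    """One 'attr: value' line per RFC 2849. Values that are not SAFE-STRINGs
    (non-ASCII, leading space/colon/'<', trailing space) become 'attr:: base64'."""
    safe = (value.isascii() and value.isprintable()
            and not value.startswith((" ", ":", "<"))
            and not value.endswith(" "))
    if safe:
        return "%s: %s" % (attr, value)
    return "%s:: %s" % (attr, base64.b64encode(value.encode("utf-8")).decode("ascii"))


def policy_assignment(user_dn, policy_dn, replace=False):
    """One modify record. pwdPolicySubentry is single-valued, so 'add' is
    rejected when the user already carries one; replace=True is the
    idempotent form for re-runs."""
    op = "replace" if replace else "add"
    return "\n".join([
        ldif_value("dn", user_dn),
        "changetype: modify",
        "%s: pwdPolicySubentry" % op,
        ldif_value("pwdPolicySubentry", policy_dn),
        "-",
    ])


def build_changeset(user_dns, policy_dn, replace=False):
    """Records separated by blank lines, as ldapmodify expects on stdin."""
    return "\n\n".join(policy_assignment(dn, policy_dn, replace)
                       for dn in user_dns) + "\n"


if __name__ == "__main__":
    # python3 assign_reset_policy.py | ldapmodify -x -H ldap://localhost -D <admin dn> -W
    print(build_changeset(USERS_TO_RESET, RESET_POLICY_DN, replace=True), end="")
```

The `-` line closing each modification is optional for a single change in OpenLDAP's ldapmodify but is the RFC 2849 form and keeps the records unambiguous when several changes are batched.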

Copyright © 2020-2024 Symas Corporation. All rights reserved.