Configuring PPolicy for OpenLDAP 2.4
Learn how to configure PPolicy for SOLD 2.4 in order to enhance security and improve password policies for your system.
Configure Password Policy in slapd.conf
In the global section add the following to the included schemas:
sudo vi /opt/symas/etc/openldap/slapd.conf
include /opt/symas/etc/openldap/schema/ppolicy.schema
Add the following to the modules list:
moduleload ppolicy.la
Add the following to the MDB section below the maxsize setting:
overlay ppolicy
ppolicy_default "cn=passwordDefault,ou=Policies,dc=example,dc=com"
ppolicy_forward_updates
Restart solserver to make the changes take effect:
sudo service solserver restart
Add the Password Policies to the Database
Create a ppolicy LDIF file with the content below to add the password policy entries to the database.
sudo vi /opt/symas/etc/openldap/ppolicy.ldif
# Container for the policy entries
dn: ou=Policies,dc=example,dc=com
ou: Policies
objectClass: organizationalUnit

# Default policy, referenced by ppolicy_default in slapd.conf.
# pwdPolicy is an auxiliary class, so a structural class (person) is required.
dn: cn=passwordDefault,ou=Policies,dc=example,dc=com
objectClass: pwdPolicy
objectClass: person
objectClass: top
cn: passwordDefault
sn: passwordDefault
pwdAttribute: userPassword
pwdCheckQuality: 1
pwdMinAge: 0
pwdMaxAge: 0
pwdMinLength: 6
pwdInHistory: 5
pwdMaxFailure: 3
pwdFailureCountInterval: 0
pwdLockout: TRUE
# 0 = locked until an administrator removes pwdAccountLockedTime from the user entry
pwdLockoutDuration: 0
pwdAllowUserChange: TRUE
pwdExpireWarning: 0
pwdGraceAuthNLimit: 0
pwdMustChange: FALSE
pwdSafeModify: FALSE

# Stricter policy, applied to individual users via pwdPolicySubentry
dn: cn=passwordSpecial,ou=Policies,dc=example,dc=com
objectClass: pwdPolicy
objectClass: person
objectClass: top
cn: passwordSpecial
sn: passwordSpecial
pwdAttribute: userPassword
pwdCheckQuality: 1
pwdMinAge: 0
pwdMaxAge: 0
pwdMinLength: 10
pwdInHistory: 5
pwdMaxFailure: 10
pwdFailureCountInterval: 0
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdAllowUserChange: TRUE
pwdExpireWarning: 0
pwdGraceAuthNLimit: 0
pwdMustChange: FALSE
pwdSafeModify: FALSE
Import the policies using an ldapadd command:
ldapadd -x -H ldap://localhost -D dc=example,dc=com -w secret -f /opt/symas/etc/openldap/ppolicy.ldif
Apply Policies to Specific Users
Apply the special password policy to Aarika Wolfman with the following LDIF:
ldapmodify -x -H ldap://localhost -D dc=example,dc=com -w secret
dn: cn=Aarika Wolfman,ou=Peons,dc=example,dc=com
changetype: modify
add: pwdPolicySubentry
pwdPolicySubentry: cn=passwordSpecial,ou=Policies,dc=example,dc=com
Extra [Enter] to execute, [Ctrl]+[d] to terminate.
Test that the special policy is in force by attempting to change Aarika Wolfman's password:
ldappasswd -x -H ldap://localhost -D "cn=Aarika Wolfman,ou=Peons,dc=example,dc=com" -W -S
Set the password to 1234567
Existing password is namfloWaki
This violates the minimum length setting of the special policy (10 characters) but not that of the default policy (6 characters), so the command should fail.
Force Password Reset
To force a password reset for a group of users in LDAP, create a passwordReset policy and then apply that policy to the users who need their password reset.
Create Password Reset Policy
ldapadd -x -H ldap://localhost -D dc=example,dc=com -w secret
dn: cn=passwordReset,ou=Policies,dc=example,dc=com
objectClass: pwdPolicy
objectClass: person
objectClass: top
cn: passwordReset
sn: passwordReset
pwdAttribute: userPassword
# LDAP Boolean values must be exactly TRUE or FALSE; "True" is rejected as invalid syntax
pwdReset: TRUE
# Users must change their password at the first bind after an administrator sets or resets it
pwdMustChange: TRUE
Extra [Enter] to execute, [Ctrl]+[d] to terminate.
Apply the Password Reset Policy to a User:
ldapmodify -x -H ldap://localhost -D dc=example,dc=com -w secret
dn: cn=My User,ou=People,dc=example,dc=com
changetype: modify
add: pwdPolicySubentry
pwdPolicySubentry: cn=passwordReset,ou=Policies,dc=example,dc=com
Extra [Enter] to execute, [Ctrl]+[d] to terminate.
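As an added example (not from this page or from Symas), a small Python script that audits a policy LDIF before it is imported: it parses the entries, flags Boolean values that the LDAP Boolean syntax rejects (only TRUE and FALSE are accepted, so a value like "True" fails), reports what the lockout and quality settings mean in practice, and shows which policy the overlay applies to a user entry. The sample LDIF is constructed from the page's entries, and `DEFAULT_POLICY` is assumed to mirror the `ppolicy_default` DN from slapd.conf.

```python
BOOLEANS = {"pwdLockout", "pwdAllowUserChange", "pwdMustChange", "pwdSafeModify", "pwdReset"}
DEFAULT_POLICY = "cn=passwordDefault,ou=Policies,dc=example,dc=com"  # assumed ppolicy_default DN
# Constructed sample (assumed, based on the page's entries): two policies and one user.
SAMPLE_LDIF = """\
dn: cn=passwordDefault,ou=Policies,dc=example,dc=com
objectClass: pwdPolicy
pwdCheckQuality: 1
pwdMaxFailure: 3
pwdLockout: TRUE
pwdLockoutDuration: 0

dn: cn=passwordReset,ou=Policies,dc=example,dc=com
objectClass: pwdPolicy
pwdReset: True

dn: cn=Aarika Wolfman,ou=Peons,dc=example,dc=com
pwdPolicySubentry: cn=passwordReset,ou=Policies,dc=example,dc=com
"""

def parse_ldif(text):
    """One dict (attr -> [values]) per entry; entries end at a blank line (RFC 2849)."""
    entries, entry = [], {}
    for line in text.replace("\n ", "").splitlines() + [""]:  # join folded lines
        if not line.strip():
            if entry:
                entries.append(entry)
            entry = {}
        elif not line.startswith("#"):  # '#' lines are LDIF comments
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip(), []).append(value.strip())
    return entries

def audit_policy(entry):
    """Findings for one pwdPolicy entry: values ldapadd rejects, and settings that are easy to misread."""
    if "pwdPolicy" not in entry.get("objectClass", []):
        return []
    first = lambda attr, default: entry.get(attr, [default])[0]
    findings = [f"{a}: {first(a, '')} is not a valid LDAP Boolean (must be TRUE or FALSE)"
                for a in sorted(BOOLEANS.intersection(entry)) if first(a, "") not in ("TRUE", "FALSE")]
    if first("pwdLockout", "FALSE") == "TRUE" and int(first("pwdMaxFailure", "0")) > 0 \
            and int(first("pwdLockoutDuration", "0")) == 0:
        findings.append(f"lockout after {first('pwdMaxFailure', '0')} failed binds is permanent until an admin clears pwdAccountLockedTime")
    if first("pwdCheckQuality", "0") == "1":
        findings.append("pwdCheckQuality 1: pwdMinLength is not enforced when the password arrives pre-hashed")
    return findings

def effective_policy(user_entry):
    """Policy the overlay applies to a user: pwdPolicySubentry if set, otherwise ppolicy_default."""
    return user_entry.get("pwdPolicySubentry", [DEFAULT_POLICY])[0]
```

Run `audit_policy` over every entry returned by `parse_ldif` on the real ppolicy.ldif before the ldapadd step; an empty list for each policy means nothing was flagged.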