Configuring PPolicy for OpenLDAP 2.5
This article provides a detailed guide on configuring the password policy overlay (ppolicy) for the latest version of OpenLDAP, version 2.5. Readers will learn how to configure and manage password policies within their OpenLDAP environment.
Aug 23, 2022
Configure Password Policy in slapd.conf
The following changes go in the global section of slapd.conf. Open the file for editing:
sudo vi /opt/symas/etc/openldap/slapd.conf
Add the following to the modules list:
moduleload ppolicy.la
Add the policy overlay within the main database section, preferably below the syncprov and accesslog overlay(s):
overlay ppolicy
ppolicy_default "cn=passwordDefault,ou=Policies,dc=sample,dc=com"
ppolicy_forward_updates
NOTE: If a consumer will be in your environment, you will need to configure the chaining overlay.
Restart the slapd service to make the changes take effect:
sudo systemctl restart slapd
-or-
sudo service slapd restart
Add the Password Policies Group to the Database
Create a ppolicy LDIF file with the content below to add the password policy settings to the database.
sudo vi /opt/symas/etc/openldap/ppolicy.ldif
dn: ou=Policies,dc=sample,dc=com
ou: Policies
objectClass: organizationalUnit

dn: cn=passwordDefault,ou=Policies,dc=sample,dc=com
objectClass: pwdPolicy
objectClass: person
objectClass: top
cn: passwordDefault
sn: passwordDefault
pwdAttribute: userPassword
pwdCheckQuality: 1
pwdMinAge: 0
pwdMaxAge: 0
pwdMinLength: 6
pwdInHistory: 5
pwdMaxFailure: 3
pwdFailureCountInterval: 0
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdAllowUserChange: TRUE
pwdExpireWarning: 0
pwdGraceAuthNLimit: 0
pwdMustChange: FALSE
pwdSafeModify: FALSE

dn: cn=passwordSpecial,ou=Policies,dc=sample,dc=com
objectClass: pwdPolicy
objectClass: person
objectClass: top
cn: passwordSpecial
sn: passwordSpecial
pwdAttribute: userPassword
pwdCheckQuality: 1
pwdMinAge: 0
pwdMaxAge: 0
pwdMinLength: 10
pwdInHistory: 5
pwdMaxFailure: 10
pwdFailureCountInterval: 0
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdAllowUserChange: TRUE
pwdExpireWarning: 0
pwdGraceAuthNLimit: 0
pwdMustChange: FALSE
pwdSafeModify: FALSE
Please review our ppolicy man page for further details.
Import the policies using an ldapadd command:
ldapadd -x -H ldap://localhost -D dc=sample,dc=com -w secret -f /opt/symas/etc/openldap/ppolicy.ldif
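Before loading a policy LDIF with ldapadd, it is worth checking it for values slapd will reject and for lockout settings that behave differently from what the author may expect. The linter below is an added example, not Symas or OpenLDAP code; it handles plain LDIF only (no line wrapping or base64 values) and uses a constructed sample based on the passwordDefault policy above plus a passwordReset policy carrying a mixed-case Boolean.

```python
"""Lint pwdPolicy LDIF before ldapadd (added example, not Symas/OpenLDAP code): flag
values slapd rejects and lockout settings worth a second look. Plain LDIF only."""
BOOL_ATTRS = {"pwdLockout", "pwdAllowUserChange", "pwdMustChange", "pwdSafeModify", "pwdReset"}
INT_ATTRS = {"pwdMinLength", "pwdMaxFailure", "pwdLockoutDuration", "pwdMaxAge", "pwdInHistory"}

def parse_ldif(text):
    """Return one {attr: [values]} dict per blank-line-separated entry (no wrapping/base64)."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:   # trailing "" flushes the last entry
        if line.strip():
            attr, _, val = line.partition(":")
            cur.setdefault(attr.strip(), []).append(val.strip())
        elif cur:
            entries.append(cur)
            cur = {}
    return entries

def lint_policy(e):
    """Return findings for one pwdPolicy entry; an empty list means clean."""
    out = []
    for a in sorted(BOOL_ATTRS.intersection(e)):
        if e[a][0] not in ("TRUE", "FALSE"):   # LDAP Boolean syntax is exact
            out.append(f"error: {a}={e[a][0]!r}, must be TRUE or FALSE")
    for a in sorted(INT_ATTRS.intersection(e)):
        if not e[a][0].isdigit():
            out.append(f"error: {a}={e[a][0]!r}, must be a non-negative integer")
    if out:
        return out                          # slapd rejects the entry; stop here
    if e.get("pwdLockout", ["FALSE"])[0] == "TRUE":   # absent numeric attribute behaves as 0
        if int(e.get("pwdMaxFailure", ["0"])[0]) == 0:
            out.append("warn: pwdMaxFailure 0/absent, so pwdLockout is ignored")
        elif int(e.get("pwdLockoutDuration", ["0"])[0]) == 0:
            out.append("warn: pwdLockoutDuration 0, accounts stay locked until an admin unlocks them")
    return out

def lint_ldif(text):
    """Map each pwdPolicy DN in the LDIF to its findings."""
    return {e["dn"][0]: lint_policy(e) for e in parse_ldif(text) if "pwdPolicy" in e.get("objectClass", [])}

# Constructed sample: the guide's default policy plus a reset policy with a mixed-case Boolean.
SAMPLE = """dn: cn=passwordDefault,ou=Policies,dc=sample,dc=com
objectClass: pwdPolicy
pwdMaxFailure: 3
pwdLockout: TRUE
pwdLockoutDuration: 0

dn: cn=passwordReset,ou=Policies,dc=sample,dc=com
objectClass: pwdPolicy
pwdReset: True
"""
```

Run `lint_ldif(SAMPLE)` to see the two findings; the warning on pwdLockoutDuration is the one to weigh before enabling lockout on a directory that serves production logins.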
Apply Policies to Specific Users
Apply the special password policy to Aarika Wolfman with the following LDIF:
ldapmodify -x -H ldap://localhost -D dc=sample,dc=com -w secret
dn: cn=Aarika Wolfman,ou=Peons,dc=sample,dc=com
changetype: modify
add: pwdPolicySubentry
pwdPolicySubentry: cn=passwordSpecial,ou=Policies,dc=sample,dc=com
Press [enter] an extra time to execute, then [ctrl]+[d] to terminate.
Test that the special policy is in force by attempting to change Aarika Wolfman's password:
ldappasswd -x -H ldap://localhost -D "cn=Aarika Wolfman,ou=Peons,dc=sample,dc=com" -W -S
Set the password to 1234567.
Existing password is namfloWaki.
This should violate the minimum length setting of the special policy but not the default policy and the command should, therefore, fail.
Force Password Reset
To force a password reset for a group of users in LDAP, create a passwordReset policy and then add that policy to the users who need their password reset.
Create Password Reset Policy
ldapadd -x -H ldap://localhost -D dc=sample,dc=com -w secret
dn: cn=passwordReset,ou=Policies,dc=sample,dc=com
objectClass: pwdPolicy
objectClass: person
objectClass: top
cn: passwordReset
sn: passwordReset
pwdAttribute: userPassword
pwdReset: TRUE
pwdMustChange: TRUE
Press [enter] an extra time to execute, then [ctrl]+[d] to terminate.
Apply the Password Reset Policy to a User:
ldapmodify -x -H ldap://localhost -D dc=sample,dc=com -w secret
dn: cn=My User,ou=People,dc=sample,dc=com
changetype: modify
add: pwdPolicySubentry
pwdPolicySubentry: cn=passwordReset,ou=Policies,dc=sample,dc=com
Press [enter] an extra time to execute, then [ctrl]+[d] to terminate.