TurnKey Linux Virtual Appliance Library

Open LDAP password policy


Hi,
 
I'm trying to enable the password policy on the Turnkey LDAP server, I have the following configuration:

# default, policies, example.local
dn: cn=default,ou=policies,dc=example,dc=local
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdCheckModule: check_password.so
pwdAttribute: userPassword
pwdMinAge: 604800
pwdMaxAge: 3629000
pwdExpireWarning: 604800
pwdInHistory: 12
pwdCheckQuality: 2
pwdMinLength: 8
pwdMaxFailure: 6
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE

Trying to add it into the LDAP server results in the following error:

adding new entry "cn=default,ou=policies,dc=example,dc=local"
ldap_add: Invalid syntax (21)
        additional info: objectClass: value #2 invalid per syntax

which is the pwdPolicy object.

My /usr/share/slapd/slapd.conf includes the following config:

include         /etc/ldap/schema/ppolicy.schema
moduleload      ppolicy.la
...
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=example,dc=local"
ppolicy_use_lockout
ppolicy_hash_cleartext

I've also made sure /usr/lib/ldap/ppolicy.la and /etc/ldap/schema/ppolicy.schema exist.

Has anyone had any luck getting ppolicy configured on Turnkey? Is there an important step I'm missing?

Thanks guys,

Gordon
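An offline review of the policy entry above, added here as an example and not code from TurnKey, OpenLDAP or the poster. slapd reports "objectClass: value #N invalid per syntax" when the named object class is unknown to the running server, so the first thing worth checking once the schema does load is whether the entry is valid against it and whether its numeric settings mean what you expect. The script parses the LDIF, checks the entry against the pwdPolicy and pwdPolicyChecker object classes as defined in OpenLDAP 2.4's ppolicy.schema (the attribute lists below are copied from that schema; the exact version is an assumption), and flags settings whose effect is easy to misread: a pwdLockoutDuration of 0 means a locked account stays locked until an administrator clears it, and a pwdFailureCountInterval of 0 means failures only reset on a successful bind. The minimum-length threshold is this reviewer's own choice, not anything the schema mandates.

```python
"""Offline review of an OpenLDAP ppolicy (pwdPolicy) LDIF entry.

Added example for this thread, not OpenLDAP's or TurnKey's code. Attribute
semantics follow the ppolicy schema shipped with OpenLDAP 2.4 (assumed version).
"""

# Constructed sample: the entry from the post, blank lines removed.
SAMPLE_LDIF = """\
# default, policies, example.local
dn: cn=default,ou=policies,dc=example,dc=local
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdCheckModule: check_password.so
pwdAttribute: userPassword
pwdMinAge: 604800
pwdMaxAge: 3629000
pwdExpireWarning: 604800
pwdInHistory: 12
pwdCheckQuality: 2
pwdMinLength: 8
pwdMaxFailure: 6
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
"""

# Object-class contents from ppolicy.schema (OpenLDAP 2.4), lowercased.
PWD_POLICY_MUST = {"pwdattribute"}
PWD_POLICY_MAY = {
    "pwdminage", "pwdmaxage", "pwdinhistory", "pwdcheckquality", "pwdminlength",
    "pwdexpirewarning", "pwdgraceauthnlimit", "pwdlockout", "pwdlockoutduration",
    "pwdmaxfailure", "pwdfailurecountinterval", "pwdmustchange",
    "pwdallowuserchange", "pwdsafemodify",
}
# pwdCheckModule is allowed by the auxiliary class pwdPolicyChecker, not by pwdPolicy.
PWD_POLICY_CHECKER_MAY = {"pwdcheckmodule"}
REVIEWER_MIN_LENGTH = 12  # this example's threshold, not a schema requirement


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attr_lower: [values]}; handles folded lines, skips comments.
    Base64 values ('attr:: ...') are not needed for policy entries and are not decoded."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:      # LDIF continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entry = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not an LDIF attribute line: {line!r}")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def schema_findings(entry):
    """Problems slapd's schema check would raise once ppolicy.schema is loaded."""
    findings = []
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if "pwdpolicy" not in classes:
        findings.append("entry lacks objectClass pwdPolicy")
    for attr in sorted(PWD_POLICY_MUST - set(entry)):
        findings.append(f"missing MUST attribute {attr}")
    allowed = PWD_POLICY_MUST | PWD_POLICY_MAY
    if "pwdpolicychecker" in classes:
        allowed |= PWD_POLICY_CHECKER_MAY
    for attr in sorted(entry):
        if attr.startswith("pwd") and attr not in allowed:
            findings.append(f"attribute {attr} not allowed by the entry's objectClasses")
    return findings


def policy_findings(entry):
    """Settings whose operational effect is easy to misread."""
    def num(name):
        return int(entry.get(name, ["0"])[0])

    def flag(name):
        return entry.get(name, ["FALSE"])[0].upper() == "TRUE"

    findings = []
    if flag("pwdlockout") and num("pwdlockoutduration") == 0:
        findings.append("pwdLockoutDuration 0: locked accounts stay locked until an "
                        "administrator clears pwdAccountLockedTime")
    if num("pwdfailurecountinterval") == 0:
        findings.append("pwdFailureCountInterval 0: failure count resets only on a successful bind")
    if num("pwdmaxage") > 0:
        findings.append(f"pwdMaxAge {num('pwdmaxage')}s is about {num('pwdmaxage') / 86400:.1f} days")
        if num("pwdgraceauthnlimit") == 0:
            findings.append("pwdGraceAuthNLimit 0: no binds are allowed once the password has expired")
    if num("pwdminlength") < REVIEWER_MIN_LENGTH:
        findings.append(f"pwdMinLength {num('pwdminlength')} is below the reviewer threshold "
                        f"of {REVIEWER_MIN_LENGTH}")
    return findings


if __name__ == "__main__":
    entry = parse_ldif_entry(SAMPLE_LDIF)
    for line in schema_findings(entry) + policy_findings(entry):
        print(line)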
