How to configure password policies for an OpenLDAP server in Red Hat Enterprise Linux 5?

Posted by yhj20041128001 on 2011-12-16

Article ID: 48288 - Created on: Feb 28, 2009 8:43 AM - Last Modified:  Jul 11, 2011 11:28 AM

Issue
  • Although it is possible to apply password policies using the "shadow" attributes (shadowLastChange, shadowMin, shadowMax, shadowWarning, shadowInactive, shadowExpire) provided by the shadowAccount objectClass, one drawback is that they cannot be used as a default policy: everything has to be set manually for each user.

Environment

  • Red Hat Enterprise Linux 5
  • openldap-servers-2.3.43-3.el5
  • openldap-servers-overlays-2.3.43-3.el5
  • openldap-2.3.43-3.el5
  • openldap-clients-2.3.43-3.el5

Resolution

Here is a sample configuration for enabling password policies in OpenLDAP.

1. Refer to the following sample for configuration of the /etc/openldap/slapd.conf file:

# Include ppolicy schema in schema section of slapd.conf file

include     /etc/openldap/schema/core.schema
include     /etc/openldap/schema/cosine.schema
include     /etc/openldap/schema/inetorgperson.schema
include     /etc/openldap/schema/nis.schema
include     /etc/openldap/schema/ppolicy.schema

allow bind_v2

pidfile     /var/run/openldap/slapd.pid
argsfile    /var/run/openldap/slapd.args

loglevel 296

# Uncomment the following lines in the dynamic backend modules section
# (on x86_64 the module path is /usr/lib64/openldap):

modulepath  /usr/lib/openldap

moduleload ppolicy.la

# Following access directives are required to implement policy:

access to attrs=userPassword
  by self write
  by anonymous auth
  by * none

access to attrs=shadowLastChange
  by self write
  by * read

access to *
      by * read

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database    bdb
suffix      "dc=example,dc=com"
rootdn      "cn=root,dc=example,dc=com"
# "secret" is a cleartext placeholder; in production put the hash printed by
# slappasswd -h '{SSHA}' here instead
rootpw     secret
directory   /var/lib/ldap/

index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub
index entryCSN,entryUUID        eq

# define the default policy

overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=example,dc=com"
ppolicy_use_lockout

To make OpenLDAP password policies work, the ppolicy.la module must be loaded from slapd.conf. This module is provided by the openldap-servers-overlays package and is available only if that package is installed on the LDAP server.

2. Once slapd.conf is configured, add some records to the LDAP server to test the policies. Here is a sample LDIF file (example.ldif):

# example.com
dn: dc=example,dc=com
dc: example
description: Root LDAP entry for example.com
objectClass: dcObject
objectClass: organizationalUnit
ou: rootobject

# policies, example.com
dn: ou=policies,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: policies

# default, policies, example.com
dn: cn=default,ou=policies,dc=example,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdInHistory: 6
pwdCheckQuality: 1
pwdMinLength: 8
pwdMaxFailure: 4
pwdLockout: TRUE
pwdLockoutDuration: 1920
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
pwdMaxAge: 172800
pwdExpireWarning: 86400

# jery, example.com
# No pwdPolicySubentry is set, so the policy named by ppolicy_default applies.
dn: uid=jery,dc=example,dc=com
uid: jery
cn: example jery
objectClass: account
objectClass: posixAccount
objectClass: top
loginShell: /bin/bash
gecos: example jery
uidNumber: 1011
gidNumber: 1011
homeDirectory: /home/jery
userPassword: {SSHA}06TS/1t/FZUZ5zxWYnDW9Zcz9NFPNqeN

3. Load the LDIF into the database while slapd is stopped (slapadd writes directly to the BDB files):

slapadd -l example.ldif

4. This is an optional step, to avoid warning messages when starting the LDAP daemon for the first time. slapadd run as root leaves the database files owned by root, while slapd runs as the ldap user, so fix the ownership:

chown -R ldap:ldap /var/lib/ldap

5. Restart the slapd service.

# service ldap restart

Client side configuration

1. Run the "authconfig-tui" command.

2. Select "Use LDAP" in the User Information Section and select "Use LDAP Authentication" from the authentication section.

3. Click Next. Add the IP/hostname of the LDAP server in the server field and the "Base DN" for the directory:

server: ldap://server1.example.com/
Base DN: dc=example,dc=com

Click ok.

4. To make the policies work on the LDAP client, add the following lines to the /etc/ldap.conf file:

pam_lookup_policy yes
pam_password clear

Save and exit.

Comments

1. There are two ways a password policy can be applied to individual objects:

  • The pwdPolicySubentry attribute in a user's object: if a user's object has a pwdPolicySubentry attribute specifying the DN of a policy object, then the policy defined by that object is applied.
  • The default password policy: if there is no specific pwdPolicySubentry set for an object, and the password policy module was configured with the DN of a default policy object, and that object exists, then the policy defined in that object is applied.

Refer 'man slapo-ppolicy' for more information.

2. If the ppolicy_default directive is not defined in slapd.conf, and there is no specific password policy for the user, then no password policy is applied to that user entry. This can be used to enable password policies for only a limited number of users or a class of users.

3. Password aging is computed from the pwdChangedTime operational attribute, which the overlay sets only when a password is changed through slapd. Entries loaded with slapadd, as above, carry no pwdChangedTime, so pwdMaxAge and pwdExpireWarning take effect only after the user has logged in and changed the password for the first time.

4. The time-valued "pwd" attributes (pwdMaxAge, pwdMinAge, pwdExpireWarning, pwdLockoutDuration, pwdFailureCountInterval) take values in seconds, so "pwdMaxAge: 172800" expires the user's password after 48 hours, and with "pwdExpireWarning: 86400" the expiry warning is returned during the last 24 hours before that.

5. The LDAP server needs to receive the new password in plain text to enforce the length and quality checks (pwdMinLength, pwdCheckQuality). For this, pam_password has to be 'clear'. Because the password then crosses the network unhashed, the client should talk to the server over TLS (an ldaps:// URI, or "ssl start_tls" with tls_cacertfile in /etc/ldap.conf).

6. Ensure that pwdGraceAuthNLimit is set to 0. Setting it to any positive value allows the user to log in with an expired password without being forced to change it, until that number of grace logins is used up. This can confuse administrators who expect the password change to be enforced.
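Comments 3, 4 and 6 all come down to arithmetic slapd does on the pwdPolicy attributes and on pwdChangedTime. The following added example (mine, not part of the article or of slapo-ppolicy) parses the default policy entry from example.ldif, turns the seconds-valued attributes into readable durations, reproduces the ok/warning/expired decision for a given pwdChangedTime, and flags the settings that quietly disable enforcement. The policy text and the timestamps are constructed copies for offline use; the attribute semantics follow man slapo-ppolicy.

```python
from datetime import datetime, timedelta, timezone

# Constructed copy of the default policy entry from example.ldif above.
DEFAULT_POLICY_LDIF = """\
dn: cn=default,ou=policies,dc=example,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdInHistory: 6
pwdCheckQuality: 1
pwdMinLength: 8
pwdMaxFailure: 4
pwdLockout: TRUE
pwdLockoutDuration: 1920
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
pwdMaxAge: 172800
pwdExpireWarning: 86400
"""

# pwdPolicy attributes whose values are durations in seconds (comment 4).
SECONDS_ATTRS = ("pwdMinAge", "pwdMaxAge", "pwdExpireWarning",
                 "pwdLockoutDuration", "pwdFailureCountInterval")


def parse_entry(ldif):
    """Minimal parser for one plain LDIF entry -> {attr: [values]}.
    Enough for the sample above (no base64 values, no line continuations)."""
    entry = {}
    for line in ldif.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def first_int(entry, attr, default=0):
    """Integer value of a single-valued attribute, with a default when absent."""
    return int(entry.get(attr, [str(default)])[0])


def parse_gentime(value):
    """Parse an LDAP GeneralizedTime such as 20110711112800Z (the format of pwdChangedTime)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def time_values(policy):
    """Return the duration-valued attributes that are present as timedelta objects."""
    return {a: timedelta(seconds=first_int(policy, a))
            for a in SECONDS_ATTRS if a in policy}


def password_status(policy, pwd_changed_time, now):
    """Mirror what slapo-ppolicy decides at bind time from pwdChangedTime:
    'no-aging' when the attribute is absent (the entry came from slapadd and
    the password was never changed through slapd, comment 3), otherwise
    'ok', 'warning' (inside the pwdExpireWarning window) or 'expired'."""
    if pwd_changed_time is None:
        return "no-aging"
    max_age = first_int(policy, "pwdMaxAge")
    if max_age == 0:
        return "ok"  # pwdMaxAge 0 means passwords never expire
    expires = parse_gentime(pwd_changed_time) + timedelta(seconds=max_age)
    warn = first_int(policy, "pwdExpireWarning")
    if now >= expires:
        return "expired"
    if warn and now >= expires - timedelta(seconds=warn):
        return "warning"
    return "ok"


def lint_policy(policy):
    """Flag settings that defeat the enforcement this article is after
    (comment 6 and related pitfalls). Empty list for the sample policy."""
    findings = []
    if first_int(policy, "pwdGraceAuthNLimit") > 0:
        findings.append("pwdGraceAuthNLimit > 0: expired passwords still get grace logins")
    lockout = policy.get("pwdLockout", ["FALSE"])[0].upper() == "TRUE"
    if lockout and first_int(policy, "pwdMaxFailure") == 0:
        findings.append("pwdLockout TRUE but pwdMaxFailure 0: lockout never triggers")
    max_age = first_int(policy, "pwdMaxAge")
    if max_age and first_int(policy, "pwdExpireWarning") >= max_age:
        findings.append("pwdExpireWarning >= pwdMaxAge: warning sent from the first bind")
    return findings


if __name__ == "__main__":
    pol = parse_entry(DEFAULT_POLICY_LDIF)
    for attr, td in time_values(pol).items():
        print("%-24s %s" % (attr, td))
    now = parse_gentime("20110711112800Z")  # constructed "current time"
    for changed in (None, "20110711112800Z", "20110710112800Z", "20110709112800Z"):
        print(changed, "->", password_status(pol, changed, now))
    print("findings:", lint_policy(pol) or "none")
```

Run against the sample policy, a password changed 24 hours before "now" is already in the warning window and one changed 48 hours before is expired, while an entry with no pwdChangedTime is never aged at all; that last case is exactly the freshly slapadd-ed jery account until the first password change.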

http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/4/html/Reference_Guide/s1-ldap-quickstart.html

From "ITPUB Blog", link: http://blog.itpub.net/23757700/viewspace-713412/. If you reproduce this, please cite the source; otherwise legal liability will be pursued.
