Date: Tue, 6 Dec 2016 11:59:41 +0000
From: Matthew Seaman <matthew@FreeBSD.org>
To: Per olof Ljungmark <peo@intersonic.se>, freebsd-ports@freebsd.org
Subject: Re: openldap 2.4 and ppolicy
Message-ID: <da872f62-c6e9-3d44-2eca-e020809a340c@FreeBSD.org>
In-Reply-To: <fe71363b-9afc-fb9a-5571-4eed7cd88b10@intersonic.se>
References: <B06CFFBF-8418-41D1-8802-A34A8BB5DDE9@intersonic.se> <73ad7c1c-3d2d-ee6b-768f-6c65a6728303@freebsd.org> <fe71363b-9afc-fb9a-5571-4eed7cd88b10@intersonic.se>
On 2016/12/05 20:09, Per olof Ljungmark wrote:
> On 2016-12-05 11:00, Matthew Seaman wrote:
>> On 12/05/16 01:55, Per Olof Ljungmark wrote:
>>> Can someone who implemented ppolicy on FreeBSD please enlighten me on
>>> how this is done with the cn=config backend? Openldap can be really
>>> frustrating at times!
>>
>> I've done this, and it is working exactly as designed for me.
>>
>> You need an entry similar to this:
>>
>> dn: olcOverlay={5}ppolicy
>> objectClass: olcOverlayConfig
>> objectClass: olcPPolicyConfig
>> olcOverlay: {5}ppolicy
>> olcPPolicyDefault: cn=Default Password Policy,ou=Policy,dc=example,dc=com
>> olcPPolicyHashCleartext: TRUE
>> olcPPolicyUseLockout: TRUE
>> olcPPolicyForwardUpdates: FALSE
>> structuralObjectClass: olcPPolicyConfig
>>
>> Located at
>>
>> cn=config/olcDatabase={1}mdb
>>
>> This tells LDAP to load the ppolicy overlay.
>>
>> Here olcDatabase {0} is the config tree read from
>> ${LOCALBASE}/etc/openldap/slapd.d/ with olcDatabase {1} being our LDAP tree.
>> Then you need to define your password policy at the specified DN within
>> your main LDAP tree.
>
> Hi Matthew,
>
> I have gotten to a point very close to what you posted, however, I
> cannot add
> objectClass: olcOverlayConfig
> that returns an "unwilling to perform" error. Are your overlays
> statically compiled or dynamic?
>
> Cheers,
>
> //per
>

These are the OPTIONS settings we use:

# poudriere options -z server -s net/openldap24-server
[00:00:00] ====>> Appending to make.conf: /usr/local/etc/poudriere.d/make.conf
===> The following configuration options are available for openldap-server-2.4.44:
     ACCESSLOG=on: With In-Directory Access Logging overlay
     ACI=off: Per-object ACI (experimental)
     AUDITLOG=on: With Audit Logging overlay
     BDB=off: With BerkeleyDB backend (DEPRECATED)
     COLLECT=on: With Collect overy Services overlay
     CONSTRAINT=on: With Attribute Constraint overlay
     DDS=on: With Dynamic Directory Services overlay
     DEBUG=off: Build with debugging support
     DEREF=on: With Dereference overlay
     DNSSRV=on: With Dnssrv backend
     DYNACL=off: Run-time loadable ACL (experimental)
     DYNAMIC_BACKENDS=on: Build dynamic backends
     DYNGROUP=on: With Dynamic Group overlay
     DYNLIST=on: With Dynamic List overlay
     FETCH=off: Enable fetch(3) support
     GSSAPI=off: With GSSAPI support (implies SASL support)
     LMPASSWD=off: With LM hash password support (DEPRECATED)
     MDB=on: With Memory-Mapped DB backend
     MEMBEROF=on: With Reverse Group Membership overlay
     ODBC=off: With SQL backend
     OUTLOOK=off: Force caseIgnoreOrderingMatch on name attribute (experimental)
     PASSWD=off: With Passwd backend
     PERL=off: With Perl backend
     PPOLICY=on: With Password Policy overlay
     PROXYCACHE=on: With Proxy Cache overlay
     REFINT=on: With Referential Integrity overlay
     RELAY=off: With Relay backend
     RETCODE=on: With Return Code testing overlay
     RLOOKUPS=on: With reverse lookups of client hostnames
     RWM=on: With Rewrite/Remap overlay
     SASL=off: With (Cyrus) SASL2 support
     SEQMOD=on: With Sequential Modify overlay
     SHA2=on: With SHA2 Password hashes overlay
     SHELL=off: With Shell backend (disables threading)
     SLAPI=off: With Netscape SLAPI plugin API (experimental)
     SLP=off: With SLPv2 (RFC 2608) support
     SMBPWD=off: With Samba Password hashes overlay
     SOCK=off: With Sock backend
     SSSVLV=on: With ServerSideSort/VLV overlay
     SYNCPROV=on: With Syncrepl Provider overlay
     TCP_WRAPPERS=off: With tcp wrapper support
     TRANSLUCENT=on: With Translucent Proxy overlay
     UNIQUE=on: With attribute Uniqueness overlay
     VALSORT=on: With Value Sorting overlay

Judging by the output of 'pkg info -l openldap-server' it looks like we
have dynamically loadable back-ends and a dynamically loadable pw-sha2
module, but all of the other overlays are compiled in.

Cheers,

Matthew
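The following is an added example, not code from the thread or from the OpenLDAP project. It takes the overlay entry Matthew posted, pairs it with a pwdPolicy entry at the DN that olcPPolicyDefault names, and sanity-checks the pair before it is fed to ldapadd: required objectClasses, the {N} index in the RDN agreeing with the olcOverlay attribute, the default policy DN sitting inside the database suffix and matching the policy entry, the mandatory pwdAttribute, and olcPPolicyHashCleartext being TRUE so a cleartext userPassword is hashed on the way in. A second helper looks at a `pkg info -l openldap-server` listing and reports whether an overlay ships as a loadable module (olcModuleLoad needed) or is compiled into slapd, which is the static-versus-dynamic question Per asked. Assumptions: the full cn=config DN `olcOverlay={5}ppolicy,olcDatabase={1}mdb,cn=config` is built from the slapd.d location in the thread, the pwdPolicy attribute values are made up, and the pkg listing is constructed to match Matthew's description (loadable back-ends and pw-sha2, everything else built in).

```python
# Added example: sanity-check a cn=config ppolicy overlay entry plus the
# pwdPolicy entry it points at, and decide from a `pkg info -l` listing
# whether an overlay needs olcModuleLoad. Not from the thread; DN and
# policy values below are assumptions, the pkg listing is constructed.
import re

# Constructed sample: Matthew's overlay entry with its full cn=config DN
# (the thread only gives the slapd.d location cn=config/olcDatabase={1}mdb).
OVERLAY_LDIF = """\
dn: olcOverlay={5}ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: {5}ppolicy
olcPPolicyDefault: cn=Default Password Policy,ou=Policy,dc=example,dc=com
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: TRUE
olcPPolicyForwardUpdates: FALSE
"""

# Constructed sample: the policy entry in the main tree (values are assumed;
# pwdPolicy is auxiliary, so it rides on a structural class).
POLICY_LDIF = """\
dn: cn=Default Password Policy,ou=Policy,dc=example,dc=com
objectClass: organizationalRole
objectClass: pwdPolicy
cn: Default Password Policy
pwdAttribute: userPassword
pwdLockout: TRUE
pwdMaxFailure: 5
pwdLockoutDuration: 900
pwdMinLength: 12
pwdInHistory: 5
"""

# Constructed sample of `pkg info -l openldap-server`, trimmed to the module
# directory: back-ends and pw-sha2 are loadable, ppolicy is compiled in.
PKG_FILES = """\
/usr/local/libexec/openldap/back_mdb.la
/usr/local/libexec/openldap/back_mdb.so
/usr/local/libexec/openldap/pw-sha2.la
/usr/local/libexec/openldap/pw-sha2.so
/usr/local/libexec/slapd
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into (dn, {attr: [values]}); joins folded lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # LDIF continuation line
            lines[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    dn, attrs = None, {}
    for line in lines:
        name, _, value = line.partition(":")
        if name.lower() == "dn":
            dn = value.strip()
        else:
            attrs.setdefault(name, []).append(value.strip())
    return dn, attrs


def overlay_needs_module_load(overlay, pkg_listing):
    """True if the overlay ships as a loadable module (olcModuleLoad needed);
    False if it is built into slapd and no olcModuleLoad should be added."""
    pattern = re.compile(r"/openldap/%s\.(so|la)$" % re.escape(overlay))
    return any(pattern.search(p) for p in pkg_listing.splitlines())


def check_ppolicy_config(overlay_text, policy_text, suffix):
    """Return a list of findings; an empty list means the pair looks sane.
    DN comparison is a case-insensitive string match, a simplification."""
    findings = []
    odn, oattrs = parse_ldif_entry(overlay_text)
    pdn, pattrs = parse_ldif_entry(policy_text)

    classes = {c.lower() for c in oattrs.get("objectClass", [])}
    for needed in ("olcOverlayConfig", "olcPPolicyConfig"):
        if needed.lower() not in classes:
            findings.append("overlay entry lacks objectClass %s" % needed)

    m = re.match(r"olcOverlay=\{(\d+)\}ppolicy,olcDatabase=\{\d+\}\w+,cn=config$", odn or "")
    if not m:
        findings.append("overlay DN must be olcOverlay={N}ppolicy,olcDatabase={N}xxx,cn=config")
    elif oattrs.get("olcOverlay") != ["{%s}ppolicy" % m.group(1)]:
        findings.append("olcOverlay attribute disagrees with the RDN")

    default = oattrs.get("olcPPolicyDefault", [""])[0]
    if not default.lower().endswith(suffix.lower()):
        findings.append("olcPPolicyDefault %r is outside suffix %s" % (default, suffix))
    if default.lower() != (pdn or "").lower():
        findings.append("olcPPolicyDefault does not match the policy entry DN")

    if "pwdpolicy" not in {c.lower() for c in pattrs.get("objectClass", [])}:
        findings.append("policy entry lacks objectClass pwdPolicy")
    if "pwdAttribute" not in pattrs:
        findings.append("policy entry lacks the mandatory pwdAttribute")

    # Without this, a userPassword written in cleartext is stored in cleartext.
    if oattrs.get("olcPPolicyHashCleartext", ["FALSE"])[0].upper() != "TRUE":
        findings.append("olcPPolicyHashCleartext is not TRUE")
    return findings


if __name__ == "__main__":
    for f in check_ppolicy_config(OVERLAY_LDIF, POLICY_LDIF, "dc=example,dc=com") or ["ok"]:
        print(f)
    print("ppolicy needs olcModuleLoad:", overlay_needs_module_load("ppolicy", PKG_FILES))
```

On a real host, replace PKG_FILES with the actual `pkg info -l openldap-server` output; with PPOLICY built in, as in the OPTIONS above, no ppolicy.so appears and the overlay entry is added without any olcModuleLoad line.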