Date:      Tue, 6 Dec 2016 11:59:41 +0000
From:      Matthew Seaman <matthew@FreeBSD.org>
To:        Per olof Ljungmark <peo@intersonic.se>, freebsd-ports@freebsd.org
Subject:   Re: openldap 2.4 and ppolicy
Message-ID:  <da872f62-c6e9-3d44-2eca-e020809a340c@FreeBSD.org>
In-Reply-To: <fe71363b-9afc-fb9a-5571-4eed7cd88b10@intersonic.se>
References:  <B06CFFBF-8418-41D1-8802-A34A8BB5DDE9@intersonic.se> <73ad7c1c-3d2d-ee6b-768f-6c65a6728303@freebsd.org> <fe71363b-9afc-fb9a-5571-4eed7cd88b10@intersonic.se>

On 2016/12/05 20:09, Per olof Ljungmark wrote:
> On 2016-12-05 11:00, Matthew Seaman wrote:
>> On 12/05/16 01:55, Per Olof Ljungmark wrote:
>>> Can someone who implemented ppolicy on FreeBSD please enlighten me on
>>> how this is done with the cn=config backend? Openldap can be really
>>> frustrating at times!
>>
>> I've done this, and it is working exactly as designed for me.
>>
>> You need an entry similar to this:
>>
>> dn: olcOverlay={5}ppolicy
>> objectClass: olcOverlayConfig
>> objectClass: olcPPolicyConfig
>> olcOverlay: {5}ppolicy
>> olcPPolicyDefault: cn=Default Password Policy,ou=Policy,dc=example,dc=com
>> olcPPolicyHashCleartext: TRUE
>> olcPPolicyUseLockout: TRUE
>> olcPPolicyForwardUpdates: FALSE
>> structuralObjectClass: olcPPolicyConfig
>>
>> Located at
>>
>> cn=config/olcDatabase={1}mdb
>>
>> This tells LDAP to load the ppolicy overlay.
>>
>> Here olcDatabase {0} is the config tree read from
>> ${LOCALBASE}/etc/openldap/slapd.d/ with olcDatabase {1} being our LDAP tree.
>> Then you need to define your password policy at the specified DN within
>> your main LDAP tree.
> 
> Hi Matthew,
> 
> I have gotten to a point very close to what you posted, however, I
> cannot add
> objectClass: olcOverlayConfig
> that returns an "unwilling to perform" error. Are your overlays
> statically compiled or dynamic?
> 
> Cheers,
> 
> //per
> 

These are the OPTIONS settings we use:

# poudriere options -z server -s net/openldap24-server
[00:00:00] ====>> Appending to make.conf:
/usr/local/etc/poudriere.d/make.conf
===> The following configuration options are available for
openldap-server-2.4.44:
     ACCESSLOG=on: With In-Directory Access Logging overlay
     ACI=off: Per-object ACI (experimental)
     AUDITLOG=on: With Audit Logging overlay
     BDB=off: With BerkeleyDB backend (DEPRECATED)
     COLLECT=on: With Collect overy Services overlay
     CONSTRAINT=on: With Attribute Constraint overlay
     DDS=on: With Dynamic Directory Services overlay
     DEBUG=off: Build with debugging support
     DEREF=on: With Dereference overlay
     DNSSRV=on: With Dnssrv backend
     DYNACL=off: Run-time loadable ACL (experimental)
     DYNAMIC_BACKENDS=on: Build dynamic backends
     DYNGROUP=on: With Dynamic Group overlay
     DYNLIST=on: With Dynamic List overlay
     FETCH=off: Enable fetch(3) support
     GSSAPI=off: With GSSAPI support (implies SASL support)
     LMPASSWD=off: With LM hash password support (DEPRECATED)
     MDB=on: With Memory-Mapped DB backend
     MEMBEROF=on: With Reverse Group Membership overlay
     ODBC=off: With SQL backend
     OUTLOOK=off: Force caseIgnoreOrderingMatch on name attribute (experimental)
     PASSWD=off: With Passwd backend
     PERL=off: With Perl backend
     PPOLICY=on: With Password Policy overlay
     PROXYCACHE=on: With Proxy Cache overlay
     REFINT=on: With Referential Integrity overlay
     RELAY=off: With Relay backend
     RETCODE=on: With Return Code testing overlay
     RLOOKUPS=on: With reverse lookups of client hostnames
     RWM=on: With Rewrite/Remap overlay
     SASL=off: With (Cyrus) SASL2 support
     SEQMOD=on: With Sequential Modify overlay
     SHA2=on: With SHA2 Password hashes overlay
     SHELL=off: With Shell backend (disables threading)
     SLAPI=off: With Netscape SLAPI plugin API (experimental)
     SLP=off: With SLPv2 (RFC 2608) support
     SMBPWD=off: With Samba Password hashes overlay
     SOCK=off: With Sock backend
     SSSVLV=on: With ServerSideSort/VLV overlay
     SYNCPROV=on: With Syncrepl Provider overlay
     TCP_WRAPPERS=off: With tcp wrapper support
     TRANSLUCENT=on: With Translucent Proxy overlay
     UNIQUE=on: With attribute Uniqueness overlay
     VALSORT=on: With Value Sorting overlay

Judging by the output of 'pkg info -l openldap-server' it looks like we
have dynamically loadable back-ends and a dynamically loadable pw-sha2
module, but all of the other overlays are compiled in.

	Cheers,

	Matthew
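An added worked example, not part of the thread: it sanity-checks the olcOverlay={5}ppolicy entry quoted above before it is fed to ldapadd (the objectClasses are present, the overlay hangs under an olcDatabase in cn=config, the olcPPolicyDefault DN lies inside the database suffix so slapd can actually find it, and cleartext passwords get hashed), and it emits the matching pwdPolicy entry that has to exist at that DN in the main tree. The suffix dc=example,dc=com, the full overlay DN and the lockout/ageing values are assumptions, not anything Matthew posted.

```python
"""Check a cn=config ppolicy overlay entry and emit the pwdPolicy entry it points at."""
import re

# Constructed sample: the overlay entry from the thread, attached to olcDatabase={1}mdb.
OVERLAY_LDIF = """\
dn: olcOverlay={5}ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: {5}ppolicy
olcPPolicyDefault: cn=Default Password Policy,ou=Policy,dc=example,dc=com
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: TRUE
olcPPolicyForwardUpdates: FALSE
"""
DB_SUFFIX = "dc=example,dc=com"  # assumed olcSuffix of olcDatabase={1}mdb

def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}, unfolding continuation lines."""
    attrs = {}
    for line in re.sub(r"\n ", "", text.strip()).splitlines():
        if line and not line.startswith("#"):
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs

def check_overlay(entry, suffix):
    """Return the problems an admin should fix before running ldapadd (empty list = OK)."""
    problems = []
    ocs = entry.get("objectClass", [])
    if "olcOverlayConfig" not in ocs or "olcPPolicyConfig" not in ocs:
        problems.append("missing olcOverlayConfig/olcPPolicyConfig objectClass")
    dn = entry.get("dn", [""])[0].lower()
    if "olcdatabase=" not in dn or not dn.endswith(",cn=config"):
        problems.append("overlay dn must sit under an olcDatabase entry in cn=config")
    if not entry.get("olcPPolicyDefault", [""])[0].lower().endswith(suffix.lower()):
        problems.append("olcPPolicyDefault is outside the database suffix " + suffix)
    if entry.get("olcPPolicyHashCleartext", ["FALSE"])[0] != "TRUE":
        problems.append("olcPPolicyHashCleartext is not TRUE: cleartext passwords stay unhashed")
    return problems

def policy_entry_ldif(dn, max_failure=5, lockout_secs=900, max_age=7776000):
    """LDIF for the pwdPolicy entry at `dn` (pwdPolicy is auxiliary, so person carries it).
    Lockout after max_failure binds, unlock after lockout_secs, expire after max_age (assumed)."""
    lines = ["dn: " + dn, "objectClass: person", "objectClass: pwdPolicy",
             "cn: " + dn.split(",")[0][3:], "sn: policy", "pwdAttribute: userPassword",
             "pwdLockout: TRUE", "pwdMaxFailure: %d" % max_failure,
             "pwdLockoutDuration: %d" % lockout_secs, "pwdMaxAge: %d" % max_age,
             "pwdCheckQuality: 1"]
    return "\n".join(lines) + "\n"
```

Run it as `python3 check_ppolicy.py` and feed the output of policy_entry_ldif() to ldapadd only once check_overlay() returns an empty list.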