openldap 2.4 and ppolicy
Matthew Seaman
matthew at FreeBSD.org
Tue Dec 6 11:59:55 UTC 2016
On 2016/12/05 20:09, Per olof Ljungmark wrote:
> On 2016-12-05 11:00, Matthew Seaman wrote:
>> On 12/05/16 01:55, Per Olof Ljungmark wrote:
>>> Can someone who implemented ppolicy on FreeBSD please enlighten me on
>>> how this is done with the cn=config backend? Openldap can be really
>>> frustrating at times!
>>
>> I've done this, and it is working exactly as designed for me.
>>
>> You need an entry similar to this:
>>
>> dn: olcOverlay={5}ppolicy
>> objectClass: olcOverlayConfig
>> objectClass: olcPPolicyConfig
>> olcOverlay: {5}ppolicy
>> olcPPolicyDefault: cn=Default Password Policy,ou=Policy,dc=example,dc=com
>> olcPPolicyHashCleartext: TRUE
>> olcPPolicyUseLockout: TRUE
>> olcPPolicyForwardUpdates: FALSE
>> structuralObjectClass: olcPPolicyConfig
>>
>> Located at
>>
>> cn=config/olcDatabase={1}mdb
>>
>> This tells LDAP to load the ppolicy overlay.
>>
>> Here olcDatabase {0} is the config tree read from
>> ${LOCALBASE}/etc/openldap/slapd.d/ with olcDatabase {1} being our LDAP tree.
>> Then you need to define your password policy at the specified DN within
>> your main LDAP tree.
>
> Hi Matthew,
>
> I have gotten to a point very close to what you posted, however, I
> cannot add
> objectClass: olcOverlayConfig
> that returns an "unwilling to perform" error. Are your overlays
> statically compiled or dynamic?
>
> Cheers,
>
> //per
>
These are the OPTIONS settings we use:
# poudriere options -z server -s net/openldap24-server
[00:00:00] ====>> Appending to make.conf:
/usr/local/etc/poudriere.d/make.conf
===> The following configuration options are available for
openldap-server-2.4.44:
ACCESSLOG=on: With In-Directory Access Logging overlay
ACI=off: Per-object ACI (experimental)
AUDITLOG=on: With Audit Logging overlay
BDB=off: With BerkeleyDB backend (DEPRECATED)
COLLECT=on: With Collect overy Services overlay
CONSTRAINT=on: With Attribute Constraint overlay
DDS=on: With Dynamic Directory Services overlay
DEBUG=off: Build with debugging support
DEREF=on: With Dereference overlay
DNSSRV=on: With Dnssrv backend
DYNACL=off: Run-time loadable ACL (experimental)
DYNAMIC_BACKENDS=on: Build dynamic backends
DYNGROUP=on: With Dynamic Group overlay
DYNLIST=on: With Dynamic List overlay
FETCH=off: Enable fetch(3) support
GSSAPI=off: With GSSAPI support (implies SASL support)
LMPASSWD=off: With LM hash password support (DEPRECATED)
MDB=on: With Memory-Mapped DB backend
MEMBEROF=on: With Reverse Group Membership overlay
ODBC=off: With SQL backend
OUTLOOK=off: Force caseIgnoreOrderingMatch on name attribute (experimental)
PASSWD=off: With Passwd backend
PERL=off: With Perl backend
PPOLICY=on: With Password Policy overlay
PROXYCACHE=on: With Proxy Cache overlay
REFINT=on: With Referential Integrity overlay
RELAY=off: With Relay backend
RETCODE=on: With Return Code testing overlay
RLOOKUPS=on: With reverse lookups of client hostnames
RWM=on: With Rewrite/Remap overlay
SASL=off: With (Cyrus) SASL2 support
SEQMOD=on: With Sequential Modify overlay
SHA2=on: With SHA2 Password hashes overlay
SHELL=off: With Shell backend (disables threading)
SLAPI=off: With Netscape SLAPI plugin API (experimental)
SLP=off: With SLPv2 (RFC 2608) support
SMBPWD=off: With Samba Password hashes overlay
SOCK=off: With Sock backend
SSSVLV=on: With ServerSideSort/VLV overlay
SYNCPROV=on: With Syncrepl Provider overlay
TCP_WRAPPERS=off: With tcp wrapper support
TRANSLUCENT=on: With Translucent Proxy overlay
UNIQUE=on: With attribute Uniqueness overlay
VALSORT=on: With Value Sorting overlay
Judging by the output of 'pkg info -l openldap-server' it looks like we
have dynamically loadable back-ends and a dynamically loadable pw-sha2
module, but all of the other overlays are compiled in.
Cheers,
Matthew
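The two pieces Matthew describes above, the overlay entry under cn=config and the policy entry at the DN it names, written out as an added example that is not from this thread. The dc=example,dc=com suffix, the olcDatabase={1}mdb database, the ou=Policy container and every policy value are assumptions; it also assumes the ppolicy schema is already loaded under cn=schema,cn=config.

```ldif
# Added example, not from the mailing-list post. Assumes olcDatabase={1}mdb
# serves dc=example,dc=com, ou=Policy,dc=example,dc=com exists, and the
# ppolicy schema is loaded. Apply part 1 with:
#   ldapadd -Y EXTERNAL -H ldapi:/// -f ppolicy-overlay.ldif
# and part 2 as a DN with write access to the main tree.

# --- Part 1: the overlay, a child of the database it protects -----------
# The {5} index orders this overlay among others on the same database;
# use the next free index (e.g. {0} if it is the first overlay).
dn: olcOverlay={5}ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: {5}ppolicy
# policy used for entries that carry no pwdPolicySubentry of their own
olcPPolicyDefault: cn=Default Password Policy,ou=Policy,dc=example,dc=com
# hash cleartext userPassword values on add/modify (per olcPasswordHash)
olcPPolicyHashCleartext: TRUE
# honour pwdLockout / pwdMaxFailure in the policy
olcPPolicyUseLockout: TRUE
# do not forward pwd* state updates to a replication provider
olcPPolicyForwardUpdates: FALSE

# --- Part 2: the policy entry at the DN named above ---------------------
dn: cn=Default Password Policy,ou=Policy,dc=example,dc=com
objectClass: device
objectClass: pwdPolicy
cn: Default Password Policy
# attribute the policy governs (must be userPassword)
pwdAttribute: userPassword
# passwords expire after 90 days (seconds); warn during the last 14
pwdMaxAge: 7776000
pwdExpireWarning: 1209600
# allow 3 grace binds after expiry to change the password
pwdGraceAuthNLimit: 3
# lock after 5 failures within 15 minutes; lockout lasts 30 minutes
pwdLockout: TRUE
pwdMaxFailure: 5
pwdFailureCountInterval: 900
pwdLockoutDuration: 1800
# minimum length 12; 2 = reject when quality cannot be checked, which only
# works because olcPPolicyHashCleartext lets clients send cleartext
pwdMinLength: 12
pwdCheckQuality: 2
# keep the last 5 hashes in pwdHistory to block reuse
pwdInHistory: 5
# users may change their own password, at most once per day, and must
# supply the old one when doing so
pwdAllowUserChange: TRUE
pwdMinAge: 86400
pwdSafeModify: TRUE
```

Both parts can be checked afterwards with a search of cn=config (over ldapi:/// with -Y EXTERNAL) and of the policy DN respectively; slapd rejects the overlay entry with "unwilling to perform" or "no such object" rather than silently ignoring a misnamed parent or missing schema.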