
I am trying to enable user password policies in my OpenLDAP 2.4.44 instance based on the osixia/docker-openldap Docker image.

Basically, following this description, I have set up the following structure in my OpenLDAP instance:

ldapsearch -h localhost -p 1389 -D "cn=admin,dc=mycompany,dc=io" -w mypassword -b "dc=mycompany,dc=io" -s sub "(objectclass=*)"

# mycompany.io
dn: dc=mycompany,dc=io
objectClass: top
objectClass: dcObject
objectClass: organization
o: Example Inc.
dc: mycompany

# admin, mycompany.io
dn: cn=admin,dc=mycompany,dc=io
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: hashhashhash

# my-group, mycompany.io
dn: ou=my-group,dc=mycompany,dc=io
objectClass: organizationalUnit
objectClass: extensibleObject
objectClass: top
ou: my-group

# policies, mycompany.io
dn: ou=policies,dc=mycompany,dc=io
objectClass: organizationalUnit
objectClass: extensibleObject
objectClass: top
ou: policies

# passwordDefault, policies, mycompany.io
dn: cn=passwordDefault,ou=policies,dc=mycompany,dc=io
objectClass: pwdPolicy
objectClass: person
objectClass: top
cn: passwordDefault
sn: passwordDefault
pwdAttribute: 2.5.4.35
pwdAllowUserChange: TRUE
pwdCheckQuality: 2
pwdExpireWarning: 600
pwdFailureCountInterval: 30
pwdGraceAuthNLimit: 5
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdMaxAge: 0
pwdMaxFailure: 10
pwdMaxRecordedFailure: 10
pwdMinAge: 0
pwdMinLength: 8
pwdMustChange: FALSE
pwdSafeModify: FALSE
pwdInHistory: 2

# test-admin, my-group, mycompany.io
dn: uid=test-admin,ou=my-group,dc=mycompany,dc=io
uid: test-admin
userPassword:: hashhashhash
objectClass: account
objectClass: simpleSecurityObject
objectClass: top

# test-user-1, my-group, mycompany.io
dn: uid=test-user-1,ou=my-group,dc=mycompany,dc=io
uid: test-user-1
userPassword:: hashhashhash
objectClass: account
objectClass: simpleSecurityObject
objectClass: top

# test-user-2, my-group, mycompany.io
dn: uid=test-user-2,ou=my-group,dc=mycompany,dc=io
uid: test-user-2
objectClass: account
objectClass: simpleSecurityObject
objectClass: top
userPassword:: hashhashhash

# search result
search: 2
result: 0 Success

# numResponses: 9
# numEntries: 8

So, according to the policy, I expect that my test-user-2 will not be able to use the same password twice (pwdInHistory: 2).

So, I try to verify that:

ldappasswd -h localhost -p 1389 -D "uid=test-user-2,ou=my-group,dc=mycompany,dc=io" -W -A -S

But, unfortunately, I can reuse old test-user-2 passwords as many times as I wish. So, the password policy doesn't work, unfortunately.

Can anybody spot an error in my configuration?

How can I verify that the password policy is getting applied?

How can I verify in the OpenLDAP that the password policy is enabled and active?

1 Answer

There were 2 problems in my setup.

  1. There is no "sn" attribute in the pwdPolicy schema. So, in order to create the policy, it needs to be deleted from the LDIF file.

  2. The cn=config was active in my OpenLDAP instance, but the password policy module was not activated. The following LDIF file had to be loaded using the command-line command shown below.

activate-ppolicy.ldif

dn: cn=module,cn=config
cn: module{0}
objectClass: top
objectClass: olcModuleList
olcModuleLoad: ppolicy.la
olcModulePath: /usr/lib/ldap

dn: olcOverlay={0}ppolicy,olcDatabase={1}hdb,cn=config
objectClass: olcPPolicyConfig
objectClass: olcOverlayConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=passwordDefault,ou=policies,dc=mycompany,dc=io
olcPPolicyForwardUpdates: FALSE
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: FALSE

Command to upload

ldapmodify -h localhost -p 1389 -D "cn=admin,cn=config" -w config -a -f ./activate-ppolicy.ldif

Please note the special cn=admin,cn=config user name (different from the main root admin account cn=admin,dc=mycompany,dc=io) with the default password "config".

  • Sorry for the late response. As you have added in your notes about the cn=admin,cn=config user name, did you add this user anywhere in LDAP along with the root user? Commented Aug 23, 2018 at 4:38
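Both verification questions in the post (is the policy enabled, and is it actually applied to a user?) can be answered from ldapsearch output instead of by trying passwords. The script below is an added example, not code from the question, the answer or the osixia/docker-openldap image. Its helpers read ldapsearch LDIF from stdin, so the same functions work against the live container (using the host, port and bind DNs from the post, which are assumed here) or against the constructed sample output embedded in the script; the hashes, timestamps and policy names in those samples are made up for illustration. Two caveats a practitioner should know: pwdChangedTime, pwdHistory and pwdPolicySubentry are operational attributes, so a search must request "+" to see them, and pwdHistory only starts to accumulate from password changes made after the overlay was loaded.

```shell
#!/bin/sh
# Added example: helper functions for checking whether slapo-ppolicy is
# configured and actually applied. Not code from the question, the answer or
# the osixia/docker-openldap image. Each helper reads ldapsearch LDIF output
# from stdin, so it can be fed from the live server with the post's settings
# (assumed: localhost:1389, cn=admin,cn=config / config, the rootdn below):
#   ldapsearch -h localhost -p 1389 -D cn=admin,cn=config -w config \
#       -b cn=config "(olcOverlay=ppolicy)" | ppolicy_default_dn
#   ldapsearch -h localhost -p 1389 -D cn=admin,dc=mycompany,dc=io -w mypassword \
#       -b uid=test-user-2,ou=my-group,dc=mycompany,dc=io "(objectClass=*)" "+" | pwd_history_count
# The *_SAMPLE strings below are constructed stand-ins for that output.

# Check 1: the overlay entry exists (objectClass olcPPolicyConfig) and names a
# default policy. Prints that DN; returns 1 if either piece is missing.
ppolicy_default_dn() {
    ldif=$(cat)
    printf '%s\n' "$ldif" | grep -q '^objectClass: olcPPolicyConfig' || return 1
    dn=$(printf '%s\n' "$ldif" | sed -n 's/^olcPPolicyDefault: //p' | head -n 1)
    [ -n "$dn" ] || return 1
    printf '%s\n' "$dn"
}

# Check 2: which policy governs one entry. An explicit pwdPolicySubentry on the
# entry wins; otherwise the overlay default ($1) applies.
effective_policy_dn() {
    sub=$(sed -n 's/^pwdPolicySubentry: //p' | head -n 1)
    if [ -n "$sub" ]; then printf '%s\n' "$sub"; else printf '%s\n' "$1"; fi
}

# Check 3: evidence that the overlay has acted on the entry. pwdChangedTime is
# set on every password change that goes through the overlay, and pwdHistory
# gains one value per change while pwdInHistory > 0. Both are operational
# attributes: a search that does not request "+" never shows them, and history
# only starts to fill with changes made after the overlay was loaded.
pwd_changed_through_ppolicy() {
    grep -q '^pwdChangedTime:'
}
pwd_history_count() {
    # ldapsearch folds long values onto continuation lines that start with a
    # space, so each value still matches exactly once (-o ldif-wrap=no avoids
    # the folding altogether).
    count=$(grep -c '^pwdHistory:' || true)
    printf '%s\n' "$count"
}

# Check 4: what an enforced history looks like from the client side. When the
# user reuses an old password, ldappasswd fails with constraintViolation (19)
# and the additional info "Password is in history of old passwords".
reuse_was_rejected() {
    grep -q 'Password is in history of old passwords'
}

# Constructed samples (hand-written, not captured from a server).
CONFIG_SAMPLE='dn: olcOverlay={0}ppolicy,olcDatabase={1}hdb,cn=config
objectClass: olcPPolicyConfig
objectClass: olcOverlayConfig
olcOverlay: {0}ppolicy
olcPPolicyDefault: cn=passwordDefault,ou=policies,dc=mycompany,dc=io
olcPPolicyHashCleartext: TRUE'
NO_OVERLAY_SAMPLE='dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcSuffix: dc=mycompany,dc=io'
USER_BEFORE='dn: uid=test-user-2,ou=my-group,dc=mycompany,dc=io
uid: test-user-2
objectClass: account
objectClass: simpleSecurityObject
userPassword:: aGFzaGhhc2hoYXNo'
USER_AFTER="$USER_BEFORE
pwdChangedTime: 20180823043800Z
pwdHistory: 20180822100000Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
pwdHistory: 20180823043800Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"
LDAPPASSWD_REJECTED='Result: Constraint violation (19)
Additional info: Password is in history of old passwords'

# Stand-alone demo over the samples; against a real server, replace the printf
# with the ldapsearch calls shown at the top.
if default=$(printf '%s\n' "$CONFIG_SAMPLE" | ppolicy_default_dn); then
    echo "ppolicy overlay active, default policy: $default"
    echo "policy for test-user-2: $(printf '%s\n' "$USER_AFTER" | effective_policy_dn "$default")"
    echo "pwdHistory values recorded: $(printf '%s\n' "$USER_AFTER" | pwd_history_count)"
else
    echo "ppolicy overlay is NOT configured on this database"
fi
```

Run as-is it exercises the samples; piping the two ldapsearch commands from the header comment into the same functions gives the answer for the running container. A user entry that still shows no pwdChangedTime after a password change is the clearest sign that the change did not pass through the overlay at all, which is the situation the answer above fixes.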
