OpenLDAP: Is it possible to use "userPassword" instead of "2.5.4.35" for pwdAttribute?

Tags: ldap, openldap

I am using OpenLDAP 2.4.11 on Fedora Core 13.

I am trying to create a password policy:

dn: cn=default,ou=policies,dc=estream,dc=com,dc=my
objectClass: person
objectClass: pwdPolicy
objectClass: top
cn: default
pwdAttribute: 2.5.4.35
sn: test

If I specify "userPassword" for pwdAttribute, I get an error:

LDAP: error code 21 - pwdAttribute: value #0 invalid per syntax

Instead, I am forced to use the OID for pwdAttribute:

pwdAttribute: 2.5.4.35

Is it possible to use "userPassword" instead of "2.5.4.35" for pwdAttribute?

I attempted to configure OpenLDAP to load the module ppolicy.la in cn=config, but it doesn't seem to work either, even after restarting the slapd service a few times:

dn: cn=module{0},cn=config
objectClass: olcConfig
objectClass: olcModuleList
objectClass: top
cn: module{0}
olcModuleLoad: {0}/usr/lib64/openldap/ppolicy.la
Chau Chee Yang asked Apr 07 '11 07:04

4 Answers

I just ran into this issue, and solved it differently than the foregoing. I am setting up a new LDAP on CentOS 6.4 (for eventual deployment on RHEL 6.4), and it defaults to the "(cn=config)" configuration scheme, so all the (no doubt excellent) instructions above for modifying slapd.conf don't apply.

In the "(cn=config)" way (also called "slapd.d" on some websites), there are lots of steps to getting overlays to work. The default CentOS 6.4 LDAP I was dealing with included the ppolicy schema, but it wasn't activated.

To get it going, there were many steps:

First, the "ppolicy" module is dynamic, you have to make sure it's included in the list of run-time modules. The default CentOS install didn't have any, so I first had to turn on modules, and then add ppolicy to the list. This LDIF does it:

dn: cn=Module{0},cn=config
objectClass: olcModuleList
cn: Module{0}
olcModuleLoad: ppolicy

If you later want to add more modules, just append additional olcModuleLoad entries to this dn.

Second, you have to turn on the overlay for the database(s) to which you want it to apply. Create another dn, thus:

dn: olcOverlay=ppolicy,olcDatabase={2}bdb,cn=config
objectClass: olcPPolicyConfig
olcOverlay: ppolicy

These first two steps get done in the "cn=config" domain, i.e. outside the database, by the root user of the machine. Subsequent steps are in "dc=example,dc=com" scope, and so can be done by the rootDN.

The third step is to create a container for your password policies. This might be optional, I'm not sure -- I created a dn like:

dn: ou=pwpolicies,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: pwpolicies

Fourth, create your actual policy -- people who have run into this error already have this; it is the dn with the "pwdAttribute" thing that's getting the syntax error. With the foregoing overlay and module work done right, you can use pwdAttribute: userPassword without getting a syntax error. My policy was inside the ou container, of course, and I used an objectClass of "device" in addition to "pwdPolicy", as has been suggested elsewhere.

Finally, you can then actually use the policy, of course.

This whole process was made more confusing for me because so much of the documentation out there is about how to set up slapd.conf. I pieced most of this together from the Zytrax "LDAP for Rocket Scientists" book, which covers the module and overlay stuff very well, but has a wrong or obsolete example (missing a structural object class) in their password policy section.

Andrew Reid answered Nov 15 '22 21:11

I converted my 2.3 to 2.4 on a new server and I was getting the same error on Red Hat 6.3. I used pwdAttribute: 2.5.4.35 instead and it loaded w/o issue.

user1934677 answered Oct 04 '22 07:10

EJP's answer is incorrect, in my experience.

I received the same error message running openldap 2.4.29. The password policy overlay allows the use of pwdAttribute: userPassword, but only if the overlay is enabled. Otherwise the value will be rejected with the message above (pwdAttribute: value #0 invalid per syntax).

If your OpenLDAP installation uses dynamic modules, be sure to include

moduleload      ppolicy.la

in your slapd.conf file (or the suitable equivalent in your cn=config database).

Then load the overlay for the appropriate database:

database        bdb
suffix          "o=example.com"
rootdn          "cn=Directory Manager,o=example.com"
rootpw          password
directory       /opt/openldap-2.4.29/var/openldap-data/example.com
overlay         ppolicy

Prior to loading the overlay, I could only supply the OID for pwdAttribute. After rebuilding with --enable-ppolicy and adding the overlay entry, I was able to use ldapmodify to replace pwdAttribute: 2.5.4.35 with pwdAttribute: userPassword.

I did have to refresh the value of pwdAttribute after loading the overlay.

GargantuChet answered Nov 15 '22 19:11
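The four cn=config steps from Andrew Reid's answer and GargantuChet's note about re-writing pwdAttribute once the overlay is active, as one added example (not code from either answer). It assumes the CentOS-style names used above (cn=module{0}, olcDatabase={2}bdb, ou=pwpolicies, dc=example,dc=com) and adds a small checker for the two things that trip people up: a missing structural class and a pwdAttribute value other than userPassword or 2.5.4.35.

```python
# Added example, not code from any answer above. It assumes the CentOS-style layout
# in Andrew Reid's answer (module list cn=module{0}, database olcDatabase={2}bdb,
# policies under ou=pwpolicies); check yours with ldapsearch -b cn=config first.
USERPASSWORD_OID = "2.5.4.35"                    # the OID the asker had to use
VALID_PWD_ATTRS = {"userPassword", USERPASSWORD_OID}

def config_ldif(db="olcDatabase={2}bdb"):
    """Steps 1-2, cn=config as root (ldapadd -Y EXTERNAL -H ldapi:///): module, then overlay."""
    return ("dn: cn=module{0},cn=config\n"
            "objectClass: olcModuleList\n"
            "cn: module{0}\n"
            "olcModuleLoad: ppolicy\n\n"
            f"dn: olcOverlay=ppolicy,{db},cn=config\n"
            "objectClass: olcPPolicyConfig\n"
            "olcOverlay: ppolicy\n")

def policy_ldif(suffix="dc=example,dc=com", name="default"):
    """Steps 3-4, directory data as the rootDN: container, then the policy with device as structural class."""
    return (f"dn: ou=pwpolicies,{suffix}\n"
            "objectClass: organizationalUnit\n"
            "ou: pwpolicies\n\n"
            f"dn: cn={name},ou=pwpolicies,{suffix}\n"
            "objectClass: device\n"
            "objectClass: pwdPolicy\n"
            f"cn: {name}\n"
            "pwdAttribute: userPassword\n")

def refresh_ldif(policy_dn):
    """GargantuChet's last point: re-write pwdAttribute (ldapmodify) on a policy
    that was created with the OID before the overlay was active."""
    return (f"dn: {policy_dn}\nchangetype: modify\n"
            "replace: pwdAttribute\npwdAttribute: userPassword\n")

def check_policy(entry):
    """Return the problems in one pwdPolicy LDIF entry; [] means it should load."""
    attrs = {}
    for line in entry.splitlines():
        if ":" in line and not line.startswith("dn:"):
            key, value = line.split(":", 1)
            attrs.setdefault(key.strip(), []).append(value.strip())
    classes = set(attrs.get("objectClass", []))
    problems = []
    if "pwdPolicy" not in classes:
        problems.append("missing objectClass pwdPolicy")
    if "device" not in classes:   # pwdPolicy is auxiliary; device is the usual structural class
        problems.append("structural class should be device, got " + str(sorted(classes - {"pwdPolicy", "top"})))
    for value in attrs.get("pwdAttribute") or ["<absent>"]:
        if value not in VALID_PWD_ATTRS:
            problems.append("pwdAttribute must be userPassword or " + USERPASSWORD_OID + ", got " + value)
    return problems
```

Feed the asker's own entry (with objectClass: person) to check_policy and it reports the structural-class problem EJP raises below, while accepting either spelling of the attribute.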

Instead, I am forced to use the OID for pwdAttribute:

You can specify either an OID or the attribute name, provided both the relevant schema and the ppolicy overlay are loaded.

Why have you got objectClass=person in there? A password policy isn't a person. It's customary to use objectClass=device as the structural class for password policies.

user207421 answered Nov 15 '22 21:11