[LDAP-interop] help with ppolicy

Geoff red36 at zyni.com
Tue Apr 18 21:38:04 EDT 2006


I am using Gary Tay's excellent document for setting up LDAP as
a naming service.  The largest difference is that I changed
replication schemes using syncrepl instead of slurpd.

The original requirement was just to have a mechanism so that 
passwords will expire.  Using shadow attributes worked for this 
but now I have been presented with some new requirements:
 

Lockout should happen after 10 failed attempts
 
The last 5 passwords should not be re-used
 
 
I am trying to use the ppolicy overlay to do this.
 
slapd.conf:
==========
overlay         ppolicy
ppolicy_default "cn=Password Policy,ou=Policies,dc=example,dc=com"
ppolicy_use_lockout
 
 
slapcat segment of password policy
===================================
dn: cn=Password Policy,ou=policies,dc=example,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: Password Policy
pwdAttribute: userPassword
pwdMaxAge: 7776000
pwdInHistory: 5
pwdCheckQuality: 1
pwdMinLength: 1
pwdExpireWarning: 2592000
pwdGraceAuthNLimit: 5
pwdMaxFailure: 10
pwdFailureCountInterval: 0
pwdMustChange: FALSE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
structuralObjectClass: device
entryUUID: 258dd518-628c-102a-8699-a3bbec6cef59
creatorsName: cn=Manager,dc=example,dc=com
createTimestamp: 20060417183136Z
pwdLockoutDuration: 7776000
pwdLockout: TRUE
entryCSN: 20060418182850Z#000000#00#000000
modifiersName: cn=Manager,dc=example,dc=com
modifyTimestamp: 20060418182850Z
 
 
slapcat of a user that should be locked
=======================================
dn: uid=geoffl,ou=People,dc=example,dc=com
uid: geoffl
cn: Geoffrey Lassner
shadowMax: 99999
shadowWarning: 60
shadowExpire: 99999
uidNumber: 2364
homeDirectory: /home/geoffl
gecos: Geoffrey Lassner
structuralObjectClass: account
entryUUID: 32a48e70-3750-102a-8c5f-1504ca8de533
creatorsName: cn=Manager,dc=example,dc=com
createTimestamp: 20060221180408Z
loginShell: /bin/bash
gidNumber: 14
objectClass: pwdPolicy
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
pwdAttribute: userPassword
pwdHistory: 20060417195105Z#1.3.6.1.4.1.1466.115.121.1.40#20#{crypt}rK3mca4Y/x
 tnc
pwdHistory: 20060417195315Z#1.3.6.1.4.1.1466.115.121.1.40#20#{CRYPT}7a2vVTpmx0
 FQY
pwdHistory: 20060417195324Z#1.3.6.1.4.1.1466.115.121.1.40#20#{CRYPT}2iLvvgAjJF
 6YE
pwdHistory: 20060418173652Z#1.3.6.1.4.1.1466.115.121.1.40#20#{CRYPT}7EB97toNB7
 cT.
pwdHistory: 20060418173706Z#1.3.6.1.4.1.1466.115.121.1.40#20#{crypt}/IQ5J.Q2xR
 t2U
userPassword:: e2NyeXB0fTA0YW0wSC93YTh5bnc=
pwdChangedTime: 20060418173706Z
shadowLastChange: 13256
pwdFailureTime: 20060418185237Z
pwdFailureTime: 20060418185240Z
pwdFailureTime: 20060418185245Z
pwdFailureTime: 20060418185249Z
pwdFailureTime: 20060418185252Z
pwdFailureTime: 20060418185255Z
pwdFailureTime: 20060418185301Z
pwdFailureTime: 20060418185304Z
pwdFailureTime: 20060418185307Z
pwdFailureTime: 20060418185522Z
pwdAccountLockedTime: 20060418185522Z
entryCSN: 20060418185522Z#000000#00#000000
modifiersName: cn=Manager,dc=example,dc=com
modifyTimestamp: 20060418185522Z
 
 
However none of my systems honor the lockout:
RHEL 4    (native ldap client)
Solaris 8 (native ldap client)
AIX 5.3   (native ldap client)
AIX 5.2   (native ldap client)
 
Solaris 8, AIX 5.3 and AIX 5.2 do not update pwdFailureTime
when a failed login occurs.

The last five passwords rule works as long as I use
ldappasswd to update passwords.
 
Is there something obvious that I am doing wrong?  Ideas/Things
to check?

If there is more information required that I forgot to post please
let me know.

Thanks,
Geoffrey
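An added example, not from the original post: it reads a slapcat-style LDIF entry, unfolds the wrapped continuation lines, and applies the lockout rules of the cn=Password Policy entry above (pwdMaxFailure, pwdFailureCountInterval, pwdLockoutDuration, pwdLockout) to report whether the account should currently be locked. The LDIF excerpt and the "now" timestamps are constructed from the values posted above.

```python
from datetime import datetime, timedelta, timezone

# Constructed excerpt in the shape slapcat emits; the folded pwdHistory line
# (leading space) is kept so the LDIF unfolding is exercised.
SAMPLE_LDIF = """dn: uid=geoffl,ou=People,dc=example,dc=com
pwdHistory: 20060417195105Z#1.3.6.1.4.1.1466.115.121.1.40#20#{crypt}rK3mca4Y/x
 tnc
pwdFailureTime: 20060418185237Z
pwdFailureTime: 20060418185522Z
pwdAccountLockedTime: 20060418185522Z
"""

# Values taken from the cn=Password Policy entry in the post.
POLICY = {"pwdLockout": True, "pwdMaxFailure": 10,
          "pwdFailureCountInterval": 0, "pwdLockoutDuration": 7776000}

def parse_ldif_entry(text):
    """Unfold LDIF continuation lines and collect attributes as lists."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # continuation of the previous line
        elif raw:
            lines.append(raw)
    attrs = {}
    for line in lines:
        name, _, value = line.partition(":")
        attrs.setdefault(name, []).append(value.strip())
    return attrs

def gtime(value):
    """Parse a GeneralizedTime such as 20060418185522Z as UTC."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def lockout_state(attrs, policy, now):
    """Return (locked, counted_failures) for one entry under the policy."""
    failures = [gtime(v) for v in attrs.get("pwdFailureTime", [])]
    interval = policy["pwdFailureCountInterval"]
    if interval > 0:                      # 0 means failures never age out
        failures = [f for f in failures if now - f <= timedelta(seconds=interval)]
    if "pwdAccountLockedTime" in attrs:
        locked_at = gtime(attrs["pwdAccountLockedTime"][0])
        duration = policy["pwdLockoutDuration"]   # 0 means locked until reset
        locked = duration == 0 or now - locked_at < timedelta(seconds=duration)
    else:
        # No lock stamped by the server: report whether the counter alone says it should be.
        locked = policy["pwdLockout"] and len(failures) >= policy["pwdMaxFailure"]
    return locked, len(failures)
```

Run against a full slapcat dump, the function flags accounts whose failure counter reached pwdMaxFailure without a pwdAccountLockedTime, and accounts whose lock has silently expired after pwdLockoutDuration.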

