Well I couldn't find a congruent howto out on the internet, and being as my LDAP replication post is currently the most-viewed page on the blog this month - I thought I'd do a little bit more technical documentation.

I know that in many cases, 'reading the manual' can be a very annoying way of learning, but I've always read it at least once. With ppolicy & openldap you'll get nowhere without RTFM, so please make sure you leave yourself time to go through it.


OpenLDAP is a beast, but it can be a very friendly beast. Like the beast out of Beauty and the Beast, it reacts differently to different people. Were you Belle - then you'll have no problems (notice how Belle reads books) but were you to be Gaston (who uses force & brute strength) the beast isn't going to like you.

Well I'm assuming you already have a working OpenLDAP setup (including user authentication through PAM)- if you haven't then there are some quite good howtos for starting off. If you want advice - please comment rather than send me an email - as then other people will be able to learn from both your questions, and the answers provided (not just by me, but other commentators).

The best thing to do first is to make sure you have decent rpms. See THIS POST for how to get them setup on Centos/RHEL. If you're using another distribution, then make sure their packages applications have a good reputation for working.

ppolicy.la is a module file, and will be installed in /usr/libs/openldap/. It's a good idea to check it's there. The other thing to do is to copy the ppolicy.schema to /etc/openldap/schema/ directory - and make sure that all the attributes you need are uncommented (pwdReset was commented as default, and I didn't realise). It's probably a good idea to read through the schema file too.

In slapd.conf add:

modulepath /usr/lib/openldap

moduleload ppolicy.la

then you need to add the following after the DB section:

overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=example,dc=com"

Providing you've got the ACLs set correctly in your slapd.conf (too big to consider covering in this howto) that's all the slapd.conf configuration you'll need.

The other file you'll need to edit it /etc/ldap.conf

uncomment pam_lookup_policy yes

that will now allow PAM to lookup the ppolicy from the LDAP directory.

Ah ha! I know what we've forgotten, the actual policy!

Well this bit's probably the easiest bit (technically) though you'll have to work out what policy you'll be implementing yourself.

Create a new .ldif file called ppolicy.ldif (or jabberwocky.ldif if you like, it really doesn't matter) and add the following details:

# default, policies, example.com
dn: cn=default,ou=policies,dc=example,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdMaxAge: 7516800
pwdExpireWarning: 432000
pwdInHistory: 6
pwdCheckQuality: 1
pwdMinLength: 8
pwdMaxFailure: 4
pwdLockout: TRUE
pwdLockoutDuration: 1920
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE

You'll have different policy options, and by no means am I suggesting the above is a good configuration. Read through the manual and find out the options you want to set. It _may_ be a good enough configuration for you, but I accept no responsibility for it.

Once you've done that run the following

ldapadd -D "cn=Manager,dc=example,dc=com" -W -x -f jabberwocky.ldif (replacing jabberwocky with your choice of ldif name)

You'll be prompted to enter your password - and then hopefully you'll see something along the signs of Success!

Once that's done, run

ldapsearch -D "cn=Manager,dc=example,dc=com" -W -x

which will output the results of what's in the ldap tree (and if you scroll up you should see your brand new ppolicy.

Now you can restart LDAP (notice how we didn't before, just in case users were attempting to authenticate they'd be mightily disrupted).

Hopefully that will restart with no errors. That's that.

The behaviour will rely heavily on your configuration, thereby you can only test your configuration, rather than ppolicy itself.


If you want to check it's working then run the following (provided that pwdMustChange is set to true in the defauly policy):

ldapmodify -x -D "cn=Manager,dc=example,dc=com" -W

dn: uid=($user),ou=Users,dc=example,dc=com

changetype: modify

add: pwdReset

pwdReset: TRUE

then press return and it should say success. try and login now with your username ($user) and your old password. It will then log you in and ask you to change it.


If you have problems with openLDAP itself, then the guys in #ldap on irc.freenode.net are very helpful. However, if it's a problem with another application interfacing with LDAP, please don't disturb them. LDAP connects with hundreds of applications, so please ask the application developers ahead of the LDAP ones.