- Configuration of the ppolicy overlay
- Definition of a password policy
- Usage and behaviour
- Storage location of the policy data
- Considerations when using LDAP replication
- Further links
OpenLDAP ships a dynamically loadable overlay, ppolicy, that enforces password policies on the
userPassword attribute. A policy can limit the number of bind attempts with a wrong password
before an account is locked, set a maximum and minimum password age, keep a history of old
passwords so they cannot be reused, and more.
This is a short introduction to the overlay. If you want to read about it in detail, see
the link collection at the end of this page.
Note: Connection parameters and DNs depend heavily on your setup; the examples here need to be adjusted to match it.
Configuration of the ppolicy overlay
The basic configuration depends on your OpenLDAP version. Newer versions store their
configuration in the online configuration database (cn=config, "OLC"); older ones use
a configuration file called slapd.conf.
OpenLDAP with OLC
- Load the ppolicy schema into OLC (on OpenLDAP 2.5 and later the schema is built into the overlay and this step is not needed):
ldapmodify -D "cn=root,cn=config" -W -a -f /etc/openldap/schema/ppolicy.ldif
- Load the module:
ldapmodify -D "cn=root,cn=config" -W -a -f ppolicymodule.ldif
- Configure ppolicy overlay:
ldapmodify -D "cn=root,cn=config" -W -a -f ppolicyoverlay.ldif
OpenLDAP with slapd.conf
If you have an older version of OpenLDAP, the configuration goes into slapd.conf.
The next snippet should come somewhere after the
This means the default policy is located under
Definition of a password policy
In the overlay configuration we specified the default policy, so we add it now using the following LDIF:
All these parameters are described in detail in Chapter 6 OpenLDAP password policy overlay / pwdPolicy ObjectClass and Attributes.
This default policy applies to every entry that has no policy of its own. If an entry needs a
different policy, define the differing policy under another name and point the entry to it with
the pwdPolicySubentry attribute. Example:
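As an added example, not the LDIF from the original page, the script below creates the default policy referenced by the overlay configuration, a second, stricter policy for service accounts, and the modification that assigns that second policy to one entry through pwdPolicySubentry. The suffix dc=mydomain,dc=tld, the rootdn cn=root,dc=mydomain,dc=tld, the user cn=svc-backup and all numeric limits are assumptions. The service-account policy deliberately disables lockout (so nobody can knock a shared service identity offline by guessing at it), never expires the password, and lets only administrators rotate it.

```shell
#!/bin/sh
# Added example, not code from the original page: LDIF for the default policy
# named in olcPPolicyDefault, a stricter policy for service accounts, and the
# modification that assigns it to one entry with pwdPolicySubentry.
# Suffix, rootdn, example user and all limits are assumptions.
set -eu

BASE="${BASE:-dc=mydomain,dc=tld}"   # assumption
ADMIN="${ADMIN:-cn=root,$BASE}"       # assumption: rootdn of the user database

# pwdPolicy is an AUXILIARY class, so each policy entry needs a structural
# class as well; "device" is a common choice since it only requires cn.
# Values (seconds where applicable): pwdMaxAge 90 days, pwdMinAge 1 hour,
# pwdExpireWarning 7 days, lockout after 5 failures within 5 minutes
# (pwdFailureCountInterval), lock lasts 15 minutes (0 would mean: locked
# until an administrator unlocks). pwdCheckQuality 2 rejects a password whose
# quality cannot be checked, i.e. one sent pre-hashed by the client.
policy_ldif() {
  cat <<EOF
dn: ou=policies,$BASE
objectClass: organizationalUnit
ou: policies

dn: cn=default,ou=policies,$BASE
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdMinLength: 12
pwdCheckQuality: 2
pwdMinAge: 3600
pwdMaxAge: 7776000
pwdExpireWarning: 604800
pwdGraceAuthNLimit: 0
pwdInHistory: 5
pwdMaxFailure: 5
pwdFailureCountInterval: 300
pwdLockout: TRUE
pwdLockoutDuration: 900
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE

dn: cn=service-accounts,ou=policies,$BASE
objectClass: device
objectClass: pwdPolicy
cn: service-accounts
pwdAttribute: userPassword
pwdMinLength: 32
pwdMaxAge: 0
pwdLockout: FALSE
pwdAllowUserChange: FALSE
EOF
}

# Point one entry at the stricter policy. pwdPolicySubentry is operational,
# so it is written by an identity allowed to manage it (the rootdn here).
assign_policy_ldif() {   # $1 = entry DN, $2 = policy DN
  cat <<EOF
dn: $1
changetype: modify
replace: pwdPolicySubentry
pwdPolicySubentry: $2
EOF
}

apply() {
  policy_ldif | ldapmodify -D "$ADMIN" -W -a
  assign_policy_ldif "cn=svc-backup,ou=People,$BASE" \
    "cn=service-accounts,ou=policies,$BASE" | ldapmodify -D "$ADMIN" -W
}

if [ "${1:-show}" = apply ]; then
  apply
else
  policy_ldif
  echo
  assign_policy_ldif "cn=svc-backup,ou=People,$BASE" "cn=service-accounts,ou=policies,$BASE"
fi
```

Without arguments the script prints the LDIF for review; `apply` loads it. Note that pwdCheckQuality 2 together with olcPPolicyHashCleartext means clients must send the cleartext password (the server hashes it); a client that sends a pre-hashed value will be refused because its quality cannot be checked.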
Usage and behaviour
Query all locked accounts
An entry that carries the pwdAccountLockedTime attribute is locked; its value is the time the lock
was set (the special value 000001010000Z means an administrator locked the account permanently).
With a non-zero pwdLockoutDuration in the policy a lock expires by itself after that many seconds,
so compare the timestamp with the policy before deciding that an account needs a manual unlock.
Simply issue the following query:
ldapsearch <MYCONNECTIONPARAMS> -b "ou=People,dc=mydomain,dc=tld" "pwdAccountLockedTime=*" pwdAccountLockedTime
Unlock an account
There are two variants. For the first one you simply delete the
pwdAccountLockedTime attribute, which unlocks the account; the user keeps the current password.
The second variant additionally sets the attribute
pwdReset to TRUE, which basically means: the user can only log in again after changing
the password (this only takes effect if the policy has pwdMustChange set to TRUE).
If the user tries any operation other than changing its password, the OpenLDAP server responds with
bind: Operations are restricted to bind/unbind/abandon/StartTLS/modify password
Changing an LDAP password can be done e.g. with the ldappasswd tool:
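As an added example, not the commands from the original page, the following script collects the locked-account query, both unlock variants as LDIF, the ldappasswd call and a bind check into one place. Base DN, rootdn and the example user are assumptions. The fallback to the Relax Rules control (ldapmodify -e relax) is my addition for the case where a server rejects a direct write to these operational attributes.

```shell
#!/bin/sh
# Added example, not code from the original page: the locked-account query,
# both unlock variants from the text as LDIF, and the password change with
# ldappasswd. Base DN, admin DN and the example user are assumptions.
set -eu

BASE="${BASE:-ou=People,dc=mydomain,dc=tld}"      # assumption
ADMIN="${ADMIN:-cn=root,dc=mydomain,dc=tld}"      # assumption: rootdn
USER_DN="${USER_DN:-cn=My User,$BASE}"            # assumption

# All entries that carry a lock. pwdAccountLockedTime is operational, so it is
# only returned because it is requested by name. The value 000001010000Z marks
# an account that an administrator locked permanently.
locked_accounts() {
  ldapsearch -LLL -D "$ADMIN" -W -b "$BASE" "(pwdAccountLockedTime=*)" pwdAccountLockedTime
}

# Variant 1: remove the lock; the user keeps the current password.
unlock_ldif() {   # $1 = entry DN
  cat <<EOF
dn: $1
changetype: modify
delete: pwdAccountLockedTime
EOF
}

# Variant 2: remove the lock and force a password change at the next login.
# pwdReset only has an effect when the policy sets pwdMustChange: TRUE; the
# user is then limited to bind/unbind/abandon/StartTLS/modify password until
# the change is done. The delete fails if the entry is not locked, and then
# the whole modify is rejected.
unlock_with_reset_ldif() {   # $1 = entry DN
  cat <<EOF
dn: $1
changetype: modify
delete: pwdAccountLockedTime
-
replace: pwdReset
pwdReset: TRUE
EOF
}

# Send an LDIF to the server. Both attributes are NO-USER-MODIFICATION in the
# schema; if the server answers "no user modification allowed", repeat the
# call with the Relax Rules control: ldapmodify -e relax ...
apply_ldif() {   # stdin = LDIF
  ldapmodify -D "$ADMIN" -W
}

# Password change through the Password Modify extended operation. This is one
# of the operations still permitted under pwdReset, and the server hashes the
# new password itself (password-hash directive). -W asks for the current
# password, -S prompts for the new one.
change_password() {   # $1 = user DN
  ldappasswd -D "$1" -W -S "$1"
}

# Confirm the account binds again after the unlock.
check_bind() {   # $1 = user DN
  ldapwhoami -D "$1" -W
}

case "${1:-show}" in
  list)   locked_accounts ;;
  unlock) unlock_ldif "$USER_DN" | apply_ldif ;;
  reset)  unlock_with_reset_ldif "$USER_DN" | apply_ldif ;;
  change) change_password "$USER_DN" ;;
  check)  check_bind "$USER_DN" ;;
  *)      unlock_ldif "$USER_DN"; echo; unlock_with_reset_ldif "$USER_DN" ;;
esac
```

`list` shows who is locked, `unlock` and `reset` apply the two variants to USER_DN, `change` is what the user runs afterwards, and `check` verifies with ldapwhoami that the bind works again.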
Behaviour of some policy settings
A short overview of how some of the policy settings behave (not all are covered here):
- pwdMinAge: a password change before the minimum age has elapsed is refused with
Result: Constraint violation (19) Additional info: Password is too young to change
- Expired password, no grace logins left: the bind fails with
ldap_bind: Invalid credentials (49) and the logfile shows: ppolicy_bind: Entry cn=My User,ou=People,dc=mydomain,dc=tld has an expired password: 0 grace logins
- Expired password, grace logins left: the bind still succeeds and uses one of them; in the log: ppolicy_bind: Entry cn=My User,ou=People,dc=mydomain,dc=tld has an expired password: 1 grace logins
- Reuse of a password that is still in the history:
Result: Constraint violation (19) Additional info: Password is in history of old passwords
- A user changing their own password although the policy does not allow it:
Result: Insufficient access (50) Additional info: User alteration of password is not allowed
Storage location of the policy data
Policy state (e.g. the timestamps of failed bind attempts, the lock time, the password history)
is stored as operational attributes on each entry. A normal ldapsearch does not return operational
attributes; to see them, request them by name or add a "+" (all operational attributes) to the end of the query. Example:
ldapsearch <MYCONNECTIONPARAMS> -b "ou=People,dc=mydomain,dc=tld" "+"
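As an added example, not code from the original page, the script below turns the operational attributes into a one-line-per-entry report: number of pwdFailureTime values (the current failure counter), lock time, last password change, size of the password history and the pwdReset flag. The ldapsearch output it parses is a constructed sample embedded in the script, not real server output; the live query at the end assumes the base DN and rootdn used on this page. It also unfolds the continuation lines that ldapsearch produces for long values such as pwdHistory, which a naive grep would miss.

```shell
#!/bin/sh
# Added example, not code from the original page: reads ldapsearch -LLL output
# of the ppolicy operational attributes and prints one line per entry with
# the failure count, lock time, last password change, history size and
# pwdReset flag. The sample below is constructed; the live query assumes
# the base DN and rootdn of this page.
set -eu

BASE="${BASE:-ou=People,dc=mydomain,dc=tld}"    # assumption
ADMIN="${ADMIN:-cn=root,dc=mydomain,dc=tld}"    # assumption

# ldapsearch folds values longer than 76 columns onto continuation lines that
# start with a space; join them back before parsing.
unfold_ldif() {
  sed -e :a -e '$!N;s/\n //;ta' -e 'P;D'
}

# One summary line per entry. pwdFailureTime is multi-valued (one value per
# failed bind inside pwdFailureCountInterval), so its count is the current
# failure counter; pwdHistory holds one value per remembered old password.
summarize() {
  awk '
    function flush() { if (dn != "") printf "failures=%d locked=%s changed=%s history=%d reset=%s dn=%s\n", fails, locked, changed, hist, reset, dn }
    /^dn: /                   { flush(); dn = substr($0, 5); fails = 0; hist = 0; locked = "no"; changed = "never"; reset = "no" }
    /^pwdFailureTime: /       { fails++ }
    /^pwdHistory: /           { hist++ }
    /^pwdAccountLockedTime: / { locked = substr($0, 23) }
    /^pwdChangedTime: /       { changed = substr($0, 17) }
    /^pwdReset: /             { reset = substr($0, 11) }
    END                       { flush() }
  '
}

# Constructed sample of what the query returns (not real server output); the
# pwdHistory value is folded the way ldapsearch folds long lines.
sample_output() {
  cat <<'EOF'
dn: cn=My User,ou=People,dc=mydomain,dc=tld
pwdChangedTime: 20240105083000Z
pwdFailureTime: 20240301101500Z
pwdFailureTime: 20240301101507Z
pwdFailureTime: 20240301101512Z
pwdHistory: 20240105083000Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}Y29uc3RydWN0ZWRl
 eGFtcGxlbm90YXJlYWxoYXNo

dn: cn=Other User,ou=People,dc=mydomain,dc=tld
pwdChangedTime: 20231001120000Z
pwdFailureTime: 20240301101500Z
pwdFailureTime: 20240301101502Z
pwdFailureTime: 20240301101504Z
pwdFailureTime: 20240301101506Z
pwdFailureTime: 20240301101508Z
pwdAccountLockedTime: 20240301101508Z

dn: cn=Fresh User,ou=People,dc=mydomain,dc=tld
pwdReset: TRUE
EOF
}

# Live variant: request the ppolicy attributes by name instead of "+", which
# would also return entryUUID, modifyTimestamp and the rest.
live_state() {
  ldapsearch -LLL -D "$ADMIN" -W -b "$BASE" "(objectClass=person)" \
    pwdChangedTime pwdFailureTime pwdAccountLockedTime pwdHistory pwdReset \
    | unfold_ldif | summarize
}

if [ "${1:-sample}" = live ]; then
  live_state
else
  sample_output | unfold_ldif | summarize
fi
```

Run with `live` against a server; without arguments it processes the embedded sample. In the sample, "Other User" shows the state right after the fifth failure: five pwdFailureTime values and a pwdAccountLockedTime equal to the last failure.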
Considerations when using LDAP replication
If you replicate from an LDAP provider (master) to consumers (slaves) and your users authenticate against the consumers, take into account that the policy state (e.g. the pwdFailureTime values behind the failed-login count) is written on the consumer and has to get back to the provider somehow. Otherwise every consumer keeps its own counter, and a password-guessing attempt spread over several consumers gets pwdMaxFailure guesses on each of them before the lockout.
The ppolicy overlay has support for this. You basically need to set
olcPPolicyForwardUpdates (OLC style) /
(slapd.conf) on the consumers. Furthermore chaining must be configured, so that the forwarded writes reach the provider, and syncrepl then replicates the updated state back to the consumers.
This is very well documented at Linuxtopia.
Further links
Here are some links with more detailed information than this short overview: