{"id":4835,"date":"2020-01-05T12:59:00","date_gmt":"2020-01-05T09:59:00","guid":{"rendered":"https:\/\/kifarunix.com\/?p=4835"},"modified":"2024-03-13T07:47:48","modified_gmt":"2024-03-13T04:47:48","slug":"implement-openldap-password-policies","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/implement-openldap-password-policies\/","title":{"rendered":"Implement OpenLDAP Password Policies"},"content":{"rendered":"\n<p>In this guide, we are going to learn how to implement OpenLDAP password policies. In OpenLDAP, password policies are implemented through the use of <code><strong><a aria-label=\" (opens in a new tab)\" href=\"https:\/\/linux.die.net\/man\/5\/slapo-ppolicy\" target=\"_blank\" rel=\"noreferrer noopener\">Password Policy (ppolicy) Overlay<\/a><\/strong><\/code>.<\/p>\n\n\n\n<div class=\"wp-block-rank-math-toc-block\" id=\"rank-math-toc\"><h2>Table of Contents<\/h2><nav><ul><li><a href=\"#implementing-open-ldap-password-policies\">Implementing OpenLDAP Password Policies<\/a><ul><li><a href=\"#p-policy-control-mechanisms\">PPolicy Control Mechanisms<\/a><\/li><li><a href=\"#load-password-policy-module\">Load Password Policy Module<\/a><\/li><li><a href=\"#create-password-policies-ou-container\">Create Password Policies OU Container<\/a><\/li><li><a href=\"#create-open-ldap-password-policy-overlay-dn\">Create OpenLDAP Password Policy Overlay DN<\/a><\/li><li><a href=\"#create-open-ldap-password-policies\">Create OpenLDAP Password Policies<\/a><\/li><li><a href=\"#testing-password-policies\">Testing Password Policies<\/a><ul><li><a href=\"#reset-users-password-as-open-ldap-root-dn-administrator\">Reset User&#8217;s Password as OpenLDAP RootDN Administrator<\/a><\/li><li><a href=\"#reset-users-password-as-non-admin-user\">Reset User&#8217;s Password as Non Admin User<\/a><\/li><\/ul><\/li><li><a href=\"#enforcing-password-complexity-policy\">Enforcing Password Complexity Policy<\/a><\/li><li><a href=\"#related-tutorials\">Related 
Tutorials<\/a><\/li><\/ul><\/li><\/ul><\/nav><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"implementing-open-ldap-password-policies\">Implementing OpenLDAP Password Policies<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"p-policy-control-mechanisms\">PPolicy Control Mechanisms<\/h3>\n\n\n\n<p>The ppolicy overlay provides a variety of password control mechanisms, including;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Password aging &#8212; both minimum and maximum ages<\/li>\n\n\n\n<li>Password quality<\/li>\n\n\n\n<li>Automatic account locking<\/li>\n\n\n\n<li>Password reuse and duplication control<\/li>\n\n\n\n<li>Account time-outs<\/li>\n\n\n\n<li>Mandatory password resets<\/li>\n\n\n\n<li>Acceptable password content<\/li>\n\n\n\n<li>Grace logins to allow the use of expired passwords for a specific time period after the expiry date.<\/li>\n<\/ul>\n\n\n\n<p>Read more about the ppolicy overlay in <code><strong>man slapo-ppolicy<\/strong><\/code>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"load-password-policy-module\">Load Password Policy Module<\/h3>\n\n\n\n<p>In order to implement the password policies, you need to ensure that the <code>ppolicy.la<\/code> module is loaded into the slapd configuration database (cn=config). To list the loaded modules, run the command;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">slapcat -n 0 | grep -i module<\/pre>\n\n\n\n<p>In our current LDAP setup, the password policy module, <code>ppolicy.la<\/code>, is not loaded. 
See the output of the command above;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\n<strong>dn: cn=module{0},cn=config<\/strong>\nobjectClass: olcModuleList\ncn: module{0}\n<strong>olcModulePath: \/usr\/libexec\/openldap\nolcModuleLoad: {0}back_mdb.la\nolcModuleLoad: {1}memberof.la\nolcModuleLoad: {2}refint.la<\/strong>\nstructuralObjectClass: olcModuleList\nolcAttributeTypes: {15}( 1.3.6.1.4.1.4754.1.99.1 NAME 'pwdCheckModule' DESC \n 'Loadable module that instantiates \"check_password() function' EQUALITY cas\n op AUXILIARY MAY pwdCheckModule )\n<\/code><\/pre>\n\n\n\n<p>Therefore, to load the module, create an LDIF file as shown below that adds the password policy module to slapd.<\/p>\n\n\n\n<p>Note that in our setup, the modules are located under the path <code><strong>\/usr\/libexec\/openldap<\/strong><\/code>, as defined by the <code><strong>olcModulePath<\/strong><\/code> attribute; <code>ppolicy.la<\/code> must exist under that path for the load to succeed.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">vim load-ppolicy-mod.ldif<\/pre>\n\n\n\n<pre class=\"scroll-sz\"><code>\ndn: cn=module{0},cn=config\nchangetype: modify\nadd: olcModuleLoad\nolcModuleLoad: ppolicy.la\n<\/code><\/pre>\n\n\n\n<p>Load the module into the LDAP configuration database.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ldapadd -Y EXTERNAL -H ldapi:\/\/\/ -f load-ppolicy-mod.ldif<\/pre>\n\n\n\n<p>After loading the module, if you list the slapd modules again, you should get an output similar to the one below (it might differ in your case);<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">slapcat -n 0 | grep -i module<\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\ndn: cn=module{0},cn=config\nobjectClass: olcModuleList\ncn: module{0}\nolcModulePath: \/usr\/libexec\/openldap\nolcModuleLoad: {0}back_mdb.la\nolcModuleLoad: {1}memberof.la\nolcModuleLoad: {2}refint.la\n<strong>olcModuleLoad: {3}ppolicy.la<\/strong>\nstructuralObjectClass: olcModuleList\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" 
id=\"create-password-policies-ou-container\">Create Password Policies OU Container<\/h3>\n\n\n\n<p>Create an LDAP OU container that will be used to store the default password policies.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">vi pwpolicy-ou.ldif<\/pre>\n\n\n\n<pre class=\"scroll-sz\"><code>\ndn: ou=pwpolicy,dc=ldapmaster,dc=kifarunix-demo,dc=com\nobjectClass: organizationalUnit\nobjectClass: top\nou: pwpolicy\n<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">ldapadd -Y EXTERNAL -H ldapi:\/\/\/ -f pwpolicy-ou.ldif<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"create-open-ldap-password-policy-overlay-dn\">Create OpenLDAP Password Policy Overlay DN<\/h3>\n\n\n\n<p>Once you have loaded the ppolicy module into the slapd configuration database, proceed to add the LDAP password policy <a rel=\"noreferrer noopener\" aria-label=\"Overlay (opens in a new tab)\" href=\"https:\/\/www.openldap.org\/doc\/admin24\/overlays.html\" target=\"_blank\">Overlay<\/a> DN.<\/p>\n\n\n\n<p>The password policy overlay is added to your LDAP database backend, which in this setup is mdb. First, identify the DN of that backend database;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ldapsearch -LLL -Y EXTERNAL -H ldapi:\/\/\/ -b  cn=config olcDatabase | grep mdb<\/code><\/pre>\n\n\n\n<p>See the highlighted line in the output below;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code><strong>dn: olcDatabase={1}mdb,cn=config<\/strong>\nolcDatabase: {1}mdb\ndn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config<\/code><\/pre>\n\n\n\n<p>Create an LDIF file with the content below to add the ppolicy overlay DN, along with its configuration options, to slapd. 
Replace the domain components accordingly.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>vi pwpolicyoverlay.ldif<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>dn: olcOverlay=ppolicy,<strong>olcDatabase={1}mdb,cn=config<\/strong>\nobjectClass: olcOverlayConfig\nobjectClass: olcPPolicyConfig\nolcOverlay: ppolicy\nolcPPolicyDefault: cn=default,ou=pwpolicy,dc=ldapmaster,dc=kifarunix-demo,dc=com\nolcPPolicyHashCleartext: TRUE<\/code><\/pre>\n\n\n\n<p>Read more about the configuration options applied to the ppolicy overlay above in <code>man slapo-ppolicy<\/code>.<\/p>\n\n\n\n<p>Update the database.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ldapadd -Y EXTERNAL -H ldapi:\/\/\/ -f pwpolicyoverlay.ldif<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"create-open-ldap-password-policies\">Create OpenLDAP Password Policies<\/h3>\n\n\n\n<p>You are now ready to create your LDAP password policy under the password policies ou created above. The policy entry is <code>cn=default,ou=pwpolicy,dc=ldapmaster,dc=kifarunix-demo,dc=com<\/code>, the DN referenced by <code>olcPPolicyDefault<\/code> in the overlay configuration.<\/p>\n\n\n\n<p>The&nbsp;<strong>ppolicy<\/strong>&nbsp;overlay depends on the&nbsp;<strong>pwdPolicy<\/strong>&nbsp;object class, and thus when defining the policy you can use any of the attributes described under the object class attributes section of <strong><code>man slapo-ppolicy<\/code><\/strong>. Note that the value of the naming attribute (<code>cn: default<\/code>) must be present in the entry, otherwise slapd rejects the add with a naming violation.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\ncat > ldap-pwpolicies.ldif << 'EOL'\ndn: cn=default,ou=pwpolicy,dc=ldapmaster,dc=kifarunix-demo,dc=com\nobjectClass: person\nobjectClass: pwdPolicyChecker\nobjectClass: pwdPolicy\ncn: default\nsn: pwpolicy\npwdAttribute: userPassword\npwdMinAge: 0\npwdMaxAge: 5184000\npwdInHistory: 5\npwdCheckQuality: 2\npwdMinLength: 12\npwdExpireWarning: 432000\npwdGraceAuthNLimit: 5\npwdLockout: TRUE\npwdLockoutDuration: 0\npwdMaxFailure: 3\npwdFailureCountInterval: 0\npwdReset: TRUE\npwdMustChange: TRUE\npwdAllowUserChange: TRUE\npwdSafeModify: 
FALSE\nEOL\n<\/code><\/pre>\n\n\n\n<p>For a good explanation of the password attributes used above, consult <strong><code>man slapo-ppolicy<\/code><\/strong>. For a description of the object classes used, consult <a rel=\"noreferrer noopener\" aria-label=\"Object Classes and Attributes (opens in a new tab)\" href=\"https:\/\/www.zytrax.com\/books\/ldap\/ape\/#device\" target=\"_blank\">Object Classes and Attributes<\/a>.<\/p>\n\n\n\n<p>Add the password policy entry to slapd.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ldapadd -Y EXTERNAL -H ldapi:\/\/\/ -f ldap-pwpolicies.ldif<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"testing-password-policies\">Testing Password Policies<\/h3>\n\n\n\n<p>To test the effectiveness of the implemented OpenLDAP password policies, we will try to change the password of one of the existing OpenLDAP users in our environment.<\/p>\n\n\n\n<p>Some of the checks we implemented above include;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>pwdInHistory<\/strong>: keeps the 5 most recently used passwords in the user entry's pwdHistory attribute so that they cannot be re-used.<\/li>\n\n\n\n<li><strong>pwdCheckQuality<\/strong>: set to 2. The server checks the syntax of the password and, if it is unable to check the syntax, returns an error refusing the password.<\/li>\n\n\n\n<li><strong>pwdMinLength<\/strong>: sets the minimum number of characters accepted in a password to 12.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"reset-users-password-as-open-ldap-root-dn-administrator\">Reset User's Password as OpenLDAP RootDN Administrator<\/h4>\n\n\n\n<p>Note that the rootDN, which is typically the LDAP administrator, has full access and permissions to the entire LDAP directory, including the ability to bypass password policies. This ensures that the LDAP administrator can always access and manage the directory, even when password policy restrictions are in place for regular users. 
This means that the rootDN administrator can set any password for any user, regardless of the password policy rules defined for regular users; the complexity requirements, expiration rules and other restrictions that apply to regular users are not enforced on changes made by the rootDN.<\/p>\n\n\n\n<p>Try setting a simple password;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ldappasswd -H ldapi:\/\/\/ -Y EXTERNAL -S \"uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\"<\/pre>\n\n\n\n<p>Since you are setting the password as the LDAP admin, any password is accepted;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\nNew password: <strong>password<\/strong>\nRe-enter new password: <strong>password<\/strong>\nSASL\/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\n\n<\/code><\/pre>\n\n\n\n<p>The slapd logs confirm that the password modify operation (PASSMOD) succeeded with err=0.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\nJul 30 07:43:32 debian slapd[70873]: conn=1045 fd=17 ACCEPT from PATH=\/usr\/var\/run\/ldapi (PATH=\/usr\/var\/run\/ldapi)\nJul 30 07:43:32 debian slapd[70873]: conn=1045 op=0 BIND dn=\"\" method=163\nJul 30 07:43:32 debian slapd[70873]: conn=1045 op=0 BIND authcid=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\" authzid=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\"\nJul 30 07:43:32 debian slapd[70873]: conn=1045 op=0 BIND dn=\"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\" mech=EXTERNAL bind_ssf=0 ssf=71\nJul 30 07:43:32 debian slapd[70873]: conn=1045 op=0 RESULT tag=97 err=0 qtime=0.000016 etime=0.000246 text=\nJul 30 07:43:32 debian slapd[70873]: conn=1045 op=1 EXT oid=1.3.6.1.4.1.4203.1.11.1\n<strong>Jul 30 07:43:32 debian slapd[70873]: conn=1045 op=1 PASSMOD id=\"uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\" new\nJul 30 07:43:32 debian slapd[70873]: conn=1045 op=1 RESULT oid= err=0 qtime=0.000015 etime=0.005999 text=<\/strong>\nJul 30 07:43:32 debian slapd[70873]: 
conn=1045 op=2 UNBIND\nJul 30 07:43:32 debian slapd[70873]: conn=1045 fd=17 closed\n\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"reset-users-password-as-non-admin-user\">Reset User's Password as Non Admin User<\/h4>\n\n\n\n<p>Next, test the OpenLDAP password policy complexity enforcement by setting\/resetting the password as a non-admin OpenLDAP user. Simply log in to a system as that user and try to reset your own password.<\/p>\n\n\n\n<p>On my Debian 12 server, I have configured SSSD for OpenLDAP authentication;<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/configure-sssd-for-openldap-client-authentication-on-debian\/\" target=\"_blank\" rel=\"noreferrer noopener\">Configure SSSD for OpenLDAP Client Authentication on Debian 12\/11\/10\/9<\/a><\/p>\n\n\n\n<p>Thus, let me try to log in to my Debian 12 server as an OpenLDAP user;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ssh johndoe@192.168.56.103<\/code><\/pre>\n\n\n\n<p>Using a simple password (<strong><em>The password fails the dictionary check - it is based on a dictionary word<\/em><\/strong>);<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\nThe authenticity of host '192.168.56.103 (192.168.56.103)' can't be established.\nED25519 key fingerprint is SHA256:fwedLDZSVOjpS4vf9coDc9Fw39cbpMiy4ZdCYf5xguY.\nThis key is not known by any other names.\nAre you sure you want to continue connecting (yes\/no\/[fingerprint])? yes\nWarning: Permanently added '192.168.56.103' (ED25519) to the list of known hosts.\njohndoe@192.168.56.103's password: \nPassword expired. Change your password now.\nPassword expired. 
Change your password now.\nCreating directory '\/home\/johndoe'.\nLinux bookworm12 6.1.0-10-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.37-1 (2023-07-03) x86_64\n\nThe programs included with the Debian GNU\/Linux system are free software;\nthe exact distribution terms for each program are described in the\nindividual files in \/usr\/share\/doc\/*\/copyright.\n\nDebian GNU\/Linux comes with ABSOLUTELY NO WARRANTY, to the extent\npermitted by applicable law.\nLast login: Sun Jul 30 07:57:51 2023 from 192.168.56.103\n<strong>WARNING: Your password has expired.\nYou must change your password now and login again!\nCurrent Password: \nNew password: \nBAD PASSWORD: The password fails the dictionary check - it is based on a dictionary word\nNew password: \nBAD PASSWORD: The password fails the dictionary check - it is based on a dictionary word\nNew password: \nRetype new password: \nPassword change failed. Server message: Password fails quality checking policy\npasswd: Authentication token is no longer valid; new one required\npasswd: password unchanged\nConnection to 192.168.56.103 closed.<\/strong>\n<\/code><\/pre>\n\n\n\n<p>Re-using the existing password (<strong>The password is the same as the old one<\/strong>);<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\njohndoe@192.168.56.103's password: \nPassword expired. Change your password now.\nPassword expired. 
Change your password now.\nLinux bookworm12 6.1.0-10-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.37-1 (2023-07-03) x86_64\n\nThe programs included with the Debian GNU\/Linux system are free software;\nthe exact distribution terms for each program are described in the\nindividual files in \/usr\/share\/doc\/*\/copyright.\n\nDebian GNU\/Linux comes with ABSOLUTELY NO WARRANTY, to the extent\npermitted by applicable law.\nLast login: Sun Jul 30 08:02:37 2023 from 192.168.56.103\n<strong>WARNING: Your password has expired.\nYou must change your password now and login again!\nCurrent Password: \nNew password: \nBAD PASSWORD: The password is the same as the old one\nNew password: \nBAD PASSWORD: The password is the same as the old one\nNew password: \nBAD PASSWORD: The password is the same as the old one\npasswd: Have exhausted maximum number of retries for service\npasswd: password unchanged<\/strong>\nConnection to 192.168.56.103 closed.\n<\/code><\/pre>\n\n\n\n<p>One thing I noticed while testing whether the user is prompted to reset their password on first login is that, despite having set the <strong><code>pwdMustChange: TRUE<\/code><\/strong> attribute, this does not work unless you also add the attribute <code>pwdReset: TRUE<\/code> to the user entry.<\/p>\n\n\n\n<p>So if you want the user to be prompted to reset their password on first login, simply edit the user entry and add <strong>pwdReset: TRUE<\/strong>.<\/p>\n\n\n\n<p>For example, if I want the user johndoe in my LDAP db to be prompted to reset the password, I would simply edit and update the entry as follows;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">vim mod-john.ldif<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">dn: uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\nchangetype: modify\n<strong>add: pwdReset\npwdReset: TRUE<\/strong><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">ldapmodify -Y EXTERNAL -H ldapi:\/\/\/ -f mod-john.ldif<\/pre>\n\n\n\n<p>If you 
are logging in to a system where you had already logged in with your OpenLDAP account, and SSSD is used for authentication, clear the SSSD cache so that the updated entry is fetched from the server;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sss_cache -E<\/code><\/pre>\n\n\n\n<p>Alternatively, stop SSSD, remove its cache database and start it again;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">systemctl stop sssd;rm -rf \/var\/lib\/sss\/db\/*;systemctl restart sssd<\/pre>\n\n\n\n<p>Now log in;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ssh -l johndoe localhost<\/pre>\n\n\n\n<p>Let's set a password that meets the complexity requirements (<strong>sTr0nGW@123.<\/strong>).<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\nThe authenticity of host 'localhost (::1)' can't be established.\nED25519 key fingerprint is SHA256:fwedLDZSVOjpS4vf9coDc9Fw39cbpMiy4ZdCYf5xguY.\nThis key is not known by any other names.\nAre you sure you want to continue connecting (yes\/no\/[fingerprint])? yes\nWarning: Permanently added 'localhost' (ED25519) to the list of known hosts.\njohndoe@localhost's password: \nPassword expired. Change your password now.\nPassword expired. 
Change your password now.\nLinux bookworm12 6.1.0-10-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.37-1 (2023-07-03) x86_64\n\nThe programs included with the Debian GNU\/Linux system are free software;\nthe exact distribution terms for each program are described in the\nindividual files in \/usr\/share\/doc\/*\/copyright.\n\nDebian GNU\/Linux comes with ABSOLUTELY NO WARRANTY, to the extent\npermitted by applicable law.\nLast login: Sun Jul 30 08:16:04 2023 from ::1\n<strong>WARNING: Your password has expired.\nYou must change your password now and login again!\nCurrent Password: \nNew password: sTr0nGW@123.\nRetype new password: sTr0nGW@123.\npasswd: password updated successfully\nConnection to localhost closed.<\/strong>\n<\/code><\/pre>\n\n\n\n<p>Read more about OpenLDAP password policies on <a href=\"http:\/\/www.openldap.org\/doc\/admin24\/overlays.html\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"Administrator&#039;s Guide: Overlays (opens in a new tab)\">Administrator's Guide: Overlays<\/a>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"enforcing-password-complexity-policy\">Enforcing Password Complexity Policy<\/h3>\n\n\n\n<p>As you can see, the policies are working as expected.<\/p>\n\n\n\n<p>As a further example, you can try several failed logins. With the lockout settings below, the account locks after the third failed attempt; because <code>pwdLockoutDuration<\/code> is 0, the lock does not expire on its own and must be cleared by an administrator;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>pwdLockout: TRUE\npwdLockoutDuration: 0\npwdMaxFailure: 3<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>ssh johndoe@localhost<\/code><\/pre>\n\n\n\n<p>After three failed attempts, your account locks. 
You can check the password failure times and the lock time on the user entry.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ldapsearch -Y EXTERNAL -H ldapi:\/\/\/ \\\n-b \"uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\" \"(pwdAccountLockedTime=*)\" \\\npwdFailureTime pwdFailureCount pwdAccountLockedTime -QQ -LL<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\n<strong>version: 1\n\ndn: uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\npwdFailureTime: 20230730193044.652730Z\npwdFailureTime: 20230730193049.144979Z\npwdFailureTime: 20230730193100.668744Z\npwdAccountLockedTime: 20230730193100Z<\/strong>\n<\/code><\/pre>\n\n\n\n<p>To list all accounts that have been locked;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ldapsearch -Y EXTERNAL -H ldapi:\/\/\/ \\\n-b \"dc=ldapmaster,dc=kifarunix-demo,dc=com\" \"(pwdAccountLockedTime=*)\" dn -QQ -LLL<\/code><\/pre>\n\n\n\n<p>Sample output;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>dn: uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com<\/code><\/pre>\n\n\n\n<p>If you want to unlock a locked account, you need to delete the <code><strong>pwdAccountLockedTime<\/strong><\/code> attribute from the user's entry.<\/p>\n\n\n\n<p>For example, to unlock johndoe's account, create an LDIF file on the OpenLDAP server;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>vim unlock_user.ldif<\/code><\/pre>\n\n\n\n<p>Replace the DN of the user accordingly.<\/p>\n\n\n\n<pre class=\"scroll-sz\"><code>\ndn: uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\nchangetype: modify\ndelete: pwdAccountLockedTime\n<\/code><\/pre>\n\n\n\n<p>Then update the database to remove the attribute;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ldapmodify -Y external -H ldapi:\/\/\/ -f unlock_user.ldif<\/code><\/pre>\n\n\n\n<p>You should now be able to log in to the account with the correct credentials.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"related-tutorials\">Related Tutorials<\/h3>\n\n\n\n<p><a rel=\"noreferrer 
noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/kifarunix.com\/configure-sssd-for-openldap-authentication-on-centos-8\/\" target=\"_blank\">Configure SSSD for OpenLDAP Authentication on CentOS 8<\/a><\/p>\n\n\n\n<p><a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/kifarunix.com\/how-to-create-openldap-member-groups\/\" target=\"_blank\">How to Create OpenLDAP Member Groups<\/a><\/p>\n\n\n\n<p><a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/kifarunix.com\/configure-sssd-for-openldap-client-authentication-on-debian-10-9\/\" target=\"_blank\">Configure SSSD for OpenLDAP Client Authentication on Debian 10\/9<\/a><\/p>\n\n\n\n<p><a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/kifarunix.com\/how-to-configure-sudo-via-openldap-server\/\" target=\"_blank\">How to Configure SUDO via OpenLDAP Server<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this guide, we are going to learn how to implement OpenLDAP password policies. 
In OpenLDAP, password policies are implemented through the use of Password<\/p>\n","protected":false},"author":1,"featured_media":16957,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[121,285,1099],"tags":[1262,1261,353,1257,1258,1260,1259],"class_list":["post-4835","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-howtos","category-directory-server","category-openldap","tag-openldap-password-complexity-checks","tag-openldap-password-policies","tag-password-complexity","tag-password-policies","tag-ppolicy","tag-pqchecker","tag-pwdqualitycheck","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/4835"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=4835"}],"version-history":[{"count":14,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/4835\/revisions"}],"predecessor-version":[{"id":21302,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/4835\/revisions\/21302"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/16957"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=4835"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=4835"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=4835"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}