{"id":5476,"date":"2020-04-17T22:14:07","date_gmt":"2020-04-17T19:14:07","guid":{"rendered":"https:\/\/kifarunix.com\/?p=5476"},"modified":"2024-03-14T20:20:57","modified_gmt":"2024-03-14T17:20:57","slug":"disable-password-expiry-for-specific-users-on-openldap","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/disable-password-expiry-for-specific-users-on-openldap\/","title":{"rendered":"Disable Password Expiry for Specific Users on OpenLDAP"},"content":{"rendered":"\n

How can I prevent password expiration for a single specific LDAP user like the LDAP administrator, the replication user, the bind DN user? Well, it is actually possible to disable password expiry for specific users on OpenLDAP. That is what we are going to cover on this guide.<\/p>\n\n\n\n

Disabling OpenLDAP Password Expiry for Specific Users<\/h2>\n\n\n\n

In our previous guide, we learnt how to implement OpenLDAP password policies.<\/p>\n\n\n\n

Implement OpenLDAP Password Policies<\/a><\/p>\n\n\n\n

The Default Password Policy<\/h3>\n\n\n\n

In our demo system, we created an OU container for storing password policies called pwpolicy<\/code><\/strong>.<\/p>\n\n\n\n

ldapsearch -Y ExTERNAL -H ldapi:\/\/\/ -b dc=ldapmaster,dc=kifarunix-demo,dc=com \"(ou=pwpolicy)\" -LLL -Q<\/code><\/pre>\n\n\n\n
dn: ou=pwpolicy,dc=ldapmaster,dc=kifarunix-demo,dc=com<\/strong>\nobjectClass: organizationalUnit\nobjectClass: top\nou: pwpolicy<\/code><\/pre>\n\n\n\n
Within this container, we set up a subentry with the default password policies which applies to every other user in our OpenLDAP database.<\/p>\n\n\n\n
ldapsearch -Y ExTERNAL -H ldapi:\/\/\/ -b ou=pwpolicy,dc=ldapmaster,dc=kifarunix-demo,dc=com -LLL -Q \"(cn=default)\"<\/code><\/pre>\n\n\n\n
dn: cn=default,ou=pwpolicy,dc=ldapmaster,dc=kifarunix-demo,dc=com<\/strong>\nobjectClass: person\nobjectClass: pwdPolicyChecker\nobjectClass: pwdPolicy\ncn: pwpolicy\ncn: default\nsn: pwpolicy\npwdAttribute: userPassword\npwdMinAge: 0\npwdMaxAge: 5184000<\/strong>\npwdInHistory: 5\npwdCheckQuality: 2\npwdMinLength: 12\npwdExpireWarning: 432000\npwdGraceAuthNLimit: 5\npwdLockout: TRUE\npwdLockoutDuration: 0\npwdMaxFailure: 3\npwdFailureCountInterval: 0\npwdMustChange: TRUE\npwdAllowUserChange: TRUE\npwdSafeModify: FALSE<\/code><\/pre>\n\n\n\n
As you can see from our default password policies above, the password is set to expire after 60 days (5184000<\/strong> seconds).<\/p>\n\n\n\n
Creating User Specific Password Policies on OpenLDAP<\/h3>\n\n\n\n
In order to apply specific password policies to a specific category of users on an OpenLDAP server, you need to create specific policies and assign them to the respective users.<\/p>\n\n\n\n
Assigning specific users specific password policies is made possible through the use of pwdPolicySubentry<\/code><\/strong> attribute.<\/p>\n\n\n\n
According to man 5 slapo-ppolicy<\/a>.<\/p>\n\n\n\n
\n
Every account that should be subject to password policy control should have a pwdPolicySubentry<\/strong> attribute containing the DN of a valid pwdPolicy<\/strong> entry, or they can simply use the configured default. In this way different users may be managed according to different policies.<\/p>\n<\/blockquote>\n\n\n\n
This attribute refers directly to the pwdPolicy<\/strong> subentry that is to be used for this particular directory user. If pwdPolicySubentry<\/strong> exists, it must contain the DN of a valid pwdPolicy<\/strong> object. If it does not exist, the ppolicy<\/strong> module will enforce the default password policy rules on the user associated with this authenticating DN. If there is no default, or the referenced subentry does not exist, then no policy rules will be enforced.<\/p><\/blockquote><\/amp-fit-text>\n\n\n\n
Therefore, create an entry with specific password policies. For example, to create a policy that sets the password to not expire, create a DN entry with policies similar to the one below;<\/p>\n\n\n\n
vim pwd_no_expire.ldif<\/code><\/pre>\n\n\n\n
dn: cn=pwd-no-expire,ou=pwpolicy,dc=ldapmaster,dc=kifarunix-demo,dc=com<\/strong>\nobjectClass: person\nobjectClass: pwdPolicyChecker\nobjectClass: pwdPolicy\ncn: pwpolicy\ncn: pwd-no-expire<\/strong>\nsn: pwpolicy\npwdAttribute: userPassword\npwdMinAge: 0\npwdMaxAge: 0\npwdInHistory: 5\npwdCheckQuality: 1\npwdMinLength: 12\npwdLockout: TRUE\npwdLockoutDuration: 0\npwdMaxFailure: 3\npwdFailureCountInterval: 0<\/code><\/pre>\n\n\n\n
Note that we created a subentry, cn=pwd-no-expire,ou=pwpolicy,dc=ldapmaster,dc=kifarunix-demo,dc=com<\/strong>, with no password age limit (pwdMaxAge: 0<\/code>).<\/p>\n\n\n\n
According to man slapo-ppolicy<\/strong><\/code>, the pwdMaxAge<\/code><\/strong> attribute contains the number of seconds after which a modified password will expire. If this attribute is not present, or if its
value is zero (0), then passwords will not expire.<\/strong><\/p>\n\n\n\n
Update the OpenLDAP database with your policies now;<\/p>\n\n\n\n
ldapadd -Y EXTERNAL -H ldapi:\/\/\/ -f pwd_no_expire.ldif<\/code><\/pre>\n\n\n\n
You now have two policies, the default and let’s call it user specific policies.<\/p>\n\n\n\n
ldapsearch -Y ExTERNAL -H ldapi:\/\/\/ -b ou=pwpolicy,dc=ldapmaster,dc=kifarunix-demo,dc=com -LLL -Q<\/code><\/pre>\n\n\n\n
dn: ou=pwpolicy,dc=ldapmaster,dc=kifarunix-demo,dc=com\nobjectClass: organizationalUnit\nobjectClass: top\nou: pwpolicy\n\ndn: cn=default,ou=pwpolicy,dc=ldapmaster,dc=kifarunix-demo,dc=com<\/strong>\nobjectClass: person\nobjectClass: pwdPolicyChecker\nobjectClass: pwdPolicy\ncn: pwpolicy\ncn: default\nsn: pwpolicy\npwdAttribute: userPassword\npwdMinAge: 0\npwdInHistory: 5\npwdCheckQuality: 2\npwdMinLength: 12\npwdExpireWarning: 432000\npwdGraceAuthNLimit: 5\npwdLockout: TRUE\npwdLockoutDuration: 0\npwdMaxFailure: 3\npwdFailureCountInterval: 0\npwdMustChange: TRUE\npwdAllowUserChange: TRUE\npwdSafeModify: FALSE\npwdMaxAge: 5184000<\/strong>\n\ndn: cn=pwd-no-expire,ou=pwpolicy,dc=ldapmaster,dc=kifarunix-demo,dc=com<\/strong>\nobjectClass: person\nobjectClass: pwdPolicyChecker\nobjectClass: pwdPolicy\ncn: pwpolicy\ncn: pwd-no-expire\nsn: pwpolicy\npwdAttribute: userPassword\npwdMinAge: 0\npwdMaxAge: 0<\/strong>\npwdInHistory: 5\npwdCheckQuality: 1\npwdMinLength: 12\npwdLockout: TRUE\npwdLockoutDuration: 0\npwdMaxFailure: 3\npwdFailureCountInterval: 0<\/code><\/pre>\n\n\n\n
Add User to New Password Policy<\/h3>\n\n\n\n
Now, add all users you want to disable password expiry for to the new no password expiry policy create above.<\/p>\n\n\n\n
In our demo, we have two user for demonstration purposes.<\/p>\n\n\n\n
ldapsearch -Y ExTERNAL -H ldapi:\/\/\/ -b ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com -LLL -Q dn<\/code><\/pre>\n\n\n\n
dn: uid=janedoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\ndn: uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com<\/code><\/pre>\n\n\n\n
We will add the user, janedoe<\/strong><\/code>, to the new created policy with no password age limit defined (cn=pwd-no-expire,ou=pwpolicy,dc=ldapmaster,dc=kifarunix-demo,dc=com<\/code>) by modifying its attributes and adding the pwdPolicySubentry<\/strong><\/code> which we gonna point it to the new policy as shown below;<\/p>\n\n\n\n
vim janedoe.ldif<\/code><\/pre>\n\n\n\n
dn: uid=janedoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\nchangetype: modify\nadd: pwdPolicySubentry\npwdPolicySubentry: cn=pwd-no-expire,ou=pwpolicy,dc=ldapmaster,dc=kifarunix-demo,dc=com<\/strong><\/strong><\/code><\/pre>\n\n\n\n
Update user attributes;<\/p>\n\n\n\n
ldapadd -Y EXTERNAL -H ldapi:\/\/\/ -f janedoe.ldif<\/code><\/pre>\n\n\n\n
Verify Password Expiry Status<\/h3>\n\n\n\n
How can we verify that our user has been exempted from password expiry policy?<\/p>\n\n\n\n
To quickly demonstrate this, we will reduce the password maximum age to two minutes on the default policy so that the password expiry notification can be generated quickly without having to wait for the next 55 days as per our default policy to generate the notification.<\/p>\n\n\n\n
vim reduce-pwdmaxage.ldif<\/code><\/pre>\n\n\n\n
dn: cn=default,ou=pwpolicy,dc=ldapmaster,dc=kifarunix-demo,dc=com<\/strong>\nchangetype: modify\nreplace: pwdMaxAge\npwdMaxAge: 120<\/code><\/pre>\n\n\n\n
Well, apart from comparing the value of pwdChangedTime<\/code> to the value of pwdMaxAge<\/code>  to determine the password expiry date, let us try to verify user passwords using ldapwhoami<\/code> command and check the logs in realtime.<\/p>\n\n\n\n
Next, we will reset the passwords for the two users above, janedoe<\/code> and johndoe<\/code>, as per the specified policies. After that, we can verify whether LDAP sets the password expiry information.<\/p>\n\n\n\n
To reset the passwords, run the command below on your OpenLDAP server. Replace the user entries accordingly;<\/p>\n\n\n\n
ldappasswd -H ldapi:\/\/\/ -Y EXTERNAL -S \"uid=janedoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\"<\/code><\/pre>\n\n\n\n
To be able to check the password expiry notification on the logs, verify your password with ldapwhoami<\/strong><\/code> command. While running these commands, open another terminal and tail the logs in real time;<\/p>\n\n\n\n
ldapwhoami -h ldapmaster.kifarunix-demo.com -x -D \"uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\" -W<\/code><\/pre>\n\n\n\n
ldapwhoami -h ldapmaster.kifarunix-demo.com -x -D \"uid=janedoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\" -W<\/code><\/pre>\n\n\n\n
Tailing the logs;<\/p>\n\n\n\n
tail -f \/var\/log\/slapd.log<\/code><\/pre>\n\n\n\n
Apr 17 23:54:24 ldapmaster slapd[4915]: conn=1003 fd=18 ACCEPT from IP=192.168.56.180:34722 (IP=0.0.0.0:389)\nApr 17 23:54:24 ldapmaster slapd[4915]: conn=1003 op=0 BIND dn=\"uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\" method=128\nApr 17 23:54:24 ldapmaster slapd[4915]: conn=1003 op=0 BIND dn=\"uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\" mech=SIMPLE ssf=0\nApr 17 23:54:24 ldapmaster slapd[4915]: ppolicy_bind: Setting warning for password expiry for uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com = 74 seconds<\/strong>\nApr 17 23:54:24 ldapmaster slapd[4915]: conn=1003 op=0 RESULT tag=97 err=0 text=\n...\n...\nApr 17 23:54:49 ldapmaster slapd[4915]: conn=1004 fd=18 ACCEPT from IP=192.168.56.180:34724 (IP=0.0.0.0:389)\nApr 17 23:54:49 ldapmaster slapd[4915]: conn=1004 op=0 BIND dn=\"uid=janedoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\" method=128\nApr 17 23:54:49 ldapmaster slapd[4915]: conn=1004 op=0 BIND dn=\"uid=janedoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\" mech=SIMPLE ssf=0<\/strong>\nApr 17 23:54:49 ldapmaster slapd[4915]: conn=1004 op=0 RESULT tag=97 err=0 text=\nApr 17 23:54:49 ldapmaster slapd[4915]: conn=1004 op=1 EXT oid=1.3.6.1.4.1.4203.1.11.3<\/code><\/pre>\n\n\n\n
As you can see from above logs, the password for the user, johndoe expiry warning is generated as it is using the default password policy with password maximum age set to 120 seconds.<\/p>\n\n\n\n
No password expiry notification is generated for user janedoe as it is using the password policy with no password expiry set.<\/p>\n\n\n\n
And that is how you can simply disable OpenLDAP password expiry for specific users on OpenLDAP server.<\/p>\n\n\n\n
Related Tutorials<\/h3>\n\n\n\n
Setup OpenLDAP Master-Master Replication on CentOS 8<\/a><\/p>\n\n\n\n
Configure OpenLDAP SSSD client on CentOS 6\/7<\/a><\/p>\n\n\n\n
Setup OpenLDAP Master-Slave Replication on CentOS 8<\/a><\/p>\n\n\n\n
Setup LDAP Self Service Password Tool on CentOS 8<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
How can I prevent password expiration for a single specific LDAP user like the LDAP administrator, the replication user, the bind DN user? Well, it<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[121,285,1099],"tags":[1441,1444,1440,1442,1445],"class_list":["post-5476","post","type-post","status-publish","format-standard","hentry","category-howtos","category-directory-server","category-openldap","tag-disable-password-expiry-for-openldap-user","tag-enable-pwdpolicysubentry-openldap","tag-openldap-set-single-user-password-to-never-expire","tag-password-policies-openldap","tag-pwdpolicysubentry","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/5476"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=5476"}],"version-history":[{"count":6,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/5476\/revisions"}],"predecessor-version":[{"id":21373,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/5476\/revisions\/21373"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=5476"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=5476"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=5476"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}