Disable Password Expiry for Specific Users on OpenLDAP

0
1095

How can I prevent password expiration for a single specific LDAP user like the LDAP administrator, the replication user, the bind DN user? Well, it is actually possible to disable password expiry for specific users on OpenLDAP. That is what we are going to cover on this guide.

Disable Password Expiry for Specific Users on OpenLDAP

In our previous guide, we learnt how to implement OpenLDAP password policies.

Implement OpenLDAP Password Policies

The Default Password Policy

In our demo system, we created an OU container for storing password policies called pwpolicy.

ldapsearch -Y ExTERNAL -H ldapi:/// -b dc=ldapmaster,dc=kifarunix-demo,dc=com "(ou=pwpolicy)" -LLL -Q
dn: ou=pwpolicy,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: organizationalUnit
objectClass: top
ou: pwpolicy

Within this container, we set up a subentry with the default password policies which applies to every other user in our OpenLDAP database.

ldapsearch -Y ExTERNAL -H ldapi:/// -b ou=pwpolicy,dc=ldapmaster,dc=kifarunix-demo,dc=com -LLL -Q "(cn=default)"
dn: cn=default,ou=pwpolicy,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: person
objectClass: pwdPolicyChecker
objectClass: pwdPolicy
cn: pwpolicy
cn: default
sn: pwpolicy
pwdAttribute: userPassword
pwdMinAge: 0
pwdMaxAge: 5184000
pwdInHistory: 5
pwdCheckQuality: 2
pwdMinLength: 12
pwdExpireWarning: 432000
pwdGraceAuthNLimit: 5
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdMaxFailure: 3
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE

As you can see from our default password policies above, the password is set to expire after 60 days (5184000 seconds).

Creating User Specific Password Policies on OpenLDAP

In order to apply specific password policies to a specific category of users on an OpenLDAP server, you need to create specific policies and assign them to the respective users.

Assigning specific users specific password policies is made possible through the use of pwdPolicySubentry attribute.

According to man 5 slapo-ppolicy.

Every account that should be subject to password policy control should have a pwdPolicySubentry attribute containing the DN of a valid pwdPolicy entry, or they can simply use the configured default. In this way different users may be managed according to different policies.

This attribute refers directly to the pwdPolicy subentry that is to be used for this particular directory user. If pwdPolicySubentry exists, it must contain the DN of a valid pwdPolicy object. If it does not exist, the ppolicy module will enforce the default password policy rules on the user associated with this authenticating DN. If there is no default, or the referenced subentry does not exist, then no policy rules will be enforced.

Therefore, create an entry with specific password policies. For example, to create a policy that sets the password to not expire, create a DN entry with policies similar to the one below;

vim pwd_no_expire.ldif
dn: cn=pwd-no-expire,ou=pwpolicy,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: person
objectClass: pwdPolicyChecker
objectClass: pwdPolicy
cn: pwpolicy
cn: pwd-no-expire
sn: pwpolicy
pwdAttribute: userPassword
pwdMinAge: 0
pwdMaxAge: 0
pwdInHistory: 5
pwdCheckQuality: 1
pwdMinLength: 12
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdMaxFailure: 3
pwdFailureCountInterval: 0

Note that we created a subentry, cn=pwd-no-expire,ou=pwpolicy,dc=ldapmaster,dc=kifarunix-demo,dc=com, with no password age limit (pwdMaxAge: 0).

According to man slapo-ppolicy, the pwdMaxAge attribute contains the number of seconds after which a modified password will expire. If this attribute is not present, or if its
value is zero (0), then passwords will not expire.

Update the OpenLDAP database with your policies now;

ldapadd -Y EXTERNAL -H ldapi:/// -f pwd_no_expire.ldif

You now have two policies, the default and let’s call it user specific policies.

ldapsearch -Y ExTERNAL -H ldapi:/// -b ou=pwpolicy,dc=ldapmaster,dc=kifarunix-demo,dc=com -LLL -Q
dn: ou=pwpolicy,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: organizationalUnit
objectClass: top
ou: pwpolicy

dn: cn=default,ou=pwpolicy,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: person
objectClass: pwdPolicyChecker
objectClass: pwdPolicy
cn: pwpolicy
cn: default
sn: pwpolicy
pwdAttribute: userPassword
pwdMinAge: 0
pwdInHistory: 5
pwdCheckQuality: 2
pwdMinLength: 12
pwdExpireWarning: 432000
pwdGraceAuthNLimit: 5
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdMaxFailure: 3
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
pwdMaxAge: 5184000

dn: cn=pwd-no-expire,ou=pwpolicy,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: person
objectClass: pwdPolicyChecker
objectClass: pwdPolicy
cn: pwpolicy
cn: pwd-no-expire
sn: pwpolicy
pwdAttribute: userPassword
pwdMinAge: 0
pwdMaxAge: 0
pwdInHistory: 5
pwdCheckQuality: 1
pwdMinLength: 12
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdMaxFailure: 3
pwdFailureCountInterval: 0

Add User to New Password Policy

Now, add all users you want to disable password expiry for to the new no password expiry policy create above.

In our demo, we have two user for demonstration purposes.

ldapsearch -Y ExTERNAL -H ldapi:/// -b ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com -LLL -Q dn
dn: uid=janedoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
dn: uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com

We will add the user, janedoe, to the new created policy with no password age limit defined (cn=pwd-no-expire,ou=pwpolicy,dc=ldapmaster,dc=kifarunix-demo,dc=com) by modifying its attributes and adding the pwdPolicySubentry which we gonna point it to the new policy as shown below;

vim janedoe.ldif
dn: uid=janedoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
changetype: modify
add: pwdPolicySubentry
pwdPolicySubentry: cn=pwd-no-expire,ou=pwpolicy,dc=ldapmaster,dc=kifarunix-demo,dc=com

Update user attributes;

ldapadd -Y EXTERNAL -H ldapi:/// -f janedoe.ldif

Verify Password Expiry Status

How can we verify that our user has been exempted from password expiry policy?

To quickly demonstrate this, we will reduce the password maximum age to two minutes on the default policy so that the password expiry notification can be generated quickly without having to wait for the next 55 days as per our default policy to generate the notification.

vim reduce-pwdmaxage.ldif
dn: cn=default,ou=pwpolicy,dc=ldapmaster,dc=kifarunix-demo,dc=com
changetype: modify
replace: pwdMaxAge
pwdMaxAge: 120

Well, apart from comparing the value of pwdChangedTime to the value of pwdMaxAge  to determine the password expiry date, let us try to verify user passwords using ldapwhoami command and check the logs in realtime.

Next, we will reset the passwords for the two users above, janedoe and johndoe, as per the specified policies. After that, we can verify whether LDAP sets the password expiry information.

To reset the passwords, run the command below on your OpenLDAP server. Replace the user entries accordingly;

ldappasswd -H ldapi:/// -Y EXTERNAL -S "uid=janedoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com"

To be able to check the password expiry notification on the logs, verify your password with ldapwhoami command. While running these commands, open another terminal and tail the logs in real time;

ldapwhoami -h ldapmaster.kifarunix-demo.com -x -D "uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com" -W
ldapwhoami -h ldapmaster.kifarunix-demo.com -x -D "uid=janedoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com" -W

Tailing the logs;

tail -f /var/log/slapd.log
Apr 17 23:54:24 ldapmaster slapd[4915]: conn=1003 fd=18 ACCEPT from IP=192.168.56.180:34722 (IP=0.0.0.0:389)
Apr 17 23:54:24 ldapmaster slapd[4915]: conn=1003 op=0 BIND dn="uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com" method=128
Apr 17 23:54:24 ldapmaster slapd[4915]: conn=1003 op=0 BIND dn="uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com" mech=SIMPLE ssf=0
Apr 17 23:54:24 ldapmaster slapd[4915]: ppolicy_bind: Setting warning for password expiry for uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com = 74 seconds
Apr 17 23:54:24 ldapmaster slapd[4915]: conn=1003 op=0 RESULT tag=97 err=0 text=
...
...
Apr 17 23:54:49 ldapmaster slapd[4915]: conn=1004 fd=18 ACCEPT from IP=192.168.56.180:34724 (IP=0.0.0.0:389)
Apr 17 23:54:49 ldapmaster slapd[4915]: conn=1004 op=0 BIND dn="uid=janedoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com" method=128
Apr 17 23:54:49 ldapmaster slapd[4915]: conn=1004 op=0 BIND dn="uid=janedoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com" mech=SIMPLE ssf=0
Apr 17 23:54:49 ldapmaster slapd[4915]: conn=1004 op=0 RESULT tag=97 err=0 text=
Apr 17 23:54:49 ldapmaster slapd[4915]: conn=1004 op=1 EXT oid=1.3.6.1.4.1.4203.1.11.3

As you can see from above logs, the password for the user, johndoe expiry warning is generated as it is using the default password policy with password maximum age set to 120 seconds.

No password expiry notification is generated for user janedoe as it is using the password policy with no password expiry set.

And that is how you can simply disable password expiry for specific users on OpenLDAP server.

That marks the end of our guide on how to disable Password Expiry for Specific Users on OpenLDAP.

Related Tutorials

Setup OpenLDAP Master-Master Replication on CentOS 8

Configure OpenLDAP SSSD client on CentOS 6/7

Setup OpenLDAP Master-Slave Replication on CentOS 8

Setup LDAP Self Service Password Tool on CentOS 8

LEAVE A REPLY

Please enter your comment!
Please enter your name here