1 (edited by imak 2015-11-10 04:28:11)

Topic: Can't configure password policy when using SOGo

======== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.2
- Linux/BSD distribution name and version: Debian 7.9
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro? No
- Related log if you're reporting an issue:
====
Hi!
I can't solve even one problem.
When using SOGo, setting a password policy does not work.
I know SOGo has no mechanism for policy management of passwords. But the documentation says that you can configure the password policy in LDAP.
I tried to configure ppolicy overlay, but so far I have failed.
Perhaps there is a ready solution to my problem?


2

Re: Can't configure password policy when using SOGo

Show us how you configure OpenLDAP ppolicy overlay, and show us related log in both /var/log/sogo/sogo.log and /var/log/openldap.log.

BTW, each time you report an issue, please show us what you did/modified/changed, and attach related log.

3 (edited by imak 2015-11-11 05:35:40)

Re: Can't configure password policy when using SOGo

ZhangHuangbin wrote:

Show us how you configure OpenLDAP ppolicy overlay, and show us related log in both /var/log/sogo/sogo.log and /var/log/openldap.log.

BTW, each time you report an issue, please show us what you did/modified/changed, and attach related log.

Hi!
1) I modified /etc/ldap/slapd.conf:

.....
include     /etc/ldap/schema/ppolicy.schema
# Amavisd-new schema.
......
moduleload  ppolicy.la
.......
# Database used to store mail accounts
database    hdb
....
# Load overlay
overlay ppolicy
ppolicy_default "cn=passwordPolicy,dc=mydomain,dc=ru"
....

2) Then stopped slapd
3) and added to the LDAP base:

dn: cn=passwordPolicy,dc=mydomain,dc=ru
cn: passwordPolicy
sn: passwordPolicy
pwdMinLength: 8
objectClass: inetOrgPerson
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
pwdAttribute: userPassword
structuralObjectClass: inetOrgPerson
entryUUID: 7c07332e-1819-1035-9be5-e37077db3529
creatorsName: cn=Manager,dc=mydomain,dc=ru
createTimestamp: 20151105145857Z
entryCSN: 20151105145857.476024Z#000000#000#000000
modifiersName: cn=Manager,dc=mydomain,dc=ru
modifyTimestamp: 20151105145857Z

4) Started slapd
5) and restarted SOGo

My LOGS:
openldap.log.1 & openldap.log

Nov  3 20:35:12 mail slapd[25234]: slapd stopped.
Nov  3 20:35:12 mail slapd[25234]: connections_destroy: nothing to destroy.
Nov  3 20:36:04 mail slapd[25286]: @(#) $OpenLDAP: slapd  (Sep 11 2015 15:18:47) $#012#011buildd@x86-csail-01:/build/openldap-e51fz0/openldap-2.4.31/debian/build/servers/slapd
Nov  5 11:37:04 mail slapd[13593]: @(#) $OpenLDAP: slapd  (Sep 11 2015 15:18:47) $#012#011buildd@x86-csail-01:/build/openldap-e51fz0/openldap-2.4.31/debian/build/servers/slapd
Nov  5 16:41:33 mail slapd[32144]: @(#) $OpenLDAP: slapd  (Sep 11 2015 15:18:47) $#012#011buildd@x86-csail-01:/build/openldap-e51fz0/openldap-2.4.31/debian/build/servers/slapd
Nov  7 16:56:15 mail slapd[3420]: @(#) $OpenLDAP: slapd  (Sep 11 2015 15:18:47) $#012#011buildd@x86-csail-01:/build/openldap-e51fz0/openldap-2.4.31/debian/build/servers/slapd
Nov 11 00:10:47 mail slapd[7767]: @(#) $OpenLDAP: slapd  (Sep 11 2015 15:18:47) $#012#011buildd@x86-csail-01:/build/openldap-e51fz0/openldap-2.4.31/debian/build/servers/slapd

sogo.log is more than 3MB each day. Can I choose something?

4

Re: Can't configure password policy when using SOGo

I used these manuals:
https://tobrunet.ch/articles/openldap-p … y-overlay/
http://pro-ldap.ru/tr/zytrax/ch6/ppolicy.html (sorry this resource is in Russian)

5

Re: Can't configure password policy when using SOGo

*) No SOGo log with ppolicy triggered?
*) I suggest asking in SOGo mailing list instead to get support from SOGo developer:
http://www.sogo.nu/en/support/community.html

6

Re: Can't configure password policy when using SOGo

By the way, do you have 'passwordPolicy = YES;' in /etc/sogo/sogo.conf? It's disabled by default, you should add it manually.

7

Re: Can't configure password policy when using SOGo

ZhangHuangbin wrote:

By the way, do you have 'passwordPolicy = YES;' in /etc/sogo/sogo.conf? It's disabled by default, you should add it manually.

I didn't know about this option. What concerns me is that all variables in sogo.conf start with WO or SO.
Must this parameter be added in SOGoUserSources or somewhere else?

8

Re: Can't configure password policy when using SOGo

ZhangHuangbin wrote:

By the way, do you have 'passwordPolicy = YES;' in /etc/sogo/sogo.conf? It's disabled by default, you should add it manually.

I added the parameter 'passwordPolicy = YES;' in SOGoUserSources and restarted SOGo.
Then in sogo.log there were records of the policy working:

grep -i policy /var/log/sogo/sogo.log
Nov 11 10:05:49 sogod [10568]: SOGoRootPage Login from '89.221.48.66' for user 'bondarev' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
Nov 11 11:18:30 sogod [10567]: SOGoRootPage Login from '89.169.50.93' for user 'morozov' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
Nov 11 12:55:30 sogod [5731]: <0x0xb7eba230[NGLdapConnection]> bind - policy values: -1 -1 65535 - bound: 1
Nov 11 12:55:30 sogod [5730]: <0x0xb7eba1a8[NGLdapConnection]> bind - policy values: -1 -1 65535 - bound: 1
Nov 11 12:56:24 sogod [5730]: <0x0xb81e0238[NGLdapConnection]> bind - policy values: -1 -1 65535 - bound: 1
Nov 11 12:56:24 sogod [5730]: <0x0xb8124540[NGLdapConnection]> bind - policy values: -1 -1 65535 - bound: 1
Nov 11 12:56:31 sogod [5731]: <0x0xb8133458[NGLdapConnection]> bind - policy values: -1 -1 65535 - bound: 1
Nov 11 12:57:00 sogod [5730]: <0x0xb8144c20[NGLdapConnection]> bind - policy values: -1 -1 65535 - bound: 1
Nov 11 12:57:09 sogod [5730]: <0x0xb81971c8[NGLdapConnection]> bind - policy values: -1 -1 65535 - bound: 1
Nov 11 12:57:26 sogod [5729]: <0x0xb82a13d8[NGLdapConnection]> bind - policy values: -1 -1 65535 - bound: 0
Nov 11 12:57:26 sogod [5729]: SOGoRootPage Login from '89.221.48.66' for user 'test1@mydomain.ru' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0
Nov 11 12:57:47 sogod [5729]: <0x0xb8211e20[NGLdapConnection]> bind - policy values: -1 -1 65535 - bound: 1
Nov 11 12:57:50 sogod [5730]: <0x0xb82231a8[NGLdapConnection]> bind - policy values: -1 -1 65535 - bound: 1
Nov 11 12:58:00 sogod [5729]: <0x0xb824cd68[NGLdapConnection]> bind - policy values: -1 -1 65535 - bound: 1
Nov 11 12:59:03 sogod [5730]: <0x0xb82b86c0[NGLdapConnection]> bind - policy values: -1 -1 65535 - bound: 1
Nov 11 12:59:12 sogod [5729]: <0x0xb81c42a8[NGLdapConnection]> bind - policy values: -1 -1 65535 - bound: 1
Nov 11 12:59:14 sogod [5729]: <0x0xb811fac0[NGLdapConnection]> bind - policy values: -1 -1 65535 - bound: 1

But the password policy is still not working.
Then, for the user test1, I replaced the hash method from SSHA to Plaintext.
After that, the password policy for test1 began to act.
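
Added example, not part of the original posts and not SOGo's own code: a small Python parser for the two sogo.log line shapes quoted in the last post, decoding the policy code with the error names from OpenLDAP's ldap.h, where 65535 is the "no error" value. The field order of the NGLdapConnection line is an assumption inferred from the labelled SOGoRootPage lines; the sample lines, users and addresses are constructed.

```python
import re
from collections import Counter

# Error codes of the LDAP password policy response control, as named in
# OpenLDAP's ldap.h; 65535 is the "no error" value.
PP_ERRORS = {0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
             3: "passwordModNotAllowed", 4: "mustSupplyOldPassword",
             5: "insufficientPasswordQuality", 6: "passwordTooShort",
             7: "passwordTooYoung", 8: "passwordInHistory", 65535: "noError"}

# SOGoRootPage line: every field is labelled in the log itself.
ROOT_RE = re.compile(
    r"Login from '(?P<ip>[^']+)' for user '(?P<user>[^']+)' might not have "
    r"worked - password policy: (?P<err>-?\d+)\s+grace: (?P<grace>-?\d+)"
    r"\s+expire: (?P<expire>-?\d+)\s+bound: (?P<bound>[01])")
# NGLdapConnection line. ASSUMPTION: the three values are expire, grace, error,
# inferred from the matching SOGoRootPage lines in the thread.
BIND_RE = re.compile(
    r"bind - policy values: (?P<expire>-?\d+) (?P<grace>-?\d+) (?P<err>-?\d+)"
    r" - bound: (?P<bound>[01])")

def parse_line(line):
    """Return a dict for a ppolicy-related sogo.log line, else None."""
    m = ROOT_RE.search(line) or BIND_RE.search(line)
    if not m:
        return None
    d = m.groupdict()  # the bind form has no user/ip groups
    return {"user": d.get("user"), "ip": d.get("ip"),
            "bound": d["bound"] == "1", "expire": int(d["expire"]),
            "grace": int(d["grace"]),
            "policy_error": PP_ERRORS.get(int(d["err"]), "unknown")}

def summarize(lines):
    """Separate plain bind failures from binds the policy itself rejected."""
    events = [e for e in map(parse_line, lines) if e]
    failed = [e for e in events if not e["bound"]]
    return {"binds_ok": sum(e["bound"] for e in events),
            "binds_failed": len(failed),
            "policy_rejections": [e for e in events
                                  if e["policy_error"] != "noError"],
            "failed_logins_by_user": Counter(e["user"] for e in failed if e["user"])}

# Constructed sample lines in the format shown in the thread (not real logs).
SAMPLE = [
    "Nov 11 10:05:49 sogod [100]: SOGoRootPage Login from '192.0.2.10' for user 'alice' might not have worked - password policy: 65535  grace: -1  expire: -1  bound: 0",
    "Nov 11 10:06:01 sogod [100]: <0x0xb7000000[NGLdapConnection]> bind - policy values: -1 -1 65535 - bound: 1",
    "Nov 11 10:07:30 sogod [101]: SOGoRootPage Login from '192.0.2.11' for user 'bob' might not have worked - password policy: 1  grace: -1  expire: -1  bound: 0",
    "Nov 11 10:08:00 sogod [101]: unrelated line that must be ignored",
]
```

A failed bind that still reports noError, as in the lines quoted above, was refused for a reason other than a policy state such as expiry or lockout.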