On Thursday, 14 June 2007, Simon Gao wrote:
> To help troubleshoot the ppolicy issue, I set a client binding to provider
> directly. So far my tests show the following attributes work as expected:
>
> pwdLockout
> pwdLockoutDuration
> pwdMinAge
> pwdMaxAge
> pwdGraceAuthnLimit
> pwdAllowUserChange
> pwdMaxFailure
>
>
> The following do not work for some reason:
>
> pwdInHistory: ppolicy does not check whether an old
> password exists in history or not; or maybe the old password was not even
> being saved

False:

$ ldapsearch -x -D $ROOTDN -w $ROOTPW "(uid=bgmilne)" pwdHistory|grep ^pwd
pwdHistory: 20051024195301Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}due/1GRmi+/
pwdHistory: 20051024195320Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}WoTiMN/HvKb
pwdHistory: 20051024200447Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}QcLPVL+c+Gg
pwdHistory: 20051024200859Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}uLaheCI+c8r
pwdHistory: 20051024200906Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}IA62ZoaOYL/
pwdHistory: 20051024201018Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}ZOo4R/MjzmT
pwdHistory: 20051026152114Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}Xy2GA6wJSW0
pwdHistory: 20051129080907Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}ltRPSEWys6V
pwdHistory: 20070615091512Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}7XFYw9QSbM/
pwdHistory: 20070615091738Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}jmJjm9PIMVL
pwdHistory: 20070615092245Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}sraq4BVS46n

(I intentionally truncated these to not expose my test passwords).

Note that most attributes related to ppolicy are operational attributes; you either have to ask for them by name, or ask for all operational attributes (with '+').

Testing a password change with a password in my history:

$ ldappasswd -x -D uid=bgmilne,ou=People,$BASEDN -W -S
New password:
Re-enter new password:
Enter LDAP Password:
Result: Constraint violation (19)
Additional info: Password is in history of old passwords

> pwdCheckQuality can only be set to 1 or disabled. This leads
> me to believe the password syntax check does not work on the server. This is
> confirmed with pwdMinLength failing to block a password less than the
> specified number of
> characters. Does it take an external module for pwdCheckQuality to work?

If you want to do anything besides check min and max lengths, you need a module. However, pwdMinLength works for me (see below). Note that depending on how you are changing passwords, the server might not have the opportunity to check this (set pwdCheckQuality to 2 if you don't want to allow methods where the server cannot check them).

> or is some built-in function with slapd supposed to take care of it?
>
> pwdExpireWarning does not send out a warning message to the user about
> password expiration. What else is required to make this feature work?

Maybe you had more grace logins configured than you tried:

$ ldapwhoami -x -D uid=bgmilne,ou=People,$BASEDN -W -e ppolicy
Enter LDAP Password:
ldap_bind: Success (0) (Password expired, 4 grace logins remain)
dn:uid=bgmilne,ou=People,ou=internal,dc=telkomsa,dc=net
Result: Success (0)

[...]

$ ldapwhoami -x -D uid=bgmilne,ou=People,$BASEDN -W -e ppolicy
Enter LDAP Password:
ldap_bind: Invalid credentials (49); Password expired

$ ldapwhoami -x -D uid=bgmilne,ou=People,$BASEDN -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)

> pwdMinLength does not work.

It does, if pwdCheckQuality is 1 or 2:

$ ldappasswd -x -D uid=bgmilne,ou=People,$BASEDN -W -s qwertyu
Enter LDAP Password:
Result: Constraint violation (19)
Additional info: Password fails quality checking policy

$ ldappasswd -x -D uid=bgmilne,ou=People,$BASEDN -W -s qwertyui
Enter LDAP Password:
Result: Success (0)

> pwdSafeModify does not work if set to TRUE. How should
> one configure a client to send both the existing and new password to the provider?

Depends on the client. pam_ldap can be configured to do this, and I think the -a/-A/-t options to ldappasswd pertain to this.

> Does anyone have the above attributes working? Can you share your experience
> if you do?

I think the more applicable question is, "how are you testing?".

Regards,
Buchan

>
> Simon
>
> > 1. *Change pwdCheckQuality from default 2 to 1. Does this attribute
> > require the check_password module to work? 2.3.35 does not seem to include
> > this module. Where can I find it?
> >
> > 2. **Change pwdSafeModify from TRUE to FALSE. How to configure a
> > consumer's chain overlay to send both the existing and new password to the
> > provider at the same time?

--
Buchan Milne
ISP Systems Specialist - Monitoring/Authentication Team Leader
B.Eng,RHCE(803004789010797),LPIC-2(LPI000074592)
http://en.wikipedia.org/wiki/List_of_Internet_slang_phrases
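The pwdHistory values Buchan shows above have the form time#syntaxOID#length#data, where data is the stored {SSHA} hash of an old password, and pwdInHistory controls how many of those entries a new password is compared against. The following script is an added example, not code from the mail or from OpenLDAP's ppolicy overlay: it parses values in that format, verifies a candidate password against the {SSHA} entries the way a history check would, and shows why a pwdHistory query is the first thing to look at when "password is in history" does not fire. The sample history, salts and old passwords are constructed for the example; the helper names (make_ssha, history_entry, password_in_history) are the example's own, and the script assumes {SSHA} is the only hash scheme present.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timezone

# Syntax OID for octetString, as it appears in the pwdHistory values in the mail.
OCTET_STRING_OID = "1.3.6.1.4.1.1466.115.121.1.40"


def make_ssha(password: bytes, salt: bytes) -> str:
    """Build an RFC 2307-style {SSHA} value: base64(sha1(password + salt) + salt)."""
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(stored: str, candidate: bytes) -> bool:
    """Check a candidate password against a stored {SSHA} hash (constant-time compare)."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("only {SSHA} values are handled in this example")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]   # SHA-1 digest is 20 bytes; whatever follows is the salt
    return hmac.compare_digest(hashlib.sha1(candidate + salt).digest(), digest)


def history_entry(time_str: str, password: bytes, salt: bytes) -> str:
    """Assemble one pwdHistory value: time#syntaxOID#length#data (length = octets of data)."""
    data = make_ssha(password, salt)
    return f"{time_str}#{OCTET_STRING_OID}#{len(data)}#{data}"


def parse_pwd_history(value: str) -> dict:
    """Split a pwdHistory value into its four fields and validate the length field."""
    time_str, oid, length, data = value.split("#", 3)
    if int(length) != len(data):
        raise ValueError(f"length field {length} does not match data length {len(data)}")
    when = datetime.strptime(time_str, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return {"time": when, "syntax": oid, "hash": data}


def password_in_history(history_values, candidate: bytes, pwd_in_history: int) -> bool:
    """True if candidate matches one of the pwd_in_history most recent history entries."""
    if pwd_in_history <= 0:
        return False    # pwdInHistory 0 (or absent) means no history check is done
    entries = sorted((parse_pwd_history(v) for v in history_values), key=lambda e: e["time"])
    recent = entries[-pwd_in_history:]
    return any(verify_ssha(e["hash"], candidate) for e in recent)


# Constructed sample history: three old passwords with fixed 4-byte salts.
# With a 4-byte salt the data field is 38 octets, matching the "#38#" in the mail.
SAMPLE_HISTORY = [
    history_entry("20051024195301Z", b"oldpass1", b"s1s1"),
    history_entry("20051129080907Z", b"oldpass2", b"s2s2"),
    history_entry("20070615091512Z", b"oldpass3", b"s3s3"),
]

if __name__ == "__main__":
    for v in SAMPLE_HISTORY:
        print(v)
    print(password_in_history(SAMPLE_HISTORY, b"oldpass2", 3))   # True
    print(password_in_history(SAMPLE_HISTORY, b"brandnew", 3))   # False
    print(password_in_history(SAMPLE_HISTORY, b"oldpass1", 2))   # False: outside the window
```

The last call shows the window effect: with pwdInHistory set to 2, the oldest entry is no longer compared, so a password that appears further back in pwdHistory is accepted again. When testing, read pwdHistory back (it is an operational attribute, so name it or use '+') and count the entries against the pwdInHistory value before concluding the check is broken.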