[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
password policy user configuration
Hi there,
I already compiled last openldap stable version with this commands
# ./configure
--program-prefix=/usr/local/ldap
--enable-bdb
--enable-modules
--enable-overlays=yes
--enable-backends=yes
--disable-ipv6
--with-cyrus-sasl
--with-tls
--disable-sql
# make depend; make; make install
and after running make test command, I saw that everything was OK, so
I can start slapd with ppolicy module included.
When I include pwdPolicy objectclass in user configuration I can see
several pwd parameters, but after set some values, I can't see this
policy working. I mean, in my user bellow, I set "pwdInHistory = 6",
but when I try to change their password, OpanLDAP do not check this
value.
Here is command used to change passwords
ldappasswd -w test1234 -a test1234 -s 5432test -x -H
ldap://192.168.248.164 -D uid=test,ou=orgunit,o=org
ldappasswd -w 5432test -a 5432test -s test1234 -x -H
ldap://192.168.248.164 -D uid=test,ou=orgunit,o=org
I can execute this commands ad eternum, with no error messages from
LDAP server telling me that my password is not OK. According with my
configuration I would use 7 different passwords (6 in history +1 to
change)
And I can change this password faster than it expires (according with
configuration bellow "pwdMinAge: 30" tells me to wait 30 seconds to
change my password)
User definition
dn: uid=test,ou=orgunit,o=org
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
objectClass: shadowAccount
objectClass: person
objectClass: pwdPolicy
loginShell: /bin/bash
givenName: test
sn: test-test
displayName: test test-test
uid: test
homeDirectory: /home/test
shadowFlag: 0
shadowMax: 35
shadowWarning: 7
shadowInactive: 99999
shadowExpire: 99999
cn: test test-test
uidNumber: 12190
gidNumber: 25023
shadowMin: 10
pwdAttribute: userPassword
pwdMinAge: 30
pwdMaxAge: 120
pwdInHistory: 3
pwdMinLength: 8
pwdExpireWarning: 60
pwdLockout: TRUE
pwdLockoutDuration: 60
pwdMaxFailure: 2
pwdSafeModify: TRUE
shadowLastChange: 14006
pwdMustChange: FALSE
userPassword: {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Does anybody already uses this pwd definitions ann can explain me if
is it OK ? I already read man 5 slapo-ppolicy and I already execute
slapindex -v after insert this parameters either. Man 5 does explain
all parameters, and I set up them according with man explanation, but
it does no work.
Thanks in advance
---
Gustavo Mendes de Carvalho
e-mail: gmcarvalho@gmail.com