
RE: password policy user configuration



No tips or tricks?


---
Gustavo Mendes de Carvalho
email: gmcarvalho@gmail.com

-----Original message-----
From: Gustavo Mendes de Carvalho [mailto:gmcarvalho@gmail.com]
Sent: Wednesday, May 7, 2008 17:59
To: openldap-technical@openldap.org
Subject: password policy user configuration

Hi there,

I already compiled the last stable openldap version with these commands

# ./configure \
    --program-prefix=/usr/local/ldap \
    --enable-bdb \
    --enable-modules \
    --enable-overlays=yes \
    --enable-backends=yes \
    --disable-ipv6 \
    --with-cyrus-sasl \
    --with-tls \
    --disable-sql

# make depend; make; make install

and after running the make test command, I saw that everything was OK, so I can
start slapd with the ppolicy module included.

When I include the pwdPolicy objectclass in the user configuration I can see several
pwd parameters, but after setting some values, I can't see this policy working.
I mean, in my user below, I set "pwdInHistory = 6", but when I try to
change their password, OpenLDAP does not check this value.

Here are the commands used to change passwords. I can execute them as fast as I
can copy and paste them

ldappasswd -w test1234 -a test1234 -s 5432test -x -H ldap://192.168.248.164 \
    -D uid=test,ou=orgunit,o=org
ldappasswd -w 5432test -a 5432test -s test1234 -x -H ldap://192.168.248.164 \
    -D uid=test,ou=orgunit,o=org
...

I can execute these commands ad aeternum, with no error messages from the LDAP
server telling me that my password is not OK. According to my
configuration I would use 7 different passwords (6 in history +1 to
change).
And I can change this password faster than it expires (according to the
configuration below, "pwdMinAge: 30" tells me to wait 30 seconds to change
my password).


User definition
dn: uid=test,ou=orgunit,o=org
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
objectClass: shadowAccount
objectClass: person
objectClass: pwdPolicy
loginShell: /bin/bash
givenName: test
sn: test-test
displayName: test test-test
uid: test
homeDirectory: /home/test
shadowFlag: 0
shadowMax: 35
shadowWarning: 7
shadowInactive: 99999
shadowExpire: 99999
cn: test test-test
uidNumber: 12190
gidNumber: 25023
shadowMin: 10
pwdAttribute: userPassword
pwdMinAge: 30
pwdMaxAge: 120
pwdInHistory: 3
pwdMinLength: 8
pwdExpireWarning: 60
pwdLockout: TRUE
pwdLockoutDuration: 60
pwdMaxFailure: 2
pwdSafeModify: TRUE
shadowLastChange: 14006
pwdMustChange: FALSE
userPassword: {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX


Does anybody already use these pwd definitions and can explain to me if it is
OK? I already read man 5 slapo-ppolicy and I already executed slapindex -v
after inserting these parameters too. Man 5 does explain all parameters, and
I set them up according to the man explanation, but it does not work.

Thanks in advance

---
Gustavo Mendes de Carvalho
e-mail: gmcarvalho@gmail.com
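
Added example, not part of the original message and not OpenLDAP project code: slapo-ppolicy(5) takes an account's policy from the entry named by its pwdPolicySubentry attribute or by the overlay's ppolicy_default setting, and enforces nothing when neither is set. The lint below checks an LDIF export for that layout; the function names, the "account = entry with userPassword" rule and the policy DN cn=default,ou=policies,o=org are assumptions made for illustration.

```python
# Assumptions: an "account" is any entry with userPassword; base64 values are not decoded.

def parse_ldif(text):
    """Return entries as {lowercased attr: [values]}, unfolding continuation lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]              # LDIF line folding
        elif not raw.startswith("#"):
            lines.append(raw)
    entries, entry = [], {}
    for line in lines + [""]:                 # trailing "" flushes the last entry
        if line.strip():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        elif entry:
            entries.append(entry)
            entry = {}
    return entries

def ppolicy_findings(entries, default_policy_dn=None):
    """Flag accounts that slapo-ppolicy would leave without an effective policy."""
    def classes(e):
        return {c.lower() for c in e.get("objectclass", [])}
    policies = {e["dn"][0].lower() for e in entries
                if "dn" in e and "pwdpolicy" in classes(e) and "userpassword" not in e}
    findings = []
    for e in entries:
        if "dn" not in e or "userpassword" not in e:
            continue
        dn = e["dn"][0]
        if "pwdpolicy" in classes(e):
            findings.append((dn, "pwdPolicy attributes are on the account entry itself"))
        ref = (e.get("pwdpolicysubentry") or [default_policy_dn])[0]
        if ref is None:
            findings.append((dn, "no pwdPolicySubentry and no ppolicy_default"))
        elif ref.lower() not in policies:
            findings.append((dn, "policy entry not found in this LDIF: " + ref))
    return findings

# Constructed samples; cn=default,ou=policies,o=org is a hypothetical policy DN.
POLICY_DN = "cn=default,ou=policies,o=org"
ACCOUNT = "dn: uid=test,ou=orgunit,o=org\nobjectClass: inetOrgPerson\n%suserPassword: {SSHA}XXXX\n"
PWD = "objectClass: pwdPolicy\npwdAttribute: userPassword\npwdMinAge: 30\npwdInHistory: 3\n"
AS_POSTED = ACCOUNT % PWD                     # layout from the message, abridged
CORRECTED = "dn: " + POLICY_DN + "\nobjectClass: device\ncn: default\n" + PWD + "\n" + ACCOUNT % ""

if __name__ == "__main__":
    for name, ldif in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(name, ppolicy_findings(parse_ldif(ldif), POLICY_DN))
```

Pass the DN from the ppolicy_default line of slapd.conf as the second argument, or None when the overlay has no default configured.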