
Re: password policy user configuration



Jarbas,

Thank you very much for your tip. It really helped me fix my bug and get it
working.


---
Gustavo Mendes de Carvalho
email: gmcarvalho@gmail.com

-----Original Message-----
From: Jarbas Peixoto Júnior [mailto:jarbas.junior@gmail.com] 
Sent: Monday, 12 May 2008 10:18
To: Gustavo Mendes de Carvalho
Cc: openldap-technical@openldap.org
Subject: Re: password policy user configuration

Gustavo, look at this:
http://www.openldap.org/doc/admin24/overlays.html#Password%20Policies

You will see a nice example at
http://www.connexitor.com/forums/viewtopic.php?f=6&t=25

Regards,
Jarbas

2008/5/10 Gustavo Mendes de Carvalho <gmcarvalho@gmail.com>:
> No tips or tricks?
>
>
>  ---
>  Gustavo Mendes de Carvalho
>  email: gmcarvalho@gmail.com
>
>  -----Original Message-----
>  From: Gustavo Mendes de Carvalho [mailto:gmcarvalho@gmail.com]
>  Sent: Wednesday, 7 May 2008 17:59
>  To: openldap-technical@openldap.org
>  Subject: password policy user configuration
>
>
>  Hi there,
>
>  I already compiled the latest stable OpenLDAP version with these commands
>
>  # ./configure \
>      --program-prefix=/usr/local/ldap \
>      --enable-bdb \
>      --enable-modules \
>      --enable-overlays=yes \
>      --enable-backends=yes \
>      --disable-ipv6 \
>      --with-cyrus-sasl \
>      --with-tls \
>      --disable-sql
>
>  # make depend; make; make install
>
>  and after running the make test command I saw that everything was OK, so
>  I can start slapd with the ppolicy module included.
>
>  When I include the pwdPolicy objectClass in the user configuration I can see
>  several pwd parameters, but after setting some values, I can't see this
>  policy working.
>  I mean, in my user below, I set "pwdInHistory = 6", but when I try
>  to change their password, OpenLDAP does not check this value.
>
>  Here are the commands used to change passwords. I can execute them as fast
>  as I can copy and paste them
>
>
>
>  ldappasswd -w test1234 -a test1234 -s 5432test -x -H ldap://192.168.248.164 -D uid=test,ou=orgunit,o=org
>  ldappasswd -w 5432test -a 5432test -s test1234 -x -H ldap://192.168.248.164 -D uid=test,ou=orgunit,o=org
>  ...
>
>  I can execute these commands ad aeternum, with no error messages from the
>  LDAP server telling me that my password is not OK. According to my
>  configuration I would need 7 different passwords (6 in history + 1 to
>  change).
>  And I can change this password faster than it expires (according to the
>  configuration below, "pwdMinAge: 30" tells me to wait 30 seconds to
>  change my password).
>
>
>  User definition
>  dn: uid=test,ou=orgunit,o=org
>  objectClass: posixAccount
>  objectClass: top
>  objectClass: inetOrgPerson
>  objectClass: shadowAccount
>  objectClass: person
>  objectClass: pwdPolicy
>  loginShell: /bin/bash
>  givenName: test
>  sn: test-test
>  displayName: test test-test
>  uid: test
>  homeDirectory: /home/test
>  shadowFlag: 0
>  shadowMax: 35
>  shadowWarning: 7
>  shadowInactive: 99999
>  shadowExpire: 99999
>  cn: test test-test
>  uidNumber: 12190
>  gidNumber: 25023
>  shadowMin: 10
>  pwdAttribute: userPassword
>  pwdMinAge: 30
>  pwdMaxAge: 120
>  pwdInHistory: 3
>  pwdMinLength: 8
>  pwdExpireWarning: 60
>  pwdLockout: TRUE
>  pwdLockoutDuration: 60
>  pwdMaxFailure: 2
>  pwdSafeModify: TRUE
>  shadowLastChange: 14006
>  pwdMustChange: FALSE
>  userPassword: {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>
>
>  Does anybody already use these pwd definitions and can explain to me whether
>  it is OK? I already read man 5 slapo-ppolicy and I already executed
>  slapindex -v after inserting these parameters too. Man 5 does explain
>  all the parameters, and I set them up according to the man explanation, but it
>  does not work.
>
>  Thanks in advance
>
>  ---
>  Gustavo Mendes de Carvalho
>  e-mail: gmcarvalho@gmail.com
>
>
>
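For readers who land here with the same symptom: slapo-ppolicy does not read pwdPolicy attributes from the user entry being modified. It reads them from a separate policy entry, selected either by the overlay's ppolicy_default directive or by a pwdPolicySubentry attribute on the user, and only once the overlay is actually declared for the database in slapd.conf. Putting objectClass: pwdPolicy on uid=test stores the attributes but enforces nothing, which matches the behaviour in the original post. The following is an added example, not from any message in this thread and not from the pages Jarbas linked; it assumes a policy container ou=policies,o=org (hypothetical) and reuses the values from the posted user entry. The slapd.conf directives are shown as LDIF comments so that the whole thing is one file.

```ldif
# slapd.conf (added example, not from the thread). The overlay must be
# declared inside the database section that serves o=org, after the
# "database bdb" block. A build with --enable-overlays=yes links ppolicy
# statically, so no moduleload is needed; a "mod" build would also need
# "moduleload ppolicy.la". The schema include path depends on the install.
#
#   include         <your schema dir>/ppolicy.schema
#   ...
#   database        bdb
#   suffix          "o=org"
#   ...
#   overlay         ppolicy
#   ppolicy_default "cn=default,ou=policies,o=org"
#   ppolicy_use_lockout
#
# LDIF to load with ldapadd, bound as the rootdn. ou=policies is an assumed
# container. pwdPolicy is an AUXILIARY class, so the policy entry needs a
# structural class as well; "person" is the conventional choice.

dn: ou=policies,o=org
objectClass: organizationalUnit
ou: policies

dn: cn=default,ou=policies,o=org
objectClass: person
objectClass: pwdPolicy
cn: default
sn: default
pwdAttribute: userPassword
# ages and durations are in seconds
pwdMinAge: 30
pwdMaxAge: 120
pwdInHistory: 3
pwdMinLength: 8
pwdExpireWarning: 60
pwdLockout: TRUE
pwdLockoutDuration: 60
pwdMaxFailure: 2
pwdSafeModify: TRUE
pwdMustChange: FALSE
```

After restarting slapd, the two ldappasswd commands from the original post, run back to back while bound as uid=test, behave differently: the first succeeds and the second is rejected with Constraint violation (19), because the 30 seconds of pwdMinAge have not elapsed. Once the wait has passed, a change back to a password still kept in the entry's pwdHistory is rejected with the same result code. Two caveats worth checking before concluding the policy is broken: slapo-ppolicy skips these checks when the modification is performed by the rootdn, so test bound as the user, and pwdSafeModify: TRUE requires the old password in the request, which ldappasswd supplies only with -a or -A.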