Re: PPolicy error.



2010/10/14 Meghanand Acharekar <vasco.debian@gmail.com>:
>
> On Mon, Oct 11, 2010 at 7:57 PM, Christian Manal
> <moenoel@informatik.uni-bremen.de> wrote:
>>
>> On 11.10.2010 16:06, Meghanand Acharekar wrote:
>> > On Mon, Oct 11, 2010 at 7:08 PM, Christian Manal <
>> > moenoel@informatik.uni-bremen.de> wrote:
>> >
>> >> On 11.10.2010 15:25, Meghanand Acharekar wrote:
>> >>> On Mon, Oct 11, 2010 at 6:42 PM, Christian Manal <
>> >>> moenoel@informatik.uni-bremen.de> wrote:
>> >>>
>> >>>> On 11.10.2010 14:41, Meghanand Acharekar wrote:
>> >>>>> Hi,
>> >>>>>
>> >>>>> I am using ppolicy overlay to enforce password policies.
>> >>>>> Following is my ppolicy configuration/ldif.
>> >>>>>
>> >>>>> dn: cn=policies,dc=example,dc=com
>> >>>>> objectClass: top
>> >>>>> objectClass: device
>> >>>>> objectClass: pwdPolicy
>> >>>>> cn: policies
>> >>>>> pwdAttribute: userPassword
>> >>>>> pwdMaxAge: 7516800
>> >>>>> pwdExpireWarning: 432000
>> >>>>> pwdInHistory: 6
>> >>>>> pwdCheckQuality: 1
>> >>>>> pwdMinLength: 8
>> >>>>> pwdMaxFailure: 4
>> >>>>> pwdLockout: TRUE
>> >>>>> pwdLockoutDuration: 1920
>> >>>>> pwdGraceAuthNLimit: 0
>> >>>>> pwdFailureCountInterval: 0
>> >>>>> pwdMustChange: TRUE
>> >>>>> pwdAllowUserChange: TRUE
>> >>>>> pwdSafeModify: FALSE
>> >>>>>
>> >>>>> While changing the password on first login I got the following error.
>> >>>>>
>> >>>>> WARNING: Your password has expired.
>> >>>>> You must change your password now and login again!
>> >>>>> Changing password for user prasad.
>> >>>>> Enter login(LDAP) password:
>> >>>>> New UNIX password:
>> >>>>> Retype new UNIX password:
>> >>>>> LDAP password information update failed: Constraint violation
>> >>>>> Password is too young to change
>> >>>>> passwd: Permission denied
>> >>>>> Connection to myhost closed.
>> >>>>>
>> >>>>> Thanks in advance
>> >>>>> Meghanand N Acharekar.
>> >>>>>
>> >>>>
>> >>>>
>> >>>> Hi,
>> >>>>
>> >>>> when you set 'pwdCheckQuality: 1', you require a module to actually
>> >>>> check the quality of the password. See slapo-ppolicy(5) and look at the
>> >>>> pwdPolicyChecker/pwdCheckModule parts.
>> >>>>
>> >>>>
>> >>>>
>> >>> Hello
>> >>>
>> >>> After setting pwdReset TRUE in the user attribute, I'm getting another
>> >>> error.
>> >>>
>> >>> LDAP password information update failed: Constraint violation
>> >>> Password fails quality checking policy
>> >>> passwd: Permission denied
>> >>> Connection to myhost closed.
>> >>>
>> >>> Is it mandatory to use this module if we want to enforce password
>> >>> policies?
>> >>> Any idea?
>> >>>
>> >>>
>> >>>> Regards,
>> >>>> Christian Manal
>> >>>>
>> >>>
>> >>
>> >> The 'Constraint violation' error means that the new password does not
>> >> conform to the quality requirements, or in your case, the quality could
>> >> not be verified at all. As I said, if you want to use
>> >>
>> >>   pwdCheckQuality: 1
>> >>
>> >> you *need* a pwdCheckModule to run the password through, or you will
>> >> always get a constraint violation.
>> >>
>> >>
>> > Okies, if I use a simple password it prompts me as follows.
>> >
>> > WARNING: Your password has expired.
>> > You must change your password now and login again!
>> > Changing password for user test
>> > Enter login(LDAP) password:
>> > New UNIX password:
>> > BAD PASSWORD: it does not contain enough DIFFERENT characters
>> > New UNIX password:
>> > BAD PASSWORD: it is based on a dictionary word
>> > New UNIX password:
>> > Retype new UNIX password:
>> > LDAP password information update failed: Constraint violation
>> > Password fails quality checking policy
>> >
>>
>> I think the "BAD PASSWORD" messages are coming from your PAM stack.
>> pam_cracklib, or something, may check the password quality, before
>> passing it to pam_ldap. But that doesn't have anything to do with the
>> quality checking of slapo-ppolicy.
>>
>
> Update.
> I was not able to compile the check_password.c file, due to limited time.
> Finally I removed pwdCheckQuality & pwdMinLen from ppolicy,
> now I have a configuration which relies on pam_cracklib on individual systems for
> password quality checks and slapd-ppolicy for the rest.
> I will further try compilation of check_password.c when I find enough time ;)

Hi,

you will find some documentation here:
http://ltb-project.org/wiki/documentation/openldap-ppolicy-check-password

Clément.
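
As an added example (not part of the thread or of OpenLDAP), the following Python script audits a pwdPolicy entry for the situation discussed above, quality checking enabled with no pwdCheckModule configured, together with the lockout and grace-login settings described in slapo-ppolicy(5). The LDIF is abridged from the original post; the function names and finding labels are assumptions made for illustration.

```python
# Added example, not from the thread. POLICY_LDIF is abridged from the entry
# posted above; function names and finding labels are hypothetical.
POLICY_LDIF = """\
dn: cn=policies,dc=example,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicy
pwdMaxAge: 7516800
pwdCheckQuality: 1
pwdMinLength: 8
pwdMaxFailure: 4
pwdLockout: TRUE
pwdLockoutDuration: 1920
pwdGraceAuthNLimit: 0
"""


def parse_entry(ldif):
    """Parse one LDIF entry (no folded or base64 lines) into {attr: [values]}."""
    entry = {}
    for line in ldif.splitlines():
        if line.strip() and not line.startswith("#"):
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def audit_policy(entry):
    """Return labels for policy settings an administrator should review."""
    def num(attr):
        return int(entry.get(attr.lower(), ["0"])[0])
    classes = {c.lower() for c in entry.get("objectclass", [])}
    findings = []
    # The case from the thread: pwdCheckQuality is non-zero, but the entry
    # carries no pwdPolicyChecker class with a pwdCheckModule attribute.
    if num("pwdCheckQuality") > 0 and not (
            "pwdpolicychecker" in classes and "pwdcheckmodule" in entry):
        findings.append("quality_check_without_module")
    lockout = entry.get("pwdlockout", ["FALSE"])[0].upper() == "TRUE"
    # pwdMaxFailure absent or 0: failures are not counted, pwdLockout is ignored.
    if lockout and num("pwdMaxFailure") == 0:
        findings.append("lockout_ignored_no_failure_limit")
    # pwdLockoutDuration absent or 0: a locked account stays locked until reset.
    if lockout and num("pwdLockoutDuration") == 0:
        findings.append("lockout_until_admin_reset")
    # pwdGraceAuthNLimit absent or 0: an expired password cannot bind at all.
    if num("pwdMaxAge") > 0 and num("pwdGraceAuthNLimit") == 0:
        findings.append("no_grace_logins_after_expiry")
    return findings
```

Calling `audit_policy(parse_entry(POLICY_LDIF))` on the posted policy reports the missing check module and the absence of grace logins.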