How to make ldappasswd obey password policy restrictions?
- To: "'openldap-technical@openldap.org'" <openldap-technical@openldap.org>
- Subject: How to make ldappasswd obey password policy restrictions?
- From: Konstantin Boyandin <temmokan@gmail.com>
- Date: Fri, 18 Feb 2011 12:55:01 +0600
- User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.13) Gecko/20101209 Fedora/3.1.7-0.35.b3pre.fc14 Thunderbird/3.1.7
Greetings,
Given: OpenLDAP: 2.4.23, password policy module enabled, default
password policy loaded as
dn: cn=default,ou=Policies,dc=example,dc=com
cn: default
objectClass: pwdPolicy
objectClass: person
objectClass: top
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckQuality: 0
pwdExpireWarning: 600
pwdFailureCountInterval: 30
pwdGraceAuthNLimit: 5
pwdInHistory: 5
pwdLockout: TRUE
pwdLockoutDuration: 30
pwdMaxAge: 7776000
pwdMaxFailure: 5
pwdMinAge: 0
pwdMinLength: 5
pwdMustChange: FALSE
pwdSafeModify: FALSE
sn: dummy value
Authentication is set via LDAP (.
The problem: when I try to set a password via ldappasswd, using a command
like this:
ldappasswd -e ppolicy -W -x -D "cn=Manager,dc=example,dc=com" \
-H ldap://127.0.0.1/ -A -S "uid=testuser,ou=Users,dc=example,dc=com"
it bypasses the password policy settings - I can set the same password, or
a previously used password. It doesn't matter whether I specify
'-e ppolicy' or not.
However, when I try to change password with passwd (authentication is
set via LDAP, /etc/ldap.conf contains 'pam_password exop'):
passwd testuser
the password policy restrictions are in effect. I am not allowed to set
the same password, a previous or similar password, etc.
Is it possible to make ldappasswd observe password policy restrictions?
Thanks.
Sincerely,
Konstantin
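As an added example (not part of the original message and not OpenLDAP's own code), the following Python script is an offline model of the checks slapo-ppolicy applies to a self-service password change, driven by the policy entry posted above. It assumes the {SSHA} storage scheme and the `time#syntaxOID#length#data` layout of pwdHistory values; the user entry, salt and history are constructed sample data. It models only a change made by the user on their own entry (what `passwd` with `pam_password exop` performs) and does not model how the overlay treats a change made while bound as the rootdn. One thing it makes visible about the posted policy: with pwdCheckQuality set to 0, pwdMinLength is not enforced either, because the length check is part of quality checking.

```python
"""Offline model of the checks slapo-ppolicy applies to a self-service
password change, driven by the policy entry from the question.
Added illustration only: simplified, not OpenLDAP's own code."""
import base64
import hashlib
import os
from datetime import datetime, timedelta, timezone

# The posted default policy as LDIF text (the attributes this model uses).
POLICY_LDIF = """\
dn: cn=default,ou=Policies,dc=example,dc=com
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdAllowUserChange: TRUE
pwdCheckQuality: 0
pwdInHistory: 5
pwdMinAge: 0
pwdMinLength: 5
pwdSafeModify: FALSE
"""

def parse_ldif(text):
    """Minimal LDIF reader: attribute -> list of values (no base64 or folded lines)."""
    entry = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            attr, _, value = line.partition(": ")
            entry.setdefault(attr, []).append(value)
    return entry

POLICY = parse_ldif(POLICY_LDIF)

def ssha_hash(password, salt=None):
    """{SSHA}: base64(sha1(password + salt) + salt), slapd's default storage scheme."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_verify(password, stored):
    """Check a cleartext candidate against a {SSHA} value; other schemes count as no match."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode() + salt).digest() == digest

def history_value(timestamp, hashed):
    """pwdHistory value: 'time#syntaxOID#length#data' (draft-behera-ldap-password-policy)."""
    return "%s#1.3.6.1.4.1.1466.115.121.1.40#%d#%s" % (timestamp, len(hashed), hashed)

def history_data(value):
    """Extract the stored hash from a pwdHistory value."""
    return value.split("#", 3)[3]

def check_password_change(policy, user, new_password, now=None):
    """Return 'ok' or the name of the ppolicy error the change would get."""
    now = now or datetime.now(timezone.utc)
    def setting(attr, default):
        return policy.get(attr, [default])[0]
    if setting("pwdAllowUserChange", "TRUE") != "TRUE":
        return "passwordModNotAllowed"
    # pwdMinAge: seconds that must elapse after pwdChangedTime before another change.
    min_age = int(setting("pwdMinAge", "0"))
    changed = user.get("pwdChangedTime")
    if min_age and changed and now - changed < timedelta(seconds=min_age):
        return "passwordTooYoung"
    # Quality checks, pwdMinLength among them, only run when pwdCheckQuality > 0.
    if int(setting("pwdCheckQuality", "0")) > 0:
        if len(new_password) < int(setting("pwdMinLength", "0")):
            return "passwordTooShort"
    # pwdInHistory > 0: reject the current password and anything in pwdHistory.
    if int(setting("pwdInHistory", "0")) > 0:
        previous = [user["userPassword"]] + [history_data(h) for h in user.get("pwdHistory", [])]
        if any(ssha_verify(new_password, h) for h in previous):
            return "passwordInHistory"
    return "ok"

# Constructed sample user: current hash plus two earlier ones in pwdHistory.
SALT = b"\x01\x02\x03\x04"  # fixed salt so the sample is reproducible
TESTUSER = {
    "userPassword": ssha_hash("current-pw", SALT),
    "pwdChangedTime": datetime(2011, 2, 17, 6, 55, 1, tzinfo=timezone.utc),
    "pwdHistory": [
        history_value("20101201000000Z", ssha_hash("old-pw-1", SALT)),
        history_value("20110101000000Z", ssha_hash("old-pw-2", SALT)),
    ],
}

def demo():
    """Outcomes for the cases the question describes, plus two policy variants."""
    strict = dict(POLICY, pwdCheckQuality=["1"])    # turns on quality checking, so pwdMinLength applies
    min_age = dict(POLICY, pwdMinAge=["86400"])      # one day must pass between changes
    an_hour_later = TESTUSER["pwdChangedTime"] + timedelta(hours=1)
    return {
        "new password": check_password_change(POLICY, TESTUSER, "brand-new-pw"),
        "same password": check_password_change(POLICY, TESTUSER, "current-pw"),
        "previous password": check_password_change(POLICY, TESTUSER, "old-pw-1"),
        "short, quality 0": check_password_change(POLICY, TESTUSER, "abc"),
        "short, quality 1": check_password_change(strict, TESTUSER, "abc"),
        "too soon, minAge 86400": check_password_change(min_age, TESTUSER, "brand-new-pw", now=an_hour_later),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print("%-24s %s" % (case, result))
```

Running the script prints one line per case; the "same password" and "previous password" cases come back as passwordInHistory, which is the behaviour the poster sees through `passwd`, while "abc" passes under the posted policy and is only rejected once pwdCheckQuality is raised above 0.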