
Re: How to make ldappasswd obey password policy restrictions?



Hello Konstantin,

the rootdn bypasses the password policy, so do not use the rootdn in your
ldappasswd command.

Clément.

2011/2/18, Konstantin Boyandin <temmokan@gmail.com>:
> Greetings,
>
> Given: OpenLDAP: 2.4.23, password policy module enabled, default
> password policy loaded as
>
> dn: cn=default,ou=Policies,dc=example,dc=com
> cn: default
> objectClass: pwdPolicy
> objectClass: person
> objectClass: top
> pwdAllowUserChange: TRUE
> pwdAttribute: userPassword
> pwdCheckQuality: 0
> pwdExpireWarning: 600
> pwdFailureCountInterval: 30
> pwdGraceAuthNLimit: 5
> pwdInHistory: 5
> pwdLockout: TRUE
> pwdLockoutDuration: 30
> pwdMaxAge: 7776000
> pwdMaxFailure: 5
> pwdMinAge: 0
> pwdMinLength: 5
> pwdMustChange: FALSE
> pwdSafeModify: FALSE
> sn: dummy value
>
> Authentication is set via LDAP (.
> The problem: when I try to set a password via ldappasswd, using a command
> like this:
>
> ldappasswd -e ppolicy -W -x -D "cn=Manager,dc=example,dc=com" \
>  -H ldap://127.0.0.1/ -A -S "uid=testuser,ou=Users,dc=example,dc=com"
>
> it bypasses password policy settings - I can set the same password, can
> set the previously used password. It doesn't matter whether I specify
> '-e ppolicy' or not.
>
> However, when I try to change password with passwd (authentication is
> set via LDAP, /etc/ldap.conf contains 'pam_password exop'):
>
> passwd testuser
>
> the password policy restrictions are in effect. I am not allowed to set
> the same password, to set previous or similar password etc.
>
> Is it possible to make ldappasswd observe password policy restrictions?
>
> Thanks.
> Sincerely,
> Konstantin
>
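The fix suggested in the reply, written out as an added example (not code from either message in the thread): bind as the user whose password is being changed instead of as cn=Manager, so the ppolicy overlay is in the path, then prove the policy is enforced by trying to set the previous password back. It assumes the DNs and server URI from the question, that ldappasswd exits with the LDAP result code, and that ppolicy rejections arrive as result 19 (constraint violation) with the reason in an "Additional info" line, as ldappasswd prints them; the sample error text in the comments is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: the DNs and URI below match
# the question, ldappasswd exits with the LDAP result code, and ppolicy
# rejections are result 19 with the rule named in an "Additional info" line.

LDAP_URI="${LDAP_URI:-ldap://127.0.0.1/}"
USER_DN="${USER_DN:-uid=testuser,ou=Users,dc=example,dc=com}"
ERR_FILE="${ERR_FILE:-/tmp/ldappasswd.err}"

# Change a password while staying subject to ppolicy: bind as the user
# themselves (never the rootdn), supply the old password with -a so history
# and safe-modify rules can be evaluated, and request the ppolicy control.
# Arguments: old password, new password. Returns ldappasswd's exit status.
change_own_password() {
    ldappasswd -x -e ppolicy -H "$LDAP_URI" -D "$USER_DN" -w "$1" \
        -a "$1" -s "$2" 2>"$ERR_FILE"
}

# Classify an ldappasswd run from its exit status and captured stderr.
# Prints "changed", "policy:<reason>" when the server enforced ppolicy
# (e.g. "policy:Password is in history of old passwords"), or "error:<code>".
classify_result() {
    status="$1"
    err_text="$2"
    case "$status" in
        0)  echo "changed" ;;
        19)
            # ppolicy names the rule that fired in the "Additional info" line
            reason=$(printf '%s\n' "$err_text" | sed -n 's/^Additional info: //p')
            echo "policy:${reason:-constraint violation}" ;;
        *)  echo "error:$status" ;;
    esac
}

# End-to-end check: the change must succeed, and changing back to the old
# password must then be refused by pwdInHistory. Returns 0 when the policy
# is really in effect for this bind identity, 1 otherwise.
verify_policy_enforced() {
    old="$1"
    new="$2"
    st=0
    change_own_password "$old" "$new" || st=$?
    [ "$(classify_result "$st" "$(cat "$ERR_FILE")")" = changed ] || return 1
    st=0
    change_own_password "$new" "$old" || st=$?
    case "$(classify_result "$st" "$(cat "$ERR_FILE")")" in
        policy:*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Usage against a live server (not run here):
#   USER_DN="uid=testuser,ou=Users,dc=example,dc=com" \
#   verify_policy_enforced 'OldSecret1' 'NewSecret2' && echo "ppolicy enforced"
```

If verify_policy_enforced returns 0 the second change was rejected by the server, which is exactly what the question reports for passwd but not for the rootdn-bound ldappasswd. Note that the same ldappasswd invocation with -D "cn=Manager,..." will return "changed" both times, because the rootdn is exempt from the overlay's checks regardless of the -e ppolicy control.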