Re: How to make ldappasswd obey password policy restrictions?
On Fri, 18 Feb 2011 12:55:01 +0600, Konstantin Boyandin <temmokan@gmail.com> wrote:
> Greetings,
>
> Given: OpenLDAP: 2.4.23, password policy module enabled, default
> password policy loaded as
>
> dn: cn=default,ou=Policies,dc=example,dc=com
> cn: default
> objectClass: pwdPolicy
> objectClass: person
> objectClass: top
> pwdAllowUserChange: TRUE
> pwdAttribute: userPassword
> pwdCheckQuality: 0
> pwdExpireWarning: 600
> pwdFailureCountInterval: 30
> pwdGraceAuthNLimit: 5
> pwdInHistory: 5
> pwdLockout: TRUE
> pwdLockoutDuration: 30
> pwdMaxAge: 7776000
> pwdMaxFailure: 5
> pwdMinAge: 0
> pwdMinLength: 5
> pwdMustChange: FALSE
> pwdSafeModify: FALSE
> sn: dummy value
>
> Authentication is set via LDAP (.
> The problem: when I try to set password via ldappassword, using
> command like this:
>
> ldappasswd -e ppolicy -W -x -D "cn=Manager,dc=example,dc=com" \
> -H ldap://127.0.0.1/ -A -S "uid=testuser,ou=Users,dc=example,dc=com"
rootdn bypasses all restrictions.
> it bypasses password policy settings - I can set the same password,
> can set the previously used password. It doesn't matter whether I
> specify '-e ppolicy' or not.
>
> However, when I try to change password with passwd (authentication is
> set via LDAP, /etc/ldap.conf contains 'pam_password exop'):
>
> passwd testuser
>
> the password policy restrictions are in effect. I am not allowed to
> set the same password, to set previous or similar password etc.
>
> Is it possible to make ldappasswd observe password policy restrictions?
Yes, do not bind as rootdn.
-Dieter
--
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:DA147B05
53°37'09,95"N
10°08'02,42"E
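Added example, not part of the thread above: a small POSIX sh wrapper that applies Dieter's advice. slapo-ppolicy skips the rootdn entirely, so the only way to have pwdInHistory, pwdMinAge and friends enforced through ldappasswd is to bind as the account whose password is being changed and send the Password Policy request control (`-e ppolicy`) so slapd reports the specific policy failure. The wrapper refuses to run if the bind DN is the rootdn. Assumptions (mine, not from the post): server at ldap://127.0.0.1/, rootdn cn=Manager,dc=example,dc=com, and an ACL such as `access to attrs=userPassword by self write by anonymous auth by * none` so the user may write its own userPassword. Note also that the posted policy has `pwdCheckQuality: 0`, under which pwdMinLength is not checked at all; set it to 1 or 2 if length should be enforced.

```shell
#!/bin/sh
# Added example: change a user's password so the ppolicy overlay is enforced.
# Binds as the target user (never rootdn) and sends the ppolicy control.
# Assumed values below are illustrative, not taken from the original post.

LDAP_URI="${LDAP_URI:-ldap://127.0.0.1/}"
ROOTDN="${ROOTDN:-cn=Manager,dc=example,dc=com}"

# Normalise a DN for comparison: lower-case, no blanks around commas.
norm_dn() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/ *, */,/g'
}

# Exit status 0 if the DN is the rootdn, which slapo-ppolicy does not police.
is_rootdn() {
    [ "$(norm_dn "$1")" = "$(norm_dn "$ROOTDN")" ]
}

# Print the ldappasswd invocation that keeps the policy in force:
#   -D <user DN>  bind as the user itself (ACL "by self write" on userPassword)
#   -W            prompt for that user's current password (bind)
#   -A -S         prompt for old and new password for the PasswordModify exop
#   -e ppolicy    request the Password Policy control so errors are specific
# With no target DN argument, ldappasswd changes the bound user's own password.
build_cmd() {
    dn=$1
    if is_rootdn "$dn"; then
        echo "refusing: binding as rootdn bypasses all ppolicy restrictions" >&2
        return 1
    fi
    printf "ldappasswd -x -H '%s' -e ppolicy -D '%s' -W -A -S\n" "$LDAP_URI" "$dn"
}

# Stand-alone use: TARGET_DN='uid=testuser,ou=Users,dc=example,dc=com' sh change-pw.sh
if [ -n "${TARGET_DN:-}" ]; then
    cmd=$(build_cmd "$TARGET_DN") || exit 1
    # Confirm which identity slapd sees before changing anything.
    ldapwhoami -x -H "$LDAP_URI" -D "$TARGET_DN" -W
    eval "$cmd"
fi
```

With the policy from the post, re-submitting the current password or one of the last five now fails with `Password is in history of old passwords` instead of silently succeeding, and the same command run with `-D cn=Manager,...` is refused by the wrapper rather than quietly bypassing the overlay.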