Re: How to make ldappasswd obey password policy restrictions?
- To: Clément OUDOT <clem.oudot@gmail.com>
- Subject: Re: How to make ldappasswd obey password policy restrictions?
- From: Konstantin Boyandin <temmokan@gmail.com>
- Date: Fri, 18 Feb 2011 13:32:28 +0600
- Cc: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
- In-reply-to: <AANLkTi=0OsikBJPtc5SHTgnyzmK+djwgRgsjHYn=sEi9@mail.gmail.com>
- References: <4D5E17C5.7000801@gmail.com> <AANLkTi=0OsikBJPtc5SHTgnyzmK+djwgRgsjHYn=sEi9@mail.gmail.com>
- User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.13) Gecko/20101209 Fedora/3.1.7-0.35.b3pre.fc14 Thunderbird/3.1.7
Hello Clement,
18.02.2011 13:28, Clément OUDOT writes:
> Hello Konstantin,
>
> the rootdn bypasses password policy, so do not use rootdn in your
> ldappasswd command.
Indeed, using the same dn for authentication, password policy
prevented the wrong action.
Thank you.
Sincerely,
Konstantin
>
> Clément.
>
> 2011/2/18, Konstantin Boyandin <temmokan@gmail.com>:
>> Greetings,
>>
>> Given: OpenLDAP: 2.4.23, password policy module enabled, default
>> password policy loaded as
>>
>> dn: cn=default,ou=Policies,dc=example,dc=com
>> cn: default
>> objectClass: pwdPolicy
>> objectClass: person
>> objectClass: top
>> pwdAllowUserChange: TRUE
>> pwdAttribute: userPassword
>> pwdCheckQuality: 0
>> pwdExpireWarning: 600
>> pwdFailureCountInterval: 30
>> pwdGraceAuthNLimit: 5
>> pwdInHistory: 5
>> pwdLockout: TRUE
>> pwdLockoutDuration: 30
>> pwdMaxAge: 7776000
>> pwdMaxFailure: 5
>> pwdMinAge: 0
>> pwdMinLength: 5
>> pwdMustChange: FALSE
>> pwdSafeModify: FALSE
>> sn: dummy value
>>
>> Authentication is set via LDAP (.
>> The problem: when I try to set password via ldappasswd, using command
>> like this:
>>
>> ldappasswd -e ppolicy -W -x -D "cn=Manager,dc=example,dc=com" \
>> -H ldap://127.0.0.1/ -A -S "uid=testuser,ou=Users,dc=example,dc=com"
>>
>> it bypasses password policy settings - I can set the same password, can
>> set the previously used password. It doesn't matter whether I specify
>> '-e ppolicy' or not.
>>
>> However, when I try to change password with passwd (authentication is
>> set via LDAP, /etc/ldap.conf contains 'pam_password exop'):
>>
>> passwd testuser
>>
>> the password policy restrictions are in effect. I am not allowed to set
>> the same password, to set previous or similar password etc.
>>
>> Is it possible to make ldappasswd observe password policy restrictions?
>>
>> Thanks.
>> Sincerely,
>> Konstantin
>>
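The point of the exchange above is that the ppolicy overlay exempts the rootdn, so a change bound as cn=Manager is never checked, while the same change bound as the user is. The following is an added example, not code from the thread or from OpenLDAP: it emulates the two checks the quoted policy would apply (pwdMinLength and pwdInHistory against {SSHA} values in OpenLDAP's `time#syntaxOID#length#data` pwdHistory format) and flags a change that binds as the rootdn as unenforced. The policy LDIF, the hypothetical history values and the {SSHA} helpers are constructed for the example.

```python
import base64
import hashlib
import os

# Constructed sample: the relevant attributes of the thread's default pwdPolicy entry.
POLICY_LDIF = """\
dn: cn=default,ou=Policies,dc=example,dc=com
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdCheckQuality: 0
pwdInHistory: 5
pwdMinLength: 5
pwdMinAge: 0
"""

def parse_ldif(text):
    """Parse a single-entry LDIF into attribute -> list of values (no base64 or folding)."""
    entry = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip(), []).append(value.strip())
    return entry

def ssha_hash(password, salt=None):
    """Build an {SSHA} userPassword value: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    return "{SSHA}" + base64.b64encode(hashlib.sha1(password.encode() + salt).digest() + salt).decode()

def ssha_verify(password, stored):
    """Check a cleartext password against an {SSHA} value; the salt follows the 20-byte digest."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    return hashlib.sha1(password.encode() + raw[20:]).digest() == raw[:20]

def check_change(policy, bind_dn, rootdn, new_password, history):
    """Emulate ppolicy on a proposed change; returns a list of problems (empty = would pass).

    history: pwdHistory values 'time#OID#len#data'; the newest pwdInHistory entries are checked."""
    problems = []
    if bind_dn.lower() == rootdn.lower():
        # The rootdn is exempt from ppolicy, so nothing below is enforced by the server.
        problems.append("bind as rootdn: ppolicy is bypassed server-side")
    min_len = int(policy.get("pwdMinLength", ["0"])[0])
    if len(new_password) < min_len:
        problems.append(f"shorter than pwdMinLength={min_len}")
    in_hist = int(policy.get("pwdInHistory", ["0"])[0])
    for value in sorted(history, reverse=True)[:in_hist]:  # generalized-time prefix sorts lexically
        stored = value.split("#", 3)[3]
        if stored.startswith("{SSHA}") and ssha_verify(new_password, stored):
            problems.append("reuses a password within pwdInHistory")
            break
    return problems
```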