[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Openldap doesn't force password change and other related problems
Hello All,
I probably have something misconfigured on my openldap server, but it seems that this is not so easy to debug (for me).
I use openldap 2.4.23 with ppolicy and accesslog overlays.
I have the following behaviours:
- when pwdMustChange and pwdReset are set to true, after login, user is not prompted to change the password, however if I run:
[def_auditor@localhost fbelli]$ ldapwhoami -x -e ppolicy -D uid=def_auditor,ou=people,dc=pippo,dc=com -w ****** -ZZ -H ldap://mkernel
ldap_bind: Success (0); Password must be changed (Password expires in 0 seconds)
dn:uid=def_auditor,ou=people,dc=pippo,dc=com
- When there are less of pwdExpireWarning seconds and user authenticates (bash shell or ldapsearch), it doesn't get any warning.
- When password is expired and user uses one of his pwdGraceAuthNLimit, he doesn't get any warning (but it will get lockedout after).
It looks like that for some reason the openldap server doesn't send warnings back to the user. However if user tryes to change the password to one that doesn't match the policy, it gets the correct warnings.
Following there is my standard password policy:
dn: ou=Policies,dc=aivp,dc=vtp
ou: Policies
description: Directory policies.
objectClass: organizationalUnit
dn: cn=Standard,ou=Policies,dc=aivp,dc=vtp
cn: Standard
description: Standard password policy.
pwdAttribute: 2.5.4.35
pwdMinAge: 172800
pwdMaxAge: 5184000
pwdCheckQuality: 1
pwdCheckModule: check_password.so
pwdMinLength: 8
pwdExpireWarning: 604800
pwdGraceAuthNLimit: 1
pwdInHistory: 20
pwdLockout: TRUE
pwdLockoutDuration: 900
pwdMaxFailure: 3
pwdFailureCountInterval: 1200
pwdMustChange: TRUE
objectClass: device
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
Overlay configuration:
dn: olcOverlay={2}ppolicy
objectClass: olcPPolicyConfig
objectClass: olcOverlayConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=Standard,ou=Policies,dc=aivp,dc=vtp
olcPPolicyUseLockout: TRUE
olcPPolicyHashCleartext: TRUE
And an example of an user when first inserted:
dn: uid=def_auditor,ou=people,dc=aivp,dc=vtp
cn: def_auditor
gidnumber: 601
homedirectory: /home/def_auditor
loginshell: /bin/bash
objectclass: account
objectclass: posixAccount
objectclass: top
uid: def_auditor
uidnumber: 634
userPassword:: ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ=
pwdReset: TRUE
Thanks in advance for any advice
Best Regards,
Francesco Belli