
Re: What can I use for pwdCheckModule?



* Do not use rootdn account to test ppolicy (rootdn bypasses ppolicy)
- I have a service account set up in /etc/pam_ldap.conf.
What should the proper ACL be for this?

* Do not hash password before modifying it (password in SSHA cannot be verified against min size for example)
- Ah. I'll change that to send in clear and try again. However, shouldn't this just make the check fail, being that the hash will be longer than 12 chars?

* What client do you use to test?
pam_ldap, and apache directory studio (bind as regular user)


Thanks,
Dan


On Wed, Apr 10, 2013 at 12:34 PM, Clément OUDOT <clem.oudot@gmail.com> wrote:


2013/4/10 D C <dc12078@gmail.com>
Fair enough. Now I'm updated
$ rpm -qa |grep openldap
openldap-ltb-2.4.35-1.el6.x86_64
openldap-ltb-check-password-1.1-8.el6.x86_64

I dumped and reimported my database, and tried again. I don't see any difference.

TESTS:                     RESULT:

pwdSafeModify: FALSE       PASS:  Message: LDAP password information update failed: Insufficient access.  Must supply old password to be changed as well as new one
pwdAllowUserChange: FALSE  PASS:  Message: LDAP password information update failed: Insufficient access.  User alteration of password is not allowed
pwdMaxAge: 300             Not Tested.
pwdExpireWarning: 10       Not Tested.
pwdInHistory: 3            FAIL:  I can still flip between 2 passwords
pwdMinLength: 12           FAIL:  I can still set a 6 char password
pwdMustChange:             FAIL:  I am not forced to change passwd.
pwdMaxFailure: 2           FAIL:  Still allowed in after 3 failures

Several points:
* Do not use rootdn account to test ppolicy (rootdn bypasses ppolicy)
* Do not hash password before modifying it (password in SSHA cannot be verified against min size for example)
* What client do you use to test?


Clément.
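An added example, not part of the thread, modelling Clément's second point and Dan's question about it: a client that hashes the password itself sends a {SSHA} value, and ppolicy cannot recover the plaintext length from it, so the hash being longer than 12 characters does not make pwdMinLength pass or fail on the real password. The pwdCheckQuality semantics (1 = accept a value that cannot be checked, 2 = reject it) are taken from the ppolicy documentation; the salt and passwords are constructed.

```python
import base64
import hashlib
import os
from typing import Optional, Tuple

# Constructed policy value, matching the pwdMinLength: 12 entry in the thread.
PWD_MIN_LENGTH = 12


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Build an OpenLDAP-style {SSHA} value: base64(sha1(password || salt) || salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def is_hashed(value: str) -> bool:
    """A userPassword value with a {SCHEME} prefix was hashed before it reached slapd."""
    return value.startswith("{") and "}" in value


def check_min_length(value: str, check_quality: int = 2) -> Tuple[bool, str]:
    """Model of how ppolicy applies pwdMinLength to an incoming userPassword.

    check_quality mirrors pwdCheckQuality: 1 accepts a value whose quality cannot
    be checked, 2 rejects it (assumed from the ppolicy documentation).
    """
    if is_hashed(value):
        # The plaintext length is unknown here, whatever the hash's length is.
        if check_quality == 2:
            return False, "password is hashed; quality cannot be checked"
        return True, "password is hashed; quality check skipped"
    if len(value) < PWD_MIN_LENGTH:
        return False, f"password is shorter than pwdMinLength ({PWD_MIN_LENGTH})"
    return True, "ok"


if __name__ == "__main__":
    short = "abc123"  # constructed 6-character password, as in the FAIL row
    hashed = ssha_hash(short, salt=b"\x01\x02\x03\x04")
    print(len(hashed), check_min_length(hashed, check_quality=1))  # 38 chars, accepted
    print(check_min_length(short))  # plaintext: rejected as too short
```

With pwdCheckQuality set to 1 the 38-character hash of a 6-character password is accepted, which is exactly the "I can still set a 6 char password" result; sending the password in clear lets the length check see it.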