[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: Password Policy Questions
I am getting a little further with this.
I have added
pwdLockOut = TRUE
pwdMaxFialure = 5
pwdMinLength = 8
Now if I try to log in with the wrong password it add a pwdFailureTime
attribute to the user as expected and after 5 I can't bind as that user
anymore. Then if I reset the password the user can log in again. So at
least something with the policy is working.
When I change the password however it allows passwords with less then 8
characters and pwdReset is still not set on the user's entry.
Any thoughts on what might be happening?
Thanks,
Bram
On 2014-08-03, 9:10 AM, Bram Cymet wrote:
> Hi,
>
> It looks like the password policy overlay will do exactly what I need it
> to I just can't get it to work.
>
> I have applied the overlay my directory.
> I have a default policy set that has:
>
> pwdAttribute set to userPassword
> and
> pwdMustChange set to TRUE.
>
> However when I change a user's password either with an ldapmodify or the
> ldappassword command that user is still able to bind to the directory
> just fine. I was assuming that a bind attempt would return an error
> saying that the user had to change their password or is this not the
> expected behavior?
>
> Also I have tried adding pwdReset = TRUE to my user's object but it
> complains the pwdReset is not allowed in the schema. Is there a specific
> objectclass that I have to add to my user entries?
>
> I have also tried creating a schema with pwdReset and pwdPolicySubentry
> but when I add that schema it complains that these are operational
> attributes.
>
> I have upped the logging and when I user tries to bind I see:
>
> Aug 3 08:57:08 devauth slapd[30441]: conn=1017 fd=17 ACCEPT from
> IP=10.20.48.66:55519 (IP=0.0.0.0:389)
> Aug 3 08:57:08 devauth slapd[30441]: conn=1017 op=0 BIND
> dn="uid=email@test.com,ou=test_websales_users,dc=ls,dc=cbn" method=128
> Aug 3 08:57:08 devauth slapd[30441]: => bdb_entry_get: found entry:
> "uid=email@test.com,ou=test_websales_users,dc=ls,dc=cbn"
> Aug 3 08:57:08 devauth slapd[30441]: => bdb_entry_get: found entry:
> "cn=websales_password_policy,ou=test_websales_users,dc=ls,dc=cbn"
> Aug 3 08:57:08 devauth slapd[30441]: => access_allowed: result not in
> cache (userPassword)
> Aug 3 08:57:08 devauth slapd[30441]: => access_allowed: auth access to
> "uid=email@test.com,ou=test_websales_users,dc=ls,dc=cbn" "userPassword"
> requested
> Aug 3 08:57:08 devauth slapd[30441]: => acl_get: [2] attr userPassword
> Aug 3 08:57:08 devauth slapd[30441]: => acl_mask: access to entry
> "uid=email@test.com,ou=test_websales_users,dc=ls,dc=cbn", attr
> "userPassword" requested
> Aug 3 08:57:08 devauth slapd[30441]: => acl_mask: to value by "", (=0)
> Aug 3 08:57:08 devauth slapd[30441]: <= check a_dn_pat: self
> Aug 3 08:57:08 devauth slapd[30441]: <= check a_dn_pat: *
> Aug 3 08:57:08 devauth slapd[30441]: <= acl_mask: [2] applying
> auth(=xd) (stop)
> Aug 3 08:57:08 devauth slapd[30441]: <= acl_mask: [2] mask: auth(=xd)
> Aug 3 08:57:08 devauth slapd[30441]: => slap_access_allowed: auth
> access granted by auth(=xd)
> Aug 3 08:57:08 devauth slapd[30441]: => access_allowed: auth access
> granted by auth(=xd)
> Aug 3 08:57:08 devauth slapd[30441]: conn=1017 op=0 BIND
> dn="uid=email@test.com,ou=test_websales_users,dc=ls,dc=cbn" mech=SIMPLE
> ssf=0
>
> So it looks to me like the default policy has been applied but nothing
> happens when a password is reset by an administrator.
>
> So I think I am missing something fundamental here. I have a few
> questions that I think will help me to narrow down my problem though.
>
> 1) What is the best way to debug an overlay?
>
> 2) Is there a proper way for an administrator to change a password so
> that the pwdReset flag is set on the user (or whatever is supposed to
> happen so that the user needs to reset their password on their next bind)
>
> 3) Is it enough to have a password policy with just pwdAttribute and
> pwdMustChange set or are there other values that need to be set to make
> this work.
>
> 4) Are there any extra object classes that have to added to my user
> entries for the password policies to work?
>
> 5) I would like users to have to reset their password on first bind do
> I need to set something on object creation?
>
> 6) Anything else I might be missing?
>
> Any help would be awesome.
>
> Thanks,
>
--
Bram Cymet
Software Developer
Canadian Bank Note Co. Ltd.
613-608-9752