Re: Password Policy Questions

To: Bram Cymet <bcymet@cbnco.com>

Subject: Re: Password Policy Questions

From: Clément OUDOT <clem.oudot@gmail.com>

Date: Mon, 18 Aug 2014 10:06:00 +0200

Cc: "openldap-technical@openldap.org" <openldap-technical@openldap.org>

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=iY1mtqrdpHZADmmPlfcCm1LsWBVKQ1x2Vs4X55i7MNk=; b=Ir6Bd59i/2tb2UBrmlUXY+8r3SHx4aM6BOi7tokhDnmFJw4WhvShhzuNW1F+ar/uFa qxBM1zeJY/6WbOFKKAwOOQRc16KGDXaMMWB4jRRcK+SpqoLSVQaxm/YSbvhoUsvCWwsb VS07gJYXE8HG0lu2VCoX5LsVQaLhpt+H0NJ7iKizXSlfBnjpUDaQGjCd9s5Ck4EV+Chp ELHbYgxMQPo7KiEIyfbWKF9QSh8+GIX5RjwC5Zjd3xJbyMsq58mSE1X/eN0y6gNZXrE2 Cz1frlpeF8F2xuMiVBCNJuaq9awpLS5fGVZ3/1aT25wDTR+vKs6fw0OYWTCK1N4lOzuF Y6Ew==

In-reply-to: <53E0FE94.8090908@cbnco.com>

References: <53DE34DD.5070601@cbnco.com> <53E0FE94.8090908@cbnco.com>

2014-08-05 17:56 GMT+02:00 Bram Cymet <bcymet@cbnco.com>:

I am getting a little further with this.

I have added

pwdLockOut = TRUE
pwdMaxFialure = 5
pwdMinLength = 8

Now if I try to log in with the wrong password it add a pwdFailureTime
attribute to the user as expected and after 5 I can't bind as that user
anymore. Then if I reset the password the user can log in again. So at
least something with the policy is working.

When I change the password however it allows passwords with less then 8
characters and pwdReset is still not set on the user's entry.

Any thoughts on what might be happening?

Hi,

1/ Password policy is not applied on password modification if the operation is done with the manager account

2/ Password size or strength is not verified if password is sent in hashed form, you need to send cleartext password to be able to check it

3/ pwdReset is not set to TRUE automatically, you need to set it by hand.

Clément.

References:

Password Policy Questions
- From: Bram Cymet <bcymet@cbnco.com>
Re: Password Policy Questions
- From: Bram Cymet <bcymet@cbnco.com>