Elizabeth, sorry, your wording does not result in any valid interpretation on my side. In particular, you obfuscated too much. To see what's really going on you should again carefully examine your configuration and slapd logs, and check the command lines more carefully.

Ciao, Michael.

Real, Elizabeth (392K) wrote:
> Michael,
>
> I modified the command and was able to implement the password policy using:
> # ldapadd -x -W -D cn=****,dc=****,dc=**** -f passwordPolicy.ldif
>
> Verified the policy was applied:
> # ldapsearch -x -D cn=****,dc=****,dc=**** -H ldap:// -b dc=****,dc=**** -W
>
> # real, People, ****.****
> dn: uid=real,ou=People,dc=****,dc=****
> uid: real
> homeDirectory: /home/real
> memberUid: real
> …
> …
> # policies, ****.****
> dn: cn=policies,dc=cluster,dc=sec312
> objectClass: pwdPolicy
> objectClass: person
> objectClass: top
> cn:: cG9saWNpZXMg
> sn: policies
> pwdAllowUserChange: TRUE
> pwdAttribute: userPassword
> pwdCheckQuality: 2
> pwdExpireWarning: 3600
> pwdInHistory: 10
> pwdLockout: TRUE
> pwdLockoutDuration: 0
> pwdMaxAge: 7776000
> pwdMaxFailure: 5
> pwdMinAge: 0
> pwdMinLength: 8
> pwdMustChange: FALSE
> pwdSafeModify: FALSE
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 598
> # numEntries: 597
>
> TEST: I reset the password for user ‘real’ on an ldap client using passwd; the password was successfully changed. However, the new user password did not change on the ldap server. It appears that the policy is not updating the ou where my user ‘real’ belongs.
>
> Maybe it’s got to do with my ldap tree and where I configured my password policy (cn=policies); this is how it is now:
>
> dc=****, dc=****
>   cn=policies
>   …
>   …
>   ou=People
>   …
>   …
>
> Thank you,
> Liz
>
>
> From: Michael Ströder <michael@stroeder.com>
> Date: Thursday, September 24, 2015 at 11:42 AM
> To: Elizabeth Real Chavez <Elizabeth.Real@jpl.nasa.gov>, "openldap-technical@openldap.org" <openldap-technical@openldap.org>
> Subject: Re: Allow users to change ldap password with passwd
>
> Real, Elizabeth (392K) wrote:
>> I replaced ou with cn, tried loading the ldif and got this message:
>> # ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f passwordPolicy.ldif
>> SASL/EXTERNAL authentication started
>> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
>> SASL SSF: 0
>> adding new entry "cn=policies,dc=*****,dc=*****"
>> ldap_add: Insufficient access (50)
>> additional info: no write access to parent
>
> I guess you want to use another bind-DN with -D when writing to your normal DB backend / naming context dc=*****,dc=*****.
>
> And defining -Y and -D together does not make sense. Please consult the man page and look at various bind methods more closely.
>
> Ciao, Michael.

--
Michael Ströder   Klauprechtstr. 11
Dipl.-Inform.     D-76137 Karlsruhe, Germany
Tel.: +49 721 8304316   Mobil: +49 170 2391920
E-Mail: michael@stroeder.com   http://www.stroeder.com
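An added check for the kind of ldapsearch dump quoted in this thread (example code, not from the thread or the OpenLDAP project): it parses LDIF, decodes base64 `::` values such as the policy entry's `cn`, and reports what a reviewer would want to know before trusting a pwdPolicy entry. The sample LDIF, the `dc=example,dc=org` DN and the function names are constructed for this example; `pwdPolicySubentry` and `olcPPolicyDefault` are the real attribute names of the ppolicy overlay.

```python
import base64
# Constructed sample modelled on the ldapsearch output quoted in the thread (placeholder DNs).
SAMPLE_LDIF = """\
dn: uid=real,ou=People,dc=example,dc=org
uid: real

dn: cn=policies,dc=example,dc=org
objectClass: pwdPolicy
objectClass: person
cn:: cG9saWNpZXMg
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdMaxFailure: 5
"""

def parse_ldif(text):
    """Parse LDIF into {attr_lowercase: [values]} dicts, decoding '::' base64 values."""
    entries, attrs = [], {}
    for line in text.replace("\n ", "").split("\n") + [""]:  # unfold; sentinel flushes last entry
        if not line.strip():
            if attrs:
                entries.append(attrs)
            attrs = {}
        elif not line.startswith("#"):
            name, _, rest = line.partition(":")
            if rest.startswith(":"):          # base64 value: decode, keep its whitespace
                value = base64.b64decode(rest[1:].strip()).decode("utf-8")
            else:
                value = rest.strip()
            attrs.setdefault(name.strip().lower(), []).append(value)
    return entries

def is_policy(e):
    return "pwdpolicy" in [o.lower() for o in e.get("objectclass", [])]

def audit_policy(entries):
    """Findings a reviewer would raise about the pwdPolicy entries in a dump."""
    findings = []
    for e in filter(is_policy, entries):
        dn = e["dn"][0]
        for cn in e.get("cn", []):
            if cn != cn.strip():              # the base64 encoding hides this in ldapsearch output
                findings.append(f"{dn}: cn has surrounding whitespace: {cn!r}")
        if e.get("pwdlockout", [""])[0] == "TRUE" and e.get("pwdlockoutduration", ["0"])[0] == "0":
            findings.append(f"{dn}: pwdLockout TRUE with pwdLockoutDuration 0 locks accounts until an admin resets them")
        users = [u for u in entries if not is_policy(u)]
        if not any(dn.lower() in map(str.lower, u.get("pwdpolicysubentry", [])) for u in users):
            findings.append(f"{dn}: nothing references it via pwdPolicySubentry; it only applies if set as olcPPolicyDefault on the ppolicy overlay")
    return findings
```

Run it over a real dump with `audit_policy(parse_ldif(open(path).read()))`; on the values quoted in the thread the decoded `cn` carries a trailing space, and the policy is not applied to any user until it is referenced from the overlay configuration or from the user entries.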