
Re: Allow users to change ldap password with passwd



I have reinstalled openldap and applied slapo-ppolicy, carefully looking at the man pages and the configuration.

How do I then apply this to existing openldap accounts?

Thank you,
Liz

From: Michael Ströder <michael@stroeder.com>
Date: Monday, September 28, 2015 at 10:57 PM
To: Elizabeth Real Chavez <Elizabeth.Real@jpl.nasa.gov>, "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Subject: Re: Allow users to change ldap password with passwd

Elizabeth,

sorry, your wording does not result in any valid interpretation on my side.
In particular, you obfuscated too much.

To see what's really going on you should again carefully examine your
configuration, slapd logs and check the command-lines more carefully.

Ciao, Michael.

Real, Elizabeth (392K) wrote:
Michael,
I modified the command and was able to implement the password policy using:
# ldapadd -x -W -D cn=****,dc=****,dc=**** -f passwordPolicy.ldif
Verified the policy was applied:
# ldapsearch -x -D cn=****,dc=****,dc=**** -H ldap:// -b dc=****,dc=**** -W
# real, People, ****.****
dn: uid=real,ou=People,dc=****,dc=****
uid: real
homeDirectory: /home/real
memberUid: real
# policies, ****.****
dn: cn=policies,dc=cluster,dc=sec312
objectClass: pwdPolicy
objectClass: person
objectClass: top
cn:: cG9saWNpZXMg
sn: policies
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdExpireWarning: 3600
pwdInHistory: 10
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdMaxAge: 7776000
pwdMaxFailure: 5
pwdMinAge: 0
pwdMinLength: 8
pwdMustChange: FALSE
pwdSafeModify: FALSE
# search result
search: 2
result: 0 Success
# numResponses: 598
# numEntries: 597

TEST: I reset the password for user ‘real’ on an ldap client using passwd; the password was successfully changed. However, the new user password did not change on the ldap server. It appears that the policy is not updating the ou my user ‘real’ belongs to.

Maybe it’s got to do with my ldap tree and where I configured my password policy (cn=policies). This is how it is now:

dc=****, dc=****
    cn=policies
    ou=People

Thank you,
Liz
Date: Thursday, September 24, 2015 at 11:42 AM
Subject: Re: Allow users to change ldap password with passwd
Real, Elizabeth (392K) wrote:
I replaced ou with cn, tried loading the ldif and got this message:
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f passwordPolicy.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=policies,dc=*****,dc=*****"
ldap_add: Insufficient access (50)
additional info: no write access to parent
I guess you want to use another bind-DN with -D when writing to your normal DB
backend / naming context dc=*****,dc=*****.
And defining -Y and -D together does not make sense. Please consult the man
page and look at various bind methods more closely.
Ciao, Michael.


--
Michael Ströder                 Klauprechtstr. 11
Dipl.-Inform.                   D-76137 Karlsruhe, Germany
Tel.: +49 721 8304316           Mobil: +49 170 2391920
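The open question in the thread is which accounts a pwdPolicy entry actually governs. The following diagnostic is added here and is not code from the thread or from OpenLDAP: it reads a cn=config fragment and a data fragment (both constructed samples) and reports the policy slapo-ppolicy would apply to a user: the entry's own pwdPolicySubentry if set, otherwise the olcPPolicyDefault of the overlay attached to the database whose olcSuffix holds the user, otherwise none. The `cn::` line mirrors the quoted search output; it is base64 because the value carries a trailing space, which the reader decodes.

```python
import base64

# Constructed sample (not from the thread): cn=config attaching slapo-ppolicy to
# the dc=cluster,dc=sec312 database with a default policy, plus data entries.
CONFIG_LDIF = """\
dn: olcDatabase={1}mdb,cn=config
olcSuffix: dc=cluster,dc=sec312
dn: olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config
olcOverlay: {0}ppolicy
olcPPolicyDefault: cn=policies,dc=cluster,dc=sec312
"""
DATA_LDIF = """\
dn: cn=policies,dc=cluster,dc=sec312
objectClass: pwdPolicy
cn:: cG9saWNpZXMg
dn: uid=real,ou=People,dc=cluster,dc=sec312
dn: uid=svc,ou=People,dc=cluster,dc=sec312
pwdPolicySubentry: cn=nolock,dc=cluster,dc=sec312
"""

def parse_ldif(text):
    """Minimal LDIF reader -> {dn: {attr: [values]}}; decodes '::' base64 values."""
    entries, cur = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if ":: " in line:
            attr, val = line.split(":: ", 1)
            val = base64.b64decode(val).decode()
        else:
            attr, val = line.split(": ", 1)
        if attr == "dn":
            cur = entries.setdefault(val, {})
        else:
            cur.setdefault(attr, []).append(val)
    return entries

def effective_policy(config, data, user_dn):
    """Policy DN for user_dn: pwdPolicySubentry wins, else the overlay default."""
    user = data.get(user_dn, {})
    if user.get("pwdPolicySubentry"):
        return user["pwdPolicySubentry"][0]
    for db_dn, db in config.items():
        if not any(user_dn.lower().endswith("," + s.lower()) for s in db.get("olcSuffix", [])):
            continue
        for ov_dn, ov in config.items():
            if ov_dn.endswith("," + db_dn) and "olcPPolicyDefault" in ov:
                return ov["olcPPolicyDefault"][0]
    return None

def policy_defined(data, policy_dn):
    """True only if the referenced entry exists and carries objectClass pwdPolicy."""
    return "pwdPolicy" in data.get(policy_dn, {}).get("objectClass", [])
```

A user for which `effective_policy` returns None, or whose policy fails `policy_defined`, gets no lockout, history or quality enforcement even though the overlay is loaded.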