[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Problem with "force user to password reset at first login

To: PRAJITH <prajithpalakkuda@gmail.com>
Subject: Re: Problem with "force user to password reset at first login
From: Rajagopal Rc <rajagopal.rc@tcs.com>
Date: Tue, 24 Nov 2015 11:40:19 +0530
Cc: openldap-technical <openldap-technical-bounces@openldap.org>, openldap-technical@openldap.org
In-reply-to: <CAOj0toAKZ8VzfSviLg9KKP-egcmq_27De=tVWS2BJbh++ukugw@mail.gmail.com>
References: <OF66A82D46.FCC4502E-ON65257F03.002A9F5A-65257F03.002ABF62@tcs.com> <CAOj0toAKZ8VzfSviLg9KKP-egcmq_27De=tVWS2BJbh++ukugw@mail.gmail.com>

Hi Prajith,

Please find the details,

1) let us know the client application are you using.
Apache Directory Studio, Version: 2.0.0.v20150606-M9
2) Paste here your slapd.conf file.
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/misc.schema
#include /usr/share/doc/openssh-ldap-6.4p1/openssh-lpk-openldap.schema

# Added for policy
include /etc/openldap/schema/ppolicy.schema
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

# Load dynamic backend modules:
# modulepath /usr/lib64/openldap

# Modules available in openldap-servers-overlays RPM package
# Module syncprov.la is now statically linked with slapd and there
# is no need to load it here
# moduleload accesslog.la
# moduleload auditlog.la
# moduleload denyop.la
# moduleload dyngroup.la
# moduleload dynlist.la
# moduleload lastmod.la
# moduleload pcache.la

moduleload ppolicy.la
moduleload syncprov.la
moduleload accesslog.la
moduleload auditlog.la

#logging level
loglevel -1
logfile /var/log/slapd.log
# moduleload refint.la
# moduleload retcode.la
# moduleload rwm.la
# moduleload smbk5pwd.la
# moduleload translucent.la
# moduleload unique.la
# moduleload valsort.la

# modules available in openldap-servers-sql RPM package:
# moduleload back_sql.la

# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by changing to
# /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it. Your client software
# may balk at self-signed certificates, however.

#TLSCipherSuite SECURE256:!AES-128-CBC:!ARCFOUR-128:!CAMELLIA-128-CBC:!3DES-CBC:!CAMELLIA-128-CBC
TLSProtocolMin 3.2
TLSCipherSuite HIGH:MEDIUM:+TLSv1.2:!RC4
TLSCertificateFile /etc/openldap/cacerts/ldapsrv.crt
TLSCertificateKeyFile /etc/openldap/cacerts/ldap.key
TLSCACertificateFile /etc/openldap/cacerts/ca.crt

# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

disallow bind_anon

access to attrs=userPassword
by self write
by dn.base="cn=mirrormode,dc=rnd,dc=com" read
by dn.base="cn=binduser,dc=rnd,dc=com" read
by * auth

access to *
by dn.base="cn=mirrormode,dc=rnd,dc=com" read
by dn.base="cn=binduser,dc=rnd,dc=com" read
by * break

access to *
by dn="cn=Manager,dc=rnd,dc=com"
by users read
by self write
by * auth

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database bdb

# DIT will act as a provider
overlay syncprov

suffix "dc=rnd,dc=com"
rootdn "cn=Manager,dc=rnd,dc=com"
rootpw {SSHA}KOXKk4vkP1X3nF2GY09MQXiaAdxkLyk7

# PPolicy Configuration
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=rnd,dc=com"
ppolicy_use_lockout

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub

Thanks & Regards
Raj

From: PRAJITH <prajithpalakkuda@gmail.com>
To: Rajagopal Rc <rajagopal.rc@tcs.com>
Cc: openldap-technical@openldap.org
Date: 11/22/2015 09:55 AM
Subject: Re: Problem with "force user to password reset at first login
Sent by: "openldap-technical" <openldap-technical-bounces@openldap.org>

Hi Rajagopal,

Can you confirm the below points?

1) let us know the client application are you using.
2) Paste here your slapd.conf file.

On 20 November 2015 at 13:16, Rajagopal Rc <rajagopal.rc@tcs.com> wrote:
Hi, I am trying to force users to change their password at first login or after password reset by administrator. Tried following: 1)Password policy 'pwdMustChange TRUE' doesn't seems to be working as non of the users get prompt to change their password at first login. 2) used the 'pwdReset TRUE' attribute in users attributes, and it won't prompt to change the password and didn't allow to login i observe below messages in log "slapd[12684]: connection restricted to password changing only slapd[12684]: send_ldap_result: err=50 matched="" text="Operations are restricted to bind/unbind/abandon/StartTLS/modify password" slapd[12684]: conn=1053 op=1 SEARCH RESULT tag=101 err=50 nentries=0 text=Operations are restricted to bind/unbind/abandon/StartTLS/modify password" Please help me configure the option to force all users to change their password at first login or after pwd reset by administrator.

Thanks & Regards
Raj
Tata Consultancy Services
Mailto: rajagopal.rc@tcs.com
Website: http://www.tcs.com
____________________________________________
Experience certainty. IT Services
Business Solutions
Consulting
____________________________________________
=====-----=====-----=====
Notice: The information contained in this e-mail
message and/or attachments to it may contain
confidential or privileged information. If you are
not the intended recipient, any dissemination, use,
review, distribution, printing or copying of the
information contained in this e-mail message
and/or attachments to it are strictly prohibited. If
you have received this communication in error,
please notify us by reply e-mail or telephone and
immediately and permanently delete the message
and any attachments. Thank you

References:
- Problem with "force user to password reset at first login
  - From: Rajagopal Rc <rajagopal.rc@tcs.com>
- Re: Problem with "force user to password reset at first login
  - From: PRAJITH <prajithpalakkuda@gmail.com>

Prev by Date: Re: Trying to set up multimaster syncrepl, error attribute 'olcTLSCertificateFile' not allowed , why?
Next by Date: Re: Multiple certificates in slapd
Index(es):
- Chronological
- Thread