
Password policy questions



Hi,

looks like I've successfully configured the ppolicy overlay, but
I have some questions.

The relevant config:

olcModuleLoad: {0}ppolicy
structuralObjectClass: olcModuleList

dn: olcOverlay={2}ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: {2}ppolicy
olcPPolicyDefault: cn=default,ou=pwpolicies,dc=hu
olcPPolicyHashCleartext: FALSE
olcPPolicyUseLockout: FALSE

dn: cn=default,ou=pwpolicies,dc=hu
cn: default
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
objectClass: device
pwdAllowUserChange: TRUE
pwdInHistory: 5
pwdMinLength: 10
pwdAttribute: userPassword
pwdCheckQuality: 0


When I change my passwd with ldappasswd, the history check works:

ldappasswd -H ldaps://dev-ldap-01:636 -W -D uid=airween,ou=Users,ou=company,dc=comp,DC=hu -S
New password: 
Re-enter new password: 
Enter LDAP Password: 
Result: Constraint violation (19)
Additional info: Password is in history of old passwords

but I can set a new password with fewer than 10 characters, e.g.
"abc". What am I missing?


I've never read it, but it looks like the policy takes effect only
when I'm changing the passwd with 'ldappasswd', but when I'm using
ldapmodify, then I can bypass the rules.

ldapmodify -H ldaps://dev-ldap-01:636 -D 'uid=airween,ou=Users,ou=company,dc=comp,dc=hu' -x -W -f file.ldif
modifying entry
"uid=airween,ou=Users,ou=company,dc=comp,DC=hu"

[DONE WITH PREV PASSWD]

Is it right?

How can I validate the policy for all methods?



Thanks,


a.
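
Added example, not part of the original message or of OpenLDAP: a Python lint for exported pwdPolicy entries, based on the behaviour documented in slapo-ppolicy(5) that syntax checks such as pwdMinLength run only when pwdCheckQuality is non-zero, and that a value of 1 accepts passwords the server cannot inspect. The function names are hypothetical; the sample entry is the policy shown in the message above.

```python
# Added example: lint pwdPolicy entries from an LDIF export (hypothetical helper names).
SAMPLE_LDIF = """\
dn: cn=default,ou=pwpolicies,dc=hu
cn: default
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
objectClass: device
pwdAllowUserChange: TRUE
pwdInHistory: 5
pwdMinLength: 10
pwdAttribute: userPassword
pwdCheckQuality: 0
"""  # policy entry copied from the message above


def parse_ldif(text):
    """Return a list of entries, each a dict of lower-cased attr -> [values]."""
    entries, current = [], {}
    unfolded = text.replace("\n ", "")  # join LDIF continuation lines
    for line in unfolded.splitlines() + [""]:
        if not line.strip():  # a blank line ends a record
            if current:
                entries.append(current)
            current = {}
        elif not line.startswith("#") and ":" in line:
            attr, _, value = line.partition(":")
            current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def lint_policy(entry):
    """Flag settings that leave quality rules unenforced, per slapo-ppolicy(5)."""
    first = lambda attr, default: entry.get(attr, [default])[0]
    quality = int(first("pwdcheckquality", "0"))  # absent is treated as 0
    min_len = int(first("pwdminlength", "0"))
    findings = []
    if min_len > 0 and quality == 0:
        findings.append("pwdMinLength=%d is ignored: pwdCheckQuality is 0" % min_len)
    if quality == 1:
        findings.append("pwdCheckQuality=1 accepts values the server cannot check (pre-hashed)")
    return findings


def lint_ldif(text):
    """Map each pwdPolicy entry's DN to its list of findings."""
    return {e["dn"][0]: lint_policy(e) for e in parse_ldif(text)
            if "pwdpolicy" in [v.lower() for v in e.get("objectclass", [])]}


if __name__ == "__main__":
    for dn, findings in lint_ldif(SAMPLE_LDIF).items():
        print(dn, findings or "ok")
```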