
password policy user configuration



Hi there,

I already compiled the latest stable OpenLDAP version with these commands

# ./configure \
    --program-prefix=/usr/local/ldap \
    --enable-bdb \
    --enable-modules \
    --enable-overlays=yes \
    --enable-backends=yes \
    --disable-ipv6 \
    --with-cyrus-sasl \
    --with-tls \
    --disable-sql

# make depend; make; make install

and after running the make test command, I saw that everything was OK, so
I can start slapd with the ppolicy module included.

When I include the pwdPolicy objectclass in the user configuration I can see
several pwd parameters, but after setting some values, I can't see this
policy working. I mean, in my user below, I set "pwdInHistory = 6",
but when I try to change their password, OpenLDAP does not check this
value.

Here are the commands used to change passwords

ldappasswd -w test1234 -a test1234 -s 5432test -x \
    -H ldap://192.168.248.164 -D uid=test,ou=orgunit,o=org
ldappasswd -w 5432test -a 5432test -s test1234 -x \
    -H ldap://192.168.248.164 -D uid=test,ou=orgunit,o=org

I can execute these commands ad aeternum, with no error messages from
the LDAP server telling me that my password is not OK. According to my
configuration I would use 7 different passwords (6 in history + 1 to
change).
And I can change this password faster than it expires (according to the
configuration below, "pwdMinAge: 30" tells me to wait 30 seconds to
change my password).


User definition
dn: uid=test,ou=orgunit,o=org
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
objectClass: shadowAccount
objectClass: person
objectClass: pwdPolicy
loginShell: /bin/bash
givenName: test
sn: test-test
displayName: test test-test
uid: test
homeDirectory: /home/test
shadowFlag: 0
shadowMax: 35
shadowWarning: 7
shadowInactive: 99999
shadowExpire: 99999
cn: test test-test
uidNumber: 12190
gidNumber: 25023
shadowMin: 10
pwdAttribute: userPassword
pwdMinAge: 30
pwdMaxAge: 120
pwdInHistory: 3
pwdMinLength: 8
pwdExpireWarning: 60
pwdLockout: TRUE
pwdLockoutDuration: 60
pwdMaxFailure: 2
pwdSafeModify: TRUE
shadowLastChange: 14006
pwdMustChange: FALSE
userPassword: {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX


Does anybody already use these pwd definitions and can explain to me
whether it is OK? I already read man 5 slapo-ppolicy and I already executed
slapindex -v after inserting these parameters as well. Man 5 does explain
all the parameters, and I set them up according to the man explanation, but
it does not work.

Thanks in advance

---
Gustavo Mendes de Carvalho
e-mail: gmcarvalho@gmail.com