[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: password policy user configuration
Gustavo, look this
http://www.openldap.org/doc/admin24/overlays.html#Password%20Policies
You will see a nice example at
http://www.connexitor.com/forums/viewtopic.php?f=6&t=25
Att,
Jarbas
2008/5/10 Gustavo Mendes de Carvalho <gmcarvalho@gmail.com>:
> No tips or tricks ?
>
>
> ---
> Gustavo Mendes de Carvalho
> email: gmcarvalho@gmail.com
>
> -----Mensagem original-----
> De: Gustavo Mendes de Carvalho [mailto:gmcarvalho@gmail.com]
> Enviada em: quarta-feira, 7 de maio de 2008 17:59
> Para: openldap-technical@openldap.org
> Assunto: password policy user configuration
>
>
> Hi there,
>
> I already compiled last openldap stable version with this commands
>
> # ./configure
> --program-prefix=/usr/local/ldap
> --enable-bdb
> --enable-modules
> --enable-overlays=yes
> --enable-backends=yes
> --disable-ipv6
> --with-cyrus-sasl
> --with-tls
> --disable-sql
>
> # make depend; make; make install
>
> and after running make test command, I saw that everything was OK, so I can
> start slapd with ppolicy module included.
>
> When I include pwdPolicy objectclass in user configuration I can see several
> pwd parameters, but after set some values, I can't see this policy working.
> I mean, in my user bellow, I set "pwdInHistory = 6", but when I try to
> change their password, OpanLDAP do not check this value.
>
> Here is command used to change passwords. I can execute them as fast as I
> can copy and paste them
>
>
>
> ldappasswd -w test1234 -a test1234 -s 5432test -x -H ldap://192.168.248.164
> -D uid=test,ou=orgunit,o=org ldappasswd -w 5432test -a 5432test -s test1234
> -x -H ldap://192.168.248.164 -D uid=test,ou=orgunit,o=org
> ...
>
> I can execute this commands ad eternum, with no error messages from LDAP
> server telling me that my password is not OK. According with my
> configuration I would use 7 different passwords (6 in history +1 to
> change)
> And I can change this password faster than it expires (according with
> configuration bellow "pwdMinAge: 30" tells me to wait 30 seconds to change
> my password)
>
>
> User definition
> dn: uid=test,ou=orgunit,o=org
> objectClass: posixAccount
> objectClass: top
> objectClass: inetOrgPerson
> objectClass: shadowAccount
> objectClass: person
> objectClass: pwdPolicy
> loginShell: /bin/bash
> givenName: test
> sn: test-test
> displayName: test test-test
> uid: test
> homeDirectory: /home/test
> shadowFlag: 0
> shadowMax: 35
> shadowWarning: 7
> shadowInactive: 99999
> shadowExpire: 99999
> cn: test test-test
> uidNumber: 12190
> gidNumber: 25023
> shadowMin: 10
> pwdAttribute: userPassword
> pwdMinAge: 30
> pwdMaxAge: 120
> pwdInHistory: 3
> pwdMinLength: 8
> pwdExpireWarning: 60
> pwdLockout: TRUE
> pwdLockoutDuration: 60
> pwdMaxFailure: 2
> pwdSafeModify: TRUE
> shadowLastChange: 14006
> pwdMustChange: FALSE
> userPassword: {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>
>
> Does anybody already uses this pwd definitions ann can explain me if is it
> OK ? I already read man 5 slapo-ppolicy and I already execute slapindex -v
> after insert this parameters either. Man 5 does explain all parameters, and
> I set up them according with man explanation, but it does no work.
>
> Thanks in advance
>
> ---
> Gustavo Mendes de Carvalho
> e-mail: gmcarvalho@gmail.com
>
>
>