[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: PPolicy error.

To: Meghanand Acharekar <vasco.debian@gmail.com>
Subject: Re: PPolicy error.
From: Clément OUDOT <clem.oudot@gmail.com>
Date: Tue, 19 Oct 2010 15:35:45 +0200
Cc: Christian Manal <moenoel@informatik.uni-bremen.de>, openldap-technical@openldap.org
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:in-reply-to :references:date:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=yevidbnbPrqn0TfNWBuzryfv/HftIZXv15a4Tcs3APM=; b=FoEnWfXgBRqR7o4/nk1gBwtKroXRsAWfyszveKbVcOwBoAIAs+zS3scgogLw9vQSay 47mX2E4IhdNp2PQT9Fp+evsUSjBo/2R4q5QJVyMfHg5KKFHXwlDEMOPkcOWX6rR1BsgB J8QTUAYsn+9MHWreltF526SYXyX+0qeFW7dOY=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=XmkVws1d+XxdUdlw8EUQgRET7zH8UJrpnv2vVzQtGtJCVJyVwCQlAdWkOu6crmTlEi /pk0eET7B5wXdchxaIEqSIN1SVAkHe4gW3jlRiV62IfIAMYekMmsJEzGpZm45OD6Ud8I 0hNmTf7iq0zAxwTRlfdNNikNSaLgu9BPaSRsE=
In-reply-to: <AANLkTimisnuRZ61t73P+Ui5d3U=Oh=7BcX78sjytwYoO@mail.gmail.com>
References: <AANLkTikps_7gZ0vU_0ZCt6_fBpP2uBxhCt49P=_QM9cs@mail.gmail.com> <4CB30D41.6020906@informatik.uni-bremen.de> <AANLkTinRgPapEqGUCqDNNKbbdWStyoqb3FjTH=mU+dcy@mail.gmail.com> <4CB3134A.2070800@informatik.uni-bremen.de> <AANLkTikj4vs4UsTDK5=dP+XcHicijmimhqc9NduJd8eR@mail.gmail.com> <4CB31EE4.9040103@informatik.uni-bremen.de> <AANLkTimisnuRZ61t73P+Ui5d3U=Oh=7BcX78sjytwYoO@mail.gmail.com>

2010/10/14 Meghanand Acharekar <vasco.debian@gmail.com>:
>
> On Mon, Oct 11, 2010 at 7:57 PM, Christian Manal
> <moenoel@informatik.uni-bremen.de> wrote:
>>
>> Am 11.10.2010 16:06, schrieb Meghanand Acharekar:
>> > On Mon, Oct 11, 2010 at 7:08 PM, Christian Manal <
>> > moenoel@informatik.uni-bremen.de> wrote:
>> >
>> >> Am 11.10.2010 15:25, schrieb Meghanand Acharekar:
>> >>> On Mon, Oct 11, 2010 at 6:42 PM, Christian Manal <
>> >>> moenoel@informatik.uni-bremen.de> wrote:
>> >>>
>> >>>> Am 11.10.2010 14:41, schrieb Meghanand Acharekar:
>> >>>>> Hi,
>> >>>>>
>> >>>>> I am using ppolicy overlay to enforce password policies.
>> >>>>> Following is my ppolicy configuration/ldif.
>> >>>>>
>> >>>>> dn: cn=policies,dc=example,dc=com
>> >>>>> objectClass: top
>> >>>>> objectClass: device
>> >>>>> objectClass: pwdPolicy
>> >>>>> cn: policies
>> >>>>> pwdAttribute: userPassword
>> >>>>> pwdMaxAge: 7516800
>> >>>>> pwdExpireWarning: 432000
>> >>>>> pwdInHistory: 6
>> >>>>> pwdCheckQuality: 1
>> >>>>> pwdMinLength: 8
>> >>>>> pwdMaxFailure: 4
>> >>>>> pwdLockout: TRUE
>> >>>>> pwdLockoutDuration: 1920
>> >>>>> pwdGraceAuthNLimit: 0
>> >>>>> pwdFailureCountInterval: 0
>> >>>>> pwdMustChange: TRUE
>> >>>>> pwdAllowUserChange: TRUE
>> >>>>> pwdSafeModify: FALSE
>> >>>>>
>> >>>>> while changing password on first login I got following error.
>> >>>>>
>> >>>>> WARNING: Your password has expired.
>> >>>>> You must change your password now and login again!
>> >>>>> Changing password for user prasad.
>> >>>>> Enter login(LDAP) password:
>> >>>>> New UNIX password:
>> >>>>> Retype new UNIX password:
>> >>>>> LDAP password information update failed: Constraint violation
>> >>>>> Password is too young to change
>> >>>>> passwd: Permission denied
>> >>>>> Connection to myhost closed.
>> >>>>>
>> >>>>> Thanks in advance
>> >>>>> Meghanand N Acharekar.
>> >>>>>
>> >>>>
>> >>>>
>> >>>> Hi,
>> >>>>
>> >>>> when you set 'pwdCheckQuality: 1', you require a module to actually
>> >>>> check the quality of the password. See slapo-ppolicy(5) and look at
>> >>>> the
>> >>>> pwdPolicyChecker/pwdCheckModule parts.
>> >>>>
>> >>>>
>> >>>>
>> >>> Hello
>> >>>
>> >>> After setting pwdReset TRUE in user attribute, i'm getting another
>> >>> error.
>> >>>
>> >>> LDAP password information update failed: Constraint violation
>> >>> Password fails quality checking policy
>> >>> passwd: Permission denied
>> >>> Connection to myhost closed.
>> >>>
>> >>> Is it mandatory to use this module if we want to enforce password
>> >> policies.
>> >>> Any idea.
>> >>>
>> >>>
>> >>>> Regards,
>> >>>> Christian Manal
>> >>>>
>> >>>
>> >>
>> >> The 'Constraint violation' error means, that the new password does not
>> >> conform to the quality requirements, or in your case, the quality could
>> >> not be verified at all. As I said, if you want to use
>> >>
>> >>   pwdCheckQuality: 1
>> >>
>> >> you *need* a pwdCheckModule to run the password through, or you will
>> >> always get a constraint violation.
>> >>
>> >>
>> > Okies, if I use simple password it prompts me as follows.
>> >
>> > WARNING: Your password has expired.
>> > You must change your password now and login again!
>> > Changing password for user test
>> > Enter login(LDAP) password:
>> > New UNIX password:
>> > BAD PASSWORD: it does not contain enough DIFFERENT characters
>> > New UNIX password:
>> > BAD PASSWORD: it is based on a dictionary word
>> > New UNIX password:
>> > Retype new UNIX password:
>> > LDAP password information update failed: Constraint violation
>> > Password fails quality checking policy
>> >
>>
>> I think the "BAD PASSWORD" messages are coming from your PAM stack.
>> pam_cracklib, or something, may check the password quality, before
>> passing it to pam_ldap. But that doesn't have anything to do with the
>> quality checking of slapo-ppolicy.
>>
>
> Update.
> I was not able to compile the check_password.c file,due to limited time.
> Finally I removed pwdCheckQuality & pwdMinLen from ppolicy,
> now had a configuration which relay on pam_cracklib on individual system for
> password quality checks and slapd-ppolicy for rest.
> I will further try compilation of check_password.c when find enough time ;)

Hi,

you will find some documentation here:
http://ltb-project.org/wiki/documentation/openldap-ppolicy-check-password

Clément.

References:
- PPolicy error.
  - From: Meghanand Acharekar <vasco.debian@gmail.com>
- Re: PPolicy error.
  - From: Christian Manal <moenoel@informatik.uni-bremen.de>
- Re: PPolicy error.
  - From: Meghanand Acharekar <vasco.debian@gmail.com>
- Re: PPolicy error.
  - From: Christian Manal <moenoel@informatik.uni-bremen.de>
- Re: PPolicy error.
  - From: Meghanand Acharekar <vasco.debian@gmail.com>
- Re: PPolicy error.
  - From: Christian Manal <moenoel@informatik.uni-bremen.de>
- Re: PPolicy error.
  - From: Meghanand Acharekar <vasco.debian@gmail.com>

Prev by Date: Re: Sometimes getent missing users
Next by Date: ldapadd - no such object 32
Index(es):
- Chronological
- Thread