Re: Configuring ppolicy problem
- To: openldap-technical@openldap.org
- Subject: Re: Configuring ppolicy problem
- From: Guillaume Rousse <guillomovitch@gmail.com>
- Date: Wed, 29 Aug 2012 20:14:52 +0200
- In-reply-to: <503E3798.5000301@gmail.com>
- References: <503BE6E7.4000809@gmail.com> <AEC8A374AE8AA74E85723C695791A2D090F0F57D52@CARNELIAN.ad.northcentral.edu> <503E3798.5000301@gmail.com>
- User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:14.0) Gecko/20120718 Thunderbird/14.0
On 29/08/2012 17:39, cbulist wrote:
> Hi,
> I got stuck with this problem. I'm able to change the user password
> using shadowAccount objectClass but I can't do the same using pwdPolicy
> objectClass.
It doesn't mean anything: you don't change attributes using an object
class. Moreover, you seem to be confusing two different concepts:
The shadowAccount object class is just a placeholder for unix-specific
attributes, that will get used client side by some specific ldap
clients, such as pam_ldap for instance. It is supposed to be used for
user entries, already instances of posixAccount object class.
The pwdPolicy object class is a placeholder for ldap-specific
attributes, that will get honored on server side. It is supposed to be
the main class of a password policy entry, to be applied on user entries.
> I set ppolicy attributes in order to get the password
> expired message:
> pwdExpireWarning 10
> pwdMaxAge 15
> pwdMustChange TRUE
> pwdAllowUserChange TRUE
> pwdLockout TRUE
On which object?
> slapd.conf:
> include /etc/openldap/schema/ppolicy.schema
> moduleload ppolicy.la
> access to attrs=userPassword
>     by self write
>     by users read
>     by anonymous auth
This is a quite dangerous setting, and defeats the whole purpose of
shadow passwords: all users can read other users' password hashes.
--
BOFH excuse #68:
only available on a need to know basis
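As an added example, not part of this thread or of OpenLDAP's own documentation: a slapd.conf fragment that loads the ppolicy overlay inside the database section, points it at a default pwdPolicy entry, and replaces the quoted ACL with one where only the owner can write userPassword and nobody can read the hash, followed by the LDIF of that policy entry carrying the attribute values from the poster's message (pwdMaxAge and pwdExpireWarning are in seconds). The suffix, the DNs, the backend type and the directory path are assumptions.

```conf
# --- slapd.conf (fragment) ---
include     /etc/openldap/schema/core.schema
include     /etc/openldap/schema/cosine.schema
include     /etc/openldap/schema/nis.schema
include     /etc/openldap/schema/ppolicy.schema
moduleload  ppolicy.la

# Backend, suffix and directory are assumptions for this example.
database    hdb
suffix      "dc=example,dc=com"
rootdn      "cn=admin,dc=example,dc=com"
directory   /var/lib/ldap

# The overlay must be declared inside the database section; ppolicy_default
# names the pwdPolicy entry applied to every user without a pwdPolicySubentry.
overlay         ppolicy
ppolicy_default "cn=default,ou=policies,dc=example,dc=com"

# userPassword: the owner may change it, anyone may bind with it,
# nobody (authenticated users included) may read the hash.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

access to *
    by self write
    by users read
    by * none

# --- policy.ldif: the entry ppolicy_default refers to ---
# pwdPolicy is an auxiliary class, so a structural class is needed as well.
dn: cn=default,ou=policies,dc=example,dc=com
objectClass: person
objectClass: pwdPolicy
cn: default
sn: default
pwdAttribute: userPassword
pwdMaxAge: 15
pwdExpireWarning: 10
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdLockout: TRUE
```

The ou=policies container must exist before the policy entry is added, and slapd has to be restarted after the slapd.conf change for the overlay and the new ACL to take effect.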