[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Configuring ppolicy problem

To: openldap-technical@openldap.org
Subject: Re: Configuring ppolicy problem
From: cbulist <cbulist@gmail.com>
Date: Wed, 29 Aug 2012 13:52:04 -0500
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=THJir8rMxoGwqUnuOBxRQfFgsSzCUMlhor1w/7pWfIw=; b=k/Zdr9DgngfetSik/OEaDBwU2mCvhCFsYLeTcdVULgGf4wl08KDUAjnY5VMcJWRLJd hueuXaf4Kg+RKY2ljQowTOaiokEIY308T8VrDfP0W0ZwsUAMF4DGyjcw9M2pZY0wy3jU 4PIfUDmKhDb3+TkqCkLpJf6e7PJJme4wJQkpNOMeDczmYXFYE6mpmUcYwZS/Vb7HlhOK gity6J030IDFWVZQTo/sw6JFCi6IsXxGPBY76mmF3cniQdCz+68cUicMpNe9u/PN8WJq zBF199aIqfWMvZ6g1W5MsrY/N5yQ9QyD0rEUAuEYBruvKruwxMPqHw9XefrexsbViSdj GTYg==
In-reply-to: <503E5C1C.4010202@gmail.com>
References: <503BE6E7.4000809@gmail.com> <AEC8A374AE8AA74E85723C695791A2D090F0F57D52@CARNELIAN.ad.northcentral.edu> <503E3798.5000301@gmail.com> <503E5C1C.4010202@gmail.com>
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.24) Gecko/20111108 Fedora/3.1.16-1.fc14 Thunderbird/3.1.16

Thanks Clement and Guillaume for your reply.

This is my operational attributes for my user:

dn: cn=user1,ou=policies,dc=samle,dc=com
objectClass: pwdPolicy
objectClass: top
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
cn: user1
pwdAttribute: userPassword
sn: user1
uid: user1
pwdAllowUserChange: TRUE
pwdExpireWarning: 10
pwdLockout: TRUE
pwdMaxAge: 15
pwdMustChange: TRUE


Guillaume:

I know that my access configuration is dangereous but how I am testing Ijust want to be sure don't block anything.If I understood your concept I can't use pwdPolicy for unix account. Isthere any way to control password history with shadowAccount?..


Thanks!






On 08/29/2012 01:14 PM, Guillaume Rousse wrote:

Le 29/08/2012 17:39, cbulist a écrit :
Hi,

I got stuck with this problem. I'm able to change the user password
using shadowAccount objectClass but I can't do the same using pwdPolicy
objectClass.
It doesn't means anything: you don't change attributes using a objectclass. Morevoer, you seem to be confusing two different concepts:
The shadowAccount object class is just a placeholder for unix-specificattributes, that will get used client side by some specific ldapclients, such as pam_ldap for instance. It is supposed to be used foruser entries, already instances of posixAccount object class.
The pwdPolicy object class is a placeholder for ldap-specificsattributes, that will get honored on server side. It is supposed to bethe main class of a password policy entry, to be applied on user entries.
I set ppolicy attribute in order to get the password
expired message:

pwdExpireWarning 10
pwdMaxAge 15
pwdMustChange TRUE
pwdAllowUserChange TRUE
pwdLockout TRUE
On which object ?
slapd.conf:

include    /etc/openldap/schema/ppolicy.schema

moduleload    ppolicy.la

access to attrs=userPassword
  by self write
  by users read
  by anonymous auth
This is a quite dangereous setting, and defeat the whole purpose ofshadow passwords: all users can read other users password hashes.

Follow-Ups:
- Re: Configuring ppolicy problem
  - From: Guillaume Rousse <guillomovitch@gmail.com>

References:
- Configuring ppolicy problem
  - From: cbulist <cbulist@gmail.com>
- RE: Configuring ppolicy problem
  - From: Andy Poirier <atpoirie@northcentral.edu>
- Re: Configuring ppolicy problem
  - From: cbulist <cbulist@gmail.com>
- Re: Configuring ppolicy problem
  - From: Guillaume Rousse <guillomovitch@gmail.com>

Prev by Date: Re: Configuring ppolicy problem
Next by Date: Re: Configuring ppolicy problem
Index(es):
- Chronological
- Thread