[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Configuring ppolicy problem



Guillaume,

I did a test with your suggestion and now It is working when I change the pwdMaxAge to some short time as 15 seconds but I don't receive any message invite me to change the password or any warning message for expiration time.
I see the follow message in debug mode:

uid=user1,ou=People,dc=sample,dc=com  has an expired password

I set the attributes in default Policies:

pwsGraceAuthNLimit: 2
pwdAllowUserChange: TRUE
pwdExpireWarning: 10
pwdLockout: TRUE
pwdMaxAge: 15
pwdMustChange: TRUE

In my ldap client I have set:
pam_lookup_policy yes

Do I have to change something in PAM?

Thanks in advance!

On 08/29/2012 03:59 PM, Guillaume Rousse wrote:
Le 29/08/2012 20:52, cbulist a écrit :
Thanks Clement and Guillaume for your reply.

This is my operational attributes for my user:

dn: cn=user1,ou=policies,dc=samle,dc=com
objectClass: pwdPolicy
objectClass: top
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
cn: user1
pwdAttribute: userPassword
sn: user1
uid: user1
pwdAllowUserChange: TRUE
pwdExpireWarning: 10
pwdLockout: TRUE
pwdMaxAge: 15
pwdMustChange: TRUE
Those are plain attributes, not *operational* attributes.

Guillaume:
I know that my access configuration is dangereous but how I am testing I
just want to be sure don't block anything.
If I understood your concept I can't use pwdPolicy for unix account. Is
there any way to control password history with shadowAccount?..
Not with shadowAccount, but with password policy. Just create a pwdPolicy object, instance of pwdPolicy class, and apply it to either all your users, through slapd.conf ppolicy_default setting, or just to some of your users, through its operational pwdPolicySubentry attribute.

Basically, you should have distinct user and policy objects, such as:

dn: cn=user1,ou=users,dc=samle,dc=com
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
cn: user1
sn: user1
uid: user1
userPassword: XXXX

dn: cn=default,ou=policies,dc=samle,dc=com
objectClass: pwdPolicy
objectClass: top
pwdAllowUserChange: TRUE
pwdExpireWarning: 10
pwdLockout: TRUE
pwdMaxAge: 15
pwdMustChange: TRUE