Openldap doesn't force password change and other related problems



Hello All,

I probably have something misconfigured on my openldap server, but it seems that this is not so easy to debug (for me). 

I use openldap 2.4.23 with ppolicy and accesslog overlays.

I have the following behaviours:
- when pwdMustChange and pwdReset are set to TRUE, after login the user is not prompted to change the password; however, if I run:

[def_auditor@localhost fbelli]$ ldapwhoami -x -e ppolicy -D uid=def_auditor,ou=people,dc=pippo,dc=com -w ****** -ZZ -H ldap://mkernel
ldap_bind: Success (0); Password must be changed (Password expires in 0 seconds)
dn:uid=def_auditor,ou=people,dc=pippo,dc=com

- When fewer than pwdExpireWarning seconds remain and the user authenticates (bash shell or ldapsearch), he doesn't get any warning.

- When the password is expired and the user uses one of his pwdGraceAuthNLimit logins, he doesn't get any warning (but he will get locked out after).

It looks like, for some reason, the openldap server doesn't send warnings back to the user. However, if the user tries to change the password to one that doesn't match the policy, he gets the correct warnings.

Following is my standard password policy:

dn: ou=Policies,dc=aivp,dc=vtp
ou: Policies
description: Directory policies.
objectClass: organizationalUnit

dn: cn=Standard,ou=Policies,dc=aivp,dc=vtp
cn: Standard
description: Standard password policy.
pwdAttribute: 2.5.4.35
pwdMinAge: 172800
pwdMaxAge: 5184000
pwdCheckQuality: 1
pwdCheckModule: check_password.so
pwdMinLength: 8
pwdExpireWarning: 604800
pwdGraceAuthNLimit: 1
pwdInHistory: 20
pwdLockout: TRUE
pwdLockoutDuration: 900
pwdMaxFailure: 3
pwdFailureCountInterval: 1200
pwdMustChange: TRUE
objectClass: device
objectClass: pwdPolicy
objectClass: pwdPolicyChecker

Overlay configuration:

dn: olcOverlay={2}ppolicy
objectClass: olcPPolicyConfig
objectClass: olcOverlayConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=Standard,ou=Policies,dc=aivp,dc=vtp
olcPPolicyUseLockout: TRUE
olcPPolicyHashCleartext: TRUE

And an example of a user when first inserted:

dn: uid=def_auditor,ou=people,dc=aivp,dc=vtp
cn: def_auditor
gidnumber: 601
homedirectory: /home/def_auditor
loginshell: /bin/bash
objectclass: account
objectclass: posixAccount
objectclass: top
uid: def_auditor
uidnumber: 634
userPassword:: ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ=
pwdReset: TRUE

Thanks in advance for any advice

Best Regards,

Francesco Belli
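Added example, not part of the post above: a small Python script that reads a pwdPolicy entry such as cn=Standard (a constructed copy of the post's values is embedded as sample input), computes what state ppolicy should report for a user given pwdChangedTime, pwdReset and the number of grace logins already used, evaluates the pwdMaxFailure/pwdFailureCountInterval/pwdLockoutDuration lockout rule over a list of pwdFailureTime values, and parses the diagnostic text that the ldapwhoami -e ppolicy run in the post printed. The state names ("ok", "warning", "expired", "expired_no_grace", "must_change"), the helper names, and the "grace login" wording in the parser are this example's own assumptions, not OpenLDAP output formats; the timeline arithmetic follows the ppolicy attribute semantics (pwdMaxAge 0 = never expires, warning window = pwdExpireWarning seconds before expiry, pwdMustChange only takes effect when pwdReset is TRUE).

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input: the cn=Standard policy from the post, trimmed to the
# attributes this script evaluates.
POLICY_LDIF = """\
dn: cn=Standard,ou=Policies,dc=aivp,dc=vtp
cn: Standard
pwdAttribute: 2.5.4.35
pwdMinAge: 172800
pwdMaxAge: 5184000
pwdExpireWarning: 604800
pwdGraceAuthNLimit: 1
pwdLockout: TRUE
pwdLockoutDuration: 900
pwdMaxFailure: 3
pwdFailureCountInterval: 1200
pwdMustChange: TRUE
objectClass: pwdPolicy
"""

# The ldapwhoami -e ppolicy line from the post, used as a parser sample.
SAMPLE_DIAG = "ldap_bind: Success (0); Password must be changed (Password expires in 0 seconds)"


def parse_ldif_entry(text):
    """Minimal single-entry LDIF reader (no line folding). '::' values are kept base64."""
    attrs = {}
    for line in text.splitlines():
        m = re.match(r"^([\w;.-]+)(::?)\s*(.*)$", line)
        if m:
            attrs.setdefault(m.group(1), []).append(m.group(3))
    return attrs


def gtime(s):
    """GeneralizedTime as stored in pwdChangedTime / pwdFailureTime, e.g. 20110101120000Z."""
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def password_status(policy, pwd_changed_time, now, pwd_reset=False, grace_used=0):
    """State ppolicy should report for a bind at 'now' (names are this example's own)."""
    p = lambda k, d="0": policy.get(k, [d])[0]
    # pwdMustChange is only enforced for users flagged with pwdReset: TRUE.
    if p("pwdMustChange", "FALSE") == "TRUE" and pwd_reset:
        return {"state": "must_change", "seconds_left": 0}
    max_age = int(p("pwdMaxAge"))
    if max_age == 0:  # pwdMaxAge 0 means passwords never expire
        return {"state": "ok", "seconds_left": None}
    left = int((gtime(pwd_changed_time) + timedelta(seconds=max_age) - now).total_seconds())
    if left <= 0:
        grace_left = int(p("pwdGraceAuthNLimit")) - grace_used
        # With grace logins left the bind succeeds with a warning; without, it is refused.
        state = "expired" if grace_left > 0 else "expired_no_grace"
        return {"state": state, "seconds_left": left, "grace_left": max(grace_left, 0)}
    if left <= int(p("pwdExpireWarning")):  # inside the warning window
        return {"state": "warning", "seconds_left": left}
    return {"state": "ok", "seconds_left": left}


def lockout_status(policy, failure_times, now):
    """Apply pwdMaxFailure within pwdFailureCountInterval, then pwdLockoutDuration."""
    p = lambda k, d="0": policy.get(k, [d])[0]
    if p("pwdLockout", "FALSE") != "TRUE":
        return {"locked": False, "failures": 0}
    interval = int(p("pwdFailureCountInterval"))
    recent = [gtime(t) for t in failure_times
              if interval == 0 or now - gtime(t) <= timedelta(seconds=interval)]
    if len(recent) < int(p("pwdMaxFailure")):
        return {"locked": False, "failures": len(recent)}
    duration = int(p("pwdLockoutDuration"))
    unlock_at = max(recent) + timedelta(seconds=duration)
    # pwdLockoutDuration 0 means locked until an administrator resets the account.
    return {"locked": duration == 0 or now < unlock_at, "failures": len(recent), "unlock_at": unlock_at}


def parse_ppolicy_diag(line):
    """Pull the error text and numbers out of the client's ppolicy diagnostic line."""
    result = {"error": None, "expires_in": None, "grace_remaining": None}
    tail = line.split("; ", 1)[1] if "; " in line else ""
    result["error"] = tail.split(" (")[0].strip() or None
    m = re.search(r"Password expires in (\d+) seconds", line)
    if m:
        result["expires_in"] = int(m.group(1))
    m = re.search(r"(\d+) grace login", line)  # assumed wording, not in the post
    if m:
        result["grace_remaining"] = int(m.group(1))
    return result


if __name__ == "__main__":
    policy = parse_ldif_entry(POLICY_LDIF)
    now = datetime(2011, 1, 1, tzinfo=timezone.utc)
    print(password_status(policy, "20101105000000Z", now))           # warning window
    print(password_status(policy, "20101201000000Z", now, pwd_reset=True))
    print(parse_ppolicy_diag(SAMPLE_DIAG))
```

Run it as-is to see the three states for the sample policy; to check a real entry, feed the output of an ldapsearch for pwdChangedTime, pwdReset, pwdGraceUseTime and pwdFailureTime into the same functions and compare with what the client reports.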