
Re: pwdCheckQuality doesn't work

Zhang Weiwu wrote:
Dieter Kluenter wrote:
I presume that you changed userpassword as rootdn, bear in mind that
rootdn bypasses all restrictions.
Thank you very much! You are right!

I guess I put this more complete checklist for "when pwdCheckQuality
doesn't work" here for anyone who is also stuck and finds this message from


   1. RTFM slapo-ppolicy: done, 3 times;
   2. check openldap version: 2.4, newly installed on Gentoo Linux;
   3. check ppolicy overlay successfully loaded and being used: must be,
      because operational attributes like pwdFailureTime were maintained;
   4. pwdAttribute setting: correct, value is "userPassword";
   5. pwdCheckQuality: correct, value is 2 (server always checks password
   6. pwdMinLength: correct, value is 6, server does not accept passwords
      shorter than 6 characters;
   7. ppolicy_default: correctly set, because changing pwdMaxFailure on
      the default entry does have an effect;
   8. the entry being operated doesn't have pwdPolicySubentry, so
      default should be applied: correct;
   9. slapd server was restarted after all the above checks: correct;
  10. make sure you are not bound as rootdn in testing: checked;
  11. make sure you are using ldappasswd(1) rather than ldapmodify(1): checked;

result: it works!

P.S. I know people are not generally as stupid as I am, but for those really stupid, would it be nice to have this checklist also in the F.A.Q.? I know it's not really frequent, but it's easier to find it there.

Please add this to http://www.openldap.org/faq/data/cache/1204.html


Kind Regards,

Gavin Henry.

T +44 (0) 1224 279484
M +44 (0) 7930 323266
F +44 (0) 1224 824887
E ghenry@suretecsystems.com

Open Source. Open Solutions(tm).
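
The statically checkable items of the checklist in this thread (overlay loaded, ppolicy_default, pwdAttribute, pwdCheckQuality, pwdMinLength, not testing as rootdn, testing with ldappasswd), as an added example that is not part of the original thread or of OpenLDAP. The sample slapd.conf, policy entry, DNs and the function names are constructed for illustration.

```python
import re

# Constructed sample inputs (not from the original thread).
SLAPD_CONF = '''
rootdn "cn=Manager,dc=example,dc=com"
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=example,dc=com"
'''
POLICY_LDIF = '''
dn: cn=default,ou=policies,dc=example,dc=com
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdMinLength: 6
'''

def norm(dn):
    # Simplified DN comparison: case-insensitive, ignores spaces after commas.
    return re.sub(r",\s+", ",", (dn or "").strip().lower())

def parse_conf(text):
    """Pull the directives the checklist needs out of slapd.conf text."""
    conf = {"overlay": [], "rootdn": None, "ppolicy_default": None}
    for line in text.splitlines():
        m = re.match(r'\s*(\w+)\s+"?([^"#]+?)"?\s*$', line)
        if m and m.group(1).lower() == "overlay":
            conf["overlay"].append(m.group(2).lower())
        elif m and m.group(1).lower() in conf:
            conf[m.group(1).lower()] = m.group(2)
    return conf

def parse_entry(ldif):
    # Plain "attr: value" lines only; no line folding or base64 values.
    pairs = (l.partition(":") for l in ldif.splitlines() if ":" in l)
    return {a.strip().lower(): v.strip() for a, _, v in pairs}

def audit(conf_text, policy_ldif, bind_dn, tool):
    """Return the checklist items that fail for this configuration and test."""
    conf, pol = parse_conf(conf_text), parse_entry(policy_ldif)
    checks = [
        ("ppolicy overlay not loaded", "ppolicy" in conf["overlay"]),
        ("ppolicy_default does not name this policy entry",
         norm(conf["ppolicy_default"]) == norm(pol.get("dn")) != ""),
        ("pwdAttribute is not userPassword",
         pol.get("pwdattribute", "").lower() == "userpassword"),
        ("pwdCheckQuality is 0 or unset", pol.get("pwdcheckquality") in ("1", "2")),
        ("pwdMinLength is 0 or unset", pol.get("pwdminlength", "0") not in ("", "0")),
        ("test bind is rootdn, which bypasses all restrictions",
         norm(bind_dn) != norm(conf["rootdn"])),
        ("test used %s instead of ldappasswd" % tool, tool == "ldappasswd"),
    ]
    return [msg for msg, ok in checks if not ok]
```

Calling `audit(SLAPD_CONF, POLICY_LDIF, "cn=manager, dc=example,dc=com", "ldapmodify")` reports the rootdn and ldapmodify items. Items 8 and 9 of the checklist (no pwdPolicySubentry on the entry, slapd restarted) need the live directory and are not covered.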