[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: PPolicy error.



Am 11.10.2010 15:25, schrieb Meghanand Acharekar:
> On Mon, Oct 11, 2010 at 6:42 PM, Christian Manal <
> moenoel@informatik.uni-bremen.de> wrote:
> 
>> Am 11.10.2010 14:41, schrieb Meghanand Acharekar:
>>> Hi,
>>>
>>> I am using ppolicy overlay to enforce password policies.
>>> Following is my ppolicy configuration/ldif.
>>>
>>> dn: cn=policies,dc=example,dc=com
>>> objectClass: top
>>> objectClass: device
>>> objectClass: pwdPolicy
>>> cn: policies
>>> pwdAttribute: userPassword
>>> pwdMaxAge: 7516800
>>> pwdExpireWarning: 432000
>>> pwdInHistory: 6
>>> pwdCheckQuality: 1
>>> pwdMinLength: 8
>>> pwdMaxFailure: 4
>>> pwdLockout: TRUE
>>> pwdLockoutDuration: 1920
>>> pwdGraceAuthNLimit: 0
>>> pwdFailureCountInterval: 0
>>> pwdMustChange: TRUE
>>> pwdAllowUserChange: TRUE
>>> pwdSafeModify: FALSE
>>>
>>> while changing password on first login I got following error.
>>>
>>> WARNING: Your password has expired.
>>> You must change your password now and login again!
>>> Changing password for user prasad.
>>> Enter login(LDAP) password:
>>> New UNIX password:
>>> Retype new UNIX password:
>>> LDAP password information update failed: Constraint violation
>>> Password is too young to change
>>> passwd: Permission denied
>>> Connection to myhost closed.
>>>
>>> Thanks in advance
>>> Meghanand N Acharekar.
>>>
>>
>>
>> Hi,
>>
>> when you set 'pwdCheckQuality: 1', you require a module to actually
>> check the quality of the password. See slapo-ppolicy(5) and look at the
>> pwdPolicyChecker/pwdCheckModule parts.
>>
>>
>>
> Hello
> 
> After setting pwdReset TRUE in user attribute, i'm getting another error.
> 
> LDAP password information update failed: Constraint violation
> Password fails quality checking policy
> passwd: Permission denied
> Connection to myhost closed.
> 
> Is it mandatory to use this module if we want to enforce password policies.
> Any idea.
> 
> 
>> Regards,
>> Christian Manal
>>
> 

The 'Constraint violation' error means, that the new password does not
conform to the quality requirements, or in your case, the quality could
not be verified at all. As I said, if you want to use

   pwdCheckQuality: 1

you *need* a pwdCheckModule to run the password through, or you will
always get a constraint violation.


Regards,
Christian Manal