Re: PPolicy error.




On Mon, Oct 11, 2010 at 7:57 PM, Christian Manal <moenoel@informatik.uni-bremen.de> wrote:
On 11.10.2010 16:06, Meghanand Acharekar wrote:
> On Mon, Oct 11, 2010 at 7:08 PM, Christian Manal <
> moenoel@informatik.uni-bremen.de> wrote:
>
>> On 11.10.2010 15:25, Meghanand Acharekar wrote:
>>> On Mon, Oct 11, 2010 at 6:42 PM, Christian Manal <
>>> moenoel@informatik.uni-bremen.de> wrote:
>>>
>>>> On 11.10.2010 14:41, Meghanand Acharekar wrote:
>>>>> Hi,
>>>>>
>>>>> I am using ppolicy overlay to enforce password policies.
>>>>> Following is my ppolicy configuration/ldif.
>>>>>
>>>>> dn: cn=policies,dc=example,dc=com
>>>>> objectClass: top
>>>>> objectClass: device
>>>>> objectClass: pwdPolicy
>>>>> cn: policies
>>>>> pwdAttribute: userPassword
>>>>> pwdMaxAge: 7516800
>>>>> pwdExpireWarning: 432000
>>>>> pwdInHistory: 6
>>>>> pwdCheckQuality: 1
>>>>> pwdMinLength: 8
>>>>> pwdMaxFailure: 4
>>>>> pwdLockout: TRUE
>>>>> pwdLockoutDuration: 1920
>>>>> pwdGraceAuthNLimit: 0
>>>>> pwdFailureCountInterval: 0
>>>>> pwdMustChange: TRUE
>>>>> pwdAllowUserChange: TRUE
>>>>> pwdSafeModify: FALSE
>>>>>
>>>>> While changing the password on first login I got the following error.
>>>>>
>>>>> WARNING: Your password has expired.
>>>>> You must change your password now and login again!
>>>>> Changing password for user prasad.
>>>>> Enter login(LDAP) password:
>>>>> New UNIX password:
>>>>> Retype new UNIX password:
>>>>> LDAP password information update failed: Constraint violation
>>>>> Password is too young to change
>>>>> passwd: Permission denied
>>>>> Connection to myhost closed.
>>>>>
>>>>> Thanks in advance
>>>>> Meghanand N Acharekar.
>>>>>
>>>>
>>>>
>>>> Hi,
>>>>
>>>> when you set 'pwdCheckQuality: 1', you require a module to actually
>>>> check the quality of the password. See slapo-ppolicy(5) and look at the
>>>> pwdPolicyChecker/pwdCheckModule parts.
>>>>
>>>>
>>>>
>>> Hello
>>>
>>> After setting pwdReset TRUE in the user attribute, I'm getting another error.
>>>
>>> LDAP password information update failed: Constraint violation
>>> Password fails quality checking policy
>>> passwd: Permission denied
>>> Connection to myhost closed.
>>>
>>> Is it mandatory to use this module if we want to enforce password policies?
>>> Any idea?
>>>
>>>
>>>> Regards,
>>>> Christian Manal
>>>>
>>>
>>
>> The 'Constraint violation' error means that the new password does not
>> conform to the quality requirements, or in your case, the quality could
>> not be verified at all. As I said, if you want to use
>>
>>   pwdCheckQuality: 1
>>
>> you *need* a pwdCheckModule to run the password through, or you will
>> always get a constraint violation.
>>
>>
> Okies, if I use a simple password it prompts me as follows.
>
> WARNING: Your password has expired.
> You must change your password now and login again!
> Changing password for user test
> Enter login(LDAP) password:
> New UNIX password:
> BAD PASSWORD: it does not contain enough DIFFERENT characters
> New UNIX password:
> BAD PASSWORD: it is based on a dictionary word
> New UNIX password:
> Retype new UNIX password:
> LDAP password information update failed: Constraint violation
> Password fails quality checking policy
>

I think the "BAD PASSWORD" messages are coming from your PAM stack.
pam_cracklib, or something, may check the password quality, before
passing it to pam_ldap. But that doesn't have anything to do with the
quality checking of slapo-ppolicy.


Update.
I was not able to compile the check_password.c file, due to limited time.
Finally I removed pwdCheckQuality & pwdMinLen from ppolicy, and
now have a configuration which relies on pam_cracklib on the individual systems for password quality checks and on slapd-ppolicy for the rest.

I will try the compilation of check_password.c further when I find enough time ;) .

Thanks to all


> By the way I found check_password.c file here
> https://ltb-project.org/svn/openldap-ppolicy-check-password/trunk/
> I will compile it to generate check_password.so file and update you.
>
>
>> Regards,
>> Christian Manal
>>
>
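
An added example, not part of the original message or of OpenLDAP: a small Python lint for a pwdPolicy LDIF entry that reports the quality-checking situations this thread goes through (pwdCheckQuality set without a pwdCheckModule, and the final setup where quality is left to pam_cracklib on each host). The function names and finding codes are made up for illustration; the attribute meanings follow slapo-ppolicy(5).

```python
# Added example: lint a pwdPolicy entry for the quality-check settings in this thread.
# Handles plain "attr: value" LDIF lines only (no base64 "::" values, no folded lines).

THREAD_POLICY = """\
dn: cn=policies,dc=example,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: policies
pwdAttribute: userPassword
pwdCheckQuality: 1
pwdMinLength: 8
"""  # the poster's entry, trimmed to the attributes this lint reads


def parse_entry(ldif):
    """Return {lower-cased attribute: [values]} for a single LDIF entry."""
    entry = {}
    for line in ldif.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def lint_policy(entry):
    """Return a list of (code, message) findings about password quality checking."""
    findings = []
    classes = {c.lower() for c in entry.get("objectclass", [])}
    quality = int(entry.get("pwdcheckquality", ["0"])[0])  # absent means 0
    module = entry.get("pwdcheckmodule", [""])[0]
    if quality == 0:
        findings.append(("no-server-check", "slapd does no quality check; "
                         "quality depends on each client, e.g. pam_cracklib"))
        if "pwdminlength" in entry:
            findings.append(("minlength-unused", "pwdMinLength needs pwdCheckQuality 1 or 2"))
    elif not module:
        findings.append(("no-check-module", "pwdCheckQuality is set but no pwdCheckModule "
                         "(such as check_password.so) is configured"))
    if module and "pwdpolicychecker" not in classes:
        findings.append(("missing-objectclass", "pwdCheckModule requires objectClass pwdPolicyChecker"))
    if module and quality == 0:
        findings.append(("module-unused", "pwdCheckModule is only called when pwdCheckQuality is 1 or 2"))
    return findings


if __name__ == "__main__":
    for code, message in lint_policy(parse_entry(THREAD_POLICY)):
        print(f"{code}: {message}")
```
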