
Re: How to make ldappasswd obey password policy restrictions?



Hello Clement,

18.02.2011 13:28, Clément OUDOT writes:
> Hello Konstantin,
> 
> the rootdn bypass password policy, so do not use rootdn in your
> ldappasswd command.

Indeed, using the same DN for authentication, the password policy
prevented the wrong action.

Thank you.
Sincerely,
Konstantin

> 
> Clément.
> 
> 2011/2/18, Konstantin Boyandin <temmokan@gmail.com>:
>> Greetings,
>>
>> Given: OpenLDAP: 2.4.23, password policy module enabled, default
>> password policy loaded as
>>
>> dn: cn=default,ou=Policies,dc=example,dc=com
>> cn: default
>> objectClass: pwdPolicy
>> objectClass: person
>> objectClass: top
>> pwdAllowUserChange: TRUE
>> pwdAttribute: userPassword
>> pwdCheckQuality: 0
>> pwdExpireWarning: 600
>> pwdFailureCountInterval: 30
>> pwdGraceAuthNLimit: 5
>> pwdInHistory: 5
>> pwdLockout: TRUE
>> pwdLockoutDuration: 30
>> pwdMaxAge: 7776000
>> pwdMaxFailure: 5
>> pwdMinAge: 0
>> pwdMinLength: 5
>> pwdMustChange: FALSE
>> pwdSafeModify: FALSE
>> sn: dummy value
>>
>> Authentication is set via LDAP (.
>> The problem: when I try to set a password via ldappasswd, using a command
>> like this:
>>
>> ldappasswd -e ppolicy -W -x -D "cn=Manager,dc=example,dc=com" \
>>  -H ldap://127.0.0.1/ -A -S "uid=testuser,ou=Users,dc=example,dc=com"
>>
>> it bypasses password policy settings - I can set the same password, can
>> set the previously used password. It doesn't matter whether I specify
>> '-e ppolicy' or not.
>>
>> However, when I try to change password with passwd (authentication is
>> set via LDAP, /etc/ldap.conf contains 'pam_password exop'):
>>
>> passwd testuser
>>
>> the password policy restrictions are in effect. I am not allowed to set
>> the same password, to set previous or similar password etc.
>>
>> Is it possible to make ldappasswd observe password policy restrictions?
>>
>> Thanks.
>> Sincerely,
>> Konstantin
>>
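The point of the thread is that slapd's ppolicy overlay is not applied to operations performed by the rootdn, so a password change bound as cn=Manager is accepted regardless of pwdInHistory, pwdMinLength and the rest, while the same Password Modify extended operation bound as the user (which is what "pam_password exop" does) is checked. The wrapper below is an added example, not code from the thread or from OpenLDAP: it refuses to run ldappasswd when the bind DN is the rootdn and otherwise issues the self-service form of the command with the ppolicy control. The rootdn value cn=Manager,dc=example,dc=com and the server URI ldap://127.0.0.1/ are taken from the quoted command, the DRY_RUN switch and the DN normalisation are my assumptions, and real DN comparison (RFC 4517 matching) is more involved than the case fold and whitespace strip done here.

```shell
#!/bin/sh
# Added example (not from the thread): change an LDAP password with ldappasswd
# while making sure the bind DN is NOT the rootdn, because slapd's ppolicy
# overlay does not enforce password policy on operations done by the rootdn.
#
# Assumptions: rootdn is cn=Manager,dc=example,dc=com (the DN used in the
# thread), slapd listens on ldap://127.0.0.1/, ldappasswd is on PATH.
# Set DRY_RUN=1 to print the ldappasswd argument list instead of running it.

ROOTDN="cn=Manager,dc=example,dc=com"
LDAP_URI="ldap://127.0.0.1/"

# Crude DN normalisation for comparison: fold case, drop whitespace around
# commas. Enough to recognise the rootdn; not a full RFC 4517 DN match.
norm_dn() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/[[:space:]]*,[[:space:]]*/,/g'
}

# Exit status 0 when binding as $1 would bypass ppolicy (it is the rootdn).
bypasses_ppolicy() {
    [ "$(norm_dn "$1")" = "$(norm_dn "$ROOTDN")" ]
}

# Run ldappasswd, or just print its arguments when DRY_RUN is set.
run_ldappasswd() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        ldappasswd "$@"
    fi
}

# change_password BINDDN TARGETDN
# Refuses a rootdn bind (status 2). Otherwise runs ldappasswd with the ppolicy
# control (-e ppolicy) so policy failures are reported, prompting for the bind
# password (-W), the current password (-A) and the new password (-S).
change_password() {
    binddn=$1
    target=$2
    if bypasses_ppolicy "$binddn"; then
        echo "refusing: $binddn is the rootdn, ppolicy would not be enforced" >&2
        return 2
    fi
    run_ldappasswd -x -e ppolicy -H "$LDAP_URI" -D "$binddn" -W -A -S "$target"
}

# Self-service change: bind as the very user whose password is being changed,
# which is the configuration the thread ends up recommending.
self_service_change() {
    change_password "$1" "$1"
}

# Stand-alone usage (commented out so sourcing this file has no side effects):
# self_service_change "uid=testuser,ou=Users,dc=example,dc=com"
```

For an administrator-driven reset the same rule applies: bind as an ordinary administrative entry that has ACL write access to userPassword rather than as the rootdn, otherwise none of the pwdPolicy attributes shown above are checked.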