[Date Prev][Date Next]
ppolicy pwdMinLenght, pwdAccountLockedTime and pwdLockoutDuration don't work as supposed
- To: firstname.lastname@example.org
- Subject: ppolicy pwdMinLenght, pwdAccountLockedTime and pwdLockoutDuration don't work as supposed
- From: Theo Alves <email@example.com>
- Date: Thu, 17 Mar 2011 20:31:16 -0300
- Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:date:message-id:subject:from:to :content-type; bh=nwTt6KSqRoJyBUAmyfFsQac2XkRbRx+XFWji908t+dM=; b=OvYIhL8IwUGe9NcFFGwhZ1TqR1axen7W+BHL1fJHy2HW4BfIzuw4Y0KOVvTdlMg1mv IMPt6t5M0sD15OXxN07+hRJZ5CNj2XM6YJuDfHMeRgRUqAc0C5EqIMnjArIrl4loFY5R aBs178oLPNr6w5phsRusH1Tw/2zkUYfgbCyVg=
- Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:content-type; b=UOmGCTpVheNIblZH+hGaAD+ERw+T4lSsc+e1CTDzuHhVI9Os/LyhPZu92fXnY++scP imqtHGYYbhxjwUwizuyzIZ7zSSfbNIs9/gW1lvO9yM074YE5qdogUy0vIACWNWtTs4Bt IIuTvbxpsgclFEQBgyx+J74SDAVkjf+uCeAEo=
We have 40 machines on an educational informatics lab authenticating with LDAP. I am using python ldap module as management tool. I am experiencing two problems at now. The first one is when an user access ldap by python the ppolicy pwdMinLenght doesn't work. The user can freely put a password too short. That doesn't happen when using passwd. Check out the python code snip:
dn = 'uid=%s,ou=People,dc=example,dc=com' % 'user1'
con = ldap.initialize('ldapi:///')
con.bind_s(dn, raw_input('Password: ')) #getting the present password
con.passwd_s(dn, None, '1')
The to default_ppolicy entry pwdMinLenght is setted to 5, even so the code above works to regular users and they can put passwords too short.
The second thing is in the lab sometimes users should be disabled for time periods (2 weeks for instance). I guessed I could set pwdAccountLockedTime to now and pwdLockoutDuration to the duration and the user would be automatically unlocked after that time, but it doesn't look to work. I guess this directives are only valid when pwdFailureTime is setted by the authentication methods. Can someone confirm that I can't set manually pwdAccountLockedTime and pwdLockoutDuration to block user access to a determined period? What would be the alternatives?
I hope I haven't missed the answers because a lack of English skills. I have "googled" a lot about that, but nothing useful came up. The mail list archives search in openldap-technical doesn't return anything even when I try ldap, or ppolicy. I browsed some month archives but got nothing by the e-mail subjects.
Thanks in advance for any help and answers. I hope I have been understood and sorry about any mistakes I've made concerning the language.
O Pensamento Governa o Universo