Re: ppolicy not verifying password length (not active !!)

To: Michael Ströder <michael@stroeder.com>, "openldap-technical@openldap.org" <openldap-technical@openldap.org>, Rodrigo Coutinho <Rodrigo.Coutinho@ifap.pt>

Subject: Re: ppolicy not verifying password length (not active !!)

From: saurabh ohri <sam_ohri@yahoo.co.in>

Date: Thu, 6 Mar 2014 12:06:01 +0800 (SGT)

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.co.in; s=s1024; t=1394078761; bh=QA9XU7q694xkd2Iv79M+9LdMr3i7hb8gUQgltXHQnOc=; h=X-YMail-OSG:Received:X-Rocket-MIMEInfo:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type; b=nwhATWOm1Np4BYsuMD5ogNyzf5UVd1pB0gfj92b3q1YWI1TnBuEns2FDZ7y82o52wm3cIVrLtVGF4BVQ/DXTmCWJwTEUuNqh8wrAaH438BlX80AfXTcP7ip2lEonlSD+SI1fkhf5iubW0aQE91ZZyFHdvqoPOovav+eK0tuLh1w=

Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.co.in; h=X-YMail-OSG:Received:X-Rocket-MIMEInfo:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type; b=3ZeYrhIKTTNG41kEpUIlT0tFWBRR9cdld7l4Dzf3fYtEeSFb5lyTCnEe7Xo1kPm+l3vM4j43Egx0Zrpf7oLqorLqOzQlj9sSPz6JppzFOszUH8cEnRUxszZpaZbzgqQr9OHnHIYp9DskJ6/VrwoZ8s1ShdUg7NlvCjgNgguT1pY=;

In-reply-to: <3c56bedeedab855f4bb89d8624ec7a79@srv1.stroeder.com>

References: <A4F542D25A8F5D4BA49A8F3BAEC8F07E05769631@singan07.inga.pt><CAK_oV4-Osaezsehq7nC_Q1q1XiC0wcfTQNhBu9W68zKtL_=y3g@mail.gmail.com><A4F542D25A8F5D4BA49A8F3BAEC8F07E05769692@singan07.inga.pt> <CAK_oV4_fDYQ82aJoqAkPq-dctTmGxn9OrX25WpUFdZGwp_RbfQ@mail.gmail.com>, <A4F542D25A8F5D4BA49A8F3BAEC8F07E057696F4@singan07.inga.pt> <3c56bedeedab855f4bb89d8624ec7a79@srv1.stroeder.com>

I Also stuck in this issue. My password policy was not working on openldap 2.4.23 so someone suggested me to upgrade as this is the older version. So i upgraded it to 2.4.39 but struggling to get SSL work for openssl.

really shock to see that there is no proper document for the installation and configuration. 2.4.39 have to be configured from source and not rpm so facing hell lot of issue.

Regards
Sam

On Wednesday, 5 March 2014 8:31 PM, Michael Ströder <michael@stroeder.com> wrote:

On Wed, 5 Mar 2014 11:33:51 +0000 Rodrigo Coutinho <Rodrigo.Coutinho@ifap.pt>
wrote
> Ok, thank you for the information, but I must confess that I am a bit
> shocked, as that implies I can have a directory full of non compliant
> passwords.
>
> So, that begs the question: How do we prevent this ? What is the
> normal/standard way ?

Mantra to be repeated thousands of times:

Never use rootdn to bind.

> Should one create another user with administrative privileges and use it to
> change passwords when needed ?

Yes.

Ciao, Michael.