
Password Policy Questions



Hi,

It looks like the password policy overlay will do exactly what I need it
to; I just can't get it to work.

I have applied the overlay to my directory.
I have a default policy set that has:

pwdAttribute set to userPassword
and
pwdMustChange set to TRUE.

However, when I change a user's password, either with ldapmodify or the
ldappasswd command, that user is still able to bind to the directory
just fine. I was assuming that a bind attempt would return an error
saying that the user had to change their password, or is this not the
expected behavior?

Also, I have tried adding pwdReset = TRUE to my user's object, but it
complains that pwdReset is not allowed in the schema. Is there a specific
objectclass that I have to add to my user entries?

I have also tried creating a schema with pwdReset and pwdPolicySubentry,
but when I add that schema it complains that these are operational
attributes.

I have upped the logging, and when a user tries to bind I see:

Aug  3 08:57:08 devauth slapd[30441]: conn=1017 fd=17 ACCEPT from IP=10.20.48.66:55519 (IP=0.0.0.0:389)
Aug  3 08:57:08 devauth slapd[30441]: conn=1017 op=0 BIND dn="uid=email@test.com,ou=test_websales_users,dc=ls,dc=cbn" method=128
Aug  3 08:57:08 devauth slapd[30441]: => bdb_entry_get: found entry: "uid=email@test.com,ou=test_websales_users,dc=ls,dc=cbn"
Aug  3 08:57:08 devauth slapd[30441]: => bdb_entry_get: found entry: "cn=websales_password_policy,ou=test_websales_users,dc=ls,dc=cbn"
Aug  3 08:57:08 devauth slapd[30441]: => access_allowed: result not in cache (userPassword)
Aug  3 08:57:08 devauth slapd[30441]: => access_allowed: auth access to "uid=email@test.com,ou=test_websales_users,dc=ls,dc=cbn" "userPassword" requested
Aug  3 08:57:08 devauth slapd[30441]: => acl_get: [2] attr userPassword
Aug  3 08:57:08 devauth slapd[30441]: => acl_mask: access to entry "uid=email@test.com,ou=test_websales_users,dc=ls,dc=cbn", attr "userPassword" requested
Aug  3 08:57:08 devauth slapd[30441]: => acl_mask: to value by "", (=0)
Aug  3 08:57:08 devauth slapd[30441]: <= check a_dn_pat: self
Aug  3 08:57:08 devauth slapd[30441]: <= check a_dn_pat: *
Aug  3 08:57:08 devauth slapd[30441]: <= acl_mask: [2] applying auth(=xd) (stop)
Aug  3 08:57:08 devauth slapd[30441]: <= acl_mask: [2] mask: auth(=xd)
Aug  3 08:57:08 devauth slapd[30441]: => slap_access_allowed: auth access granted by auth(=xd)
Aug  3 08:57:08 devauth slapd[30441]: => access_allowed: auth access granted by auth(=xd)
Aug  3 08:57:08 devauth slapd[30441]: conn=1017 op=0 BIND dn="uid=email@test.com,ou=test_websales_users,dc=ls,dc=cbn" mech=SIMPLE ssf=0

So it looks to me like the default policy has been applied but nothing
happens when a password is reset by an administrator.

So I think I am missing something fundamental here. I have a few
questions that I think will help me to narrow down my problem though.

1) What is the best way to debug an overlay?

2) Is there a proper way for an administrator to change a password so
that the pwdReset flag is set on the user (or whatever is supposed to
happen so that the user needs to reset their password on their next bind)?

3) Is it enough to have a password policy with just pwdAttribute and
pwdMustChange set, or are there other values that need to be set to make
this work?

4) Are there any extra object classes that have to be added to my user
entries for the password policies to work?

5) I would like users to have to reset their password on first bind; do
I need to set something on object creation?

6) Anything else I might be missing?

Any help would be awesome.

Thanks,

-- 
Bram Cymet
Software Developer
Canadian Bank Note Co. Ltd.
613-608-9752
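Added example (not part of the post above, and not OpenLDAP project code): a short walk-through of how the ppolicy overlay's reset flow is expected to behave, reusing the user and policy DNs from the post. The admin DN, password, URI and temporary password are placeholders. The points it illustrates: the policy entry carries the auxiliary class pwdPolicy (plus a structural class), user entries need no extra objectClass, pwdReset is an operational NO-USER-MODIFICATION attribute that the overlay sets itself when a DN other than the user's own replaces userPassword while pwdMustChange is TRUE, and the bind after a reset still succeeds (as the log above shows); the reset state is carried in the Password Policy response control, which the client only sees if it sends the request control, and the overlay then refuses most operations other than changing the password.

```shell
#!/bin/sh
# Added example, not from the original post. Connection details are placeholders.
set -eu

LDAPURI="${LDAPURI:-ldap://localhost:389}"        # placeholder
ADMIN_DN="${ADMIN_DN:-cn=admin,dc=ls,dc=cbn}"     # placeholder
ADMIN_PW="${ADMIN_PW:-CHANGE_ME}"                 # placeholder
TEMP_PW='Temp-Pass-1'                             # placeholder reset password
USER_DN="uid=email@test.com,ou=test_websales_users,dc=ls,dc=cbn"
POLICY_DN="cn=websales_password_policy,ou=test_websales_users,dc=ls,dc=cbn"

# slapd.conf fragment the overlay needs (assumed; the post does not show its config):
#   include  /etc/openldap/schema/ppolicy.schema
#   database bdb
#   suffix   "dc=ls,dc=cbn"
#   overlay  ppolicy
#   ppolicy_default "cn=websales_password_policy,ou=test_websales_users,dc=ls,dc=cbn"

# LDIF for the policy entry. pwdPolicy is auxiliary, so a structural class
# (person here, as in the OpenLDAP admin guide) is needed alongside it.
policy_ldif() {
  cat <<EOF
dn: $POLICY_DN
objectClass: top
objectClass: person
objectClass: pwdPolicy
cn: websales_password_policy
sn: websales_password_policy
pwdAttribute: userPassword
pwdMustChange: TRUE
EOF
}

# Administrative reset: a plain replace of userPassword by a DN that is not
# the user's own. The overlay adds pwdReset: TRUE itself; clients cannot
# write pwdReset directly (NO-USER-MODIFICATION), which is the schema
# complaint described in the post.
admin_reset_ldif() {
  cat <<EOF
dn: $USER_DN
changetype: modify
replace: userPassword
userPassword: $1
EOF
}

# Check on the user entry's operational attributes (stdin: ldapsearch output).
expect_reset() {
  grep -q '^pwdReset: TRUE$'
}

if command -v ldapmodify >/dev/null 2>&1; then
  policy_ldif | ldapadd -H "$LDAPURI" -x -D "$ADMIN_DN" -w "$ADMIN_PW"
  admin_reset_ldif "$TEMP_PW" | ldapmodify -H "$LDAPURI" -x -D "$ADMIN_DN" -w "$ADMIN_PW"

  # Operational attributes are not returned unless requested by name (or with '+').
  ldapsearch -H "$LDAPURI" -x -D "$ADMIN_DN" -w "$ADMIN_PW" -LLL \
    -b "$USER_DN" -s base '(objectClass=*)' pwdReset pwdChangedTime \
    | expect_reset && echo "pwdReset is set on $USER_DN"

  # The bind succeeds; '-e ppolicy' sends the Password Policy request control so
  # the client reports the must-change state that the server attaches to the result.
  ldapwhoami -H "$LDAPURI" -x -e ppolicy -D "$USER_DN" -w "$TEMP_PW" || true
fi
```

Without `-e ppolicy` (or an application that parses the response control) the user only sees a successful bind, so "can still bind" on its own does not mean the policy is inactive; the operational attributes on the entry and the control reported by the client tools are the places to look.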