Re: exempt some users from OpenLDAP password policy

To: Peter Gietz <peter.gietz@daasi.de>

Subject: Re: exempt some users from OpenLDAP password policy

From: Tayyab Saeed <tayyab.saeed@nds.com.pk>

Date: Fri, 13 Apr 2018 14:38:01 +0500 (PKT)

Dkim-signature: v=1; a=rsa-sha1; c=relaxed; d=nds.com.pk; h=date:from:to :cc:message-id:in-reply-to:subject:mime-version:content-type; s= nds.com.pk; bh=3+jon/904f269lG2e3jhOztZeXM=; b=Ikti+BdbrlqEFpSx4 x/3JIHNzDHD6PTHtZeLPQYmfX8QLOKMchGkVSh3Cnl4nttXH/ztG5ZIfOs/kw74t JnhfqLbMaD6zWqM8QQisr1waOgaUWYeikZtDMJ7aEAOmHQM8DFZu3hOT/jie1+jb B24qLUvQ7riZjsrTU8yxrWuSUs=

In-reply-to: <df30c868-c6bf-9fc4-f403-5dc477008488@daasi.de>

Dear Peter / ALL,

Thanks a lot for your reply.

So how can we exempt some users from password policy ?

Is it possible in OpenLDAP or not ?

Thanks,

Tayyab Saeed

From: "Peter Gietz" <peter.gietz@daasi.de>
To: openldap-technical@openldap.org
Sent: Friday, April 13, 2018 1:08:31 PM
Subject: Re: exempt some users from OpenLDAP password policy

Dear Tayyab,

well the error message says most of it.

The attribute pwdChangedTime is defined in sect. 5.3.2. of https://tools.ietf.org/html/draft-behera-ldap-password-policy-10 as:

...

NO-USER-MODIFICATION
USAGE directoryOperation )

Which means, that an LDAP client is not allowed to modify the values of this attribute, and that it is to be modified by the directory server only.

And this makes perfectly sense, that the value is changed, if and only if the password is being changed.

Cheers,
Peter

Am 12.04.2018 um 22:55 schrieb Tayyab Saeed:

Dear All,

I have tried modifying pwdChangedTime & facing below error

modifying entry
"uid=test1,ou=ITSupport,ou=people,dc=mydomain,dc=com"
ldap_modify: Constraint violation (19)
additional info: pwdChangedTime: no user modification allowed

Thanks,

Tayyab Saeed