Password policy messages - how can I pass back
- To: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
- Subject: Password policy messages - how can I pass back
- From: Ervin Hegedüs <airween@gmail.com>
- Date: Wed, 10 Oct 2018 20:16:10 +0200
- User-agent: Mutt/1.5.24 (2015-08-30)
Hi there,
there is a password policy external module with this config:
dn: cn=default,ou=pwpolicies,dc=hu
cn: default
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
objectClass: device
pwdAllowUserChange: TRUE
pwdInHistory: 5
pwdMinLength: 10
pwdAttribute: userPassword
pwdCheckQuality: 1
pwdCheckModule: pwdCheckModule-poc.so
I've grabbed this source:
https://github.com/bindle/bofh-pwdCheckModules
Everything works well: I can change the password with the
ldappasswd tool or with ldap_exop() in PHP; the policy check works
in both cases.
I just have one question: is there any way to send the error
message back to the client?
I mean:
# /usr/bin/ldappasswd -H ldaps://dev-ldap-01 -w "secret" -D "uid=adminuser,dc=hu" -s "abcdefghijkl" "uid=airween,ou=Users,dc=hu"
Result: Constraint violation (19)
There isn't any detailed information about why the policy module
drops the request, but I can see it in the logfile:
Oct 10 20:05:21 dev-ldap-01 slapd[16312]: check_password_quality: module error: (pwdCheckModule-poc.so) Passwords less than 16 characters require at least 3 traits (upper case, lower case, digits, or special characters).[1]
Oct 10 20:05:21 dev-ldap-01 slapd[16312]: send_ldap_result: conn=1742 op=1 p=3
Oct 10 20:05:21 dev-ldap-01 slapd[16312]: send_ldap_result: err=19 matched="" text="Passwords less than 16 characters require at least 3 traits (upper case, lower case, digits, or special characters)"
It would be very good to catch this message at client side.
Is it possible?
Note that on the PHP side I'm using:
ldap_get_option($ldapconn, LDAP_OPT_DIAGNOSTIC_MESSAGE, $_err);
and the $_err variable is empty.
When I send the old password, which exists in the history, I get:
ldappasswd -H ldaps://... ... ... -s "oldpasswd" "uid=airween,..."
Result: Constraint violation (19)
Additional info: Password is not being changed from existing value
In PHP:
"Password is not being changed from existing value"
In syslog I can see:
Oct 10 20:09:36 dev-ldap-01 slapd[16312]: send_ldap_result: err=19 matched="" text="Password is not being changed from existing value"
Oct 10 20:09:36 dev-ldap-01 slapd[16312]: send_ldap_extended: err=19 oid= len=0
Oct 10 20:09:36 dev-ldap-01 slapd[16312]: send_ldap_response: msgid=2 tag=120 err=19
Oct 10 20:09:36 dev-ldap-01 slapd[16312]: conn=1743 op=1 RESULT oid= err=19 text=Password is not being changed from existing value
Should I fill in some member of the Entry struct in the 3rd argument
of the policy module?
int check_password (char *pPasswd, char **ppErrStr, Entry *pEntry)
....................................................^^^^^^^^^^^^^^
Thanks,
a.