
Re: pwdPolicy pwdMustChange enforcement
On Mon, Feb 13, 2006 at 11:25:27AM -0800, Howard Chu wrote:
> Andreas Hasenack wrote:
> >How is the pwdMustChange policy supposed to be applied to ldap clients?
> >Doesn't this need support in the client? I'm sure ldapsearch(1), for
> >example, can't change the userPassword attribute, but it can
> >authenticate without problems. So how is this policy going to be
> >enforced?
> 
> Try it and see.
>  ldapsearch -x -D uid=someuser,dc=example,dc=com -w mustchange -b 
> dc=example,dc=com

Can't get it to work. Here is my config (2.3.19 + Quanah's patches):

Policy entry:
dn: cn=default,ou=policies,dc=exemplo,dc=com,dc=br
cn: default
objectClass: pwdPolicy
objectClass: organizationalRole
pwdAttribute: userPassword
pwdMinLength: 6
pwdMustChange: TRUE
pwdCheckQuality: 1

slapd.conf:
include         /usr/share/openldap/schema/core.schema
include         /usr/share/openldap/schema/cosine.schema
include         /usr/share/openldap/schema/inetorgperson.schema
include         /usr/share/openldap/schema/nis.schema
include         /usr/share/openldap/schema/ppolicy.schema
pidfile         /var/run/ldap/slapd.pid
argsfile        /var/run/ldap/slapd.args
loglevel 256
modulepath /usr/lib/openldap
moduleload ppolicy.la
database        bdb
suffix          "dc=exemplo,dc=com,dc=br"
rootdn          "cn=root,ou=Pessoas,dc=exemplo,dc=com,dc=br"
directory       /var/lib/ldap
overlay ppolicy
ppolicy_hash_cleartext
ppolicy_use_lockout
ppolicy_default cn=default,ou=policies,dc=exemplo,dc=com,dc=br
index           objectClass     eq
index           sn,cn,uid       eq,sub
index           telephoneNumber eq,sub
index           uidNumber,gidNumber     eq
access to attrs=userPassword
        by anonymous auth
        by self write
        by * none
access to *
        by * read
authz-regexp ^uid=([^,]+),cn=digest-md5,cn=auth$
        cn=$1,ou=Pessoas,dc=exemplo,dc=com,dc=br


My commands:

updating the password as rootdn:
$ ldapmodify -U root -Y digest-md5
SASL/DIGEST-MD5 authentication started
Please enter your password:
SASL username: root
SASL SSF: 128
SASL installing layers
dn: cn=benjamin,ou=pessoas,dc=exemplo,dc=com,dc=br
changetype: modify
replace: userPassword
userPassword: secret

modifying entry "cn=benjamin,ou=pessoas,dc=exemplo,dc=com,dc=br"


I'm indeed rootdn:
$ ldapwhoami -U root -Y digest-md5
SASL/DIGEST-MD5 authentication started
Please enter your password:
SASL username: root
SASL SSF: 128
SASL installing layers
dn:cn=root,ou=pessoas,dc=exemplo,dc=com,dc=br
Result: Success (0)

authenticated search just works:
$ ldapsearch -x -LLL -D cn=benjamin,ou=pessoas,dc=exemplo,dc=com,dc=br -w secret cn=benjamin
dn: cn=benjamin,ou=Pessoas,dc=exemplo,dc=com,dc=br
cn: benjamin
sn: sisko
objectClass: person
telephoneNumber: 999-9999
telephoneNumber: 123-1133
userPassword:: e1NTSEF9YU5kNkpqdC9GNjR5emUrYVhsNkFpczE3SGFLZ0ZOMXY=

What's missing?
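Added example, not from this thread or from OpenLDAP itself: when pwdMustChange is in effect, the ppolicy overlay records a rootdn (non-self) password change by setting the operational attribute pwdReset on the user entry, and a lockout by setting pwdAccountLockedTime; both come from ppolicy.schema and are only returned when ldapsearch is asked for operational attributes with the '+' selector. The script below parses such an entry (LDIF on stdin) and reports whether the account is in the "must change password" state, locked, or neither, which is the first thing to verify when a policy seems not to apply. The sample LDIF is constructed; check_user assumes a running slapd and the rootdn from the slapd.conf above, and is the only part that talks to a server.

```shell
#!/bin/sh
# Diagnostic for pwdMustChange (added example, not part of the original post).
# Assumes the ppolicy operational attributes pwdReset and pwdAccountLockedTime
# and that they are fetched with ldapsearch's '+' attribute selector.

# Constructed LDIF samples, shaped like the output of
#   ldapsearch -x -LLL -D <rootdn> -W -b <user dn> -s base '(objectClass=*)' '+'
# after a rootdn password reset, a normal self-change, and a lockout.
SAMPLE_RESET='dn: cn=benjamin,ou=Pessoas,dc=exemplo,dc=com,dc=br
pwdChangedTime: 20060213192500Z
pwdReset: TRUE'

SAMPLE_OK='dn: cn=benjamin,ou=Pessoas,dc=exemplo,dc=com,dc=br
pwdChangedTime: 20060213192500Z'

SAMPLE_LOCKED='dn: cn=benjamin,ou=Pessoas,dc=exemplo,dc=com,dc=br
pwdAccountLockedTime: 20060213193000Z'

# ldif_attr NAME: print every value of attribute NAME from the LDIF on stdin.
# Folded continuation lines (leading space) are joined first; the attribute
# name is matched case-insensitively. Base64 ("::") values are not decoded.
ldif_attr() {
    awk -v name="$1" '
        function emit(line,   n) {
            n = length(name) + 1
            if (tolower(substr(line, 1, n)) == tolower(name) ":")
                print substr(line, n + 2)
        }
        /^ / { buf = buf substr($0, 2); next }
        { if (buf != "") emit(buf); buf = $0 }
        END { if (buf != "") emit(buf) }'
}

# ppolicy_state: classify the entry on stdin and print one word:
#   locked - pwdAccountLockedTime is present (ppolicy_use_lockout tripped)
#   reset  - pwdReset is TRUE: the user may only bind and change the password,
#            which is the state pwdMustChange: TRUE is meant to create after a
#            password change made by someone other than the user
#   ok     - neither flag is set
ppolicy_state() {
    ldif=$(cat)
    if printf '%s\n' "$ldif" | ldif_attr pwdAccountLockedTime | grep -q .; then
        echo locked
    elif [ "$(printf '%s\n' "$ldif" | ldif_attr pwdReset | tr 'a-z' 'A-Z')" = TRUE ]; then
        echo reset
    else
        echo ok
    fi
}

# check_user DN: query a live slapd as rootdn for DN's operational attributes
# and classify them. Prompts for the rootdn password; ROOTDN may be overridden
# in the environment (default is the rootdn from the slapd.conf in the thread).
check_user() {
    ROOTDN=${ROOTDN:-"cn=root,ou=Pessoas,dc=exemplo,dc=com,dc=br"}
    ldapsearch -x -LLL -D "$ROOTDN" -W -b "$1" -s base '(objectClass=*)' '+' \
        | ppolicy_state
}

# Offline demonstration on the constructed samples.
printf 'after rootdn reset: %s\n' "$(printf '%s\n' "$SAMPLE_RESET" | ppolicy_state)"
printf 'after self change:  %s\n' "$(printf '%s\n' "$SAMPLE_OK" | ppolicy_state)"
printf 'after lockout:      %s\n' "$(printf '%s\n' "$SAMPLE_LOCKED" | ppolicy_state)"
```

Against a real server, run `check_user cn=benjamin,ou=pessoas,dc=exemplo,dc=com,dc=br` right after the rootdn ldapmodify: if the result is `ok` rather than `reset`, the overlay never flagged the entry, so the problem is on the server side (policy not attached to the entry, or the modifying identity being treated as the user itself) rather than in what the client does afterwards.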