
Re: Password Policy Questions



I am getting a little further with this.

I have added

pwdLockOut = TRUE
pwdMaxFailure = 5
pwdMinLength = 8

Now if I try to log in with the wrong password it adds a pwdFailureTime
attribute to the user as expected, and after 5 I can't bind as that user
anymore. Then if I reset the password the user can log in again. So at
least something in the policy is working.

When I change the password, however, it allows passwords with fewer than 8
characters, and pwdReset is still not set on the user's entry.

Any thoughts on what might be happening?

Thanks,

Bram

On 2014-08-03, 9:10 AM, Bram Cymet wrote:
> Hi,
> 
> It looks like the password policy overlay will do exactly what I need it
> to; I just can't get it to work.
> 
> I have applied the overlay to my directory.
> I have a default policy set that has:
> 
> pwdAttribute set to userPassword
> and
> pwdMustChange set to TRUE.
> 
> However, when I change a user's password, either with ldapmodify or the
> ldappasswd command, that user is still able to bind to the directory
> just fine. I was assuming that a bind attempt would return an error
> saying that the user had to change their password, or is this not the
> expected behavior?
> 
> Also, I have tried adding pwdReset = TRUE to my user's object, but it
> complains that pwdReset is not allowed in the schema. Is there a specific
> objectclass that I have to add to my user entries?
> 
> I have also tried creating a schema with pwdReset and pwdPolicySubentry
> but when I add that schema it complains that these are operational
> attributes.
> 
> I have upped the logging, and when a user tries to bind I see:
> 
> Aug  3 08:57:08 devauth slapd[30441]: conn=1017 fd=17 ACCEPT from
> IP=10.20.48.66:55519 (IP=0.0.0.0:389)
> Aug  3 08:57:08 devauth slapd[30441]: conn=1017 op=0 BIND
> dn="uid=email@test.com,ou=test_websales_users,dc=ls,dc=cbn" method=128
> Aug  3 08:57:08 devauth slapd[30441]: => bdb_entry_get: found entry:
> "uid=email@test.com,ou=test_websales_users,dc=ls,dc=cbn"
> Aug  3 08:57:08 devauth slapd[30441]: => bdb_entry_get: found entry:
> "cn=websales_password_policy,ou=test_websales_users,dc=ls,dc=cbn"
> Aug  3 08:57:08 devauth slapd[30441]: => access_allowed: result not in
> cache (userPassword)
> Aug  3 08:57:08 devauth slapd[30441]: => access_allowed: auth access to
> "uid=email@test.com,ou=test_websales_users,dc=ls,dc=cbn" "userPassword"
> requested
> Aug  3 08:57:08 devauth slapd[30441]: => acl_get: [2] attr userPassword
> Aug  3 08:57:08 devauth slapd[30441]: => acl_mask: access to entry
> "uid=email@test.com,ou=test_websales_users,dc=ls,dc=cbn", attr
> "userPassword" requested
> Aug  3 08:57:08 devauth slapd[30441]: => acl_mask: to value by "", (=0)
> Aug  3 08:57:08 devauth slapd[30441]: <= check a_dn_pat: self
> Aug  3 08:57:08 devauth slapd[30441]: <= check a_dn_pat: *
> Aug  3 08:57:08 devauth slapd[30441]: <= acl_mask: [2] applying
> auth(=xd) (stop)
> Aug  3 08:57:08 devauth slapd[30441]: <= acl_mask: [2] mask: auth(=xd)
> Aug  3 08:57:08 devauth slapd[30441]: => slap_access_allowed: auth
> access granted by auth(=xd)
> Aug  3 08:57:08 devauth slapd[30441]: => access_allowed: auth access
> granted by auth(=xd)
> Aug  3 08:57:08 devauth slapd[30441]: conn=1017 op=0 BIND
> dn="uid=email@test.com,ou=test_websales_users,dc=ls,dc=cbn" mech=SIMPLE
> ssf=0
> 
> So it looks to me like the default policy has been applied but nothing
> happens when a password is reset by an administrator.
> 
> So I think I am missing something fundamental here. I have a few
> questions that I think will help me to narrow down my problem though.
> 
> 1) What is the best way to debug an overlay?
> 
> 2) Is there a proper way for an administrator to change a password so
> that the pwdReset flag is set on the user (or whatever is supposed to
> happen so that the user needs to reset their password on their next bind)?
> 
> 3) Is it enough to have a password policy with just pwdAttribute and
> pwdMustChange set, or are there other values that need to be set to make
> this work?
> 
> 4) Are there any extra object classes that have to be added to my user
> entries for the password policies to work?
> 
> 5) I would like users to have to reset their password on first bind; do
> I need to set something on object creation?
> 
> 6) Anything else I might be missing?
> 
> Any help would be awesome.
> 
> Thanks,
> 


-- 
Bram Cymet
Software Developer
Canadian Bank Note Co. Ltd.
613-608-9752
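Added example (not part of the thread, and not OpenLDAP's own sample config): a cn=config LDIF that enables slapo-ppolicy and defines a default policy covering the settings discussed above. The DNs (dc=example,dc=com, ou=policies, the user entry), the database RDN olcDatabase={1}bdb (chosen only because the log shows bdb_entry_get) and the module file name are assumptions; adjust them to the real directory. Two points that bear on the symptoms in the mail: pwdMinLength is only enforced while quality checking is enabled (pwdCheckQuality 1 or 2; the default 0 ignores it), and pwdReset, pwdFailureTime, pwdChangedTime and pwdAccountLockedTime are operational attributes, which ldapsearch only returns when asked for with '+' or by name.

```ldif
# Added example (not from the thread). Assumed layout: backend olcDatabase={1}bdb,
# suffix dc=example,dc=com, policies kept under ou=policies.

# 1. Only needed when ppolicy is built as a loadable module (the usual case on
#    distribution packages); skip if it is compiled into slapd.
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy.la

# 2. Instantiate the overlay on the database and name the default policy that
#    applies to every entry without its own pwdPolicySubentry.
dn: olcOverlay=ppolicy,olcDatabase={1}bdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=com
# Hash cleartext userPassword values arriving in Add/Modify requests, so that
# ldapmodify and ldappasswd end up with the same stored form.
olcPPolicyHashCleartext: TRUE
# FALSE (the default): a bind to a locked account gets the same invalidCredentials
# as a wrong password, so the response does not reveal which accounts are locked.
# TRUE returns the explicit accountLocked error instead.
olcPPolicyUseLockout: FALSE

# 3. The policy entry. pwdPolicy is AUXILIARY, so it needs a structural class;
#    person (with its mandatory cn and sn) is what the slapo-ppolicy man page uses.
dn: cn=default,ou=policies,dc=example,dc=com
changetype: add
objectClass: top
objectClass: person
objectClass: pwdPolicy
cn: default
sn: default
pwdAttribute: userPassword
# Minimum length is part of the quality check, so it needs pwdCheckQuality > 0:
#   0 = no checks at all (pwdMinLength is ignored)
#   1 = check; accept a value that cannot be checked (already hashed)
#   2 = check; reject a value that cannot be checked
pwdCheckQuality: 2
pwdMinLength: 8
# Lock after 5 failures within 5 minutes; unlock automatically after 15 minutes.
# pwdLockoutDuration 0 would keep the account locked until an administrator
# clears pwdAccountLockedTime; pwdFailureCountInterval 0 never expires failures.
pwdLockout: TRUE
pwdMaxFailure: 5
pwdFailureCountInterval: 300
pwdLockoutDuration: 900
# When someone other than the user (an administrator) sets the password, the
# overlay adds pwdReset: TRUE to the entry; the user may then bind, but every
# operation except changing the password is refused until they do.
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
# Remember the last 3 hashes so the forced change cannot reuse the old password.
pwdInHistory: 3
```

Load the two cn=config changes with `ldapmodify -Y EXTERNAL -H ldapi:/// -f ppolicy.ldif` and the policy entry with the directory admin's credentials (the same file works with ldapmodify because each record carries its changetype). The slapd.conf equivalent of step 2 is `overlay ppolicy`, `ppolicy_default cn=default,ou=policies,dc=example,dc=com` and `ppolicy_hash_cleartext` inside the database section. To verify, after an administrator changes a user's password, `ldapsearch -x -D cn=admin,dc=example,dc=com -W -b uid=someuser,ou=people,dc=example,dc=com '+'` should list pwdReset: TRUE and pwdChangedTime, and `ldapwhoami -x -D uid=someuser,ou=people,dc=example,dc=com -W -e ppolicy` shows the password policy response control. Note that the bind itself still succeeds in that state; it is the next operation other than a password change that slapd rejects with "Operations are restricted to bind/unbind/abandon/StartTLS/modify password". One more caveat for the length check: a value sent already hashed (an `{SSHA}...` string via ldapmodify) cannot be measured, so pwdCheckQuality 2 rejects it and 1 lets it through unchecked; send cleartext and let olcPPolicyHashCleartext do the hashing.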