1. See below the contents of our password policy:
# Search scope: sub
# Search filter: (objectClass=*)
# Total entries: 1
#
# Generated by LDAP Account Manager (http://www.ldap-account-manager.org) on October 27, 2017 10:48 am
# Version: 5.5
version: 1
# Entry 1: cn=passwordDefault,ou=policies,dc=thales,dc=com
dn: cn=passwordDefault,ou=policies,dc=thales,dc=com
cn: passwordDefault
createtimestamp: 20171004124029Z
creatorsname: dc=Manager,dc=thales,dc=com
entrycsn: 20171004124029.795969Z#000000#000#000000
entrydn: cn=passwordDefault,ou=policies,dc=thales,dc=com
entryuuid: f3031268-3d4c-1037-9198-453c4b052276
hassubordinates: FALSE
modifiersname: dc=Manager,dc=thales,dc=com
modifytimestamp: 20171004124029Z
objectclass: top
objectclass: device
objectclass: pwdPolicy
objectclass: pwdPolicyChecker
pwdallowuserchange: TRUE
pwdattribute: userPassword
pwdcheckmodule: check_password.so
pwdcheckquality: 2
pwdexpirewarning: 0
pwdfailurecountinterval: 0
pwdgraceauthnlimit: 0
pwdinhistory: 4
pwdlockout: TRUE
pwdlockoutduration: 0
pwdmaxage: 7776000
pwdmaxfailure: 3
pwdminage: 0
pwdminlength: 8
pwdmustchange: FALSE
pwdsafemodify: FALSE
structuralobjectclass: device
subschemasubentry: cn=Subschema
-----------------
2. We are using the lamcms from www.ldap-account-manager.org. In the web interface there is an "Unlock account" button which we use. I suppose they are using the PHP ldap_modify() method in order to remove the 'pwdAccountLockedTime' field. Of course, temporarily modifying their sources and trying to also remove the pwdFailureTime generates the following error:
"Was unable to remove attributes from DN: cn=test1,ou=users,dc=thales,dc=com.
LDAP error, server says: Constraint violation - pwdFailureTime: no user modification allowed"
We've also contacted the guys from ldap-account-manager.org, but they said they can't do anything on their side and suggested contacting you.
Kind regards, Mihai
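
Added example, not part of the original message and not LAM or OpenLDAP code: a simplified Python model of the lockout rules in the LDAP password policy draft, using the posted values (pwdMaxFailure: 3, pwdFailureCountInterval: 0, pwdLockoutDuration: 0). It shows why an unlock that removes only pwdAccountLockedTime leaves the account one wrong password away from locking again; `Entry`, `bind`, `unlock` and `failures_until_relock` are hypothetical names.

```python
import copy
from dataclasses import dataclass, field
from typing import Optional

# Lockout values copied from the policy entry posted in the message.
POLICY = {"pwdLockout": True, "pwdMaxFailure": 3,
          "pwdFailureCountInterval": 0, "pwdLockoutDuration": 0}

@dataclass
class Entry:
    """Operational lockout state kept on a user entry (simplified model)."""
    pwdFailureTime: list = field(default_factory=list)
    pwdAccountLockedTime: Optional[int] = None

def is_locked(e, now, p=POLICY):
    if not p["pwdLockout"] or e.pwdAccountLockedTime is None:
        return False
    dur = p["pwdLockoutDuration"]
    # Duration 0 means the lock never expires by itself.
    return dur == 0 or now < e.pwdAccountLockedTime + dur

def bind(e, now, password_ok, p=POLICY):
    """Return True if the bind succeeds, updating the lockout state."""
    if is_locked(e, now, p):
        return False                      # even the right password is refused
    if password_ok:
        e.pwdFailureTime.clear()          # a successful bind resets the counter
        e.pwdAccountLockedTime = None
        return True
    e.pwdFailureTime.append(now)
    window = p["pwdFailureCountInterval"]
    # Interval 0 means old failures never age out of the count.
    counted = [t for t in e.pwdFailureTime if window == 0 or now - t < window]
    if p["pwdLockout"] and len(counted) >= p["pwdMaxFailure"]:
        e.pwdAccountLockedTime = now
    return False

def unlock(e):
    """Assumed behaviour of the unlock button: drop pwdAccountLockedTime only."""
    e.pwdAccountLockedTime = None

def failures_until_relock(e, now, p=POLICY):
    """Wrong passwords the account tolerates from this state before it locks."""
    trial, n = copy.deepcopy(e), 0        # work on a copy, leave e untouched
    while not is_locked(trial, now + n, p):
        bind(trial, now + n, password_ok=False, p=p)
        n += 1
    return n
```

In this model the stale pwdFailureTime values are cleared only by a successful bind, which is the state the message's attempted pwdFailureTime removal was trying to reach.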