To help troubleshoot a ppolicy issue, I set a client binding to the provider directly. So far my tests show the following attributes work as expected:
pwdLockout, pwdLockoutDuration, pwdMinAge, pwdMaxAge, pwdGraceAuthnLimit, pwdAllowUserChange, pwdMaxFailure
The following do not work for some reason:
- pwdInHistory: ppolicy does not check whether an old password exists in the history or not; or maybe the old password was not even being saved.
- pwdCheckQuality: can only be set to 1 or disabled. This leads me to believe the password syntax check does not work on the server. This is confirmed by pwdMinLength failing to block passwords with fewer than the specified number of characters. Does it take an external module for pwdCheckQuality to work? Or is some built-in function of slapd supposed to take care of it?
- pwdExpireWarning: does not send out a warning message to the user about password expiration. What else is required to make this feature work?
- pwdMinLength: does not work.
- pwdSafeModify: does not work if set to TRUE. How should one configure a client to send both the existing and the new password to the provider?
Has anyone got the above attributes working? Can you share your experience if you have?
Simon
* Change pwdCheckQuality from default 2 to 1. Does this attribute require the check_password module to work? 2.3.35 does not seem to include this module. Where can I find it?
** Change pwdSafeModify from TRUE to FALSE. How do I configure a consumer's chain overlay to send both the existing and the new password to the provider at the same time?