On Thursday, 14 June 2007, Simon Gao wrote:
> To help troubleshoot the ppolicy issue, I set a client to bind to the provider directly. So far my tests show the following attributes work as expected:
>
> pwdLockout pwdLockoutDuration pwdMinAge pwdMaxAge pwdGraceAuthnLimit pwdAllowUserChange pwdMaxFailure
>
> The following do not work for some reason:
>
> pwdInHistory: ppolicy does not check whether an old password exists in the history or not; or maybe the old password was not even being saved.
False:

$ ldapsearch -x -D $ROOTDN -w $ROOTPW "(uid=bgmilne)" pwdHistory|grep ^pwd
pwdHistory: 20051024195301Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}due/1GRmi+/
pwdHistory: 20051024195320Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}WoTiMN/HvKb
pwdHistory: 20051024200447Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}QcLPVL+c+Gg
pwdHistory: 20051024200859Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}uLaheCI+c8r
pwdHistory: 20051024200906Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}IA62ZoaOYL/
pwdHistory: 20051024201018Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}ZOo4R/MjzmT
pwdHistory: 20051026152114Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}Xy2GA6wJSW0
pwdHistory: 20051129080907Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}ltRPSEWys6V
pwdHistory: 20070615091512Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}7XFYw9QSbM/
pwdHistory: 20070615091738Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}jmJjm9PIMVL
pwdHistory: 20070615092245Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}sraq4BVS46n
(I intentionally truncated these to not expose my test passwords.) Note that most attributes related to ppolicy are operational attributes: you either have to ask for them by name, or ask for all operational attributes (with '+').
Testing a password change with a password in my history:
$ ldappasswd -x -D uid=bgmilne,ou=People,$BASEDN -W -S
New password:
Re-enter new password:
Enter LDAP Password:
Result: Constraint violation (19)
Additional info: Password is in history of old passwords
> pwdCheckQuality can only be set to 1 or disabled. This leads me to believe the password syntax check does not work on the server. This is confirmed by pwdMinLength failing to block passwords shorter than the specified number of characters. Does it take an external module for pwdCheckQuality to work?
If you want to do anything besides check min and max lengths, you need a module.
However, pwdMinLength works for me (see below).
Note that depending on how you are changing passwords, the server might not have the opportunity to check this (set pwdCheckQuality to 2 if you don't want to allow methods where the server cannot check them).
> Or is some built-in function in slapd supposed to take care of it?
>
> pwdExpireWarning does not send out a warning message to the user about password expiration. What else is required to make this feature work?
Maybe you had more grace logins configured than you tried:
$ ldapwhoami -x -D uid=bgmilne,ou=People,$BASEDN -W -e ppolicy
Enter LDAP Password:
ldap_bind: Success (0) (Password expired, 4 grace logins remain)
dn:uid=bgmilne,ou=People,ou=internal,dc=telkomsa,dc=net
Result: Success (0)
[...]
$ ldapwhoami -x -D uid=bgmilne,ou=People,$BASEDN -W -e ppolicy
Enter LDAP Password:
ldap_bind: Invalid credentials (49); Password expired

$ ldapwhoami -x -D uid=bgmilne,ou=People,$BASEDN -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
> pwdMinLength does not work.
It does, if pwdCheckQuality is 1 or 2:
$ ldappasswd -x -D uid=bgmilne,ou=People,$BASEDN -W -s qwertyu
Enter LDAP Password:
Result: Constraint violation (19)
Additional info: Password fails quality checking policy

$ ldappasswd -x -D uid=bgmilne,ou=People,$BASEDN -W -s qwertyui
Enter LDAP Password:
Result: Success (0)
> pwdSafeModify does not work if set to TRUE. How should one configure a client to send both the existing and the new password to the provider?
Depends on the client. pam_ldap can be configured to do this, and I think the -a/-A/-t options to ldappasswd pertain to this.
> Does anyone have the above attributes working? Can you share your experience if you do?
I think the more applicable question is, "how are you testing?".
Regards, Buchan
> Simon
>
> - Change pwdCheckQuality from the default 2 to 1. Does this attribute require the check_password module to work? 2.3.35 does not seem to include this module. Where can I find it?
>
> - Change pwdSafeModify from TRUE to FALSE. How do I configure a consumer's chain overlay to send both the existing and the new password to the provider at the same time?
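The two checks that produced the "Constraint violation (19)" results quoted above (pwdMinLength under pwdCheckQuality, and the pwdHistory comparison) can be reproduced offline. The following is an added example written for this page, not code from OpenLDAP or from either poster: it parses pwdHistory values in the `time#syntaxOID#length#data` layout seen in the ldapsearch output, verifies a cleartext candidate against the stored {SSHA} hashes the way slapd's lutil_passwd does, and returns the result code and diagnostic text slapo-ppolicy sends. The history values are constructed here (the ones in the mail are truncated and would not verify); the order of checks and the handling of pre-hashed values under pwdCheckQuality 1 and 2 are modelled on slapo-ppolicy's behaviour, and the helper names are this example's own.

```python
"""Offline model of two slapo-ppolicy checks: pwdMinLength (under
pwdCheckQuality) and pwdInHistory.  Added example, not OpenLDAP code.
All pwdHistory values here are constructed for the example."""
import base64
import hashlib
import hmac
import re
from typing import List, Tuple

# pwdHistory value syntax:  time '#' syntaxOID '#' length '#' data
PWD_HISTORY_RE = re.compile(r"^(\d{14}Z)#([\d.]+)#(\d+)#(.*)$", re.S)
USER_PASSWORD_OID = "1.3.6.1.4.1.1466.115.121.1.40"  # octetString, as in the mail
SUCCESS = 0
CONSTRAINT_VIOLATION = 19


def ssha_hash(password: bytes, salt: bytes) -> str:
    """{SSHA} as slapd stores it: base64(sha1(password || salt) || salt)."""
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: bytes, stored: str) -> bool:
    """Check a cleartext password against one {SSHA} value; the salt is the
    tail of the decoded value, after the 20-byte SHA-1 digest."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password + salt).digest(), digest)


def make_history_value(time: str, password: bytes, salt: bytes) -> str:
    """Build one pwdHistory value laid out like the entries in the mail
    (a 4-byte salt gives the 38-character data field seen there)."""
    data = ssha_hash(password, salt)
    return f"{time}#{USER_PASSWORD_OID}#{len(data)}#{data}"


def parse_pwd_history(value: str) -> Tuple[str, str, str]:
    """Split a pwdHistory value into (time, syntaxOID, data).  The length
    field is checked so a truncated value is rejected rather than compared."""
    m = PWD_HISTORY_RE.match(value)
    if not m:
        raise ValueError(f"not a pwdHistory value: {value!r}")
    time, oid, length, data = m.groups()
    if int(length) != len(data):
        raise ValueError(f"length field {length} != {len(data)} bytes of data")
    return time, oid, data


def password_is_hashed(password: str) -> bool:
    """slapd treats a value with a leading {scheme} prefix as pre-hashed,
    which the server cannot quality-check."""
    return re.match(r"^\{[A-Za-z0-9-]+\}", password) is not None


def check_new_password(new_password: str, history: List[str],
                       pwd_in_history: int, pwd_min_length: int,
                       pwd_check_quality: int) -> Tuple[int, str]:
    """Return (LDAP result code, diagnostic) for a proposed new password.

    Quality (pwdMinLength) is checked before history.  pwdCheckQuality 0
    skips quality checks; 1 checks when the server sees cleartext and lets
    a pre-hashed value through unchecked; 2 rejects what it cannot check.
    pwdInHistory 0 disables the history comparison."""
    quality_err = (CONSTRAINT_VIOLATION, "Password fails quality checking policy")
    if pwd_check_quality in (1, 2):
        if password_is_hashed(new_password):
            if pwd_check_quality == 2:
                return quality_err
        elif len(new_password) < pwd_min_length:
            return quality_err
    if pwd_in_history > 0:
        for value in history:
            _, _, stored = parse_pwd_history(value)
            if ssha_verify(new_password.encode("utf-8"), stored):
                return CONSTRAINT_VIOLATION, "Password is in history of old passwords"
    return SUCCESS, ""


if __name__ == "__main__":
    # Constructed history: two old passwords with fixed salts.
    hist = [make_history_value("20070615091512Z", b"oldpass1", b"\x00\x01\x02\x03"),
            make_history_value("20070615091738Z", b"oldpass2", b"\xff\xfe\xfd\xfc")]
    for candidate in ("oldpass2", "qwertyu", "qwertyui"):
        print(candidate, check_new_password(candidate, hist, 3, 8, 1))
```

slapd also compares the candidate against the current userPassword before the pwdHistory values, so include that hash in the list when modelling a real entry. For the pwdSafeModify case in the thread, the client must send the old password in the Password Modify extended operation; with ldappasswd that is -a (old password on the command line) or -A (prompt for it) together with -s or -S for the new one.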