Version: 2.3.39
I am working with the policy overlay and ran into a little issue with the password history. I have pwdInHistory set to 3 in the password policy dn. When I change the password, the pwdHistory is updated, but the policy doesn't seem to be enforced (as I can keep reusing any of the three passwords). In the logs, I see the following:
Feb 8 15:59:11 dirdev1 slapd[3947]: => bdb_entry_get: ndn: "cn=default password policy,ou=config,dc=moody,dc=edu"
Feb 8 15:59:11 dirdev1 slapd[3947]: => bdb_entry_get: oc: "(null)", at: "(null)"
Feb 8 15:59:11 dirdev1 slapd[3947]: bdb_dn2entry("cn=default password policy,ou=config,dc=moody,dc=edu")
Feb 8 15:59:11 dirdev1 slapd[3947]: => bdb_dn2id("ou=config,dc=moody,dc=edu")
Feb 8 15:59:11 dirdev1 slapd[3947]: <= bdb_dn2id: got id=0x00000004
Feb 8 15:59:11 dirdev1 slapd[3947]: => bdb_dn2id("cn=default password policy,ou=config,dc=moody,dc=edu")
Feb 8 15:59:11 dirdev1 slapd[3947]: <= bdb_dn2id: got id=0x00000014
Feb 8 15:59:11 dirdev1 slapd[3947]: entry_decode: "cn=Default Password Policy,ou=config,dc=moody,dc=edu"
Feb 8 15:59:11 dirdev1 slapd[3947]: <= entry_decode(cn=Default Password Policy,ou=config,dc=moody,dc=edu)
Feb 8 15:59:11 dirdev1 slapd[3947]: => bdb_entry_get: found entry: "cn=default password policy,ou=config,dc=moody,dc=edu"
Feb 8 15:59:11 dirdev1 slapd[3947]: bdb_entry_get: rc=0
And then it happily changes the user's password.
--- slapd.conf ---
[removed stuff]

# Load dynamic backend modules:
modulepath /opt/BENTEST/libexec/openldap
moduleload back_bdb.la
moduleload ppolicy.la
[removed stuff]

database bdb
suffix "dc=moody,dc=edu"
rootdn "cn=Directory Manager,dc=moody,dc=edu"
rootpw fall
directory /opt/BENTEST/var/openldap-data/dc=moody,dc=edu

# password policy
overlay ppolicy
ppolicy_default "cn=Default Password Policy,ou=config,dc=moody,dc=edu"
ppolicy_use_lockout
---------
What am I missing?
---
Benji Spencer
System Administrator
Ph: 312-329-2288
openldap-software@openldap.org