My checklist:
1. RTFM slapo-ppolicy: done, 3 times;
2. check OpenLDAP version: 2.4, newly installed on Gentoo Linux;
3. check that the ppolicy overlay is successfully loaded and being used: must be, because operational attributes like pwdFailureTime are maintained;
4. pwdAttribute setting: correct, value is "userPassword";
5. pwdCheckQuality: correct, value is 2 (server always checks password syntax);
6. pwdMinLength: correct, value is 6, server does not accept passwords shorter than 6 characters;
7. ppolicy_default: correctly set, because changing pwdMaxFailure on the default entry does have an effect;
8. the entry being operated on doesn't have pwdPolicySubentry, so the default should be applied: correct;
9. slapd server was restarted after all the above checks;
Test result: Still doesn't work:
$ ldappasswd -vD uid=admin,st=jiangxi,o=LGOP -x -w secret -s 13456 ou=吉安市,st=jiangxi,o=LGOP
ldap_initialize( <DEFAULT> )
Result: Success (0)
(expected to fail here because the new password was too short)
I am stuck here. Am I missing something on my checklist?
Zhang Weiwu zhangweiwu@realss.com writes:
My checklist:
- RTFM slapo-ppolicy: done, 3 times;
- check openldap version: 2.4, newly installed on Gentoo Linux;
- check that the ppolicy overlay is successfully loaded and being used: must be, because operational attributes like pwdFailureTime are maintained;
- pwdAttribute setting: correct, value is "userPassword";
- pwdCheckQuality: correct, value is 2 (server always checks password syntax);
- pwdMinLength: correct, value is 6, server does not accept passwords shorter than 6 characters;
- ppolicy_default: correctly set, because changing pwdMaxFailure on the default entry does have an effect;
- the entry being operated on doesn't have pwdPolicySubentry, so the default should be applied: correct;
- slapd server was restarted after all the above checks;
Test result: Still doesn't work:
$ ldappasswd -vD uid=admin,st=jiangxi,o=LGOP -x -w secret -s 13456 ou=吉安市,st=jiangxi,o=LGOP
ldap_initialize( <DEFAULT> )
Result: Success (0)
(expected to fail here because the new password was too short)
I am stuck here. Am I missing something on my checklist?
I presume that you changed userPassword as rootdn; bear in mind that rootdn bypasses all restrictions.
-Dieter
Dieter Kluenter wrote:
I presume that you changed userPassword as rootdn; bear in mind that rootdn bypasses all restrictions.
Thank you very much! You are right!
I guess I'll put this more complete checklist for "when pwdCheckQuality doesn't work" here for anyone who is also stuck and finds this message via Google:
checklist:
1. RTFM slapo-ppolicy: done, 3 times;
2. check OpenLDAP version: 2.4, newly installed on Gentoo Linux;
3. check that the ppolicy overlay is successfully loaded and being used: must be, because operational attributes like pwdFailureTime are maintained;
4. pwdAttribute setting: correct, value is "userPassword";
5. pwdCheckQuality: correct, value is 2 (server always checks password syntax);
6. pwdMinLength: correct, value is 6, server does not accept passwords shorter than 6 characters;
7. ppolicy_default: correctly set, because changing pwdMaxFailure on the default entry does have an effect;
8. the entry being operated on doesn't have pwdPolicySubentry, so the default should be applied: correct;
9. slapd server was restarted after all the above checks: correct;
10. make sure you are not bound as rootdn in testing: checked;
11. make sure you are using ldappasswd(1) rather than ldapmodify(1): checked;
result: it works!
P. S. I know people are not generally as stupid as I am, but for those who really are, would it be nice to have this checklist in the F.A.Q. as well? I know it's not really frequent, but it's easier to find it there.
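As an added example (my own code, not from this thread or from the OpenLDAP project), the following POSIX shell harness turns the final checklist into something repeatable: it prints a default policy entry with the pwdAttribute, pwdCheckQuality and pwdMinLength values the checklist describes, refuses to run the test when the bind DN is the rootdn from slapd.conf (since rootdn bypasses the overlay, a "success" while bound as rootdn proves nothing), and then runs ldappasswd(1), not ldapmodify(1), with a 5-character password, expecting "Constraint violation (19)". The names used (suffix o=LGOP, policy entry cn=default,ou=policies,o=LGOP, test user uid=testuser,st=jiangxi,o=LGOP, /etc/openldap/slapd.conf) are placeholders for your own tree; the rootdn detection is a simplified string comparison on the first rootdn directive in the file, not full LDAP DN matching, and the live test assumes the client tools find the server through ldap.conf.

```shell
#!/bin/sh
# Added example; not code from the thread or from OpenLDAP.
# Harness for the "pwdCheckQuality doesn't work" checklist:
#   1. default_policy_ldif  - the policy entry the checklist describes
#   2. binds_as_rootdn      - pre-flight: rootdn bypasses ppolicy entirely
#   3. ppolicy_live_test    - ldappasswd(1) with a too-short password
# All DNs and paths below are hypothetical placeholders.

# LDIF for the default policy (load as rootdn once:
#   default_policy_ldif | ldapadd -x -D "cn=Manager,o=LGOP" -W
# and point ppolicy_default at its DN in slapd.conf).
default_policy_ldif() {
  cat <<'EOF'
dn: cn=default,ou=policies,o=LGOP
objectClass: person
objectClass: pwdPolicy
cn: default
sn: default
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdMinLength: 6
EOF
}

# Normalise a DN for a simple comparison: lowercase, no whitespace around
# commas, no leading/trailing whitespace. (Simplification of real DN matching.)
norm_dn() {
  printf '%s' "$1" | tr 'A-Z' 'a-z' \
    | sed 's/[[:space:]]*,[[:space:]]*/,/g; s/^[[:space:]]*//; s/[[:space:]]*$//'
}

# First "rootdn" directive in a slapd.conf, with surrounding quotes stripped.
conf_rootdn() {
  sed -n 's/^[[:space:]]*rootdn[[:space:]]\{1,\}"\{0,1\}\([^"]*\)"\{0,1\}.*$/\1/p' "$1" \
    | head -n 1
}

# Exit status 0 when BIND_DN (arg 2) is the rootdn of the slapd.conf (arg 1).
binds_as_rootdn() {
  conf=$1; bind_dn=$2
  [ "$(norm_dn "$(conf_rootdn "$conf")")" = "$(norm_dn "$bind_dn")" ]
}

# Live check against a running slapd. Args: slapd.conf, bind DN, bind password,
# target DN. A 5-character password must be rejected when pwdMinLength is 6;
# ppolicy reports that as "Constraint violation (19)".
ppolicy_live_test() {
  conf=$1; bind_dn=$2; bind_pw=$3; target_dn=$4
  if binds_as_rootdn "$conf" "$bind_dn"; then
    echo "refusing to test: $bind_dn is the rootdn, which bypasses ppolicy" >&2
    return 2
  fi
  out=$(ldappasswd -x -D "$bind_dn" -w "$bind_pw" -s 13456 "$target_dn" 2>&1)
  case $out in
    *"Constraint violation"*) echo "ppolicy enforced: $out"; return 0 ;;
    *) echo "ppolicy NOT enforced: $out" >&2; return 1 ;;
  esac
}

# Only run the live test when asked for explicitly, e.g.
#   PPOLICY_LIVE=1 sh ppolicy_check.sh /etc/openldap/slapd.conf \
#     'uid=testuser,st=jiangxi,o=LGOP' secret 'uid=testuser,st=jiangxi,o=LGOP'
if [ "${PPOLICY_LIVE:-0}" = 1 ]; then
  ppolicy_live_test "$@"
fi
```

The pre-flight is the part most worth keeping: item 10 of the checklist is easy to forget when the only credentials at hand are the manager's, and a test bound as rootdn will always report "Success (0)" regardless of the policy.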
Zhang Weiwu wrote:
Dieter Kluenter wrote:
I presume that you changed userPassword as rootdn; bear in mind that rootdn bypasses all restrictions.
Thank you very much! You are right!
I guess I'll put this more complete checklist for "when pwdCheckQuality doesn't work" here for anyone who is also stuck and finds this message via Google:
checklist:
- RTFM slapo-ppolicy: done, 3 times;
- check openldap version: 2.4, newly installed on Gentoo Linux;
- check that the ppolicy overlay is successfully loaded and being used: must be, because operational attributes like pwdFailureTime are maintained;
- pwdAttribute setting: correct, value is "userPassword";
- pwdCheckQuality: correct, value is 2 (server always checks password syntax);
- pwdMinLength: correct, value is 6, server does not accept passwords shorter than 6 characters;
- ppolicy_default: correctly set, because changing pwdMaxFailure on the default entry does have an effect;
- the entry being operated on doesn't have pwdPolicySubentry, so the default should be applied: correct;
- slapd server was restarted after all the above checks: correct;
- make sure you are not bound as rootdn in testing: checked;
- make sure you are using ldappasswd(1) rather than ldapmodify(1): checked;
result: it works!
P. S. I know people are not generally as stupid as I am, but for those who really are, would it be nice to have this checklist in the F.A.Q. as well? I know it's not really frequent, but it's easier to find it there.
Please add this to http://www.openldap.org/faq/data/cache/1204.html
Thanks.
Gavin Henry wrote:
Zhang Weiwu wrote:
P. S. I know people are not generally as stupid as I am, but for those who really are, would it be nice to have this checklist in the F.A.Q. as well? I know it's not really frequent, but it's easier to find it there.
Please add this to http://www.openldap.org/faq/data/cache/1204.html
I just did it with small text modification.
----- "Zhang Weiwu" zhangweiwu@realss.com wrote:
Gavin Henry wrote:
Zhang Weiwu wrote:
P. S. I know people are not generally as stupid as I am, but for those who really are, would it be nice to have this checklist in the F.A.Q. as well? I know it's not really frequent, but it's easier to find it there.
Please add this to http://www.openldap.org/faq/data/cache/1204.html
I just did it with small text modification.
Thanks.
openldap-software@openldap.org