Hi Buchan,
I'm not trying to manage password policies through php. I just had a problem to give the rights of changing passwords to a user.
i figured it out now by modifying the acl's.
Here is a sample of my slapd.conf:
>>>>>>>>CUT<<<<<<<<<<<<<
# Default password policy
overlay ppolicy
ppolicy_default cn=default,ou=policies,o=others,dc=domain,dc=tld
ppolicy_hash_cleartext
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
# The base of your directory in database #1
suffix "dc=domain,dc=tld"
# rootdn directive for specifying a superuser on the database. This is needed
# for syncrepl.
# rootdn "cn=admin,dc=domain,dc=tld"
rootdn "cn=admin,dc=domain,dc=tld"
rootpw {SSHA}xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>>>>>>>CUT<<<<<<<<<<<<
# org1 administrators have all the rights on the subtree ou=Users,o=org1,dc=domain,dc=tld
access to dn.subtree="ou=Users,o=org1,dc=domain,dc=tld" attrs=userPassword,shadowLastChange
by dn="cn=admin.org1,o=others,dc=domain,dc=tld" write
by dn="cn=admin,dc=domain,dc=tld" write
by dn="cn=syncrepluser,o=others,dc=domain,dc=tld" read
by anonymous auth
by self write
by * none
access to dn.subtree="ou=Users,o=org1,dc=domain,dc=tld"
by dn="cn=admin.org1,o=others,dc=domain,dc=tld" manage
by dn="cn=admin,dc=domain,dc=tld" write
by dn="cn=syncrepluser,o=others,dc=domain,dc=tld" read
by anonymous read
by * none
# org2 administrators have all the rights on the subtree ou=Users,o=org2,dc=domain,dc=tld
access to dn.subtree="ou=Users,o=org2,dc=domain,dc=tld" attrs=userPassword,shadowLastChange
by dn="cn=admin.org2,o=others,dc=domain,dc=tld" write
by dn="cn=admin,dc=domain,dc=tld" write
by dn="cn=syncrepluser,o=others,dc=domain,dc=tld" read
by anonymous auth
by self write
by * none
access to dn.subtree="ou=Users,o=org2,dc=domain,dc=tld"
by dn="cn=admin.org2,o=others,dc=domain,dc=tld" manage
by dn="cn=admin,dc=domain,dc=tld" write
by dn="cn=syncrepluser,o=others,dc=domain,dc=tld" read
by anonymous read
by * none
####
access to attrs=userPassword,shadowLastChange
by dn="cn=admin,dc=domain,dc=tld" write
by dn="cn=auth,o=others,dc=domain,dc=tld" read
by dn="cn=syncrepluser,o=others,dc=domain,dc=tld" read
by anonymous auth
by self write
by * none
And my password policy :
ldapsearch -Wx -H ldaps://ldap.domain.tld -D cn=admin,dc=domain,dc=tld -b o=others,dc=domain,dc=tld cn=default
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <o=others,dc=domain,dc=tld> with scope subtree
# filter: cn=default
# requesting: ALL
#
# default, policies, others, domain.tld
dn: cn=default,ou=policies,o=others,dc=domain,dc=tld
pwdAttribute: userPassword
pwdLockout: TRUE
pwdLockoutDuration: 10800
pwdMaxFailure: 5
objectClass: pwdPolicy
objectClass: organizationalRole
cn: default
pwdAllowUserChange: TRUE
pwdMinLength: 8
pwdMaxAge: 15552000
pwdExpireWarning: 15120000
pwdCheckQuality: 2
pwdInHistory: 4
Now it works, sorry i should have provided you more information. I'll do it next time.
Regards,
Grifith
----- Mail Original -----
De: "Buchan Milne" <bgmilne(a)staff.telkomsa.net>
À: openldap-technical(a)openldap.org
Cc: "Smaïne Kahlouch" <smainklh(a)free.fr>
Envoyé: Vendredi 5 Février 2010 11h02:22 GMT +01:00 Amsterdam / Berlin / Berne / Rome / Stockholm / Vienne
Objet: Re: ppolicy : managing passwords by another user than root
On Monday, 1 February 2010 21:37:11 Smaïne Kahlouch wrote:
> Could somebody help me please ?
With what?
> I'm asking a last time then i would have to use my root account within
> my php code :/ (no secure at all)
Assuming your message is relevant to the subject of this thread, php is a dead
end, as it has no password policy control. I have some perl scripts to manage
password-policy changes.
Regards,
Buchan