Re: exempt some users from OpenLDAP password policy

Hello,

Well, you might want to take a look at the recent thread "removing ppolicy overlay" (especially Frank Swasey's latest answer).

If you do not want to go through the hassle of editing your LDAP database to remove all ppolicy attributes, you may leave the password policy overlay enabled without any default policy set, which would be basically the same as having it disabled since no policy would be enforced.

For this to work, you will want to check if there is no "pwdPolicySubentry" attribute somewhere, that would explicitely enable a password policy on the object.

Have a nice day,

--

Matthieu CERDA

Le 23/04/2018 à 07:22, Tayyab Saeed a écrit :

Dear All,

How can we disable password policy completely?

Thanks, Tayyab Saeed

---

*From: *"Dave Macias" davama@gmail.com *To: *"Tayyab Saeed" tayyab.saeed@nds.com.pk *Cc: *openldap-technical@openldap.org, "Matthieu Cerda" matthieu.cerda@nbs-system.com *Sent: *Thursday, April 19, 2018 5:36:04 PM *Subject: *Re: exempt some users from OpenLDAP password policy

What your ldap tree look like (the relevant parts, users, current ppolicy)? As far as links, there are soo many out there. Just search for one that fits your enviroment Here is how to add a ppolicy in the first place.  https://wiki.polaire.nl/doku.php?id=centos7_openldap_ppolicy

How to add ppolicy to specific objects: http://www.zytrax.com/books/ldap/ch6/ppolicy.html#examples

As Matthieu already mentioned, assuming you already have a ppolicy, then you would need to create a less restrictive policy and apply to specific users using the pwdPolicySubentry attribute

regards, dave

On Apr 15, 2018, 11:50 PM -0400, Tayyab Saeed <tayyab.saeed@nds.com.pk mailto:tayyab.saeed@nds.com.pk>, wrote:

Dear All,

I am sorry but still unable to configure the same, could anyone
please share the complete steps / link so i can setup the same.

Thanks,
Tayyab Saeed
------------------------------------------------------------------------
*From:* "Dave Macias" <davama@gmail.com <mailto:davama@gmail.com>>
*To:* "Matthieu Cerda" <matthieu.cerda@nbs-system.com
<mailto:matthieu.cerda@nbs-system.com>>
*Cc:* openldap-technical@openldap.org
<mailto:openldap-technical@openldap.org>
*Sent:* Friday, April 13, 2018 8:27:04 PM
*Subject:* Re: exempt some users from OpenLDAP password policy

Here is an example which you can apply per-user which needs to be
exempted:

dn: cn=ppolicy-exclude,ou=policies,dc=organization,dc=org
cn: ppolicy-exclude
objectClass: top
objectClass: device
objectClass: pwdPolicyChecker
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdAllowUserChange: TRUE
pwdMustChange: FALSE
pwdLockout: FALSE


On Fri, Apr 13, 2018 at 10:28 AM, Matthieu Cerda
<matthieu.cerda@nbs-system.com
<mailto:matthieu.cerda@nbs-system.com>> wrote:

    Hello,


    You may either:

      * Set a relaxed default password policy using
        olcPPolicyDefault / ppolicy_default (or no default policy
        at all) and set more restrictive password policies on some
        of your users by setting the pwdPolicySubentry attribute
        on their object
      * Set a restrictive default password policy, and a relaxed
        ones on some of your users

    Using one or the other depends on the proportions of
    exceptions you would generate: the less, the better

    --

    Matthieu CERDA


    Le 13/04/2018 <tel:13/04/2018> à 11:38, Tayyab Saeed a écrit :

        Dear Peter / ALL,

        Thanks a lot for your reply.

        So how can we exempt some users from password policy ?

        Is it possible in OpenLDAP or not ?

        Thanks,
        Tayyab Saeed
        ------------------------------------------------------------------------
        *From:* "Peter Gietz" <peter.gietz@daasi.de>
        <mailto:peter.gietz@daasi.de>
        *To:* openldap-technical@openldap.org
        <mailto:openldap-technical@openldap.org>
        *Sent:* Friday, April 13, 2018 1:08:31 PM
        *Subject:* Re: exempt some users from OpenLDAP password policy

        Dear Tayyab,


        well the error message says most of it.


        The attribute pwdChangedTime is defined in sect. 5.3.2. of
        https://tools.ietf.org/html/draft-behera-ldap-password-policy-10
        as:

        ...

        NO-USER-MODIFICATION
        USAGE directoryOperation )


        Which means, that an LDAP client is not allowed to modify
        the values of this attribute, and that it is to be
        modified by the directory server only.

        And this makes perfectly sense, that the value is changed,
        if and only if the password is being changed.

        Cheers,
        Peter

        Am 12.04.2018 um 22:55 schrieb Tayyab Saeed:

            Dear All,

            I have tried modifying pwdChangedTime & facing below error

             modifying entry 
             "uid=test1,ou=ITSupport,ou=people,dc=mydomain,dc=com"
             ldap_modify: Constraint violation (19)
                 additional info: pwdChangedTime: no user
            modification allowed

            Thanks,
            Tayyab Saeed




    -- Matthieu Cerda Infrastructure, BU Means @ NBS System