On Mon, Oct 11, 2010 at 7:08 PM, Christian Manal <moenoel@informatik.uni-bremen.de> wrote:
Am 11.10.2010 15:25, schrieb Meghanand Acharekar:
> On Mon, Oct 11, 2010 at 6:42 PM, Christian Manal <
> moenoel@informatik.uni-bremen.de> wrote:
>
>> Am 11.10.2010 14:41, schrieb Meghanand Acharekar:
>>> Hi,
>>>
>>> I am using ppolicy overlay to enforce password policies.
>>> Following is my ppolicy configuration/ldif.
>>>
>>> dn: cn=policies,dc=example,dc=com
>>> objectClass: top
>>> objectClass: device
>>> objectClass: pwdPolicy
>>> cn: policies
>>> pwdAttribute: userPassword
>>> pwdMaxAge: 7516800
>>> pwdExpireWarning: 432000
>>> pwdInHistory: 6
>>> pwdCheckQuality: 1
>>> pwdMinLength: 8
>>> pwdMaxFailure: 4
>>> pwdLockout: TRUE
>>> pwdLockoutDuration: 1920
>>> pwdGraceAuthNLimit: 0
>>> pwdFailureCountInterval: 0
>>> pwdMustChange: TRUE
>>> pwdAllowUserChange: TRUE
>>> pwdSafeModify: FALSE
>>>
>>> while changing password on first login I got following error.
>>>
>>> WARNING: Your password has expired.
>>> You must change your password now and login again!
>>> Changing password for user prasad.
>>> Enter login(LDAP) password:
>>> New UNIX password:
>>> Retype new UNIX password:
>>> LDAP password information update failed: Constraint violation
>>> Password is too young to change
>>> passwd: Permission denied
>>> Connection to myhost closed.
>>>
>>> Thanks in advance
>>> Meghanand N Acharekar.
>>>
>>
>>
>> Hi,
>>
>> when you set 'pwdCheckQuality: 1', you require a module to actually
>> check the quality of the password. See slapo-ppolicy(5) and look at the
>> pwdPolicyChecker/pwdCheckModule parts.
>>
>>
>>
> Hello
>
> After setting pwdReset TRUE in user attribute, i'm getting another error.
>
> LDAP password information update failed: Constraint violation
> Password fails quality checking policy
> passwd: Permission denied
> Connection to myhost closed.
>
> Is it mandatory to use this module if we want to enforce password policies.
> Any idea.
>
>
>> Regards,
>> Christian Manal
>>
>

The 'Constraint violation' error means, that the new password does not
conform to the quality requirements, or in your case, the quality could
not be verified at all. As I said, if you want to use

  pwdCheckQuality: 1

you *need* a pwdCheckModule to run the password through, or you will
always get a constraint violation.


Okies, if I use simple password it prompts me as follows.

WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user test
Enter login(LDAP) password: 
New UNIX password: 
BAD PASSWORD: it does not contain enough DIFFERENT characters
New UNIX password: 
BAD PASSWORD: it is based on a dictionary word
New UNIX password: 
Retype new UNIX password: 
LDAP password information update failed: Constraint violation
Password fails quality checking policy
 
By the way I found check_password.c file here 
https://ltb-project.org/svn/openldap-ppolicy-check-password/trunk/
I will compile it to generate check_password.so file and update you.


Regards,
Christian Manal