On 2/22/22 19:00, Felix Natter wrote:
> > 1. The LDAP client should support setting new password via LDAP
> > Modify Password extended operation
>
> I tried with passwd(1), which currently ignores the ppolicy. Does
> this mean it does not support an LDAP Modify Password *extended*
> operation? If not, can I enable it?
passwd(1) is not even an LDAP client.
ldappasswd(1) is the right tool for the command-line but takes a DN to
specify the user's entry.
But for various reasons I usually disallow changing passwords from an
arbitrary system. I'd recommend to force users to use a decent central
password self-service web app.
> Now I added olcPPolicyHashCleartext: TRUE to the ppolicy overlay:
> But still, the password policy is not enforced with passwd(1).
passwd(1) should not even cause an LDAP modify operation to reach your
OpenLDAP server. Just in case you've added shadow: ldap in your
nsswitch.conf then remove that immediately because it's an ancient
> > Processing simple bind requests is not affected by these
>
> Bind request means login request, as opposed to password change request?
Sorry for the nitpicking but the term "login request" is blurry:
"Simple bind request" means literally a simple bind request as described
in RFC 4511:
This simple bind operation is used by NSS/PAM integration components
like nss-pam-ldapd or sssd (or my own aehostd for Æ-DIR) to let the PAM
stack check the user's password. Maybe this is what you call a "login
> Could you please advise how to enforce the PP?
I already did. You have to use the right software.
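To make concrete what "LDAP Password Modify extended operation" means in the exchange above (and why passwd(1), which never speaks LDAP, cannot produce one), here is an added example that is not part of the thread or of the OpenLDAP project: a small BER encoder/decoder for the RFC 3062 PasswdModifyRequestValue, wrapped into an LDAPMessage carrying an ExtendedRequest. This is the same request that ldappasswd(1) sends when you give it the user's DN; the DN and passwords below are constructed sample values, not anything from the original mails.

```python
"""RFC 3062 Password Modify extended request, hand-encoded as BER.

Added illustration only; not code from the thread or from OpenLDAP.
Tags follow RFC 4511 (LDAPMessage, ExtendedRequest) and RFC 3062
(PasswdModifyRequestValue).
"""
from typing import Optional

PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"  # requestName from RFC 3062


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """One BER tag-length-value element with a single-octet tag."""
    return bytes([tag]) + ber_len(len(value)) + value


def _as_bytes(v) -> bytes:
    return v.encode("utf-8") if isinstance(v, str) else bytes(v)


def passwd_modify_value(user_identity=None, old_passwd=None, new_passwd=None) -> bytes:
    """PasswdModifyRequestValue ::= SEQUENCE {
         userIdentity [0] OCTET STRING OPTIONAL,
         oldPasswd    [1] OCTET STRING OPTIONAL,
         newPasswd    [2] OCTET STRING OPTIONAL }
    All three are context-specific primitive tags: 0x80, 0x81, 0x82.
    Omitting userIdentity means "the bound user"; omitting newPasswd
    asks the server to generate one."""
    parts = b""
    for tag, field in ((0x80, user_identity), (0x81, old_passwd), (0x82, new_passwd)):
        if field is not None:
            parts += tlv(tag, _as_bytes(field))
    return tlv(0x30, parts)


def ldap_extended_request(message_id: int, oid: str, value: Optional[bytes]) -> bytes:
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp ExtendedRequest }
    ExtendedRequest ::= [APPLICATION 23] SEQUENCE {   -- tag 0x77
         requestName  [0] LDAPOID,                     -- tag 0x80
         requestValue [1] OCTET STRING OPTIONAL }      -- tag 0x81"""
    ext = tlv(0x80, oid.encode("ascii"))
    if value is not None:
        ext += tlv(0x81, value)
    # minimal big-endian two's complement for a non-negative INTEGER
    mid = message_id.to_bytes(max(1, (message_id.bit_length() + 8) // 8), "big")
    return tlv(0x30, tlv(0x02, mid) + tlv(0x77, ext))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the element starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_passwd_modify_value(data: bytes) -> dict:
    """Inverse of passwd_modify_value; rejects trailing data and unknown tags."""
    tag, body, end = _read_tlv(data, 0)
    if tag != 0x30 or end != len(data):
        raise ValueError("expected exactly one SEQUENCE")
    names = {0x80: "userIdentity", 0x81: "oldPasswd", 0x82: "newPasswd"}
    out, pos = {}, 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        if tag not in names:
            raise ValueError("unexpected tag 0x%02x" % tag)
        out[names[tag]] = val
    return out


if __name__ == "__main__":
    # Constructed sample values (assumed DN, not from the thread).
    val = passwd_modify_value("uid=fn,ou=people,dc=example,dc=org", "oldsecret", "N3wS3cret!")
    msg = ldap_extended_request(1, PASSWD_MODIFY_OID, val)
    print(msg.hex())
    print(decode_passwd_modify_value(val))
```

The ppolicy overlay sees the newPasswd field of exactly this request (or a plain Modify of userPassword) and can apply its checks there; a tool that only talks to the local PAM stack, like passwd(1), never emits either operation, which is why no overlay setting on the server side can make it obey the policy.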