I am getting a little further with this.
I have added
pwdLockout = TRUE
pwdMaxFailure = 5
pwdMinLength = 8
Now if I try to log in with the wrong password it adds a pwdFailureTime attribute to the user as expected, and after 5 I can't bind as that user anymore. Then if I reset the password the user can log in again. So at least something with the policy is working.
When I change the password, however, it allows passwords with fewer than 8 characters, and pwdReset is still not set on the user's entry.
Any thoughts on what might be happening?
Thanks,
Bram
On 2014-08-03, 9:10 AM, Bram Cymet wrote:
Hi,
It looks like the password policy overlay will do exactly what I need it to; I just can't get it to work.
I have applied the overlay to my directory. I have a default policy set that has:
pwdAttribute set to userPassword and pwdMustChange set to TRUE.
However, when I change a user's password, either with ldapmodify or the ldappasswd command, that user is still able to bind to the directory just fine. I was assuming that a bind attempt would return an error saying that the user had to change their password. Or is this not the expected behavior?
Also, I have tried adding pwdReset = TRUE to my user's object, but it complains that pwdReset is not allowed in the schema. Is there a specific objectclass that I have to add to my user entries?
I have also tried creating a schema with pwdReset and pwdPolicySubentry, but when I add that schema it complains that these are operational attributes.
I have upped the logging, and when a user tries to bind I see:
Aug 3 08:57:08 devauth slapd[30441]: conn=1017 fd=17 ACCEPT from IP=10.20.48.66:55519 (IP=0.0.0.0:389)
Aug 3 08:57:08 devauth slapd[30441]: conn=1017 op=0 BIND dn="uid=email@test.com,ou=test_websales_users,dc=ls,dc=cbn" method=128
Aug 3 08:57:08 devauth slapd[30441]: => bdb_entry_get: found entry: "uid=email@test.com,ou=test_websales_users,dc=ls,dc=cbn"
Aug 3 08:57:08 devauth slapd[30441]: => bdb_entry_get: found entry: "cn=websales_password_policy,ou=test_websales_users,dc=ls,dc=cbn"
Aug 3 08:57:08 devauth slapd[30441]: => access_allowed: result not in cache (userPassword)
Aug 3 08:57:08 devauth slapd[30441]: => access_allowed: auth access to "uid=email@test.com,ou=test_websales_users,dc=ls,dc=cbn" "userPassword" requested
Aug 3 08:57:08 devauth slapd[30441]: => acl_get: [2] attr userPassword
Aug 3 08:57:08 devauth slapd[30441]: => acl_mask: access to entry "uid=email@test.com,ou=test_websales_users,dc=ls,dc=cbn", attr "userPassword" requested
Aug 3 08:57:08 devauth slapd[30441]: => acl_mask: to value by "", (=0)
Aug 3 08:57:08 devauth slapd[30441]: <= check a_dn_pat: self
Aug 3 08:57:08 devauth slapd[30441]: <= check a_dn_pat: *
Aug 3 08:57:08 devauth slapd[30441]: <= acl_mask: [2] applying auth(=xd) (stop)
Aug 3 08:57:08 devauth slapd[30441]: <= acl_mask: [2] mask: auth(=xd)
Aug 3 08:57:08 devauth slapd[30441]: => slap_access_allowed: auth access granted by auth(=xd)
Aug 3 08:57:08 devauth slapd[30441]: => access_allowed: auth access granted by auth(=xd)
Aug 3 08:57:08 devauth slapd[30441]: conn=1017 op=0 BIND dn="uid=email@test.com,ou=test_websales_users,dc=ls,dc=cbn" mech=SIMPLE ssf=0
So it looks to me like the default policy has been applied, but nothing happens when a password is reset by an administrator.
So I think I am missing something fundamental here. I have a few questions that I think will help me narrow down my problem, though.
- What is the best way to debug an overlay?
- Is there a proper way for an administrator to change a password so that the pwdReset flag is set on the user (or whatever is supposed to happen so that the user needs to reset their password on their next bind)?
- Is it enough to have a password policy with just pwdAttribute and pwdMustChange set, or are there other values that need to be set to make this work?
- Are there any extra object classes that have to be added to my user entries for the password policies to work?
- I would like users to have to reset their password on first bind; do I need to set something on object creation?
- Anything else I might be missing?
Any help would be awesome.
Thanks,
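Added example, not code from the thread or from OpenLDAP: the question above expects an admin-reset password to make the next bind fail, but slapo-ppolicy lets the bind succeed and reports the must-change state in the password policy response control (OID 1.3.6.1.4.1.42.2.27.8.5.1), which it only returns when the client sent the matching request control; operations other than a password change are then refused. This decoder turns that control value into the error and warning names, so a client can see changeAfterReset (the pwdReset case) or accountLocked (the pwdLockout case). The control bytes below are constructed by hand, not captured from the poster's server.

```python
# Decoder for the ppolicy response control value (draft-behera-ldap-password-policy):
#   PasswordPolicyResponseValue ::= SEQUENCE {
#     warning [0] CHOICE { timeBeforeExpiration [0] INTEGER,
#                          graceAuthNsRemaining [1] INTEGER } OPTIONAL,
#     error   [1] ENUMERATED { passwordExpired(0) ... passwordInHistory(8) } OPTIONAL }
PPOLICY_CONTROL_OID = "1.3.6.1.4.1.42.2.27.8.5.1"

ERRORS = {0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
          3: "passwordModNotAllowed", 4: "mustSupplyOldPassword",
          5: "insufficientPasswordQuality", 6: "passwordTooShort",
          7: "passwordTooYoung", 8: "passwordInHistory"}
# Context-specific primitive tags of the two CHOICE alternatives inside the warning.
WARNINGS = {0x80: "timeBeforeExpiration", 0x81: "graceAuthNsRemaining"}

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value bytes, next pos)."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:  # long-form definite length
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        pos += n
    start = pos + 2
    return tag, buf[start:start + length], start + length

def decode_ppolicy_response(value):
    """Return {'warning': (name, seconds_or_count) or None, 'error': name or None}."""
    tag, body, _ = _tlv(value, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    result = {"warning": None, "error": None}
    pos = 0
    while pos < len(body):
        tag, inner, pos = _tlv(body, pos)
        if tag == 0xA0:  # warning [0], constructed, wraps one CHOICE alternative
            wtag, wval, _ = _tlv(inner, 0)
            result["warning"] = (WARNINGS[wtag], int.from_bytes(wval, "big"))
        elif tag == 0x81:  # error [1] ENUMERATED
            result["error"] = ERRORS[int.from_bytes(inner, "big")]
        else:
            raise ValueError(f"unexpected tag 0x{tag:02x}")
    return result

def must_change_password(value):
    """True when the server marked the entry pwdReset (error changeAfterReset)."""
    return decode_ppolicy_response(value)["error"] == "changeAfterReset"

# Constructed sample control values (hand-encoded, not from a real server):
AFTER_ADMIN_RESET = bytes.fromhex("30 03 81 01 02")   # error = changeAfterReset
LOCKED_OUT = bytes.fromhex("30 03 81 01 01")          # error = accountLocked
EXPIRING = bytes.fromhex("30 06 a0 04 80 02 0e 10")   # warning: expires in 3600 s
```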