thanks for the explanations.
Michael Ströder <michael(a)stroeder.com> writes:
On 2/22/22 19:00, Felix Natter wrote:
>> 1. The LDAP client should support setting a new password via the LDAP
>> Modify Password extended operation
> I tried with passwd(1), which currently ignores the ppolicy. Does
> this mean it does not support an LDAP Modify Password *extended*
> operation? If not, can I enable it?
passwd(1) is not even an LDAP client.
ldappasswd(1) is the right tool for the command-line but takes a DN to
specify the user's entry.
I tried this (which would be fine as a solution):
ldappasswd -H ldap://<ip> -x -D \
cn=ldaptestuser1,ou=users,dc=company,dc=com -W -A -S
but it does not enforce the pwdMinLength:3 restriction of the PP.
But for various reasons I usually disallow changing passwords from
arbitrary systems. I'd recommend forcing users to use a decent central
password self-service web app.
I will look at whether it can be done with LAMPro.
> Now I added olcPPolicyHashCleartext: TRUE to the ppolicy
> But still, the password policy is not enforced with passwd(1).
passwd(1) should not even cause an LDAP modify operation to reach your
OpenLDAP server. Just in case you've added shadow: ldap in your
nsswitch.conf, remove that immediately because it's an ancient insecure
>> Processing of simple bind requests is not affected by these
> Bind request means login request, as opposed to password change request?
Sorry for the nitpicking but the term "login request" is blurry:
"Simple bind request" means literally a simple bind request as described in
This simple bind operation is used by NSS/PAM integration components like
nss-pam-ldapd or sssd (or my own aehostd for Æ-DIR) to let the PAM stack
check the user's password. Maybe this is what you call a "login request".
> Could you please advise how to enforce the PP?
I already did. You have to use the right software.
Thanks and Best Regards,
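As an added illustration, not code from this thread or from OpenLDAP: the value carried by the LDAP Password Modify extended request (RFC 3062) that Michael refers to, encoded and decoded by hand so one can see what ldappasswd actually sends and passwd(1) never does. The OID and ASN.1 layout come from RFC 3062; the function names are mine, and the sample DN is the one from Felix's ldappasswd command.

```python
# Added example, not code from this thread: hand-built BER for the value of an
# LDAP Password Modify extended request (RFC 3062). OID and ASN.1 layout are
# from the RFC; helper names are mine; the DN below is Felix's test entry.
PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"      # requestName of the exop
FIELD_TAGS = {0x80: "userIdentity", 0x81: "oldPasswd", 0x82: "newPasswd"}

def _ber_len(n: int) -> bytes:
    """Definite length: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value

def encode_passwd_modify(user_identity=None, old_passwd=None, new_passwd=None) -> bytes:
    """SEQUENCE { [0] userIdentity, [1] oldPasswd, [2] newPasswd }, all OPTIONAL."""
    fields = b""
    for tag, val in ((0x80, user_identity), (0x81, old_passwd), (0x82, new_passwd)):
        if val is not None:                         # context-specific primitive tags
            fields += _tlv(tag, val.encode("utf-8"))
    return _tlv(0x30, fields)                       # 0x30 = universal SEQUENCE

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos); refuse anything that overruns the buffer."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("unsupported or truncated length")
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    if pos + length > len(buf):
        raise ValueError("value overruns buffer")
    return tag, buf[pos:pos + length], pos + length

def decode_passwd_modify(data: bytes) -> dict:
    """Inverse of encode_passwd_modify; rejects unknown, repeated or misordered fields."""
    tag, body, end = _read_tlv(data, 0)
    if tag != 0x30 or end != len(data):
        raise ValueError("expected exactly one SEQUENCE")
    out, pos, last = {}, 0, 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        if tag not in FIELD_TAGS or tag <= last:
            raise ValueError("unexpected field tag 0x%02x" % tag)
        out[FIELD_TAGS[tag]], last = val.decode("utf-8"), tag
    return out
```

Decoding the same bytes from a packet capture of an ldappasswd run shows the DN and both passwords in the clear, which is why this operation belongs on a TLS-protected connection.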