Re: exempt some users from OpenLDAP password policy

22 Apr 2018

      Dear All,
How can we disable password policy completely?
Thanks, 
Tayyab Saeed 
----- Original Message -----
From: "Dave Macias" davama@gmail.com 
To: "Tayyab Saeed" tayyab.saeed@nds.com.pk 
Cc: openldap-technical@openldap.org, "Matthieu Cerda" matthieu.cerda@nbs-system.com 
Sent: Thursday, April 19, 2018 5:36:04 PM 
Subject: Re: exempt some users from OpenLDAP password policy
What your ldap tree look like (the relevant parts, users, current ppolicy)?
As far as links, there are soo many out there. Just search for one that fits your enviroment 
Here is how to add a ppolicy in the first place. 
https://wiki.polaire.nl/doku.php?id=centos7_openldap_ppolicy
How to add ppolicy to specific objects: 
http://www.zytrax.com/books/ldap/ch6/ppolicy.html#examples
As Matthieu already mentioned, assuming you already have a ppolicy, then you would need to create a less restrictive policy and apply to specific users using the pwdPolicySubentry attribute
regards, 
dave
On Apr 15, 2018, 11:50 PM -0400, Tayyab Saeed < tayyab.saeed@nds.com.pk >, wrote:
Dear All,
I am sorry but still unable to configure the same, could anyone please share the complete steps / link so i can setup the same.
Thanks, 
Tayyab Saeed
From: "Dave Macias" < davama@gmail.com > 
To: "Matthieu Cerda" < matthieu.cerda@nbs-system.com > 
Cc: openldap-technical@openldap.org 
Sent: Friday, April 13, 2018 8:27:04 PM 
Subject: Re: exempt some users from OpenLDAP password policy
Here is an example which you can apply per-user which needs to be exempted:
dn: cn=ppolicy-exclude,ou=policies,dc=organization,dc=org 
cn: ppolicy-exclude 
objectClass: top 
objectClass: device 
objectClass: pwdPolicyChecker 
objectClass: pwdPolicy 
pwdAttribute: userPassword 
pwdAllowUserChange: TRUE 
pwdMustChange: FALSE 
pwdLockout: FALSE
On Fri, Apr 13, 2018 at 10:28 AM, Matthieu Cerda < matthieu.cerda@nbs-system.com > wrote:
<blockquote>
Hello,
You may either:
* Set a relaxed default password policy using olcPPolicyDefault / ppolicy_default (or no default policy at all) and set more restrictive password policies on some of your users by setting the pwdPolicySubentry attribute on their object 
    * Set a restrictive default password policy, and a relaxed ones on some of your users
Using one or the other depends on the proportions of exceptions you would generate: the less, the better
-- 
Matthieu CERDA 

Le 13/04/2018 à 11:38, Tayyab Saeed a écrit : 

<blockquote>

Dear Peter / ALL, 

Thanks a lot for your reply. 

So how can we exempt some users from password policy ? 

Is it possible in OpenLDAP or not ? 

Thanks, 
Tayyab Saeed 

From: "Peter Gietz" peter.gietz@daasi.de 
To: openldap-technical@openldap.org 
Sent: Friday, April 13, 2018 1:08:31 PM 
Subject: Re: exempt some users from OpenLDAP password policy 

Dear Tayyab, 

well the error message says most of it. 

The attribute pwdChangedTime is defined in sect. 5.3.2. of https://tools.ietf.org/html/draft-behera-ldap-password-policy-10 as: 

... 

NO-USER-MODIFICATION 
USAGE directoryOperation ) 

Which means, that an LDAP client is not allowed to modify the values of this attribute, and that it is to be modified by the directory server only. 

And this makes perfectly sense, that the value is changed, if and only if the password is being changed. 

Cheers, 
Peter 

Am 12.04.2018 um 22:55 schrieb Tayyab Saeed: 

<blockquote>

Dear All, 

I have tried modifying pwdChangedTime & facing below error 

modifying entry 
"uid=test1,ou=ITSupport,ou=people,dc=mydomain,dc=com" 
ldap_modify: Constraint violation (19) 
additional info: pwdChangedTime: no user modification allowed 

Thanks, 
Tayyab Saeed 

</blockquote>

--  
Matthieu Cerda
Infrastructure, BU Means @ NBS System 
</blockquote>

</blockquote>

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

Re: exempt some users from OpenLDAP password policy