* Do not use rootdn account to test ppolicy (rootdn bypass ppolicy)
-  i have a service account setup in /etc/pam_ldap.conf.
What should the proper acl be for this? 

* Do not hash password before modifying it (password in SSHA cannot be verified against min size for example)
- Ah. i'll change that to send in clear and try again.  However shouldn't this just make the check fail being that the hash will be longer then 12 chars?

* What client do you use to test?
pam_ldap, and apache directory studio (bind as regular user)


Thanks,
Dan


On Wed, Apr 10, 2013 at 12:34 PM, Clément OUDOT <clem.oudot@gmail.com> wrote:


2013/4/10 D C <dc12078@gmail.com>
Fair enough.  now I'm updated
$ rpm -qa |grep openldap
openldap-ltb-2.4.35-1.el6.x86_64
openldap-ltb-check-password-1.1-8.el6.x86_64

I dumped and reimported my database, and tried agian.  I dont see any difference.

TESTS:                      RESULT:

pwdSafeModify: FALSE        PASS:   Message: LDAP password information update failed: Insufficient access.   Must supply old password to be changed as well as new one
pwdAllowUserChange: FALSE   PASS:   Message: LDAP password information update failed: Insufficient access.   User alteration of password is not allowed
pwdMaxAge: 300              Not Tested.
pwdExpireWarning: 10        Not Tested.
pwdInHistory: 3             FAIL:   I can still flip between 2 passwords
pwdMinLength: 12            FAIL:   I can still set a 6 char password
pwdMustChange:              FAIL:   I am not forced to change passwd.
pwdMaxFailure: 2            FAIL:   Still allowed in after 3 failures





Several points:
* Do not use rootdn account to test ppolicy (rootdn bypass ppolicy)
* Do not hash password before modifying it (password in SSHA cannot be verified against min size for example)
* What client do you use to test?


Clément.