Hi Prajith,
Please find the details,
1) let us know the client application are you using.
Apache
Directory Studio, Version:
2.0.0.v20150606-M9
2) Paste here your slapd.conf file.
#
# See slapd.conf(5) for
details on configuration options.
# This file should NOT
be world readable.
#
include
/etc/openldap/schema/core.schema
include
/etc/openldap/schema/cosine.schema
include
/etc/openldap/schema/inetorgperson.schema
include
/etc/openldap/schema/nis.schema
include
/etc/openldap/schema/misc.schema
#include
/usr/share/doc/openssh-ldap-6.4p1/openssh-lpk-openldap.schema
# Added for policy
include
/etc/openldap/schema/ppolicy.schema
# Allow LDAPv2 client
connections. This is NOT the default.
allow bind_v2
# Do not enable referrals
until AFTER you have a working directory
# service AND an understanding
of referrals.
#referral ldap://root.openldap.org
pidfile
/var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# Load dynamic backend
modules:
# modulepath /usr/lib64/openldap
# Modules available in
openldap-servers-overlays RPM package
# Module syncprov.la is
now statically linked with slapd and there
# is no need to load it
here
# moduleload accesslog.la
# moduleload auditlog.la
# moduleload denyop.la
# moduleload dyngroup.la
# moduleload dynlist.la
# moduleload lastmod.la
# moduleload pcache.la
moduleload ppolicy.la
moduleload syncprov.la
moduleload accesslog.la
moduleload auditlog.la
#logging level
loglevel -1
logfile /var/log/slapd.log
# moduleload refint.la
# moduleload retcode.la
# moduleload rwm.la
# moduleload smbk5pwd.la
# moduleload translucent.la
# moduleload unique.la
# moduleload valsort.la
# modules available in
openldap-servers-sql RPM package:
# moduleload back_sql.la
# The next three lines
allow use of TLS for encrypting connections using a
# dummy test certificate
which you can generate by changing to
# /etc/pki/tls/certs,
running "make slapd.pem", and fixing permissions on
# slapd.pem so that the
ldap user or group can read it. Your client software
# may balk at self-signed
certificates, however.
#TLSCipherSuite SECURE256:!AES-128-CBC:!ARCFOUR-128:!CAMELLIA-128-CBC:!3DES-CBC:!CAMELLIA-128-CBC
TLSProtocolMin 3.2
TLSCipherSuite HIGH:MEDIUM:+TLSv1.2:!RC4
TLSCertificateFile /etc/openldap/cacerts/ldapsrv.crt
TLSCertificateKeyFile
/etc/openldap/cacerts/ldap.key
TLSCACertificateFile /etc/openldap/cacerts/ca.crt
# Sample security restrictions
# Require integrity
protection (prevent hijacking)
# Require 112-bit
(3DES or better) encryption for updates
# Require 63-bit
encryption for simple bind
# security ssf=1 update_ssf=112
simple_bind=64
# Sample access control
policy:
# Root DSE: allow
anyone to read it
# Subschema (sub)entry
DSE: allow anyone to read it
# Other DSEs:
#
Allow self write access
#
Allow authenticated users read access
#
Allow anonymous users to authenticate
# Directives needed
to implement policy:
# access to dn.base=""
by * read
# access to dn.base="cn=Subschema"
by * read
# access to *
# by self write
# by users read
# by anonymous
auth
#
# if no access controls
are present, the default policy
# allows anyone and everyone
to read anything but restricts
# updates to rootdn. (e.g.,
"access to * by * read")
#
# rootdn can always read
and write EVERYTHING!
disallow bind_anon
access to attrs=userPassword
by
self write
by
dn.base="cn=mirrormode,dc=rnd,dc=com" read
by
dn.base="cn=binduser,dc=rnd,dc=com" read
by
* auth
access to *
by
dn.base="cn=mirrormode,dc=rnd,dc=com" read
by
dn.base="cn=binduser,dc=rnd,dc=com" read
by
* break
access to *
by
dn="cn=Manager,dc=rnd,dc=com"
by
users read
by
self write
by
* auth
#######################################################################
# ldbm and/or bdb database
definitions
#######################################################################
database bdb
# DIT will act as a provider
overlay syncprov
suffix "dc=rnd,dc=com"
rootdn "cn=Manager,dc=rnd,dc=com"
rootpw {SSHA}KOXKk4vkP1X3nF2GY09MQXiaAdxkLyk7
# PPolicy Configuration
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=rnd,dc=com"
ppolicy_use_lockout
# The database directory
MUST exist prior to running slapd AND
# should only be accessible
by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain
for this database
index objectClass
eq,pres
index ou,cn,mail,surname,givenname
eq,pres,sub
index uidNumber,gidNumber,loginShell
eq,pres
index uid,memberUid
eq,pres,sub
index nisMapName,nisMapEntry
eq,pres,sub
Thanks & Regards
Raj
From:
PRAJITH <prajithpalakkuda@gmail.com>
To:
Rajagopal Rc <rajagopal.rc@tcs.com>
Cc:
openldap-technical@openldap.org
Date:
11/22/2015 09:55 AM
Subject:
Re: Problem
with "force user to password reset at first login
Sent by:
"openldap-technical"
<openldap-technical-bounces@openldap.org>
Hi Rajagopal,
Can you confirm the below points?
1) let us know the client application are you using.
2) Paste here your slapd.conf file.
On 20 November 2015 at 13:16, Rajagopal Rc <rajagopal.rc@tcs.com>
wrote:
Hi,
I am trying to force users to change their password at first login or after
password reset by administrator.
Tried following:
1)Password policy 'pwdMustChange TRUE' doesn't seems to be working as non
of the
users get prompt to change their password at first login.
2) used the 'pwdReset TRUE' attribute in users attributes, and it won't
prompt
to change the password and didn't allow to login
i observe below messages in log
"slapd[12684]: connection restricted to password changing only
slapd[12684]: send_ldap_result: err=50 matched="" text="Operations
are
restricted to bind/unbind/abandon/StartTLS/modify password"
slapd[12684]: conn=1053 op=1 SEARCH RESULT tag=101 err=50 nentries=0
text=Operations are restricted to bind/unbind/abandon/StartTLS/modify password"
Please help me configure the option to force all users to change their
password
at first login or after pwd reset by administrator.
Thanks & Regards
Raj
Tata Consultancy Services
Mailto: rajagopal.rc@tcs.com
Website: http://www.tcs.com
____________________________________________
Experience certainty. IT Services
Business Solutions
Consulting
____________________________________________
=====-----=====-----=====
Notice: The information contained in this e-mail
message and/or attachments to it may contain
confidential or privileged information. If you are
not the intended recipient, any dissemination, use,
review, distribution, printing or copying of the
information contained in this e-mail message
and/or attachments to it are strictly prohibited. If
you have received this communication in error,
please notify us by reply e-mail or telephone and
immediately and permanently delete the message
and any attachments. Thank you