2010/10/14 Meghanand Acharekar vasco.debian@gmail.com:
On Mon, Oct 11, 2010 at 7:57 PM, Christian Manal moenoel@informatik.uni-bremen.de wrote:
On 11.10.2010 16:06, Meghanand Acharekar wrote:
On Mon, Oct 11, 2010 at 7:08 PM, Christian Manal <moenoel@informatik.uni-bremen.de> wrote:
On 11.10.2010 15:25, Meghanand Acharekar wrote:
On Mon, Oct 11, 2010 at 6:42 PM, Christian Manal <moenoel@informatik.uni-bremen.de> wrote:
On 11.10.2010 14:41, Meghanand Acharekar wrote:
> Hi,
>
> I am using ppolicy overlay to enforce password policies.
> Following is my ppolicy configuration/ldif.
>
> dn: cn=policies,dc=example,dc=com
> objectClass: top
> objectClass: device
> objectClass: pwdPolicy
> cn: policies
> pwdAttribute: userPassword
> pwdMaxAge: 7516800
> pwdExpireWarning: 432000
> pwdInHistory: 6
> pwdCheckQuality: 1
> pwdMinLength: 8
> pwdMaxFailure: 4
> pwdLockout: TRUE
> pwdLockoutDuration: 1920
> pwdGraceAuthNLimit: 0
> pwdFailureCountInterval: 0
> pwdMustChange: TRUE
> pwdAllowUserChange: TRUE
> pwdSafeModify: FALSE
>
> while changing password on first login I got following error.
>
> WARNING: Your password has expired.
> You must change your password now and login again!
> Changing password for user prasad.
> Enter login(LDAP) password:
> New UNIX password:
> Retype new UNIX password:
> LDAP password information update failed: Constraint violation
> Password is too young to change
> passwd: Permission denied
> Connection to myhost closed.
>
> Thanks in advance
> Meghanand N Acharekar.
Hi,
when you set 'pwdCheckQuality: 1', you require a module to actually check the quality of the password. See slapo-ppolicy(5) and look at the pwdPolicyChecker/pwdCheckModule parts.
Hello
After setting pwdReset TRUE in user attribute, I'm getting another error.
LDAP password information update failed: Constraint violation
Password fails quality checking policy
passwd: Permission denied
Connection to myhost closed.
Is it mandatory to use this module if we want to enforce password policies?
Any idea?
Regards, Christian Manal
The 'Constraint violation' error means that the new password does not conform to the quality requirements, or in your case, the quality could not be verified at all. As I said, if you want to use
pwdCheckQuality: 1
you *need* a pwdCheckModule to run the password through, or you will always get a constraint violation.
Okies, if I use simple password it prompts me as follows.
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user test
Enter login(LDAP) password:
New UNIX password:
BAD PASSWORD: it does not contain enough DIFFERENT characters
New UNIX password:
BAD PASSWORD: it is based on a dictionary word
New UNIX password:
Retype new UNIX password:
LDAP password information update failed: Constraint violation
Password fails quality checking policy
I think the "BAD PASSWORD" messages are coming from your PAM stack. pam_cracklib, or something, may check the password quality, before passing it to pam_ldap. But that doesn't have anything to do with the quality checking of slapo-ppolicy.
Update. I was not able to compile the check_password.c file, due to limited time. Finally I removed pwdCheckQuality & pwdMinLen from ppolicy, and now have a configuration which relies on pam_cracklib on individual systems for password quality checks and slapd-ppolicy for the rest. I will further try compilation of check_password.c when I find enough time ;)
Hi,
you will find some documentation here: http://ltb-project.org/wiki/documentation/openldap-ppolicy-check-password
Clément.
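
For reference, a minimal module of the kind the pwdCheckModule attribute points at, added here as an illustration; it is not code from this thread and not the LTB project's check_password.c. It uses the check_password() prototype documented in slapo-ppolicy(5) for OpenLDAP 2.4; the stand-in declarations, the MIN_CLASSES rule and the reject() helper are assumptions made for the example.

```c
/* Added example: minimal pwdCheckModule for slapo-ppolicy (2.4-era prototype).
 * In a real build, include OpenLDAP's portable.h and slap.h instead of the
 * stand-in declarations below, and compile the file as a shared object. */
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

#ifndef LDAP_SUCCESS              /* stand-ins so this file compiles alone */
#define LDAP_SUCCESS 0x00
#define LDAP_CONSTRAINT_VIOLATION 0x13
typedef struct Entry Entry;       /* opaque here; the real type is in slap.h */
#endif

#define MIN_CLASSES 3             /* assumed rule: 3 of 4 character classes */

/* Hypothetical helper: copy msg into malloc'd memory, because slapd
 * free()s the error string it gets back from the module. */
static int reject(char **ppErrStr, const char *msg)
{
    if (ppErrStr != NULL) {       /* the caller may pass NULL */
        size_t n = strlen(msg) + 1;
        *ppErrStr = malloc(n);
        if (*ppErrStr != NULL)
            memcpy(*ppErrStr, msg, n);
    }
    return LDAP_CONSTRAINT_VIOLATION;  /* any non-success value rejects */
}

/* Entry point slapd resolves in the module named by pwdCheckModule.
 * pPasswd is the clear-text candidate password. */
int check_password(char *pPasswd, char **ppErrStr, Entry *pEntry)
{
    int lower = 0, upper = 0, digit = 0, other = 0;
    (void)pEntry;                 /* entry being changed; unused in this rule */

    if (pPasswd == NULL || *pPasswd == '\0')
        return reject(ppErrStr, "empty password");

    for (const unsigned char *p = (const unsigned char *)pPasswd; *p; p++) {
        if (islower(*p)) lower = 1;
        else if (isupper(*p)) upper = 1;
        else if (isdigit(*p)) digit = 1;
        else other = 1;
    }
    if (lower + upper + digit + other < MIN_CLASSES)
        return reject(ppErrStr, "password uses too few character classes");

    return LDAP_SUCCESS;
}
```

The module only sees the password when the client sends it in clear text, so a pre-hashed userPassword value cannot be checked this way.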