I have reinstalled openldap and applied slapo-ppolicy, carefully looking at the man pages and the configuration.
How do I then apply this to existing openldap accounts?

Thank you, Liz
From: Michael Ströder <michael@stroeder.com>
Date: Monday, September 28, 2015 at 10:57 PM
To: Elizabeth Real Chavez <Elizabeth.Real@jpl.nasa.gov>, "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Subject: Re: Allow users to change ldap password with passwd
Elizabeth,

sorry, your wording does not result in any valid interpretation on my side. Especially, you obfuscated too much.

To see what's really going on you should again carefully examine your configuration and slapd logs, and check the command lines more carefully.

Ciao, Michael.
Real, Elizabeth (392K) wrote:

Michael,

I modified the command and was able to implement the password policy using:

# ldapadd -x -W -D cn=****,dc=****,dc=**** -f passwordPolicy.ldif

Verified the policy was applied:

# ldapsearch -x -D cn=****,dc=****,dc=**** -H ldap:// -b dc=****,dc=**** -W

# real, People, ****.****
dn: uid=real,ou=People,dc=****,dc=****
uid: real
homeDirectory: /home/real
memberUid: real
…
…

# policies, ****.****
dn: cn=policies,dc=cluster,dc=sec312
objectClass: pwdPolicy
objectClass: person
objectClass: top
cn:: cG9saWNpZXMg
sn: policies
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdExpireWarning: 3600
pwdInHistory: 10
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdMaxAge: 7776000
pwdMaxFailure: 5
pwdMinAge: 0
pwdMinLength: 8
pwdMustChange: FALSE
pwdSafeModify: FALSE

# search result
search: 2
result: 0 Success

# numResponses: 598
# numEntries: 597

TEST: I reset the password for user 'real' on an ldap client using passwd; the password was successfully changed. However, the new user password did not change on the ldap server. It appears that the policy is not updating the ou that my user 'real' belongs to.
Maybe it's got to do with my ldap tree and where I configured my password policy (cn=policies). This is how it is now:

dc=****, dc=****
  cn=policies
  …
  …
  ou=People
  …
  …

Thank you, Liz

From: Michael Ströder <michael@stroeder.com>
Date: Thursday, September 24, 2015 at 11:42 AM
To: Elizabeth Real Chavez <Elizabeth.Real@jpl.nasa.gov>, "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Subject: Re: Allow users to change ldap password with passwd

Real, Elizabeth (392K) wrote:

I replaced ou with cn, tried loading the ldif and got this message:

# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f passwordPolicy.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=policies,dc=*****,dc=*****"
ldap_add: Insufficient access (50)
additional info: no write access to parent

I guess you want to use another bind-DN with -D when writing to your normal DB backend / naming context dc=*****,dc=*****. And defining -Y and -D together does not make sense. Please consult the man page and look at the various bind methods more closely.

Ciao, Michael.
--
Michael Ströder, Dipl.-Inform.
Klauprechtstr. 11
D-76137 Karlsruhe, Germany
Tel.: +49 721 8304316
Mobil: +49 170 2391920
E-Mail: michael@stroeder.com
http://www.stroeder.com
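Whether the cn=policies entry actually governs the user entry is the open question in the thread above. The script below is an added example, not code from the list or from the OpenLDAP project: it parses ldapsearch-style LDIF output (sample constructed from the values Liz posted, with the placeholder suffix dc=example,dc=org), decodes the base64 cn value, and reports what a reviewer would check in that policy, including that slapo-ppolicy applies a policy to an entry only through the entry's pwdPolicySubentry attribute or the overlay's ppolicy_default setting.

```python
import base64
import re

# Constructed sample: the user and policy entries from the thread, with the
# obfuscated suffix replaced by the placeholder dc=example,dc=org.
SAMPLE_LDIF = """\
dn: uid=real,ou=People,dc=example,dc=org
uid: real
homeDirectory: /home/real

dn: cn=policies,dc=example,dc=org
objectClass: pwdPolicy
cn:: cG9saWNpZXMg
pwdAttribute: userPassword
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdMaxAge: 7776000
pwdMaxFailure: 5
pwdMinLength: 8
"""

def parse_ldif(text):
    """Return {dn: {attr: [values]}}; a '::' separator marks a base64 value."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, sep, value = re.match(r"^([^:]+)(::?) ?(.*)$", line).groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8")
        if attr == "dn":
            current = entries.setdefault(value, {})
            continue
        current.setdefault(attr, []).append(value)
    return entries

def audit_policy(entries, policy_dn, user_dn):
    """List the points a reviewer would raise about this policy and this user."""
    pol, user, findings = entries[policy_dn], entries[user_dn], []
    cn = pol["cn"][0]
    if cn != cn.strip():  # the reason ldapsearch printed cn base64-encoded
        findings.append("cn has surrounding whitespace: %r" % cn)
    if pol.get("pwdLockout", ["FALSE"])[0] == "TRUE" and pol.get("pwdLockoutDuration", ["0"])[0] == "0":
        findings.append("pwdLockoutDuration 0: locked accounts stay locked until an admin clears pwdAccountLockedTime")
    days = int(pol.get("pwdMaxAge", ["0"])[0]) // 86400
    if days:
        findings.append("pwdMaxAge is %d days" % days)
    if policy_dn not in user.get("pwdPolicySubentry", []):
        findings.append("user lacks pwdPolicySubentry for this DN; only the overlay's ppolicy_default would apply")
    return findings
```

Run it against real ldapsearch output by replacing SAMPLE_LDIF with the captured text; the base64 check is what reveals the trailing space hidden in `cn:: cG9saWNpZXMg`.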