Hi,
It looks like the password policy overlay will do exactly what I need it to; I just can't get it to work.
I have applied the overlay to my directory. I have a default policy set that has:
pwdAttribute set to userPassword and pwdMustChange set to TRUE.
However, when I change a user's password, either with an ldapmodify or the ldappasswd command, that user is still able to bind to the directory just fine. I was assuming that a bind attempt would return an error saying that the user had to change their password, or is this not the expected behavior?
Also, I have tried adding pwdReset = TRUE to my user's object, but it complains that pwdReset is not allowed in the schema. Is there a specific objectclass that I have to add to my user entries?
I have also tried creating a schema with pwdReset and pwdPolicySubentry, but when I add that schema it complains that these are operational attributes.
I have upped the logging and when a user tries to bind I see:
Aug 3 08:57:08 devauth slapd[30441]: conn=1017 fd=17 ACCEPT from IP=10.20.48.66:55519 (IP=0.0.0.0:389)
Aug 3 08:57:08 devauth slapd[30441]: conn=1017 op=0 BIND dn="uid=email@test.com,ou=test_websales_users,dc=ls,dc=cbn" method=128
Aug 3 08:57:08 devauth slapd[30441]: => bdb_entry_get: found entry: "uid=email@test.com,ou=test_websales_users,dc=ls,dc=cbn"
Aug 3 08:57:08 devauth slapd[30441]: => bdb_entry_get: found entry: "cn=websales_password_policy,ou=test_websales_users,dc=ls,dc=cbn"
Aug 3 08:57:08 devauth slapd[30441]: => access_allowed: result not in cache (userPassword)
Aug 3 08:57:08 devauth slapd[30441]: => access_allowed: auth access to "uid=email@test.com,ou=test_websales_users,dc=ls,dc=cbn" "userPassword" requested
Aug 3 08:57:08 devauth slapd[30441]: => acl_get: [2] attr userPassword
Aug 3 08:57:08 devauth slapd[30441]: => acl_mask: access to entry "uid=email@test.com,ou=test_websales_users,dc=ls,dc=cbn", attr "userPassword" requested
Aug 3 08:57:08 devauth slapd[30441]: => acl_mask: to value by "", (=0)
Aug 3 08:57:08 devauth slapd[30441]: <= check a_dn_pat: self
Aug 3 08:57:08 devauth slapd[30441]: <= check a_dn_pat: *
Aug 3 08:57:08 devauth slapd[30441]: <= acl_mask: [2] applying auth(=xd) (stop)
Aug 3 08:57:08 devauth slapd[30441]: <= acl_mask: [2] mask: auth(=xd)
Aug 3 08:57:08 devauth slapd[30441]: => slap_access_allowed: auth access granted by auth(=xd)
Aug 3 08:57:08 devauth slapd[30441]: => access_allowed: auth access granted by auth(=xd)
Aug 3 08:57:08 devauth slapd[30441]: conn=1017 op=0 BIND dn="uid=email@test.com,ou=test_websales_users,dc=ls,dc=cbn" mech=SIMPLE ssf=0
So it looks to me like the default policy has been applied, but nothing happens when a password is reset by an administrator.
So I think I am missing something fundamental here. I have a few questions that I think will help me narrow down my problem, though.
1) What is the best way to debug an overlay?
2) Is there a proper way for an administrator to change a password so that the pwdReset flag is set on the user (or whatever is supposed to happen so that the user needs to reset their password on their next bind)?
3) Is it enough to have a password policy with just pwdAttribute and pwdMustChange set, or are there other values that need to be set to make this work?
4) Are there any extra object classes that have to be added to my user entries for the password policies to work?
5) I would like users to have to reset their password on first bind; do I need to set something on object creation?
6) Anything else I might be missing?
Any help would be awesome.
Thanks,
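The bind in the log above carries no Password Policy control, and the ppolicy overlay signals the "must change after reset" state to a client through the Password Policy response control (request OID 1.3.6.1.4.1.42.2.27.8.5.1, from draft-behera-ldap-password-policy). The following is an added example, not code from the poster or from OpenLDAP: it builds the request control and decodes a constructed response value, so a client or test harness can tell a changeAfterReset result apart from a plain successful bind.

```python
# Added example: encode the Password Policy request control and decode the
# PasswordPolicyResponseValue (draft-behera-ldap-password-policy).  The sample
# bytes below are constructed, not captured from the poster's server.

PPOLICY_CONTROL_OID = "1.3.6.1.4.1.42.2.27.8.5.1"

# error ENUMERATED values as defined in the draft
PPOLICY_ERRORS = {
    0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
    3: "passwordModNotAllowed", 4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality", 6: "passwordTooShort",
    7: "passwordTooYoung", 8: "passwordInHistory",
}

def _tlvs(buf: bytes):
    """Yield (tag, value) for each BER TLV in buf (short and long definite lengths)."""
    i = 0
    while i < len(buf):
        tag, length = buf[i], buf[i + 1]
        i += 2
        if length & 0x80:                      # long form: next n bytes hold the length
            n = length & 0x7F
            length = int.from_bytes(buf[i:i + n], "big")
            i += n
        yield tag, buf[i:i + length]
        i += length

def encode_ppolicy_request_control() -> bytes:
    """BER for Control { controlType OID }: criticality defaults to FALSE, no value."""
    oid = PPOLICY_CONTROL_OID.encode()
    body = bytes([0x04, len(oid)]) + oid       # OCTET STRING controlType
    return bytes([0x30, len(body)]) + body     # SEQUENCE

def decode_ppolicy_response(value: bytes) -> dict:
    """Return {'warning': (name, int) or None, 'error': name or None}."""
    tag, seq = next(_tlvs(value))
    if tag != 0x30:
        raise ValueError("PasswordPolicyResponseValue must be a SEQUENCE")
    out = {"warning": None, "error": None}
    for tag, val in _tlvs(seq):
        if tag == 0xA0:                        # warning [0] CHOICE (constructed)
            wtag, wval = next(_tlvs(val))
            name = {0x80: "timeBeforeExpiration", 0x81: "graceAuthNsRemaining"}[wtag]
            out["warning"] = (name, int.from_bytes(wval, "big", signed=True))
        elif tag == 0x81:                      # error [1] ENUMERATED (primitive)
            out["error"] = PPOLICY_ERRORS.get(int.from_bytes(val, "big"), "unknown")
    return out

# Constructed sample: the response a user gets after an administrative reset
# with pwdMustChange TRUE, i.e. error changeAfterReset(2).
SAMPLE_RESET = bytes.fromhex("30 03 81 01 02")
```

With python-ldap or ldap3 the request bytes go in the bind's server controls and the returned control value is fed to decode_ppolicy_response; an empty response with no error is what the log above corresponds to.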