On Fri, 18 Feb 2011 12:55:01 +0600, Konstantin Boyandin temmokan@gmail.com wrote:
Greetings,
Given: OpenLDAP 2.4.23, password policy module enabled, default password policy loaded as

dn: cn=default,ou=Policies,dc=example,dc=com
cn: default
objectClass: pwdPolicy
objectClass: person
objectClass: top
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckQuality: 0
pwdExpireWarning: 600
pwdFailureCountInterval: 30
pwdGraceAuthNLimit: 5
pwdInHistory: 5
pwdLockout: TRUE
pwdLockoutDuration: 30
pwdMaxAge: 7776000
pwdMaxFailure: 5
pwdMinAge: 0
pwdMinLength: 5
pwdMustChange: FALSE
pwdSafeModify: FALSE
sn: dummy value

Authentication is set via LDAP (. The problem: when I try to set a password via ldappasswd, using a command like this:

ldappasswd -e ppolicy -W -x -D "cn=Manager,dc=example,dc=com" \
    -H ldap://127.0.0.1/ -A -S "uid=testuser,ou=Users,dc=example,dc=com"
rootdn bypasses all restrictions.
it bypasses password policy settings - I can set the same password, can set the previously used password. It doesn't matter whether I specify '-e ppolicy' or not.
However, when I try to change password with passwd (authentication is set via LDAP, /etc/ldap.conf contains 'pam_password exop'):
passwd testuser
the password policy restrictions are in effect. I am not allowed to set the same password, to set previous or similar password etc.
Is it possible to make ldappasswd observe password policy restrictions?
Yes, do not bind as rootdn.
-Dieter
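Added illustration, not part of the thread: the policy entry above, parsed back into attributes, and a small model of the two checks that entry actually enforces on a password change (pwdMinLength and pwdInHistory, since pwdCheckQuality is 0) together with the rootdn exemption Dieter points out. The {SSHA} helpers mirror the hash format OpenLDAP stores in userPassword and pwdHistory; the rootdn value, the user DN and the sample passwords are assumptions for the example, and the history model (a list of stored hashes, newest last) is a simplification of the server's pwdHistory bookkeeping.

```python
import base64
import hashlib
import os

# Constructed copy of the policy entry shown in the thread, one attribute per line.
POLICY_LDIF = """dn: cn=default,ou=Policies,dc=example,dc=com
cn: default
objectClass: pwdPolicy
objectClass: person
objectClass: top
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckQuality: 0
pwdExpireWarning: 600
pwdFailureCountInterval: 30
pwdGraceAuthNLimit: 5
pwdInHistory: 5
pwdLockout: TRUE
pwdLockoutDuration: 30
pwdMaxAge: 7776000
pwdMaxFailure: 5
pwdMinAge: 0
pwdMinLength: 5
pwdMustChange: FALSE
pwdSafeModify: FALSE
sn: dummy value
"""

# Assumed values for the example; the thread only shows the Manager DN and testuser DN.
ROOTDN = "cn=Manager,dc=example,dc=com"
USER_DN = "uid=testuser,ou=Users,dc=example,dc=com"


def parse_ldif_entry(text):
    """Parse a single-entry LDIF (no base64 or continuation lines) into attr -> [values]."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def ssha_hash(password, salt=None):
    """OpenLDAP-style {SSHA}: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(password, stored):
    """Check a cleartext candidate against a stored {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("only {SSHA} values are handled in this example")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode() + salt).digest() == digest


def check_password_change(policy, bind_dn, rootdn, new_password, history):
    """
    Model the checks the shown policy applies to a password change.
    history: stored {SSHA} hashes, newest last (the current password included).
    Returns (accepted, reason).
    """
    # The rootdn is exempt from slapo-ppolicy, which is why ldappasswd bound as
    # cn=Manager succeeds regardless of the policy.
    if bind_dn.lower() == rootdn.lower():
        return True, "rootdn bind: password policy is not applied"

    min_len = int(policy.get("pwdMinLength", ["0"])[0])
    if len(new_password) < min_len:
        return False, f"shorter than pwdMinLength={min_len}"

    in_history = int(policy.get("pwdInHistory", ["0"])[0])
    recent = history[-in_history:] if in_history else []
    for stored in recent:
        if ssha_verify(new_password, stored):
            return False, f"reuse: matches one of the last {in_history} passwords"

    # pwdCheckQuality is 0 in this policy, so no quality check is modelled here.
    return True, "accepted"


if __name__ == "__main__":
    policy = parse_ldif_entry(POLICY_LDIF)
    hist = [ssha_hash("oldsecret")]
    for dn, pw in [(ROOTDN, "oldsecret"), (USER_DN, "oldsecret"), (USER_DN, "abc"), (USER_DN, "newsecret9")]:
        print(dn, repr(pw), check_password_change(policy, dn, ROOTDN, pw, hist))
```

The practical consequence for testing a policy: bind as the user (or as a non-rootdn admin DN granted write access to userPassword) rather than as the rootdn, otherwise the server never consults the policy and the test proves nothing.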