After nearly two weeks of going nuts trying to set up a password policy, I finally found part of the documentation that I was missing. Apparently "ppolicy" does not actually enforce the policy you create. If I'm understanding the documentation correctly, it really only provides more of a transport to something else which can do it.
In particular, the attribute pwdCheckModule needs to point to a module which can enforce the policy. However, no module seems to be provided.
What modules are other people using? I stumbled around and found password_check.so, which I am trying to set up now with partial success.
http://ltb-project.org/wiki/documentation/openldap-ppolicy-check-password
Anyone else have something better? One thing I need to do which I don't think this will help with, is storing the last x passwords.
Thanks, Dan
2013/4/10 D C dc12078@gmail.com
> After nearly two weeks of going nuts trying to set up a password policy, I finally found part of the documentation that I was missing. Apparently "ppolicy" does not actually enforce the policy you create. If I'm understanding the documentation correctly, it really only provides more of a transport to something else which can do it.
No, ppolicy overlay manages a lot of things, like password history, password min size, password expiration, etc.
> In particular, the attribute pwdCheckModule needs to point to a module which can enforce the policy. However, no module seems to be provided.
> What modules are other people using? I stumbled around and found password_check.so, which I am trying to set up now with partial success.
> http://ltb-project.org/wiki/documentation/openldap-ppolicy-check-password
This module adds some additional checks to the standard ppolicy overlay, like lower- and upper-case characters.
> Anyone else have something better? One thing I need to do which I don't think this will help with, is storing the last x passwords.
Just use the standard ppolicy overlay and set pwdInHistory attribute value.
Clément.
> Thanks, Dan
I have tried using ppolicy, but it is not really doing anything. I can confirm that my policy is being used by flipping the "pwdSafeModify" attribute.
When set to true, users cannot change their password and they get a message saying that they need to send both the old and new password together.
Other than that, none of the other fields seem to have any effect.
Do you have a working example of ppolicy?
Thanks, Dan
On Wed, Apr 10, 2013 at 9:03 AM, Clément OUDOT clem.oudot@gmail.com wrote:
2013/4/10 D C dc12078@gmail.com
> I have tried using ppolicy, but it is not really doing anything. I can confirm that my policy is being used by flipping the "pwdSafeModify" attribute.
> When set to true, users cannot change their password and they get a message saying that they need to send both the old and new password together.
> Other than that, none of the other fields seem to have any effect.
> Do you have a working example of ppolicy?
Are you sure you are not using the root account (rootdn) to change the password?
What version of OpenLDAP are you using?
Clément.
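Since nobody in the thread posts one, here is a complete ppolicy configuration as an added example (it is not from the thread, and not OpenLDAP's or the LTB project's own documentation) for the cn=config style on a 2.4-series slapd. It covers the attributes Clément names (history, minimum length, expiration) plus lockout, and is written so that the rootdn pitfall from his question can be checked. The suffix dc=example,dc=com, the database entry olcDatabase={1}hdb, the module{0} index, the policy DN cn=default,ou=policies,dc=example,dc=com and every numeric value are assumptions for illustration. It assumes the ppolicy schema (ppolicy.ldif from the schema directory) is already loaded into cn=config and that ou=policies exists.

```ldif
# Added example, not from the thread. Assumed suffix: dc=example,dc=com;
# assumed database entry: olcDatabase={1}hdb,cn=config.

# 1. Load the overlay module (module{0} index and module path are assumptions).
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy.la

# 2. Attach the overlay to the database and point it at a default policy.
#    Without a default policy (or a per-entry pwdPolicySubentry) no entry is
#    governed, and every pwd* attribute you set is silently ignored.
dn: olcOverlay=ppolicy,olcDatabase={1}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=com
# Hash cleartext passwords server-side: the quality checks then see the
# cleartext before it is stored, instead of an unverifiable client-side hash.
olcPPolicyHashCleartext: TRUE
# Return AccountLocked on bind to a locked entry instead of invalidCredentials.
olcPPolicyUseLockout: TRUE

# 3. The policy entry. pwdPolicy is AUXILIARY, so it needs a structural class;
#    person is the usual choice (cn and sn are required).
dn: cn=default,ou=policies,dc=example,dc=com
changetype: add
objectClass: person
objectClass: pwdPolicy
cn: default
sn: default
pwdAttribute: userPassword
# Quality: 2 = enforce pwdMinLength and reject any value that cannot be
# checked (e.g. one sent already hashed); 1 would accept uncheckable values.
pwdCheckQuality: 2
pwdMinLength: 12
# History: keep the last 5 hashes in the pwdHistory attribute and reject reuse.
pwdInHistory: 5
# Expiration: 90 days, warn during the last 14, no grace binds after expiry.
pwdMaxAge: 7776000
pwdExpireWarning: 1209600
pwdGraceAuthNLimit: 0
# Lockout: 5 failures inside 15 minutes locks the entry for 15 minutes.
pwdMaxFailure: 5
pwdFailureCountInterval: 900
pwdLockout: TRUE
pwdLockoutDuration: 900
# Force a change after an administrative reset, let users change their own
# password, and do not require old+new in one modify (the pwdSafeModify
# behaviour Dan observed when it was TRUE).
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
```

Apply it with ldapadd/ldapmodify against cn=config, then test as the user whose password is being changed, never as rootdn: bind with the user's own DN (for instance with ldappasswd -x -D <user DN> -W -S) and try a short password, then the previous password. The overlay answers with a constraint violation and a message such as "Password fails quality checking policy" or "Password is in history of old passwords". Two caveats matter for the "nothing happens" symptom in the thread: changes performed as rootdn are not subject to these checks, and pwdHistory is only populated by changes made while the overlay is active, so reuse is first rejected on the second change after the policy is in place.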
My mistake. I've had password policies on my mind so much lately, that I have been mostly focusing on the password strength portion of it, which I realize is not part of ppolicy itself.
I'm going through each attribute right now to do a thorough test of what is working and / or not working.
Server is openldap 2.4.23
Thanks, Dan
On Wed, Apr 10, 2013 at 9:14 AM, Clément OUDOT clem.oudot@gmail.com wrote:
--On Wednesday, April 10, 2013 9:30 AM -0400 D C dc12078@gmail.com wrote:
> Server is openldap 2.4.23
Seriously? You're using a version of OpenLDAP that is nearly 3 years old? Why would you do that to yourself?
--Quanah
--
Quanah Gibson-Mount Sr. Member of Technical Staff Zimbra, Inc A Division of VMware, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration
openldap-technical@openldap.org