5:41 a.m.
After nearly two weeks of going nuts trying to setup a password policy, I
finally found part of the documentation that I was missing. Apparently
"ppolicy" does not actualy enforce the policy you create. If I'm
understanding the documentation correctly, it really only provides more of
a transport to something else which can do it.
In particular the attribute pwdCheckModule, needs to point to a module
which can enforce the policy. However no module seems to be provided.
What modules are other people using? I stumbled around and found
password_check.so, which I am trying to setup now with partial success.
http://ltb-project.org/wiki/documentation/openldap-ppolicy-check-password
Anyone else have something better? One thing I need to do which I don't
think this will help with, is storing the last x passwords.
Thanks,
Dan
6:03 a.m.
2013/4/10 D C <dc12078(a)gmail.com>
After nearly two weeks of going nuts trying to setup a password
policy, I
finally found part of the documentation that I was missing. Apparently
"ppolicy" does not actualy enforce the policy you create. If I'm
understanding the documentation correctly, it really only provides more of
a transport to something else which can do it.
No, ppolicy overlay manages a lot of things, like password history,
password min size, password expiration, etc.
In particular the attribute pwdCheckModule, needs to point to a module
which can enforce the policy. However no module seems to be provided.
What modules are other people using? I stumbled around and found
password_check.so, which I am trying to setup now with partial success.
http://ltb-project.org/wiki/documentation/openldap-ppolicy-check-password
This module adds some additional checks to the standard ppolicy overlay,
like lower and upper cases characters.
Anyone else have something better? One thing I need to do which I
don't
think this will help with, is storing the last x passwords.
Just use the standard ppolicy overlay and set pwdInHistory attribute value.
Clément.
Thanks,
Dan
6:12 a.m.
I
have tried using ppolicy, but it is not really doing anything.
I can confirm that my policy is being used by flipping the "pwdSafeModify"
attribute.
When set to true, users cannot change their password and they get a
message saying that they need to send both the old and new password
together.
Other than that, none of the other fields seem to have any effect.
Do you have a working example of ppolicy?
Thanks,
Dan
On Wed, Apr 10, 2013 at 9:03 AM, Clément OUDOT <clem.oudot(a)gmail.com> wrote:
2013/4/10 D C <dc12078(a)gmail.com>
> After nearly two weeks of going nuts trying to setup a password policy, I
> finally found part of the documentation that I was missing. Apparently
> "ppolicy" does not actualy enforce the policy you create. If I'm
> understanding the documentation correctly, it really only provides more of
> a transport to something else which can do it.
>
No, ppolicy overlay manages a lot of things, like password history,
password min size, password expiration, etc.
>
> In particular the attribute pwdCheckModule, needs to point to a module
> which can enforce the policy. However no module seems to be provided.
>
> What modules are other people using? I stumbled around and found
> password_check.so, which I am trying to setup now with partial success.
>
> http://ltb-project.org/wiki/documentation/openldap-ppolicy-check-password
>
>
This module adds some additional checks to the standard ppolicy overlay,
like lower and upper cases characters.
> Anyone else have something better? One thing I need to do which I don't
> think this will help with, is storing the last x passwords.
>
>
Just use the standard ppolicy overlay and set pwdInHistory attribute value.
Clément.
> Thanks,
> Dan
>
6:14 a.m.
2013/4/10 D C <dc12078(a)gmail.com>
I
have tried using ppolicy, but it is not really doing anything.
I can confirm that my policy is being used by flipping the "pwdSafeModify"
attribute.
When set to true, users cannot change their password and they get a
message saying that they need to send both the old and new password
together.
Other than that, none of the other fields seem to have any effect.
Do you have a working example of ppolicy?
Are you sure your are not using the root account (rootdn) to change the
password?
What version of OpenLDAP are you using?
Clément.
6:30 a.m.
My mistake. I've had password policies on my mind so much lately, that I
have been mostly focusing on the password strength portion of it, which I
realize is not part of ppolicy itself.
I'm going through each attribute right now to do a thorough test of what is
working and / or not working.
Server is openldap 2.4.23
Thanks,
Dan
On Wed, Apr 10, 2013 at 9:14 AM, Clément OUDOT <clem.oudot(a)gmail.com> wrote:
2013/4/10 D C <dc12078(a)gmail.com>
> I
> have tried using ppolicy, but it is not really doing anything.
> I can confirm that my policy is being used by flipping the
> "pwdSafeModify" attribute.
>
> When set to true, users cannot change their password and they get a
> message saying that they need to send both the old and new password
> together.
>
> Other than that, none of the other fields seem to have any effect.
>
> Do you have a working example of ppolicy?
>
Are you sure your are not using the root account (rootdn) to change the
password?
What version of OpenLDAP are you using?
Clément.
7:41 a.m.
--On Wednesday, April 10, 2013 9:30 AM -0400 D C <dc12078(a)gmail.com> wrote:
Server is openldap 2.4.23
Seriously? You're using a version of OpenLDAP that is nearly 3 years old?
Why would you do that to yourself?
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
3896
days inactive
3896
days old
openldap-technical@openldap.org
5 comments
3 participants
participants (3)
-
Clément OUDOT -
D C -
Quanah Gibson-Mount