Hi Tizo,
Supposing that your users have to log in to some Linux/Unix machine using their LDAP accounts, I suggest you create some binary or script to allow your users to change their passwords by invoking the ldappasswd command.
I mean, you can create a C program or shell script or even a PHP page, to check for some weaknesses in their passwords, like min length, capital letters, numbers, and so on.
After that, you can call the ldappasswd command with all parameters (using a system() call in C source code) to change it. I know that this is not an elegant option, but it works.
Let me know if it works for you, and I can post my C source code here to help you.
See you
Gustavo
Date: Wed, 10 Jun 2009 18:54:14 -0300
From: tizo tizone@gmail.com
Subject: Re: password change and ppolicy
To: openldap-technical@openldap.org
Message-ID: e55f48520906101454i3e5b4b59v2b755278cd34437@mail.gmail.com
Content-Type: text/plain; charset="utf-8"
On Tue, Jun 9, 2009 at 12:12 PM, tizo tizone@gmail.com wrote:
> Before starting this, I have been testing password changing with phpLDAPAdmin. The fact is that I could only change a user password with clear text. I guess that this behaviour happens because we have pwdCheckQuality set to 2 in our default password policy. So, when the client (phpLDAPAdmin) tries to modify the password encoding it, the server (OpenLDAP) cannot check the min length of the password, as it is encoded, and then fails. I am guessing too, that phpLDAPAdmin is performing a simple modify operation to change the password, as it is stored in clear text. On the other hand, I could change passwords with ldappasswd without problem, and they are stored with SSHA. I know that this command uses RFC 3062.
tizo
On Fri, Jun 12, 2009 at 11:31 AM, Gustavo Mendes de Carvalho < gmcarvalho@gmail.com> wrote:
> Hi Tizo,
> Supposing that your users have to log in to some Linux/Unix machine using their LDAP accounts, I suggest you create some binary or script to allow your users to change their passwords by invoking the ldappasswd command.
> I mean, you can create a C program or shell script or even a PHP page, to check for some weaknesses in their passwords, like min length, capital letters, numbers, and so on.
> After that, you can call the ldappasswd command with all parameters (using a system() call in C source code) to change it. I know that this is not an elegant option, but it works.
> Let me know if it works for you, and I can post my C source code here to help you.
> See you
> Gustavo
Gustavo,
Thanks for your help, but my problem was changing passwords from a JEE Application, and I could solve it with the class that I attached before.
Thanks again,
tizo
On Friday 12 June 2009 16:31:50 Gustavo Mendes de Carvalho wrote:
> Hi Tizo,
> Supposing that your users have to log in to some Linux/Unix machine using their LDAP accounts, I suggest you create some binary or script to allow your users to change their passwords by invoking the ldappasswd command.
> I mean, you can create a C program or shell script or even a PHP page,

Since PHP doesn't support LDAP controls, PHP is a bad choice for this.

> to check for some weaknesses in their passwords, like min length, capital letters, numbers, and so on.

The best place to implement the password policy is on the LDAP server, since it is more flexible (multiple policies) and applies to all applications changing passwords.
I use the attached perl script as a CGI (to allow users to check and change their password).
Regards, Buchan
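
The wrapper approach discussed in this thread, as an added example that is not code from any of the posters: it pre-checks length, capitals and digits, then runs ldappasswd through execvp() with an argument vector instead of system(), so no shell parses user input and the passwords stay out of the process list. MIN_LEN, the function names and the password-file arrangement are assumptions; the server-side password policy remains the authoritative check.

```c
#include <ctype.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define MIN_LEN 8 /* assumed local minimum; keep it in line with the server policy */

enum pw_result { PW_OK = 0, PW_TOO_SHORT, PW_NO_UPPER, PW_NO_DIGIT };

/* Client-side pre-check only: returns the first rule the password fails. */
enum pw_result password_check(const char *pw)
{
    int upper = 0, digit = 0;
    size_t n = strlen(pw);
    if (n < MIN_LEN) return PW_TOO_SHORT;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)pw[i];
        if (isupper(c)) upper = 1;
        if (isdigit(c)) digit = 1;
    }
    if (!upper) return PW_NO_UPPER;
    return digit ? PW_OK : PW_NO_DIGIT;
}

/* Fill argv for execvp(). Secrets are passed as files (-y bind password,
 * -T new password): write them mode 0600, without a trailing newline. */
int build_argv(const char *argv[], size_t cap, const char *uri, const char *dn,
               const char *bind_pw_file, const char *new_pw_file)
{
    const char *a[] = { "ldappasswd", "-x", "-H", uri, "-D", dn, "-y", bind_pw_file,
                        "-T", new_pw_file, "-e", "ppolicy", NULL };
    size_t n = sizeof a / sizeof a[0];
    if (cap < n) return -1;
    memcpy(argv, a, sizeof a);
    return (int)(n - 1); /* argument count, excluding the NULL terminator */
}

/* Run ldappasswd with no shell involved; returns its exit status or -1. */
int change_password(const char *uri, const char *dn,
                    const char *bind_pw_file, const char *new_pw_file)
{
    const char *argv[16];
    int status;
    if (build_argv(argv, 16, uri, dn, bind_pw_file, new_pw_file) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execvp(argv[0], (char *const *)argv); _exit(127); }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}
```

With no user argument, ldappasswd changes the password of the bind DN, so the user binds with the old password and the server still applies its own policy to the new one.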