Hi!
In the past I was using some LDAP administrator account to reset a user's password (using "ldappasswd -H $server -x -ZZ -D $admin -W "$DN""), and the system output the new password. But after having created a special account that ist to be used to reset passwords only, the same command failed with Result: Constraint violation (19) Additional info: Password fails quality checking policy
So it seems the admin account circumvents the password policy restrictions, while the special account does not.
But the main reason I'm writing this is that the passwords generated by ldappasswd do not seem to fulfill today's requirements (too short, basically). However 2.4 is very old, and it seems the current ldappasswd does no longer create automatic passwords (reading https://git.openldap.org/openldap/openldap/-/blob/master/clients/tools/ldapp...).
Regards, Ulrich
On Tue, Oct 08, 2024 at 08:59:05AM +0000, Windl, Ulrich wrote:
Hi!
In the past I was using some LDAP administrator account to reset a user's password (using "ldappasswd -H $server -x -ZZ -D $admin -W "$DN""), and the system output the new password. But after having created a special account that ist to be used to reset passwords only, the same command failed with Result: Constraint violation (19) Additional info: Password fails quality checking policy
Hi Ulrich, yes, it seems the (generated) "Password fails quality checking policy".
So it seems the admin account circumvents the password policy restrictions, while the special account does not.
ppolicy since 2.5 has a notion of a password administrator (those that have 'manage' access to the userPassword attribute) who are the only ones exempt from things like quality checking.
There are other changes in ppolicy behaviour when password administrator action is involved, I strongly encourage you read the latest ppolicy draft[0].
But the main reason I'm writing this is that the passwords generated by ldappasswd do not seem to fulfill today's requirements (too short, basically).
However 2.4 is very old, and it seems the current ldappasswd does no longer create automatic passwords (reading ldappasswd.c).
ldappasswd never generated them, it is the server that does so and it currently has no way of adjusting how a new password is generated to comply with the configured policy.
[0]. https://tools.ietf.org/html/draft-behera-ldap-password-policy
Regards,
openldap-technical@openldap.org