Hi Buchan,

I'm not trying to manage password policies through php. I just had a problem giving a user the right to change passwords. I figured it out now by modifying the ACLs.
Here is a sample of my slapd.conf:
>>CUT<<<<<<<<<<<<<

# Default password policy
overlay ppolicy
ppolicy_default cn=default,ou=policies,o=others,dc=domain,dc=tld
ppolicy_hash_cleartext

overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

# The base of your directory in database #1
suffix "dc=domain,dc=tld"

# rootdn directive for specifying a superuser on the database. This is needed
# for syncrepl.
# rootdn "cn=admin,dc=domain,dc=tld"
rootdn "cn=admin,dc=domain,dc=tld"
rootpw {SSHA}xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

>CUT<<<<<<<<<<<<

# org1 administrators have all the rights on the subtree ou=Users,o=org1,dc=domain,dc=tld
access to dn.subtree="ou=Users,o=org1,dc=domain,dc=tld" attrs=userPassword,shadowLastChange
    by dn="cn=admin.org1,o=others,dc=domain,dc=tld" write
    by dn="cn=admin,dc=domain,dc=tld" write
    by dn="cn=syncrepluser,o=others,dc=domain,dc=tld" read
    by anonymous auth
    by self write
    by * none

access to dn.subtree="ou=Users,o=org1,dc=domain,dc=tld"
    by dn="cn=admin.org1,o=others,dc=domain,dc=tld" manage
    by dn="cn=admin,dc=domain,dc=tld" write
    by dn="cn=syncrepluser,o=others,dc=domain,dc=tld" read
    by anonymous read
    by * none

# org2 administrators have all the rights on the subtree ou=Users,o=org2,dc=domain,dc=tld
access to dn.subtree="ou=Users,o=org2,dc=domain,dc=tld" attrs=userPassword,shadowLastChange
    by dn="cn=admin.org2,o=others,dc=domain,dc=tld" write
    by dn="cn=admin,dc=domain,dc=tld" write
    by dn="cn=syncrepluser,o=others,dc=domain,dc=tld" read
    by anonymous auth
    by self write
    by * none

access to dn.subtree="ou=Users,o=org2,dc=domain,dc=tld"
    by dn="cn=admin.org2,o=others,dc=domain,dc=tld" manage
    by dn="cn=admin,dc=domain,dc=tld" write
    by dn="cn=syncrepluser,o=others,dc=domain,dc=tld" read
    by anonymous read
    by * none

####
access to attrs=userPassword,shadowLastChange
    by dn="cn=admin,dc=domain,dc=tld" write
    by dn="cn=auth,o=others,dc=domain,dc=tld" read
    by dn="cn=syncrepluser,o=others,dc=domain,dc=tld" read
    by anonymous auth
    by self write
    by * none
And my password policy:

ldapsearch -Wx -H ldaps://ldap.domain.tld -D cn=admin,dc=domain,dc=tld -b o=others,dc=domain,dc=tld cn=default
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <o=others,dc=domain,dc=tld> with scope subtree
# filter: cn=default
# requesting: ALL
#

# default, policies, others, domain.tld
dn: cn=default,ou=policies,o=others,dc=domain,dc=tld
pwdAttribute: userPassword
pwdLockout: TRUE
pwdLockoutDuration: 10800
pwdMaxFailure: 5
objectClass: pwdPolicy
objectClass: organizationalRole
cn: default
pwdAllowUserChange: TRUE
pwdMinLength: 8
pwdMaxAge: 15552000
pwdExpireWarning: 15120000
pwdCheckQuality: 2
pwdInHistory: 4
Now it works. Sorry, I should have provided you with more information. I'll do it next time.
Regards, Grifith
----- Original Message -----
From: "Buchan Milne" bgmilne@staff.telkomsa.net
To: openldap-technical@openldap.org
Cc: "Smaïne Kahlouch" smainklh@free.fr
Sent: Friday, 5 February 2010 11:02:22 GMT +01:00 Amsterdam / Berlin / Bern / Rome / Stockholm / Vienna
Subject: Re: ppolicy : managing passwords by another user than root
> On Monday, 1 February 2010 21:37:11 Smaïne Kahlouch wrote:
> > Could somebody help me please?
>
> With what?
>
> > I'm asking one last time, then I would have to use my root account within my php code :/ (not secure at all)
>
> Assuming your message is relevant to the subject of this thread, php is a dead end, as it has no password policy control. I have some perl scripts to manage password-policy changes.
>
> Regards,
> Buchan
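The ACLs posted above only do what Grifith wants because of slapd's evaluation order: the first matching "access to" clause wins, and within it the first matching "by" clause wins, so the attrs=userPassword clause for each org has to come before the general clause for the same subtree. The script below is an added example for this thread, not slapd code and not anything from the original posts; it is a small model of that first-match logic with the posted rules transcribed into it, so you can see who gets which level on a user's userPassword without a running server. The sample entries (uid=alice under org1, uid=bob under org2, an org3 entry) are constructed, and the model only covers the selector forms the posted ACLs use (dn.subtree, attrs, anonymous, self, *, exact DN); rootdn bypass and "deny when nothing matches" follow slapd's documented behaviour.

```python
"""Model of how slapd evaluates the ACLs posted in this thread.

Added example, not slapd code: it reproduces only the semantics the posted
config relies on (first matching 'access to' clause wins; within it the first
matching 'by' clause wins; rootdn bypasses ACLs; 'anonymous', 'self', '*' and
exact-DN 'by' selectors; dn.subtree and attrs targets).
"""
from dataclasses import dataclass
from typing import List, Optional, Set

# slapd access levels, lowest to highest; a higher level implies the lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def level_ge(granted_level: str, required: str) -> bool:
    return LEVELS.index(granted_level) >= LEVELS.index(required)


def norm(dn: str) -> str:
    """Crude DN normalisation: lower-case, strip spaces around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def in_subtree(dn: str, base: str) -> bool:
    dn, base = norm(dn), norm(base)
    return dn == base or dn.endswith("," + base)


@dataclass
class By:
    who: str     # "anonymous", "self", "*", or an exact DN
    level: str


@dataclass
class Access:
    subtree: Optional[str]      # dn.subtree="..." target; None = any entry
    attrs: Optional[Set[str]]   # attrs=... target (lower-cased); None = entry itself
    by: List[By]

    def matches(self, target_dn: str, attr: Optional[str]) -> bool:
        if self.subtree is not None and not in_subtree(target_dn, self.subtree):
            return False
        if self.attrs is not None:
            return attr is not None and attr.lower() in self.attrs
        return True   # no attrs selector: matches the entry and any of its attributes


def who_matches(clause: By, bind_dn: Optional[str], target_dn: str) -> bool:
    if clause.who == "*":
        return True
    if clause.who == "anonymous":
        return bind_dn is None
    if clause.who == "self":
        return bind_dn is not None and norm(bind_dn) == norm(target_dn)
    return bind_dn is not None and norm(bind_dn) == norm(clause.who)


def granted(rules: List[Access], rootdn: str, bind_dn: Optional[str],
            target_dn: str, attr: Optional[str] = None) -> str:
    """Access level the first matching rule grants (bind_dn None = anonymous)."""
    if bind_dn is not None and norm(bind_dn) == norm(rootdn):
        return "manage"            # rootdn is never subject to ACLs
    for rule in rules:
        if rule.matches(target_dn, attr):
            for clause in rule.by:
                if who_matches(clause, bind_dn, target_dn):
                    return clause.level
            return "none"          # matched 'access to' but no 'by': implicit 'by * none'
    return "none"                  # nothing matched: slapd denies once any ACL exists


# --- the ACLs from the posted slapd.conf, transcribed ---
ROOTDN = "cn=admin,dc=domain,dc=tld"
SYNC = "cn=syncrepluser,o=others,dc=domain,dc=tld"
AUTH = "cn=auth,o=others,dc=domain,dc=tld"
PW = {"userpassword", "shadowlastchange"}


def org_rules(base: str, admin: str) -> List[Access]:
    return [
        Access(base, PW, [By(admin, "write"), By(ROOTDN, "write"), By(SYNC, "read"),
                          By("anonymous", "auth"), By("self", "write"), By("*", "none")]),
        Access(base, None, [By(admin, "manage"), By(ROOTDN, "write"), By(SYNC, "read"),
                            By("anonymous", "read"), By("*", "none")]),
    ]


ORG1 = "ou=Users,o=org1,dc=domain,dc=tld"
ORG2 = "ou=Users,o=org2,dc=domain,dc=tld"
ADMIN1 = "cn=admin.org1,o=others,dc=domain,dc=tld"
ADMIN2 = "cn=admin.org2,o=others,dc=domain,dc=tld"
RULES = org_rules(ORG1, ADMIN1) + org_rules(ORG2, ADMIN2) + [
    Access(None, PW, [By(ROOTDN, "write"), By(AUTH, "read"), By(SYNC, "read"),
                      By("anonymous", "auth"), By("self", "write"), By("*", "none")]),
]

# Same rules with the org1 attrs clause placed AFTER the general org1 clause,
# to show why the order in the posted file matters.
MISORDERED = [RULES[1], RULES[0]] + RULES[2:]


def can_set_password(rules: List[Access], bind_dn: Optional[str], user_dn: str) -> bool:
    return level_ge(granted(rules, ROOTDN, bind_dn, user_dn, "userPassword"), "write")


if __name__ == "__main__":
    alice = "uid=alice,ou=Users,o=org1,dc=domain,dc=tld"   # constructed sample entries
    bob = "uid=bob,ou=Users,o=org2,dc=domain,dc=tld"
    print("admin.org1 -> alice:", can_set_password(RULES, ADMIN1, alice))   # True
    print("admin.org1 -> bob:  ", can_set_password(RULES, ADMIN1, bob))     # False
    print("anonymous on alice's userPassword:",
          granted(RULES, ROOTDN, None, alice, "userPassword"),              # auth
          "| misordered:", granted(MISORDERED, ROOTDN, None, alice, "userPassword"))  # read
```

Run it as-is to see the delegation the posted ACLs give (cn=admin.org1 writes userPassword under org1 only, users write their own, anonymous gets auth). The MISORDERED variant shows the failure mode: with the general subtree clause first, anonymous would get read on userPassword because that clause has no attrs selector and so matches the attribute too. The model also shows that cn=auth only ever reaches the trailing global clause, so in the posted config it reads userPassword only for entries outside the two org subtrees.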