Greetings,
Given: OpenLDAP: 2.4.23, password policy module enabled, default password policy loaded as
dn: cn=default,ou=Policies,dc=example,dc=com
cn: default
objectClass: pwdPolicy
objectClass: person
objectClass: top
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckQuality: 0
pwdExpireWarning: 600
pwdFailureCountInterval: 30
pwdGraceAuthNLimit: 5
pwdInHistory: 5
pwdLockout: TRUE
pwdLockoutDuration: 30
pwdMaxAge: 7776000
pwdMaxFailure: 5
pwdMinAge: 0
pwdMinLength: 5
pwdMustChange: FALSE
pwdSafeModify: FALSE
sn: dummy value
Authentication is set via LDAP. The problem: when I try to set the password via ldappasswd, using a command like this:
ldappasswd -e ppolicy -W -x -D "cn=Manager,dc=example,dc=com" \
  -H ldap://127.0.0.1/ -A -S "uid=testuser,ou=Users,dc=example,dc=com"
it bypasses password policy settings - I can set the same password, can set the previously used password. It doesn't matter whether I specify '-e ppolicy' or not.
However, when I try to change password with passwd (authentication is set via LDAP, /etc/ldap.conf contains 'pam_password exop'):
passwd testuser
the password policy restrictions are in effect. I am not allowed to set the same password, to set a previous or similar password, etc.
Is it possible to make ldappasswd observe password policy restrictions?
Thanks. Sincerely, Konstantin
Hello Konstantin,
the rootdn bypasses password policy, so do not use rootdn in your ldappasswd command.
Clément.
2011/2/18, Konstantin Boyandin temmokan@gmail.com:
Am Fri, 18 Feb 2011 12:55:01 +0600 schrieb Konstantin Boyandin temmokan@gmail.com:
ldappasswd -e ppolicy -W -x -D "cn=Manager,dc=example,dc=com" \
  -H ldap://127.0.0.1/ -A -S "uid=testuser,ou=Users,dc=example,dc=com"
rootdn bypasses all restrictions.
Is it possible to make ldappasswd observe password policy restrictions?
Yes, do not bind as rootdn.
-Dieter
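The two points of this thread are that the pwdPolicy entry decides which checks slapd applies and that binding as the rootdn skips all of them. The following script is an added example, not code from the thread or from the OpenLDAP project: it parses the policy entry quoted above (re-typed here as a constructed LDIF string), reports the settings a reviewer would want to look at, and checks whether a proposed bind DN is the rootdn. The rootdn value "cn=Manager,dc=example,dc=com" is taken from the ldappasswd command in the thread, which the replies identify as the rootdn; the length and lockout thresholds used in the audit are this example's own assumptions.

```python
"""Audit an OpenLDAP pwdPolicy entry and the DN used to change passwords.

Added example, not from the mailing-list thread. Standard library only, so it
runs offline against the LDIF text embedded below.
"""
import base64

# Constructed copy of the policy entry quoted in the thread.
POLICY_LDIF = """\
dn: cn=default,ou=Policies,dc=example,dc=com
cn: default
objectClass: pwdPolicy
objectClass: person
objectClass: top
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckQuality: 0
pwdExpireWarning: 600
pwdFailureCountInterval: 30
pwdGraceAuthNLimit: 5
pwdInHistory: 5
pwdLockout: TRUE
pwdLockoutDuration: 30
pwdMaxAge: 7776000
pwdMaxFailure: 5
pwdMinAge: 0
pwdMinLength: 5
pwdMustChange: FALSE
pwdSafeModify: FALSE
sn: dummy value
"""

# Bind DN used in the thread's ldappasswd command; the replies say it is the rootdn.
ROOTDN = "cn=Manager,dc=example,dc=com"


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute (lower-cased): [values]}.

    Handles folded continuation lines (leading space), comments and
    base64 values ("attr:: ..."), which is enough for a single entry.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded line continues the previous one
            lines[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):               # "attr:: base64"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        entry.setdefault(attr.strip().lower(), []).append(value)
    return entry


def audit_policy(entry, min_length=8, min_lockout_seconds=300):
    """Return a list of findings, each starting with the attribute it concerns.

    min_length and min_lockout_seconds are this example's own thresholds.
    """
    def first(attr, default=None):
        vals = entry.get(attr.lower())
        return vals[0] if vals else default

    classes = [v.lower() for v in entry.get("objectclass", [])]
    if "pwdpolicy" not in classes:
        return ["objectClass: entry is not a pwdPolicy object; slapo-ppolicy will ignore it"]

    findings = []
    if first("pwdCheckQuality", "0") == "0":
        # pwdMinLength is only applied when quality checking is enabled (1 or 2).
        findings.append("pwdCheckQuality=0: quality is not checked, so pwdMinLength=%s is never enforced"
                        % first("pwdMinLength", "unset"))
    elif int(first("pwdMinLength", "0")) < min_length:
        findings.append("pwdMinLength=%s: below the example threshold of %d" % (first("pwdMinLength"), min_length))
    if int(first("pwdInHistory", "0")) == 0:
        findings.append("pwdInHistory=0: reuse of previous passwords is allowed")
    if first("pwdSafeModify", "FALSE").upper() == "FALSE":
        findings.append("pwdSafeModify=FALSE: the old password is not required when changing; only ACLs "
                        "control who may write userPassword")
    if first("pwdLockout", "FALSE").upper() == "TRUE" and \
            0 < int(first("pwdLockoutDuration", "0")) < min_lockout_seconds:
        findings.append("pwdLockoutDuration=%s: lockout clears after only %s seconds"
                        % (first("pwdLockoutDuration"), first("pwdLockoutDuration")))
    return findings


def normalize_dn(dn):
    """Cheap DN normalisation: lower-case and strip whitespace around RDNs."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def policy_applies_to_bind(bind_dn, rootdn=ROOTDN):
    """False when bind_dn is the database rootdn: slapd exempts the rootdn from
    the ppolicy overlay (and from access control), so bind as the user instead."""
    return normalize_dn(bind_dn) != normalize_dn(rootdn)


if __name__ == "__main__":
    policy = parse_ldif_entry(POLICY_LDIF)
    print("policy", policy["dn"][0])
    for finding in audit_policy(policy):
        print(" -", finding)
    for dn in (ROOTDN, "uid=testuser,ou=Users,dc=example,dc=com"):
        print(dn, "->", "policy enforced" if policy_applies_to_bind(dn) else "policy BYPASSED (rootdn)")
```

Run against the entry from the thread, the audit reports that pwdCheckQuality 0 leaves pwdMinLength unenforced and that pwdSafeModify is off, while pwdInHistory 5 is what made the passwd exop change fail on a reused password; the bind check shows the same contrast Dieter and Clément point out, policy enforced for the user's own DN and skipped for cn=Manager.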
Hello Clement,
18.02.2011 13:28, Clément OUDOT writes:
Hello Konstantin,
the rootdn bypasses password policy, so do not use rootdn in your ldappasswd command.
Indeed, using the same dn for authentication, the password policy prevented the wrong action.
Thank you. Sincerely, Konstantin
openldap-technical@openldap.org