Hello All,
I probably have something misconfigured on my openldap server, but it seems that this is not so easy to debug (for me).
I use openldap 2.4.23 with ppolicy and accesslog overlays.
I have the following behaviours: - when pwdMustChange and pwdReset are set to true, after login, user is not prompted to change the password, however if I run:
[def_auditor@localhost fbelli]$ ldapwhoami -x -e ppolicy -D uid=def_auditor,ou=people,dc=pippo,dc=com -w ****** -ZZ -H ldap://mkernel ldap_bind: Success (0); Password must be changed (Password expires in 0 seconds) dn:uid=def_auditor,ou=people,dc=pippo,dc=com
- When there are less of pwdExpireWarning seconds and user authenticates (bash shell or ldapsearch), it doesn't get any warning.
- When password is expired and user uses one of his pwdGraceAuthNLimit, he doesn't get any warning (but it will get lockedout after).
It looks like that for some reason the openldap server doesn't send warnings back to the user. However if user tryes to change the password to one that doesn't match the policy, it gets the correct warnings.
Following there is my standard password policy:
dn: ou=Policies,dc=aivp,dc=vtp ou: Policies description: Directory policies. objectClass: organizationalUnit
dn: cn=Standard,ou=Policies,dc=aivp,dc=vtp cn: Standard description: Standard password policy. pwdAttribute: 2.5.4.35 pwdMinAge: 172800 pwdMaxAge: 5184000 pwdCheckQuality: 1 pwdCheckModule: check_password.so pwdMinLength: 8 pwdExpireWarning: 604800 pwdGraceAuthNLimit: 1 pwdInHistory: 20 pwdLockout: TRUE pwdLockoutDuration: 900 pwdMaxFailure: 3 pwdFailureCountInterval: 1200 pwdMustChange: TRUE objectClass: device objectClass: pwdPolicy objectClass: pwdPolicyChecker
Overlay configuration:
dn: olcOverlay={2}ppolicy objectClass: olcPPolicyConfig objectClass: olcOverlayConfig olcOverlay: ppolicy olcPPolicyDefault: cn=Standard,ou=Policies,dc=aivp,dc=vtp olcPPolicyUseLockout: TRUE olcPPolicyHashCleartext: TRUE
And an example of an user when first inserted:
dn: uid=def_auditor,ou=people,dc=aivp,dc=vtp cn: def_auditor gidnumber: 601 homedirectory: /home/def_auditor loginshell: /bin/bash objectclass: account objectclass: posixAccount objectclass: top uid: def_auditor uidnumber: 634 userPassword:: ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ= pwdReset: TRUE
Thanks in advance for any advice
Best Regards,
Francesco Belli
openldap-technical@openldap.org