Hi,
it looks like I've successfully configured the ppolicy overlay, but I have some questions.
The relevant config:
olcModuleLoad: {0}ppolicy
structuralObjectClass: olcModuleList

dn: olcOverlay={2}ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: {2}ppolicy
olcPPolicyDefault: cn=default,ou=pwpolicies,dc=hu
olcPPolicyHashCleartext: FALSE
olcPPolicyUseLockout: FALSE

dn: cn=default,ou=pwpolicies,dc=hu
cn: default
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
objectClass: device
pwdAllowUserChange: TRUE
pwdInHistory: 5
pwdMinLength: 10
pwdAttribute: userPassword
pwdCheckQuality: 0
When I change my passwd with ldappasswd, the history check works:
ldappasswd -H ldaps://dev-ldap-01:636 -W -D uid=airween,ou=Users,ou=company,dc=comp,DC=hu -S
New password:
Re-enter new password:
Enter LDAP Password:
Result: Constraint violation (19)
Additional info: Password is in history of old passwords

but I can set a new password with fewer than 10 characters, e.g. "abc". What am I missing?
I've never read it, but it looks like the policy only has an effect when I'm changing the password with 'ldappasswd'; when I'm using ldapmodify, I can bypass the rules:
ldapmodify -H ldaps://dev-ldap-01:636 -D 'uid=airween,ou=Users,ou=company,dc=comp,dc=hu' -x -W -f file.ldif
modifying entry "uid=airween,ou=Users,ou=company,dc=comp,DC=hu"
[DONE WITH PREV PASSWD]
Is it right?
How can I validate the policy for all methods?
Thanks,
a.
--On Thursday, September 20, 2018 6:49 PM +0200 Ervin Hegedüs airween@gmail.com wrote:
> Is it right?
Yes. ppolicy is only triggered by password changes that use the LDAPv3 Password Modify (RFC 3062) extended operation.
> How can I validate the policy for all methods?
See above.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
Hi Quanah,
thanks for the reply,
On Thu, Sep 20, 2018 at 09:42:02AM -0700, Quanah Gibson-Mount wrote:
> --On Thursday, September 20, 2018 6:49 PM +0200 Ervin Hegedüs airween@gmail.com wrote:
>> Is it right?
> Yes. ppolicy is only triggered by password changes that use the LDAPv3 Password Modify (RFC 3062) extended operation.
so, it means that users can bypass it with a simple ldapmodify?
>> How can I validate the policy for all methods?
> See above.
but then why is the history stored and evaluated, while the length isn't?
a.
Hi Ryan,
On Thu, Sep 20, 2018 at 10:18:35AM -0700, Ryan Tandy wrote:
> On Thu, Sep 20, 2018 at 05:49:11PM +0200, Ervin Hegedüs wrote:
>> but I can set a new password with fewer than 10 characters, e.g. "abc". What am I missing?
> You explicitly told it not to check quality:
> pwdCheckQuality: 0
right, then does it mean that the length of the password is part of quality, but the history isn't?
Thanks,
a.
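For reference, here is the change that turns quality checking on for the policy entry from the original post. This LDIF is an added example, not something posted in the thread; the DN and attribute values are the ones from the original configuration. With pwdCheckQuality: 0, slapo-ppolicy never looks at the new value, so pwdMinLength is ignored while pwdInHistory is still enforced; with 1 it checks the length whenever it can read the new password as cleartext and accepts the change when it cannot (for example when the client sends an already hashed userPassword), and with 2 it rejects a change it cannot check.

```ldif
# Constructed example: enable quality checking on the existing policy entry.
# Apply with ldapmodify against the database that holds the policy entry.
dn: cn=default,ou=pwpolicies,dc=hu
changetype: modify
replace: pwdCheckQuality
# 0: never check quality (the value in the original post; pwdMinLength has no effect)
# 1: check when the new password is readable as cleartext, accept it otherwise
# 2: check, and reject the change when the new password cannot be checked
pwdCheckQuality: 2
-
replace: pwdMinLength
pwdMinLength: 10
```

After this change a userPassword shorter than 10 characters is refused with a constraint violation regardless of whether it arrives via the Password Modify extended operation or a plain modify of the userPassword attribute.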
openldap-technical@openldap.org