Hi!
Can someone explain what this message is actually saying: slapd[3990]: ppolicy_bind: Setting warning for password expiry for uid=testuser,ou=domain,dc=org = 0 seconds
Does this mean a user who mistyped his password before logged in successfully now?
I saw no change to the LDAP database after this message, so what is changed, and where is it changed? Also those "0 seconds" don't match my password policy, which looks like this (still testing):
--
objectClass: namedObject
objectClass: pwdPolicy
cn: PP-Default
pwdAttribute: userPassword
pwdMinAge: 30
pwdMaxAge: 86400000
pwdInHistory: 3
pwdCheckQuality: 1
pwdMinLength: 8
pwdExpireWarning: 604800
pwdGraceAuthNLimit: 5
pwdLockout: TRUE
pwdLockoutDuration: 1800
pwdMaxFailure: 10
pwdFailureCountInterval: 1209600
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
--
I'm running SLES11 SP3...
Regards, Ulrich
Which OpenLDAP version?
You can search for the message in source file servers/slapd/overlays/ppolicy.c
Reading the comment setting warn = 0 should not happen.
Does uid=testuser,ou=domain,dc=org really have a correct 'pwdChanged' attribute value?
Ciao, Michael.
Michael Ströder michael@stroeder.com wrote on 06.11.2014 at 09:16 in message 545B2E53.7070404@stroeder.com:
Which OpenLDAP version?
You can search for the message in source file servers/slapd/overlays/ppolicy.c
Reading the comment setting warn = 0 should not happen.
Does uid=testuser,ou=domain,dc=org really have a correct 'pwdChanged' attribute value?
Hi!
You are on the right track: None of our users has a 'pwdChanged' attribute! That is also not surprising, because I could not find that attribute in the object classes being used:
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: shadowAccount
However, I see these attributes being modified since ppolicy is active: pwdChangedTime, pwdFailureTime, pwdGraceUseTime, pwdHistory
Could it be you meant "pwdChangedTime" instead? If so, could the problem be that that attribute is created only after ppolicy is active _and_ the user actually changed the password?
If so, a heuristic would be to assume the password is not older than createTimestamp if pwdChangedTime is missing.
Regards, Ulrich
"Ulrich Windl" Ulrich.Windl@rz.uni-regensburg.de wrote:
Hi!
You are on the right track: None of our users has a 'pwdChanged' attribute! That is also not surprising, because I could not find that attribute in the object classes being used:
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: shadowAccount
However, I see these attributes being modified since ppolicy is active: pwdChangedTime, pwdFailureTime, pwdGraceUseTime, pwdHistory
Could it be you meant "pwdChangedTime" instead?
Yes, I meant pwdChangedTime. Sorry for the typo.
If so, could the problem be that that attribute is created only after ppolicy is active _and_ the user actually changed the password?
Yes.
Just look into this particular entry mentioned in the log message.
If so, a heuristic would be to assume the password is not older than createTimestamp if pwdChangedTime is missing.
It's up to you whether you set pwdChangedTime in existing entries. It will be set when the user changes the password.
You can set it with an LDAP client using the Relax Rules Control with an identity which has manage privilege.
Ciao, Michael.
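The script below is an added example and is not part of this thread or of OpenLDAP. It puts the two points above into practice: it reads the output of an ldapsearch that requested the operational attributes createTimestamp and pwdChangedTime, emits an LDIF that copies createTimestamp into pwdChangedTime for every entry that has none (Ulrich's heuristic), and shows the expiry arithmetic that pwdMaxAge and pwdExpireWarning from PP-Default imply once a pwdChangedTime exists. The base DN, bind DN and file names in the comments are placeholders, the sample LDIF is constructed, and expiry_warning is this example's reading of the password-policy draft, not a copy of the code in ppolicy.c.

```python
"""Added example: backfill pwdChangedTime from createTimestamp and show the
expiry arithmetic implied by the PP-Default policy quoted in the thread.

Assumed workflow (base DN, bind DN and file names are placeholders):
  ldapsearch -LLL -x -D cn=admin,dc=org -W -b ou=domain,dc=org \
      '(objectClass=posixAccount)' createTimestamp pwdChangedTime > users.ldif
  python3 ppolicy_backfill.py users.ldif > backfill.ldif
  ldapmodify -x -D cn=admin,dc=org -W -e relax -f backfill.ldif
pwdChangedTime is NO-USER-MODIFICATION, hence the Relax Rules control (-e relax)
and an identity with manage privilege, as Michael says.
"""
import sys
from datetime import datetime, timedelta, timezone

# Values copied from the PP-Default entry in the thread (seconds).
PWD_MAX_AGE = 86400000
PWD_EXPIRE_WARNING = 604800

# Constructed sample of what the ldapsearch above might return: one entry
# created before ppolicy was enabled (no pwdChangedTime), one with a value.
SAMPLE_LDIF = """\
dn: uid=testuser,ou=domain,dc=org
createTimestamp: 20140915120000Z

dn: uid=fresh,ou=domain,dc=org
createTimestamp: 20141001080000Z
pwdChangedTime: 20141101093000Z
"""


def parse_ldif(text):
    """Minimal LDIF reader: list of {attr: [values]} per entry.
    Unfolds continuation lines; skips comments and base64/URL values
    (none are expected for the attributes requested here)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep or value.startswith((":", "<")):
            continue
        current.setdefault(attr.strip(), []).append(value.strip())
    return entries


def parse_gtime(value):
    """LDAP GeneralizedTime such as 20141106081600Z -> aware datetime."""
    base = value.split(".")[0].rstrip("Z")
    return datetime.strptime(base, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def expiry_warning(changed, now, max_age=PWD_MAX_AGE, warning=PWD_EXPIRE_WARNING):
    """Seconds left before the password expires, as this example reads the
    policy draft: a timeBeforeExpiration warning is due only inside the last
    `warning` seconds before changed + max_age. Returns None when no warning
    is due and 0 when the password is already expired. Without a usable
    pwdChangedTime this arithmetic cannot produce a meaningful value."""
    remaining = int((changed + timedelta(seconds=max_age) - now).total_seconds())
    if remaining <= 0:
        return 0
    return remaining if remaining <= warning else None


def backfill_ldif(entries):
    """LDIF for ldapmodify -e relax: set pwdChangedTime := createTimestamp on
    every entry that has a createTimestamp but no pwdChangedTime."""
    changes = []
    for e in entries:
        dn = e.get("dn", [""])[0]
        if not dn or "pwdChangedTime" in e or "createTimestamp" not in e:
            continue
        changes.append(
            f"dn: {dn}\nchangetype: modify\n"
            f"replace: pwdChangedTime\npwdChangedTime: {e['createTimestamp'][0]}\n-\n"
        )
    return "\n".join(changes)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    sys.stdout.write(backfill_ldif(parse_ldif(text)))
```

Run without arguments it processes the constructed sample and prints one modify for uid=testuser only; the entry that already carries pwdChangedTime is left alone. Note that createTimestamp and pwdChangedTime are operational attributes, so the ldapsearch has to name them (or use +) or the script will see nothing to backfill. Review the generated LDIF before feeding it to ldapmodify: backfilling sets the clock for pwdMaxAge, so an old createTimestamp may make a password expire immediately under a 1000-day pwdMaxAge.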
openldap-technical@openldap.org