Bryan Payne wrote, on 19-02-2008 22:27:
I have some issues with ppolicy. It seems it recognizes expiration dates
(I know this from looking in the logs, but it does not warn the user
their password is expiring soon), properly locks out accounts with too
many failed logins but it cannot seem to force a password change when
pwdReset is set to TRUE, nor does it prevent logins when the password
has expired. Any help would be greatly appreciated. I'll post the things
of importance below. Please let me know if anything else would help.
[root@ldapserver ~]# ldapsearch -x -LLL cn=default
dn: cn=default,ou=policies,dc=example,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: 2.5.4.35
pwdInHistory: 6
pwdCheckQuality: 1
pwdMinLength: 8
pwdMaxFailure: 4
pwdLockout: TRUE
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdSafeModify: FALSE
pwdLockoutDuration: 900
pwdExpireWarning: 432000
pwdGraceAuthNLimit: 1
pwdAllowUserChange: TRUE
pwdMaxAge: 7776000
From slapd.conf
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=example,dc=com"
ppolicy_use_lockout
Most of the above looks kosher; my main site is running ppolicy on
OpenLDAP 2.3.33 up to 2.3.39 Buchan rpms on Red Hat RHEL5 and all the
above work. However:
1: I've found that each posixAccount has to have the operational
attribute pwdPolicySubentry. Although this is an operational attribute,
it is (the only?) such that is user modifiable. In this (as in many
other) respects gq is indispensable as a GUI.
2: I've found that extensive use has to be made of pam_ldap to get the
best out of ppolicy (for example password strength).
3: It would help if you detailed OS and OL versions, so's one could know
whether to contribute help or not.
Best,
--Tonni
--
Tony Earnshaw
Email: tonni at hetnet dot nl
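
An added example, not part of either poster's message or of OpenLDAP: a small Python model of the decision the ppolicy overlay is expected to reach on a bind with the correct password, using the values from the cn=default entry quoted above and the password policy draft's semantics. The function names, result labels and any entry values passed in are constructed for illustration, and timestamps are assumed to be in YYYYmmddHHMMSSZ form.

```python
from datetime import datetime, timedelta, timezone

# Policy values copied from the cn=default entry quoted in the thread.
POLICY_LDIF = """\
pwdLockout: TRUE
pwdMustChange: TRUE
pwdLockoutDuration: 900
pwdExpireWarning: 432000
pwdGraceAuthNLimit: 1
pwdMaxAge: 7776000
"""

def parse_ldif(text):
    """Parse 'attr: value' lines into {attr: [values]} (no base64, no folding)."""
    out = {}
    for line in text.splitlines():
        if ": " in line:
            attr, value = line.split(": ", 1)
            out.setdefault(attr, []).append(value.strip())
    return out

def gtime(s):
    """Parse GeneralizedTime in the YYYYmmddHHMMSSZ form (assumed input format)."""
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def expected_bind_state(policy, entry, now):
    """Outcome the policy should give for a bind with the correct password."""
    num = lambda a: int(policy.get(a, ["0"])[0])
    flag = lambda d, a: d.get(a, ["FALSE"])[0] == "TRUE"
    locked = entry.get("pwdAccountLockedTime")
    if flag(policy, "pwdLockout") and locked:
        dur = num("pwdLockoutDuration")
        # Duration 0 or the 000001010000Z marker: locked until an admin unlocks.
        if dur == 0 or locked[0].startswith("0000") or \
                now < gtime(locked[0]) + timedelta(seconds=dur):
            return "locked"
    if flag(policy, "pwdMustChange") and flag(entry, "pwdReset"):
        return "must-change"  # bind succeeds, only a password change is allowed
    changed = entry.get("pwdChangedTime")
    if num("pwdMaxAge") and changed:
        expires = gtime(changed[0]) + timedelta(seconds=num("pwdMaxAge"))
        left = int((expires - now).total_seconds())
        if left <= 0:
            # Grace binds still available, counting this one.
            grace = num("pwdGraceAuthNLimit") - len(entry.get("pwdGraceUseTime", []))
            return f"expired-grace:{grace}" if grace > 0 else "expired-denied"
        if left <= num("pwdExpireWarning"):
            return f"warn:{left}"  # seconds for the timeBeforeExpiration warning
    return "ok"
```

Feed it the pwdChangedTime, pwdReset, pwdGraceUseTime and pwdAccountLockedTime values of a test account (ldapsearch returns operational attributes when "+" is requested) and compare the result with what the server actually does at bind time.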