Hi,
It looks like the password policy overlay will do exactly what I need it to; I just can't get it to work.
I have applied the overlay to my directory. I have a default policy set that has:
pwdAttribute set to userPassword and pwdMustChange set to TRUE.
However, when I change a user's password, either with ldapmodify or the ldappasswd command, that user is still able to bind to the directory just fine. I was assuming that a bind attempt would return an error saying that the user had to change their password, or is this not the expected behavior?
Also, I have tried adding pwdReset = TRUE to my user's object, but it complains that pwdReset is not allowed in the schema. Is there a specific objectclass that I have to add to my user entries?
I have also tried creating a schema with pwdReset and pwdPolicySubentry, but when I add that schema it complains that these are operational attributes.
I have upped the logging, and when a user tries to bind I see:
Aug 3 08:57:08 devauth slapd[30441]: conn=1017 fd=17 ACCEPT from IP=10.20.48.66:55519 (IP=0.0.0.0:389)
Aug 3 08:57:08 devauth slapd[30441]: conn=1017 op=0 BIND dn="uid=email@test.com,ou=test_websales_users,dc=ls,dc=cbn" method=128
Aug 3 08:57:08 devauth slapd[30441]: => bdb_entry_get: found entry: "uid=email@test.com,ou=test_websales_users,dc=ls,dc=cbn"
Aug 3 08:57:08 devauth slapd[30441]: => bdb_entry_get: found entry: "cn=websales_password_policy,ou=test_websales_users,dc=ls,dc=cbn"
Aug 3 08:57:08 devauth slapd[30441]: => access_allowed: result not in cache (userPassword)
Aug 3 08:57:08 devauth slapd[30441]: => access_allowed: auth access to "uid=email@test.com,ou=test_websales_users,dc=ls,dc=cbn" "userPassword" requested
Aug 3 08:57:08 devauth slapd[30441]: => acl_get: [2] attr userPassword
Aug 3 08:57:08 devauth slapd[30441]: => acl_mask: access to entry "uid=email@test.com,ou=test_websales_users,dc=ls,dc=cbn", attr "userPassword" requested
Aug 3 08:57:08 devauth slapd[30441]: => acl_mask: to value by "", (=0)
Aug 3 08:57:08 devauth slapd[30441]: <= check a_dn_pat: self
Aug 3 08:57:08 devauth slapd[30441]: <= check a_dn_pat: *
Aug 3 08:57:08 devauth slapd[30441]: <= acl_mask: [2] applying auth(=xd) (stop)
Aug 3 08:57:08 devauth slapd[30441]: <= acl_mask: [2] mask: auth(=xd)
Aug 3 08:57:08 devauth slapd[30441]: => slap_access_allowed: auth access granted by auth(=xd)
Aug 3 08:57:08 devauth slapd[30441]: => access_allowed: auth access granted by auth(=xd)
Aug 3 08:57:08 devauth slapd[30441]: conn=1017 op=0 BIND dn="uid=email@test.com,ou=test_websales_users,dc=ls,dc=cbn" mech=SIMPLE ssf=0
So it looks to me like the default policy has been applied, but nothing happens when a password is reset by an administrator.
So I think I am missing something fundamental here. I have a few questions that I think will help me narrow down my problem, though.
1) What is the best way to debug an overlay?
2) Is there a proper way for an administrator to change a password so that the pwdReset flag is set on the user (or whatever is supposed to happen so that the user needs to reset their password on their next bind)?
3) Is it enough to have a password policy with just pwdAttribute and pwdMustChange set, or are there other values that need to be set to make this work?
4) Are there any extra object classes that have to be added to my user entries for the password policies to work?
5) I would like users to have to reset their password on first bind. Do I need to set something on object creation?
6) Anything else I might be missing?
Any help would be awesome.
Thanks,
I am getting a little further with this.
I have added:
pwdLockout = TRUE
pwdMaxFailure = 5
pwdMinLength = 8
Now if I try to log in with the wrong password it adds a pwdFailureTime attribute to the user as expected, and after 5 I can't bind as that user anymore. Then if I reset the password the user can log in again. So at least something with the policy is working.
When I change the password, however, it allows passwords with fewer than 8 characters, and pwdReset is still not set on the user's entry.
Any thoughts on what might be happening?
Thanks,
Bram
On 2014-08-03, 9:10 AM, Bram Cymet wrote:
2014-08-05 17:56 GMT+02:00 Bram Cymet bcymet@cbnco.com:
Hi,
1/ Password policy is not applied on password modification if the operation is done with the manager account.
2/ Password size or strength is not verified if the password is sent in hashed form; you need to send the cleartext password to be able to check it.
3/ pwdReset is not set to TRUE automatically; you need to set it by hand.
Clément.
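As an added example (not from either mail in this thread) that puts the three points above together with the original questions: the first record is assumed to replace the cn=websales_password_policy entry seen in the log, built on the structural class device, and the second is what an administrator runs after setting the password with ldappasswd from an ordinary administrative DN rather than the rootdn. A bind with pwdReset set still succeeds, exactly as the log shows; slapo-ppolicy then rejects every operation except a password change until the user has changed it, and reports changeAfterReset to clients that send the ppolicy request control.

```ldif
# Constructed example: complete policy entry for the DN in the log above.
# pwdPolicy is auxiliary, so a structural class (device) carries it.
dn: cn=websales_password_policy,ou=test_websales_users,dc=ls,dc=cbn
changetype: add
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: websales_password_policy
pwdAttribute: userPassword
pwdMustChange: TRUE
pwdLockout: TRUE
pwdMaxFailure: 5
pwdFailureCountInterval: 600
pwdLockoutDuration: 900
# pwdMinLength is only enforced while quality checking is enabled.
# 2 = reject any password the server cannot check, i.e. one that arrives
# already hashed ({SSHA}...), so a bypassed check fails loudly instead of
# being silently accepted (1 would let hashed values through unchecked).
pwdCheckQuality: 2
pwdMinLength: 8
pwdInHistory: 5
pwdMaxAge: 7776000

# Run after an administrator (not the rootdn, which skips the policy) has
# set the password with ldappasswd, which sends the cleartext value.
# pwdReset is an operational attribute: no extra objectClass is needed on
# the user entry, and it is written with ldapmodify, not added to a schema.
dn: uid=email@test.com,ou=test_websales_users,dc=ls,dc=cbn
changetype: modify
replace: pwdReset
pwdReset: TRUE
```

Feed the file to ldapmodify bound as the administrative DN, then verify with ldapwhoami bound as the user and the -e ppolicy option, which prints the policy response returned with the bind.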