Dear All,
I have tried modifying pwdChangedTime and am facing the error below:
modifying entry "uid=test1,ou=ITSupport,ou=people,dc=mydomain,dc=com"
ldap_modify: Constraint violation (19)
        additional info: pwdChangedTime: no user modification allowed
Thanks, Tayyab Saeed
Dear Tayyab,
Well, the error message says most of it.
The attribute pwdChangedTime is defined in sect. 5.3.2. of https://tools.ietf.org/html/draft-behera-ldap-password-policy-10 as:
...
NO-USER-MODIFICATION USAGE directoryOperation )
This means that an LDAP client is not allowed to modify the values of this attribute; it is to be modified by the directory server only.
And this makes perfect sense: the value is changed if and only if the password is being changed.
Cheers, Peter
On 12.04.2018 at 22:55, Tayyab Saeed wrote:
Dear Peter / ALL,
Thanks a lot for your reply.
So how can we exempt some users from the password policy?
Is it possible in OpenLDAP or not?
Thanks, Tayyab Saeed
----- Original Message -----
From: "Peter Gietz" peter.gietz@daasi.de
To: openldap-technical@openldap.org
Sent: Friday, April 13, 2018 1:08:31 PM
Subject: Re: exempt some users from OpenLDAP password policy
Hello,
You may either:
* Set a relaxed default password policy using olcPPolicyDefault / ppolicy_default (or no default policy at all) and set more restrictive password policies on some of your users by setting the pwdPolicySubentry attribute on their object
* Set a restrictive default password policy, and a relaxed one on some of your users
Using one or the other depends on the proportion of exceptions you would generate: the fewer, the better
--
Matthieu CERDA
On 13/04/2018 at 11:38, Tayyab Saeed wrote:
Here is an example which you can apply per-user which needs to be exempted:
dn: cn=ppolicy-exclude,ou=policies,dc=organization,dc=org
cn: ppolicy-exclude
objectClass: top
objectClass: device
objectClass: pwdPolicyChecker
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdAllowUserChange: TRUE
pwdMustChange: FALSE
pwdLockout: FALSE
On Fri, Apr 13, 2018 at 10:28 AM, Matthieu Cerda <matthieu.cerda@nbs-system.com> wrote:
Dear All,
I am sorry, but I am still unable to configure this. Could anyone please share the complete steps or a link so I can set it up?
Thanks, Tayyab Saeed
----- Original Message -----
From: "Dave Macias" davama@gmail.com
To: "Matthieu Cerda" matthieu.cerda@nbs-system.com
Cc: openldap-technical@openldap.org
Sent: Friday, April 13, 2018 8:27:04 PM
Subject: Re: exempt some users from OpenLDAP password policy
What does your LDAP tree look like (the relevant parts: users, current ppolicy)?
As far as links go, there are so many out there. Just search for one that fits your environment. Here is how to add a ppolicy in the first place: https://wiki.polaire.nl/doku.php?id=centos7_openldap_ppolicy
How to add a ppolicy to specific objects: http://www.zytrax.com/books/ldap/ch6/ppolicy.html#examples
As Matthieu already mentioned, assuming you already have a ppolicy, you would need to create a less restrictive policy and apply it to specific users using the pwdPolicySubentry attribute.
regards, dave
On Apr 15, 2018, 11:50 PM -0400, Tayyab Saeed <tayyab.saeed@nds.com.pk> wrote:
Dear All,
How can we disable password policy completely?
Thanks, Tayyab Saeed
----- Original Message -----
From: "Dave Macias" davama@gmail.com
To: "Tayyab Saeed" tayyab.saeed@nds.com.pk
Cc: openldap-technical@openldap.org, "Matthieu Cerda" matthieu.cerda@nbs-system.com
Sent: Thursday, April 19, 2018 5:36:04 PM
Subject: Re: exempt some users from OpenLDAP password policy
Hello,
Well, you might want to take a look at the recent thread "removing ppolicy overlay" (especially Frank Swasey's latest answer).
If you do not want to go through the hassle of editing your LDAP database to remove all ppolicy attributes, you may leave the password policy overlay enabled without any default policy set, which would be basically the same as having it disabled, since no policy would be enforced.
For this to work, you will want to check that there is no "pwdPolicySubentry" attribute anywhere, as that would explicitly enable a password policy on the object.
Have a nice day,
--
Matthieu CERDA
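Both of Matthieu's points, a default policy with per-user pwdPolicySubentry overrides and the check that no stray pwdPolicySubentry is set when the overlay runs without a default, can be audited offline from an ldapsearch dump. This is an added example, not code from the thread or from OpenLDAP: the DEFAULT_POLICY DN and the LDIF entries are constructed sample data modelled on the ppolicy-exclude policy shown earlier in the thread.

```python
from typing import Dict, List, Optional

# olcPPolicyDefault on the ppolicy overlay (assumed DN). None models the
# "overlay loaded but no default policy" setup: nothing is enforced then
# unless a pwdPolicySubentry is set on the entry itself.
DEFAULT_POLICY: Optional[str] = "cn=default,ou=policies,dc=mydomain,dc=com"

# Constructed sample in the shape of: ldapsearch -LLL -b dc=mydomain,dc=com
# '(|(objectClass=pwdPolicy)(objectClass=inetOrgPerson))' objectClass pwdLockout pwdPolicySubentry
SAMPLE_LDIF = """\
dn: cn=ppolicy-exclude,ou=policies,dc=mydomain,dc=com
objectClass: pwdPolicy
pwdLockout: FALSE

dn: uid=test1,ou=ITSupport,ou=people,dc=mydomain,dc=com
objectClass: inetOrgPerson
pwdPolicySubentry: cn=ppolicy-exclude,ou=policies,dc=mydomain,dc=com

dn: uid=alice,ou=people,dc=mydomain,dc=com
objectClass: inetOrgPerson

dn: uid=svc-backup,ou=people,dc=mydomain,dc=com
objectClass: inetOrgPerson
pwdPolicySubentry: cn=ppolicy-exclude,ou=policies,dc=mydomain,
 dc=com
"""

def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: blank lines separate entries, a leading space folds a
    line onto the previous one; names are lower-cased; base64 (::) is not handled."""
    entries: List[Dict[str, List[str]]] = []
    logical: List[str] = []
    for raw in text.splitlines() + [""]:  # trailing "" flushes the last entry
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        elif raw:
            logical.append(raw)
        elif logical:
            entry: Dict[str, List[str]] = {}
            for line in logical:
                attr, _, value = line.partition(":")
                entry.setdefault(attr.lower(), []).append(value.strip())
            entries.append(entry)
            logical = []
    return entries

def is_policy(entry: Dict[str, List[str]]) -> bool:
    return "pwdpolicy" in (c.lower() for c in entry.get("objectclass", []))

def effective_policies(ldif: str, default: Optional[str]) -> Dict[str, Optional[str]]:
    """user DN -> governing policy DN: pwdPolicySubentry wins, else the overlay default, else None."""
    users = (e for e in parse_ldif(ldif) if not is_policy(e))
    return {e["dn"][0]: e.get("pwdpolicysubentry", [default])[0] for e in users}

def exempt_users(ldif: str, default: Optional[str]) -> List[str]:
    """Users under no policy, or under one that disables lockout (the
    ppolicy-exclude pattern): the list an operator should review."""
    relaxed = {e["dn"][0] for e in parse_ldif(ldif)
               if is_policy(e) and e.get("pwdlockout", ["TRUE"])[0].upper() == "FALSE"}
    return sorted(dn for dn, pol in effective_policies(ldif, default).items()
                  if pol is None or pol in relaxed)

if __name__ == "__main__":
    for dn, pol in effective_policies(SAMPLE_LDIF, DEFAULT_POLICY).items():
        print(f"{dn} -> {pol or 'NO POLICY ENFORCED'}")
    print("review:", exempt_users(SAMPLE_LDIF, DEFAULT_POLICY))
```

Running it with DEFAULT_POLICY set to None reproduces the "no default policy" case and lists every user lacking a pwdPolicySubentry as unenforced.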
On 23/04/2018 at 07:22, Tayyab Saeed wrote:
Yes, it's possible, as already mentioned: http://www.zytrax.com/books/ldap/ch6/ppolicy.html#examples
Just create another policy (less restrictive) if you already have one and apply it to the specified users.
Once the ppolicy overlay is enabled all users will become subject to the default policy. You have 2 choices:
1. Make the default policy accommodate your less restrictive use case and apply a more restrictive policy to the users that need it.
2. Leave the default policy the more restrictive case, create a less restrictive policy for your “exception” use case and apply the less restrictive policy to users that need it.
The method you choose will be driven by which use case is the “rule” and which use case is the “exception”. In either case you apply distinct policies where needed by supplying the DN of the policy in the pwdPolicySubentry attribute of the user.
JON C KIDDER | MIDDLEWARE ADMINISTRATOR LEAD | JCKIDDER@AEP.COM | D: 614.716.4970 | 1 RIVERSIDE PLAZA, COLUMBUS, OH 43215
From: openldap-technical-bounces@openldap.org On Behalf Of Tayyab Saeed
Sent: Thursday, April 12, 2018 4:55 PM
To: openldap-technical@openldap.org
Subject: [EXTERNAL] exempt some users from OpenLDAP password policy
You also have the option of not specifying a default policy but I’m assuming that “no policy” is your exception use case and not what you want as the default.
From: Jon C Kidder
Sent: Friday, April 13, 2018 7:22 AM
To: 'Tayyab Saeed'; openldap-technical@openldap.org
Subject: RE: [EXTERNAL] exempt some users from OpenLDAP password policy