On Fri, 18 Feb 2011 12:55:01 +0600, Konstantin Boyandin <[email protected]> wrote:
> Greetings,
>
> Given: OpenLDAP: 2.4.23, password policy module enabled, default
> password policy loaded as
>
> dn: cn=default,ou=Policies,dc=example,dc=com
> cn: default
> objectClass: pwdPolicy
> objectClass: person
> objectClass: top
> pwdAllowUserChange: TRUE
> pwdAttribute: userPassword
> pwdCheckQuality: 0
> pwdExpireWarning: 600
> pwdFailureCountInterval: 30
> pwdGraceAuthNLimit: 5
> pwdInHistory: 5
> pwdLockout: TRUE
> pwdLockoutDuration: 30
> pwdMaxAge: 7776000
> pwdMaxFailure: 5
> pwdMinAge: 0
> pwdMinLength: 5
> pwdMustChange: FALSE
> pwdSafeModify: FALSE
> sn: dummy value
>
> Authentication is set via LDAP (.
> The problem: when I try to set the password via ldappasswd, using a
> command like this:
>
> ldappasswd -e ppolicy -W -x -D "cn=Manager,dc=example,dc=com" \
> -H ldap://127.0.0.1/ -A -S "uid=testuser,ou=Users,dc=example,dc=com"

rootdn bypasses all restrictions.

> it bypasses password policy settings - I can set the same password,
> can set the previously used password. It doesn't matter whether I
> specify '-e ppolicy' or not.
>
> However, when I try to change the password with passwd (authentication is
> set via LDAP, /etc/ldap.conf contains 'pam_password exop'):
>
> passwd testuser
>
> the password policy restrictions are in effect. I am not allowed to
> set the same password, to set a previous or similar password etc.
>
> Is it possible to make ldappasswd observe password policy restrictions?

Yes, do not bind as rootdn.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:DA147B05
53°37'09,95"N 10°08'02,42"E
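Dieter's point is that the rootdn is exempt from slapo-ppolicy, so no pwdPolicy attribute will make a rootdn bind honour the policy; the policy entry itself still deserves a review for the users it does apply to. The following is an added example, not code from the thread or from OpenLDAP: it parses an abridged, constructed copy of the quoted cn=default entry and flags settings a defender would normally tighten. The thresholds (8 characters, 900 s) are assumptions, not OpenLDAP defaults.

```python
from typing import Dict, List

# Constructed, abridged copy of the cn=default entry quoted in the thread.
POLICY_LDIF = """\
dn: cn=default,ou=Policies,dc=example,dc=com
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdCheckQuality: 0
pwdFailureCountInterval: 30
pwdInHistory: 5
pwdLockout: TRUE
pwdLockoutDuration: 30
pwdMaxAge: 7776000
pwdMaxFailure: 5
pwdMinAge: 0
pwdMinLength: 5
pwdSafeModify: FALSE
"""


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Parse one simple LDIF entry (no folding, no base64) into attr -> values."""
    entry: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        # Attribute names are case-insensitive in LDAP; normalise to lower case.
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def audit_ppolicy(entry: Dict[str, List[str]], min_length: int = 8,
                  min_lockout: int = 900) -> List[str]:
    """Return findings for pwdPolicy settings that weaken the policy for non-rootdn users."""
    def get(attr: str, default: str) -> str:
        return entry.get(attr.lower(), [default])[0]

    findings: List[str] = []
    if get("pwdCheckQuality", "0") == "0":
        findings.append("pwdCheckQuality=0: password quality checking is disabled")
    if int(get("pwdMinLength", "0")) < min_length:
        findings.append(f"pwdMinLength={get('pwdMinLength', '0')}: below {min_length}")
    if int(get("pwdMinAge", "0")) == 0 and int(get("pwdInHistory", "0")) > 0:
        findings.append("pwdMinAge=0: pwdInHistory can be cycled through in one sitting")
    if get("pwdLockout", "FALSE").upper() == "TRUE":
        duration = int(get("pwdLockoutDuration", "0"))  # 0 means locked until reset
        if 0 < duration < min_lockout:
            findings.append(f"pwdLockoutDuration={duration}s: lockout expires quickly")
    if get("pwdSafeModify", "FALSE").upper() != "TRUE":
        findings.append("pwdSafeModify=FALSE: old password not required on change")
    return findings
```

Running `audit_ppolicy(parse_ldif_entry(POLICY_LDIF))` on the quoted entry yields five findings; none of them changes what a rootdn bind can do.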
