
I have installed OpenLDAP version 2.4.23 on Windows XP and am using Apache DS as a client. I can authenticate users on a client server I set up for testing.

My next step is to turn on a password policy. This is where things have gotten a bit hazy for me and I'm hoping someone can help me out.

I also added a password policy, using the following command:

ldapadd -x -c -f -D "cn=Manager,dc=maxcrc,dc=com" -w secret

But after adding the password policies, how do I make them take effect?

The openldap documentation says the password policy module should be configured with the DN of the default policy.

I added the following lines to the slapd.conf file:

# invokes password policies for this DIT only
overlay ppolicy
# Default ppolicy
ppolicy_default "cn=passwordDefault,ou=policies,dc=maxcrc,dc=com"

But somehow it is not getting loaded. I have already spent a lot of time on this, but I am not finding a proper guide for it.

Can anyone shed some light on this in plain, layman's terms?

Thanks in advance.

My ldif file is as follows.

dn: cn=passwordDefault,ou=policies,dc=localdomain,dc=com
objectClass: pwdPolicy
objectClass: person
objectClass: top
cn: passwordDefault
sn: passwordDefault
pwdAttribute: userPassword
pwdCheckQuality: 1
pwdMinAge: 1
pwdMaxAge: 90
pwdMinLength: 6
pwdInHistory: 4
pwdMaxFailure: 3
pwdFailureCountInterval: 0
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdAllowUserChange: TRUE
pwdExpireWarning: 604800
pwdGraceAuthNLimit: 3
pwdMustChange: TRUE
pwdSafeModify: TRUE

After adding this policy and restarting the server, I tried changing the password of existing as well as newly added users. The server allows me to change the password to a string with length less than 6, whereas I have specified pwdMinLength: 6 in the LDIF.

I also tried changing the password more than once, but it allows me to change the password to a recently used password, whereas pwdInHistory is 4 in the LDIF.

Deepak Patil
    Your `ldapadd` command does not look right, `-f` takes a filename (usually of an LDIF file). – mr.spuratic Mar 04 '13 at 17:29
  • It would also help to show us what's in the LDIF file, and what evidence you have that the policy isn't in effect. – user207421 Mar 05 '13 at 01:09
  • @mr.spuratic: I just missed the filename here; the complete ldapadd command is ldapadd -c -f passwordpolicy.ldif -D "cn=Manager,dc=maxcrc,dc=com" -x -w secret – Deepak Patil Mar 05 '13 at 07:12
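The slapd.conf stanza and the LDIF in the question are two halves of one setting: ppolicy_default must name an entry that actually exists, carries objectClass pwdPolicy and applies to userPassword, and the ppolicy time attributes are all in seconds, not days. As posted, the two DNs differ (dc=maxcrc in slapd.conf, dc=localdomain in the LDIF), so the default policy resolves to nothing; whether that is a redaction artefact or the real configuration, it is the first thing to rule out. With pwdMaxAge 90 (ninety seconds), the 604800-second pwdExpireWarning is also longer than the whole password lifetime, which the slapo-ppolicy(5) man page requires to be smaller than pwdMaxAge. The script below is an added example, not code from the question or from OpenLDAP: it embeds the posted fragments as constructed inputs, reads them with a minimal LDIF parser (simplified DN matching, no base64 values) and reports these inconsistencies offline. It does not replace a test against the live server, and for that test bind as the user, not the rootdn.

```python
# Added example: check an OpenLDAP slapd.conf ppolicy stanza against the
# pwdPolicy LDIF it points to. Inputs are constructed from the question.
SLAPD_CONF = """\
# invokes password policies for this DIT only
overlay ppolicy
# Default ppolicy
ppolicy_default "cn=passwordDefault,ou=policies,dc=maxcrc,dc=com"
"""

POLICY_LDIF = """\
dn: cn=passwordDefault,ou=policies,dc=localdomain,dc=com
objectClass: pwdPolicy
objectClass: person
objectClass: top
cn: passwordDefault
sn: passwordDefault
pwdAttribute: userPassword
pwdCheckQuality: 1
pwdMinAge: 1
pwdMaxAge: 90
pwdMinLength: 6
pwdInHistory: 4
pwdMaxFailure: 3
pwdFailureCountInterval: 0
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdAllowUserChange: TRUE
pwdExpireWarning: 604800
pwdGraceAuthNLimit: 3
pwdMustChange: TRUE
pwdSafeModify: TRUE
"""


def normalize_dn(dn):
    """Case-fold and strip whitespace around RDN separators.
    A simplification of RFC 4517 DN matching, adequate for DNs like these."""
    return ",".join(p.strip() for p in dn.strip().split(",")).lower()


def parse_slapd_conf(text):
    """Collect 'overlay' directives and the (unquoted) ppolicy_default DN."""
    conf = {"overlays": [], "ppolicy_default": None}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key, value = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        if key == "overlay":
            conf["overlays"].append(value)
        elif key == "ppolicy_default":
            conf["ppolicy_default"] = value.strip('"')
    return conf


def parse_ldif(text):
    """Minimal LDIF reader: {normalized dn: {attr (lower-case): [values]}}.
    Handles RFC 2849 line folding; base64 ('::') and URL (':<') values are rejected."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, attrs = {}, None
    for line in unfolded + [""]:            # sentinel flushes the last entry
        if not line.strip():
            if attrs and "dn" in attrs:
                entries[normalize_dn(attrs["dn"][0])] = attrs
            attrs = None
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or value[:1] in (":", "<"):
            raise ValueError("unsupported LDIF line: %r" % line)
        if attrs is None:
            attrs = {}
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return entries


def first_int(attrs, name):
    vals = attrs.get(name.lower())
    return int(vals[0]) if vals else None


def check_policy(conf, entries):
    """Return a list of findings; an empty list means config and LDIF agree."""
    findings = []
    if "ppolicy" not in conf["overlays"]:
        findings.append("slapd.conf: no 'overlay ppolicy' line, so no policy is enforced")
    default_dn = conf["ppolicy_default"]
    if not default_dn:
        findings.append("slapd.conf: ppolicy_default unset; entries without pwdPolicySubentry get no policy")
        return findings
    policy = entries.get(normalize_dn(default_dn))
    if policy is None:
        findings.append("ppolicy_default %r names no entry in the LDIF (entries: %s)"
                        % (default_dn, ", ".join(entries) or "none"))
        return findings
    if "pwdpolicy" not in {v.lower() for v in policy.get("objectclass", [])}:
        findings.append("default policy entry lacks objectClass pwdPolicy")
    if [v.lower() for v in policy.get("pwdattribute", [])] != ["userpassword"]:
        findings.append("pwdAttribute must be userPassword")
    # All ppolicy time attributes are seconds; pwdMaxAge 0 means never expire.
    min_age = first_int(policy, "pwdMinAge") or 0
    max_age = first_int(policy, "pwdMaxAge") or 0
    warning = first_int(policy, "pwdExpireWarning") or 0
    if max_age and min_age >= max_age:          # this checker's own sanity rule
        findings.append("pwdMinAge (%d s) is not below pwdMaxAge (%d s)" % (min_age, max_age))
    if max_age and warning and warning >= max_age:   # required by slapo-ppolicy(5)
        findings.append("pwdExpireWarning (%d s) must be smaller than pwdMaxAge (%d s); both are seconds"
                        % (warning, max_age))
    if policy.get("pwdlockout", ["FALSE"])[0].upper() == "TRUE" and first_int(policy, "pwdLockoutDuration") == 0:
        findings.append("pwdLockoutDuration 0 with pwdLockout TRUE: lockouts last until an admin "
                        "removes pwdAccountLockedTime")
    return findings


def run_check(conf_text, ldif_text):
    return check_policy(parse_slapd_conf(conf_text), parse_ldif(ldif_text))


if __name__ == "__main__":
    for f in run_check(SLAPD_CONF, POLICY_LDIF) or ["no findings"]:
        print("-", f)
```

Run as-is it reports only the DN mismatch, because nothing else can be checked until the default policy resolves; fix the dc= component and the age and lockout findings appear next. The pwdLockoutDuration finding is a warning rather than an error: with 0, a user who trips pwdMaxFailure stays locked until an administrator clears the lock, which may or may not be what you want.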

3 Answers


The password policy doesn't work if you use the rootDN to execute the updates. You must use an existing admin account, or the user's own account.

user207421
  • I did not get what you mean by "extended operation for changing passwords"; can you please elaborate? Thanks – Deepak Patil Mar 06 '13 at 13:50

It is not clear how you are setting the password when testing, but I would check whether you are passing the password in the correct format, meaning that the server needs to receive the password in cleartext. Some clients hash the value before sending it to the OpenLDAP server, in which case it would be impossible for the OpenLDAP server to determine the length of the password. The communication can and should be encrypted, but the password shouldn't be pre-hashed. Hashing can be handled by the server:

pwdCheckQuality

If the value is 1 and the supplied password is in cleartext, then a user-supplied function (defined using pwdCheckModule, if defined) will be called to check the password quality. If this function is not available, then the password will be accepted (assuming it passes all the other tests defined by the various pwdPolicy attributes).

reference: http://www.zytrax.com/books/ldap/ch6/ppolicy.html

H. Shin

The rootdn bypasses the password policy, so do not use the rootdn in your ldappasswd command.

https://www.openldap.org/lists/openldap-technical/201102/msg00262.html

You can basically set any password (not an empty one, though) when setting passwords with ldappasswd while binding as the rootdn. It's a bit of a tricky situation, since you cannot change the password with the "passwd" command for the user either. In that case the password policy would kick in.

If you know the rootdn password, you can bypass everything.