Hello

I have OpenLDAP 2.4.21 running and configured to age passwords after 90
days.  I just implemented ppolicy, but all the users were in place
before the password policy was implemented.

From the logs, it looks like slapd is aware it should be aging the
passwords, but it does not force the user to change the password when
the password is older than 90 days. Is it possible to enforce password
aging for users who were created before ppolicy was set up?  Is it
necessary to run ldapmodify against all existing users and add some
attributes related to ppolicy?

Below is a debug log of a single session.  Does anyone notice
anything I could have missed?  Does the line below indicate that the
password policy is at least identifying the aged password?

May  4 09:53:42 ldap1 slapd[6534]: ppolicy_bind: Setting warning for
password expiry for uid=user1,ou=people,dc=example,dc=local = 0
seconds

Full session below:

May  4 09:53:42 ldap1 slapd[6534]: conn=1049 op=0 do_bind
May  4 09:53:42 ldap1 slapd[6534]: >>> dnPrettyNormal:
<uid=user1,ou=people,dc=example,dc=local>
May  4 09:53:42 ldap1 slapd[6534]: <<< dnPrettyNormal:
<uid=user1,ou=people,dc=example,dc=local>,
<uid=user1,ou=people,dc=example,dc=local>
May  4 09:53:42 ldap1 slapd[6534]: conn=1049 op=0 BIND
dn="uid=user1,ou=people,dc=example,dc=local" method=128
May  4 09:53:42 ldap1 slapd[6534]: do_bind: version=3
dn="uid=user1,ou=people,dc=example,dc=local" method=128
May  4 09:53:42 ldap1 slapd[6534]: => bdb_entry_get: ndn:
"uid=user1,ou=people,dc=example,dc=local"
May  4 09:53:42 ldap1 slapd[6534]: => bdb_entry_get: oc: "(null)", at: "(null)"
May  4 09:53:42 ldap1 slapd[6534]:
bdb_dn2entry("uid=user1,ou=people,dc=example,dc=local")
May  4 09:53:42 ldap1 slapd[6534]: => bdb_entry_get: found entry:
"uid=user1,ou=people,dc=example,dc=local"
May  4 09:53:42 ldap1 slapd[6534]: bdb_entry_get: rc=0
May  4 09:53:42 ldap1 slapd[6534]: => bdb_entry_get: ndn:
"cn=default,ou=policies,dc=example,dc=local"
May  4 09:53:42 ldap1 slapd[6534]: => bdb_entry_get: oc: "(null)", at: "(null)"
May  4 09:53:42 ldap1 slapd[6534]:
bdb_dn2entry("cn=default,ou=policies,dc=example,dc=local")
May  4 09:53:42 ldap1 slapd[6534]: => bdb_entry_get: found entry:
"cn=default,ou=policies,dc=example,dc=local"
May  4 09:53:42 ldap1 slapd[6534]: bdb_entry_get: rc=0
May  4 09:53:42 ldap1 slapd[6534]: => bdb_entry_get: ndn:
"uid=user1,ou=people,dc=example,dc=local"
May  4 09:53:42 ldap1 slapd[6534]: => bdb_entry_get: oc: "(null)", at: "(null)"
May  4 09:53:42 ldap1 slapd[6534]:
bdb_dn2entry("uid=user1,ou=people,dc=example,dc=local")
May  4 09:53:42 ldap1 slapd[6534]: => bdb_entry_get: found entry:
"uid=user1,ou=people,dc=example,dc=local"
May  4 09:53:42 ldap1 slapd[6534]: bdb_entry_get: rc=0
May  4 09:53:42 ldap1 slapd[6534]: => bdb_entry_get: ndn:
"cn=default,ou=policies,dc=example,dc=local"
May  4 09:53:42 ldap1 slapd[6534]: => bdb_entry_get: oc: "(null)", at: "(null)"
May  4 09:53:42 ldap1 slapd[6534]:
bdb_dn2entry("cn=default,ou=policies,dc=example,dc=local")
May  4 09:53:42 ldap1 slapd[6534]: => bdb_entry_get: found entry:
"cn=default,ou=policies,dc=example,dc=local"
May  4 09:53:42 ldap1 slapd[6534]: bdb_entry_get: rc=0
May  4 09:53:42 ldap1 slapd[6534]: => bdb_entry_get: ndn:
"uid=user1,ou=people,dc=example,dc=local"
May  4 09:53:42 ldap1 slapd[6534]: => bdb_entry_get: oc: "(null)", at: "(null)"
May  4 09:53:42 ldap1 slapd[6534]:
bdb_dn2entry("uid=user1,ou=people,dc=example,dc=local")
May  4 09:53:42 ldap1 slapd[6534]: => bdb_entry_get: found entry:
"uid=user1,ou=people,dc=example,dc=local"
May  4 09:53:42 ldap1 slapd[6534]: bdb_entry_get: rc=0
May  4 09:53:42 ldap1 slapd[6534]: => bdb_entry_get: ndn:
"cn=default,ou=policies,dc=example,dc=local"
May  4 09:53:42 ldap1 slapd[6534]: => bdb_entry_get: oc: "(null)", at: "(null)"
May  4 09:53:42 ldap1 slapd[6534]:
bdb_dn2entry("cn=default,ou=policies,dc=example,dc=local")
May  4 09:53:42 ldap1 slapd[6534]: => bdb_entry_get: found entry:
"cn=default,ou=policies,dc=example,dc=local"
May  4 09:53:42 ldap1 slapd[6534]: bdb_entry_get: rc=0
May  4 09:53:42 ldap1 slapd[6534]: ==> hdb_bind: dn:
uid=user1,ou=people,dc=example,dc=local
May  4 09:53:42 ldap1 slapd[6534]:
bdb_dn2entry("uid=user1,ou=people,dc=example,dc=local")
May  4 09:53:42 ldap1 slapd[6534]: => access_allowed: result not in
cache (userPassword)
May  4 09:53:42 ldap1 slapd[6534]: => access_allowed: auth access to
"uid=user1,ou=people,dc=example,dc=local" "userPassword" requested
May  4 09:53:42 ldap1 slapd[6534]: => acl_get: [1] attr userPassword
May  4 09:53:42 ldap1 slapd[6534]: => acl_mask: access to entry
"uid=user1,ou=people,dc=example,dc=local", attr "userPassword"
requested
May  4 09:53:42 ldap1 slapd[6534]: => acl_mask: to value by "", (=0)
May  4 09:53:42 ldap1 slapd[6534]: <= check a_dn_pat: anonymous
May  4 09:53:42 ldap1 slapd[6534]: <= acl_mask: [1] applying auth(=xd) (stop)
May  4 09:53:42 ldap1 slapd[6534]: <= acl_mask: [1] mask: auth(=xd)
May  4 09:53:42 ldap1 slapd[6534]: => slap_access_allowed: auth access
granted by auth(=xd)
May  4 09:53:42 ldap1 slapd[6534]: => access_allowed: auth access
granted by auth(=xd)
May  4 09:53:42 ldap1 slapd[6534]: conn=1049 op=0 BIND
dn="uid=user1,ou=people,dc=example,dc=local" mech=SIMPLE ssf=0
May  4 09:53:42 ldap1 slapd[6534]: do_bind: v3 bind:
"uid=user1,ou=people,dc=example,dc=local" to
"uid=user1,ou=people,dc=example,dc=local"
May  4 09:53:42 ldap1 slapd[6534]: send_ldap_result: conn=1049 op=0 p=3
May  4 09:53:42 ldap1 slapd[6534]: send_ldap_result: err=0 matched="" text=""
May  4 09:53:42 ldap1 slapd[6534]: => bdb_entry_get: ndn:
"uid=user1,ou=people,dc=example,dc=local"
May  4 09:53:42 ldap1 slapd[6534]: => bdb_entry_get: oc: "(null)", at: "(null)"
May  4 09:53:42 ldap1 slapd[6534]:
bdb_dn2entry("uid=user1,ou=people,dc=example,dc=local")
May  4 09:53:42 ldap1 slapd[6534]: => bdb_entry_get: found entry:
"uid=user1,ou=people,dc=example,dc=local"
May  4 09:53:42 ldap1 slapd[6534]: bdb_entry_get: rc=0
May  4 09:53:42 ldap1 slapd[6534]: ppolicy_bind: Setting warning for
password expiry for uid=user1,ou=people,dc=example,dc=local = 0
seconds
May  4 09:53:42 ldap1 slapd[6534]: => bdb_entry_get: ndn:
"uid=user1,ou=people,dc=example,dc=local"
May  4 09:53:42 ldap1 slapd[6534]: => bdb_entry_get: oc: "(null)", at: "(null)"
May  4 09:53:42 ldap1 slapd[6534]:
bdb_dn2entry("uid=user1,ou=people,dc=example,dc=local")
May  4 09:53:42 ldap1 slapd[6534]: => bdb_entry_get: found entry:
"uid=user1,ou=people,dc=example,dc=local"
May  4 09:53:42 ldap1 slapd[6534]: bdb_entry_get: rc=0
May  4 09:53:42 ldap1 slapd[6534]: ppolicy_bind: Setting warning for
password expiry for uid=user1,ou=people,dc=example,dc=local = 0
seconds
May  4 09:53:42 ldap1 slapd[6534]: => bdb_entry_get: ndn:
"uid=user1,ou=people,dc=example,dc=local"
May  4 09:53:42 ldap1 slapd[6534]: => bdb_entry_get: oc: "(null)", at: "(null)"
May  4 09:53:42 ldap1 slapd[6534]:
bdb_dn2entry("uid=user1,ou=people,dc=example,dc=local")
May  4 09:53:42 ldap1 slapd[6534]: => bdb_entry_get: found entry:
"uid=user1,ou=people,dc=example,dc=local"
May  4 09:53:42 ldap1 slapd[6534]: bdb_entry_get: rc=0
May  4 09:53:42 ldap1 slapd[6534]: ppolicy_bind: Setting warning for
password expiry for uid=user1,ou=people,dc=example,dc=local = 0
seconds
May  4 09:53:42 ldap1 slapd[6534]: send_ldap_response: msgid=1 tag=97 err=0
May  4 09:53:42 ldap1 slapd[6534]: conn=1049 op=0 RESULT tag=97 err=0 text=
May  4 09:53:42 ldap1 slapd[6534]: daemon: activity on 1 descriptor
May  4 09:53:42 ldap1 slapd[6534]: daemon: activity on:


Regards,

William
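As an added example (not from the post or the LTB project), a small Python audit that reads slapd debug lines like those above, lists the binds that succeeded while ppolicy logged a 0-second expiry warning, and emits LDIF setting pwdReset: TRUE so those users are required to change their password at the next bind; the function names and the sample log lines are constructed here. One plausible cause, not confirmed by the post, is that entries created before the overlay was loaded carry no pwdChangedTime, and ppolicy treats a password without pwdChangedTime as never expiring.

```python
import re

# Constructed sample, modelled on the slapd debug lines in the post above, with each
# syslog record on a single line (mail wrapping split them in the post).
SAMPLE_LOG = """\
May  4 09:53:42 ldap1 slapd[6534]: conn=1049 op=0 BIND dn="uid=user1,ou=people,dc=example,dc=local" method=128
May  4 09:53:42 ldap1 slapd[6534]: ppolicy_bind: Setting warning for password expiry for uid=user1,ou=people,dc=example,dc=local = 0 seconds
May  4 09:53:42 ldap1 slapd[6534]: conn=1049 op=0 RESULT tag=97 err=0 text=
May  4 09:55:10 ldap1 slapd[6534]: conn=1050 op=0 BIND dn="uid=user2,ou=people,dc=example,dc=local" method=128
May  4 09:55:10 ldap1 slapd[6534]: ppolicy_bind: Setting warning for password expiry for uid=user2,ou=people,dc=example,dc=local = 86400 seconds
May  4 09:55:10 ldap1 slapd[6534]: conn=1050 op=0 RESULT tag=97 err=0 text=
May  4 09:56:01 ldap1 slapd[6534]: conn=1051 op=0 BIND dn="uid=user3,ou=people,dc=example,dc=local" method=128
May  4 09:56:01 ldap1 slapd[6534]: conn=1051 op=0 RESULT tag=97 err=49 text=
"""

BIND_RE = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]+)"')
WARN_RE = re.compile(r'ppolicy_bind: Setting warning for password expiry for (\S+) = (\d+) seconds')
RESULT_RE = re.compile(r'conn=(\d+) op=\d+ RESULT tag=97 err=(\d+)')

def parse_binds(log_text):
    """One record per simple bind: dn, ppolicy warning seconds (None if slapd logged
    no ppolicy line for it) and the LDAP result code of the bind."""
    pending = {}   # conn id -> record still being assembled
    records = []
    for line in log_text.splitlines():
        if m := BIND_RE.search(line):
            pending[m.group(1)] = {"conn": m.group(1), "dn": m.group(2), "warn": None, "err": None}
        elif m := WARN_RE.search(line):
            for rec in pending.values():           # the warning line names the DN, not the conn
                if rec["dn"] == m.group(1):
                    rec["warn"] = int(m.group(2))
        elif m := RESULT_RE.search(line):          # tag=97 is the BindResponse
            rec = pending.pop(m.group(1), None)
            if rec:
                rec["err"] = int(m.group(2))
                records.append(rec)
    return records

def aged_but_accepted(log_text):
    """DNs whose bind succeeded (err=0) while ppolicy reported a 0-second expiry
    warning: the symptom in the post, where slapd notes the age but allows the bind."""
    return [r["dn"] for r in parse_binds(log_text) if r["err"] == 0 and r["warn"] == 0]

def ldif_force_change(dns):
    """LDIF setting pwdReset: TRUE on each DN. With pwdMustChange: TRUE in the policy
    entry, ppolicy then lets the user do nothing but change the password after the
    next bind. Hypothetical helper; apply the output with ldapmodify as the rootdn."""
    return "\n".join(
        f"dn: {dn}\nchangetype: modify\nreplace: pwdReset\npwdReset: TRUE\n" for dn in dns)
```

pwdReset only forces a change when the policy entry has pwdMustChange: TRUE; because ppolicy's attributes are operational, writing one by hand typically needs the rootdn and ldapmodify's -e relax control.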
_______________________________________________
ltb-users mailing list
[email protected]
http://lists.ltb-project.org/listinfo/ltb-users