On 11.10.2010 16:06, Meghanand Acharekar wrote:
> On Mon, Oct 11, 2010 at 7:08 PM, Christian Manal <[email protected]> wrote:
>
>> On 11.10.2010 15:25, Meghanand Acharekar wrote:
>>> On Mon, Oct 11, 2010 at 6:42 PM, Christian Manal <[email protected]> wrote:
>>>
>>>> On 11.10.2010 14:41, Meghanand Acharekar wrote:
>>>>> Hi,
>>>>>
>>>>> I am using ppolicy overlay to enforce password policies.
>>>>> Following is my ppolicy configuration/ldif.
>>>>>
>>>>> dn: cn=policies,dc=example,dc=com
>>>>> objectClass: top
>>>>> objectClass: device
>>>>> objectClass: pwdPolicy
>>>>> cn: policies
>>>>> pwdAttribute: userPassword
>>>>> pwdMaxAge: 7516800
>>>>> pwdExpireWarning: 432000
>>>>> pwdInHistory: 6
>>>>> pwdCheckQuality: 1
>>>>> pwdMinLength: 8
>>>>> pwdMaxFailure: 4
>>>>> pwdLockout: TRUE
>>>>> pwdLockoutDuration: 1920
>>>>> pwdGraceAuthNLimit: 0
>>>>> pwdFailureCountInterval: 0
>>>>> pwdMustChange: TRUE
>>>>> pwdAllowUserChange: TRUE
>>>>> pwdSafeModify: FALSE
>>>>>
>>>>> while changing password on first login I got following error.
>>>>>
>>>>> WARNING: Your password has expired.
>>>>> You must change your password now and login again!
>>>>> Changing password for user prasad.
>>>>> Enter login(LDAP) password:
>>>>> New UNIX password:
>>>>> Retype new UNIX password:
>>>>> LDAP password information update failed: Constraint violation
>>>>> Password is too young to change
>>>>> passwd: Permission denied
>>>>> Connection to myhost closed.
>>>>>
>>>>> Thanks in advance
>>>>> Meghanand N Acharekar.
>>>>>
>>>>
>>>>
>>>> Hi,
>>>>
>>>> when you set 'pwdCheckQuality: 1', you require a module to actually
>>>> check the quality of the password. See slapo-ppolicy(5) and look at the
>>>> pwdPolicyChecker/pwdCheckModule parts.
>>>>
>>>>
>>>>
>>> Hello
>>>
>>> After setting pwdReset TRUE in user attribute, I'm getting another error.
>>>
>>> LDAP password information update failed: Constraint violation
>>> Password fails quality checking policy
>>> passwd: Permission denied
>>> Connection to myhost closed.
>>>
>>> Is it mandatory to use this module if we want to enforce password policies.
>>> Any idea.
>>>
>>>
>>>> Regards,
>>>> Christian Manal
>>>>
>>>
>>
>> The 'Constraint violation' error means that the new password does not
>> conform to the quality requirements, or in your case, the quality could
>> not be verified at all. As I said, if you want to use
>>
>> pwdCheckQuality: 1
>>
>> you *need* a pwdCheckModule to run the password through, or you will
>> always get a constraint violation.
>>
>>
> Okies, if I use simple password it prompts me as follows.
>
> WARNING: Your password has expired.
> You must change your password now and login again!
> Changing password for user test
> Enter login(LDAP) password:
> New UNIX password:
> BAD PASSWORD: it does not contain enough DIFFERENT characters
> New UNIX password:
> BAD PASSWORD: it is based on a dictionary word
> New UNIX password:
> Retype new UNIX password:
> LDAP password information update failed: Constraint violation
> Password fails quality checking policy
>
I think the "BAD PASSWORD" messages are coming from your PAM stack.
pam_cracklib, or something, may check the password quality, before
passing it to pam_ldap. But that doesn't have anything to do with the
quality checking of slapo-ppolicy.

> By the way I found check_password.c file here
> https://ltb-project.org/svn/openldap-ppolicy-check-password/trunk/
> I will compile it to generate check_password.so file and update you.
>
>
>> Regards,
>> Christian Manal
>>
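
A check for the configuration gap discussed in this thread, as an added example that is not part of the original messages: it parses a pwdPolicy entry (an abridged copy of the one quoted above) and reports when pwdCheckQuality is non-zero but no pwdCheckModule is set, or when a module is named without the pwdPolicyChecker object class. The function names `parse_entry` and `audit_quality_check` are hypothetical.

```python
# Added example: audit a ppolicy entry for pwdCheckQuality / pwdCheckModule mismatches.
# POLICY_LDIF is abridged from the policy entry quoted in the thread.
POLICY_LDIF = """\
dn: cn=policies,dc=example,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: policies
pwdAttribute: userPassword
pwdCheckQuality: 1
pwdMinLength: 8
"""

def parse_entry(ldif):
    """Parse one plain-text LDIF entry into {lowercased attribute: [values]}.
    Handles folded lines and comments; base64 ('attr::') values are not decoded."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # continuation of a folded line
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        name, _, value = line.partition(":")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry

def audit_quality_check(entry):
    """Return a list of findings about the password quality settings."""
    findings = []
    quality = int(entry.get("pwdcheckquality", ["0"])[0])
    classes = {c.lower() for c in entry.get("objectclass", [])}
    module = entry.get("pwdcheckmodule", [])
    if quality == 0:
        findings.append("pwdCheckQuality is 0 or absent: no server-side syntax checking")
    if quality > 0 and not module:
        findings.append("pwdCheckQuality is %d but no pwdCheckModule is set" % quality)
    if module and "pwdpolicychecker" not in classes:
        findings.append("pwdCheckModule is set without objectClass pwdPolicyChecker")
    if module and quality == 0:
        findings.append("pwdCheckModule is set but never called while pwdCheckQuality is 0")
    return findings

if __name__ == "__main__":
    for finding in audit_quality_check(parse_entry(POLICY_LDIF)):
        print(finding)
```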
