On Mon, Oct 11, 2010 at 7:57 PM, Christian Manal < [email protected]> wrote:
> On 11.10.2010 16:06, Meghanand Acharekar wrote:
> > On Mon, Oct 11, 2010 at 7:08 PM, Christian Manal <
> > [email protected]> wrote:
> >
> >> On 11.10.2010 15:25, Meghanand Acharekar wrote:
> >>> On Mon, Oct 11, 2010 at 6:42 PM, Christian Manal <
> >>> [email protected]> wrote:
> >>>
> >>>> On 11.10.2010 14:41, Meghanand Acharekar wrote:
> >>>>> Hi,
> >>>>>
> >>>>> I am using ppolicy overlay to enforce password policies.
> >>>>> Following is my ppolicy configuration/ldif.
> >>>>>
> >>>>> dn: cn=policies,dc=example,dc=com
> >>>>> objectClass: top
> >>>>> objectClass: device
> >>>>> objectClass: pwdPolicy
> >>>>> cn: policies
> >>>>> pwdAttribute: userPassword
> >>>>> pwdMaxAge: 7516800
> >>>>> pwdExpireWarning: 432000
> >>>>> pwdInHistory: 6
> >>>>> pwdCheckQuality: 1
> >>>>> pwdMinLength: 8
> >>>>> pwdMaxFailure: 4
> >>>>> pwdLockout: TRUE
> >>>>> pwdLockoutDuration: 1920
> >>>>> pwdGraceAuthNLimit: 0
> >>>>> pwdFailureCountInterval: 0
> >>>>> pwdMustChange: TRUE
> >>>>> pwdAllowUserChange: TRUE
> >>>>> pwdSafeModify: FALSE
> >>>>>
> >>>>> While changing the password on first login I got the following error.
> >>>>>
> >>>>> WARNING: Your password has expired.
> >>>>> You must change your password now and login again!
> >>>>> Changing password for user prasad.
> >>>>> Enter login(LDAP) password:
> >>>>> New UNIX password:
> >>>>> Retype new UNIX password:
> >>>>> LDAP password information update failed: Constraint violation
> >>>>> Password is too young to change
> >>>>> passwd: Permission denied
> >>>>> Connection to myhost closed.
> >>>>>
> >>>>> Thanks in advance
> >>>>> Meghanand N Acharekar.
> >>>>>
> >>>>
> >>>>
> >>>> Hi,
> >>>>
> >>>> when you set 'pwdCheckQuality: 1', you require a module to actually
> >>>> check the quality of the password. See slapo-ppolicy(5) and look at the
> >>>> pwdPolicyChecker/pwdCheckModule parts.
> >>>>
> >>>>
> >>>>
> >>> Hello
> >>>
> >>> After setting pwdReset TRUE in the user attribute, I'm getting another error.
> >>>
> >>> LDAP password information update failed: Constraint violation
> >>> Password fails quality checking policy
> >>> passwd: Permission denied
> >>> Connection to myhost closed.
> >>>
> >>> Is it mandatory to use this module if we want to enforce password
> >>> policies?
> >>> Any idea?
> >>>
> >>>
> >>>> Regards,
> >>>> Christian Manal
> >>>>
> >>>
> >>
> >> The 'Constraint violation' error means that the new password does not
> >> conform to the quality requirements, or in your case, the quality could
> >> not be verified at all. As I said, if you want to use
> >>
> >> pwdCheckQuality: 1
> >>
> >> you *need* a pwdCheckModule to run the password through, or you will
> >> always get a constraint violation.
> >>
> >>
> > Okies, if I use a simple password it prompts me as follows.
> >
> > WARNING: Your password has expired.
> > You must change your password now and login again!
> > Changing password for user test
> > Enter login(LDAP) password:
> > New UNIX password:
> > BAD PASSWORD: it does not contain enough DIFFERENT characters
> > New UNIX password:
> > BAD PASSWORD: it is based on a dictionary word
> > New UNIX password:
> > Retype new UNIX password:
> > LDAP password information update failed: Constraint violation
> > Password fails quality checking policy
> >
>
> I think the "BAD PASSWORD" messages are coming from your PAM stack.
> pam_cracklib, or something, may check the password quality, before
> passing it to pam_ldap. But that doesn't have anything to do with the
> quality checking of slapo-ppolicy.
>

Update.

I was not able to compile the check_password.c file, due to limited time.
Finally I removed pwdCheckQuality & pwdMinLen from ppolicy, and now have a configuration which relies on pam_cracklib on the individual systems for password quality checks and slapd-ppolicy for the rest.
I will try compiling check_password.c further when I find enough time ;)

Thanks to all

> > By the way I found check_password.c file here
> > https://ltb-project.org/svn/openldap-ppolicy-check-password/trunk/
> > I will compile it to generate check_password.so file and update you.
> >
> >
> >
> >> Regards,
> >> Christian Manal
> >>
> >
>
