2010/10/14 Meghanand Acharekar <[email protected]>:
>
> On Mon, Oct 11, 2010 at 7:57 PM, Christian Manal
> <[email protected]> wrote:
>>
>> On 11.10.2010 16:06, Meghanand Acharekar wrote:
>> > On Mon, Oct 11, 2010 at 7:08 PM, Christian Manal
>> > <[email protected]> wrote:
>> >
>> >> On 11.10.2010 15:25, Meghanand Acharekar wrote:
>> >>> On Mon, Oct 11, 2010 at 6:42 PM, Christian Manal
>> >>> <[email protected]> wrote:
>> >>>
>> >>>> On 11.10.2010 14:41, Meghanand Acharekar wrote:
>> >>>>> Hi,
>> >>>>>
>> >>>>> I am using ppolicy overlay to enforce password policies.
>> >>>>> Following is my ppolicy configuration/ldif.
>> >>>>>
>> >>>>> dn: cn=policies,dc=example,dc=com
>> >>>>> objectClass: top
>> >>>>> objectClass: device
>> >>>>> objectClass: pwdPolicy
>> >>>>> cn: policies
>> >>>>> pwdAttribute: userPassword
>> >>>>> pwdMaxAge: 7516800
>> >>>>> pwdExpireWarning: 432000
>> >>>>> pwdInHistory: 6
>> >>>>> pwdCheckQuality: 1
>> >>>>> pwdMinLength: 8
>> >>>>> pwdMaxFailure: 4
>> >>>>> pwdLockout: TRUE
>> >>>>> pwdLockoutDuration: 1920
>> >>>>> pwdGraceAuthNLimit: 0
>> >>>>> pwdFailureCountInterval: 0
>> >>>>> pwdMustChange: TRUE
>> >>>>> pwdAllowUserChange: TRUE
>> >>>>> pwdSafeModify: FALSE
>> >>>>>
>> >>>>> While changing password on first login I got following error.
>> >>>>>
>> >>>>> WARNING: Your password has expired.
>> >>>>> You must change your password now and login again!
>> >>>>> Changing password for user prasad.
>> >>>>> Enter login(LDAP) password:
>> >>>>> New UNIX password:
>> >>>>> Retype new UNIX password:
>> >>>>> LDAP password information update failed: Constraint violation
>> >>>>> Password is too young to change
>> >>>>> passwd: Permission denied
>> >>>>> Connection to myhost closed.
>> >>>>>
>> >>>>> Thanks in advance
>> >>>>> Meghanand N Acharekar.
>> >>>>>
>> >>>>
>> >>>> Hi,
>> >>>>
>> >>>> when you set 'pwdCheckQuality: 1', you require a module to actually
>> >>>> check the quality of the password. See slapo-ppolicy(5) and look at
>> >>>> the pwdPolicyChecker/pwdCheckModule parts.
>> >>>>
>> >>>
>> >>> Hello
>> >>>
>> >>> After setting pwdReset TRUE in user attribute, I'm getting another
>> >>> error.
>> >>>
>> >>> LDAP password information update failed: Constraint violation
>> >>> Password fails quality checking policy
>> >>> passwd: Permission denied
>> >>> Connection to myhost closed.
>> >>>
>> >>> Is it mandatory to use this module if we want to enforce password
>> >>> policies?
>> >>> Any idea?
>> >>>
>> >>>> Regards,
>> >>>> Christian Manal
>> >>>>
>> >>
>> >> The 'Constraint violation' error means that the new password does not
>> >> conform to the quality requirements, or in your case, the quality could
>> >> not be verified at all. As I said, if you want to use
>> >>
>> >> pwdCheckQuality: 1
>> >>
>> >> you *need* a pwdCheckModule to run the password through, or you will
>> >> always get a constraint violation.
>> >>
>> >
>> > Okies, if I use simple password it prompts me as follows.
>> >
>> > WARNING: Your password has expired.
>> > You must change your password now and login again!
>> > Changing password for user test
>> > Enter login(LDAP) password:
>> > New UNIX password:
>> > BAD PASSWORD: it does not contain enough DIFFERENT characters
>> > New UNIX password:
>> > BAD PASSWORD: it is based on a dictionary word
>> > New UNIX password:
>> > Retype new UNIX password:
>> > LDAP password information update failed: Constraint violation
>> > Password fails quality checking policy
>> >
>>
>> I think the "BAD PASSWORD" messages are coming from your PAM stack.
>> pam_cracklib, or something, may check the password quality, before
>> passing it to pam_ldap. But that doesn't have anything to do with the
>> quality checking of slapo-ppolicy.
>>
>
> Update.
> I was not able to compile the check_password.c file, due to limited time.
> Finally I removed pwdCheckQuality & pwdMinLen from ppolicy,
> now had a configuration which relies on pam_cracklib on individual system for
> password quality checks and slapd-ppolicy for rest.
> I will further try compilation of check_password.c when I find enough time ;)

Hi,

you will find some documentation here:
http://ltb-project.org/wiki/documentation/openldap-ppolicy-check-password

Clément.
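
The pwdCheckModule hook referred to in this thread, shown as an added example: it is not part of any message above and is not the LTB project's check_password.c. The function signature follows slapo-ppolicy(5); the names CHECK_REJECTED, MIN_LENGTH and MIN_CLASSES, the character-class rule and the build command are assumptions made for illustration.

```c
/* Added example: minimal ppolicy check module (not code from the thread).
 * Assumed build line:  cc -fPIC -shared -o check_password.so check_password.c
 * The policy entry then needs objectClass pwdPolicyChecker and a
 * pwdCheckModule attribute naming the resulting shared object. */
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

#define LDAP_SUCCESS   0   /* same value as in <ldap.h> */
#define CHECK_REJECTED 1   /* hypothetical name: any non-zero return rejects */
#define MIN_LENGTH     8   /* mirrors pwdMinLength in the posted policy */
#define MIN_CLASSES    3   /* assumption: 3 of lower/upper/digit/other */

typedef struct Entry Entry; /* opaque here; slapd's real type is in slap.h */

/* slapd free()s *ppErrStr, so the message must be heap-allocated. */
static int reject(char **ppErrStr, const char *msg)
{
    if (ppErrStr != NULL) {          /* caller may pass NULL: do not touch */
        size_t n = strlen(msg) + 1;
        *ppErrStr = malloc(n);
        if (*ppErrStr != NULL)
            memcpy(*ppErrStr, msg, n);
    }
    return CHECK_REJECTED;
}

/* Called by the ppolicy overlay with the clear-text new password. */
int check_password(char *pPasswd, char **ppErrStr, Entry *pEntry)
{
    int lower = 0, upper = 0, digit = 0, other = 0;
    const unsigned char *p;
    (void)pEntry;                    /* entry being changed; unused here */

    if (pPasswd == NULL || strlen(pPasswd) < MIN_LENGTH)
        return reject(ppErrStr, "password shorter than 8 characters");

    for (p = (const unsigned char *)pPasswd; *p != '\0'; p++) {
        if (islower(*p))      lower = 1;
        else if (isupper(*p)) upper = 1;
        else if (isdigit(*p)) digit = 1;
        else                  other = 1;
    }
    if (lower + upper + digit + other < MIN_CLASSES)
        return reject(ppErrStr, "password needs 3 of: lower, upper, digit, other");

    return LDAP_SUCCESS;             /* ppErrStr left untouched on success */
}
```

A module like this only sees the password when the client sends it in clear text; a pre-hashed userPassword value cannot be inspected.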
