* Do not use rootdn account to test ppolicy (rootdn bypasses ppolicy)

I have a service account set up in /etc/pam_ldap.conf. What should the proper ACL be for this?

* Do not hash password before modifying it (password in SSHA cannot be verified against min size for example)

Ah. I'll change that to send in clear and try again. However, shouldn't this just make the check fail, being that the hash will be longer than 12 chars?

* What client do you use to test?

pam_ldap, and Apache Directory Studio (bind as regular user)

Thanks,
Dan

On Wed, Apr 10, 2013 at 12:34 PM, Clément OUDOT <[email protected]> wrote:
>
>
> 2013/4/10 D C <[email protected]>
>
>> Fair enough. Now I'm updated:
>> $ rpm -qa |grep openldap
>> openldap-ltb-2.4.35-1.el6.x86_64
>> openldap-ltb-check-password-1.1-8.el6.x86_64
>>
>> I dumped and reimported my database, and tried again. I don't see any
>> difference.
>>
>> TESTS:                    RESULT:
>>
>> pwdSafeModify: FALSE      PASS: Message: LDAP password information
>>                           update failed: Insufficient access. Must supply
>>                           old password to be changed as well as new one
>> pwdAllowUserChange: FALSE PASS: Message: LDAP password information
>>                           update failed: Insufficient access. User
>>                           alteration of password is not allowed
>> pwdMaxAge: 300            Not Tested.
>> pwdExpireWarning: 10      Not Tested.
>> pwdInHistory: 3           FAIL: I can still flip between 2 passwords
>> pwdMinLength: 12          FAIL: I can still set a 6 char password
>> pwdMustChange:            FAIL: I am not forced to change passwd.
>> pwdMaxFailure: 2          FAIL: Still allowed in after 3 failures
>>
>>
>>
>>
>
> Several points:
> * Do not use rootdn account to test ppolicy (rootdn bypasses ppolicy)
> * Do not hash password before modifying it (password in SSHA cannot be
> verified against min size for example)
> * What client do you use to test?
>
>
> Clément.
>
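As an added example (not part of this thread, and not the openldap-ltb project's own configuration), the slapd.conf fragment below shows the two points raised above in configuration form: a bind-only service account for pam_ldap that is subject to ACLs and ppolicy because it is an ordinary entry rather than the rootdn, and `ppolicy_hash_cleartext` so that clients send the password in clear (letting the overlay check length and history) while the stored value is still a hash. The suffix `dc=example,dc=com`, the service account `cn=pamldap,ou=services,dc=example,dc=com` and the policy entry `cn=default,ou=policies,dc=example,dc=com` are placeholders assumed for illustration.

```conf
# Added example, not from the thread. All DNs below are assumed placeholders.

# ppolicy overlay on the database holding the users.
# ppolicy_hash_cleartext: slapd hashes a cleartext userPassword itself, so a
# client can send the password in clear (the overlay can then check
# pwdMinLength / pwdInHistory) and the directory never stores cleartext.
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=example,dc=com"
ppolicy_use_lockout
ppolicy_hash_cleartext

# Service account used in /etc/pam_ldap.conf. It only needs "auth" on
# userPassword (enough for slapd to verify binds) and read on the rest; it
# must not be the rootdn, because the rootdn bypasses ACLs and ppolicy.
# Users may write their own userPassword (required for pwdAllowUserChange
# and pwdMustChange to be meaningful); nobody else may read it.
access to attrs=userPassword
    by self write
    by anonymous auth
    by dn.exact="cn=pamldap,ou=services,dc=example,dc=com" auth
    by * none

access to *
    by dn.exact="cn=pamldap,ou=services,dc=example,dc=com" read
    by self read
    by users read
    by * none
```

In the policy entry itself, set `pwdCheckQuality: 2` so that a password the overlay cannot inspect (for example one a client pre-hashed as {SSHA}) is rejected instead of being accepted unchecked; `1` accepts such values silently, which produces exactly the "I can still set a 6 char password" result. To verify, bind as the regular user rather than the rootdn and change the password in clear, for example `ldappasswd -x -D "uid=dan,ou=people,dc=example,dc=com" -W -S`; with `pwdMinLength: 12` a six-character new password should fail with a constraint violation from the password quality check.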
