I am getting a little further with this. I have added

pwdLockout = TRUE
pwdMaxFailure = 5
pwdMinLength = 8

Now if I try to log in with the wrong password it adds a pwdFailureTime attribute to the user as expected, and after 5 I can't bind as that user anymore. Then if I reset the password the user can log in again. So at least something with the policy is working.

When I change the password, however, it allows passwords with fewer than 8 characters, and pwdReset is still not set on the user's entry.

Any thoughts on what might be happening?

Thanks,
Bram

On 2014-08-03, 9:10 AM, Bram Cymet wrote:
> Hi,
>
> It looks like the password policy overlay will do exactly what I need it
> to, I just can't get it to work.
>
> I have applied the overlay to my directory.
> I have a default policy set that has:
>
> pwdAttribute set to userPassword
> and
> pwdMustChange set to TRUE.
>
> However, when I change a user's password either with ldapmodify or the
> ldappasswd command, that user is still able to bind to the directory
> just fine. I was assuming that a bind attempt would return an error
> saying that the user had to change their password, or is this not the
> expected behavior?
>
> Also, I have tried adding pwdReset = TRUE to my user's object, but it
> complains that pwdReset is not allowed in the schema. Is there a specific
> objectclass that I have to add to my user entries?
>
> I have also tried creating a schema with pwdReset and pwdPolicySubentry,
> but when I add that schema it complains that these are operational
> attributes.
>
> I have upped the logging and when a user tries to bind I see:
>
> Aug 3 08:57:08 devauth slapd[30441]: conn=1017 fd=17 ACCEPT from IP=10.20.48.66:55519 (IP=0.0.0.0:389)
> Aug 3 08:57:08 devauth slapd[30441]: conn=1017 op=0 BIND dn="[email protected],ou=test_websales_users,dc=ls,dc=cbn" method=128
> Aug 3 08:57:08 devauth slapd[30441]: => bdb_entry_get: found entry: "[email protected],ou=test_websales_users,dc=ls,dc=cbn"
> Aug 3 08:57:08 devauth slapd[30441]: => bdb_entry_get: found entry: "cn=websales_password_policy,ou=test_websales_users,dc=ls,dc=cbn"
> Aug 3 08:57:08 devauth slapd[30441]: => access_allowed: result not in cache (userPassword)
> Aug 3 08:57:08 devauth slapd[30441]: => access_allowed: auth access to "[email protected],ou=test_websales_users,dc=ls,dc=cbn" "userPassword" requested
> Aug 3 08:57:08 devauth slapd[30441]: => acl_get: [2] attr userPassword
> Aug 3 08:57:08 devauth slapd[30441]: => acl_mask: access to entry "[email protected],ou=test_websales_users,dc=ls,dc=cbn", attr "userPassword" requested
> Aug 3 08:57:08 devauth slapd[30441]: => acl_mask: to value by "", (=0)
> Aug 3 08:57:08 devauth slapd[30441]: <= check a_dn_pat: self
> Aug 3 08:57:08 devauth slapd[30441]: <= check a_dn_pat: *
> Aug 3 08:57:08 devauth slapd[30441]: <= acl_mask: [2] applying auth(=xd) (stop)
> Aug 3 08:57:08 devauth slapd[30441]: <= acl_mask: [2] mask: auth(=xd)
> Aug 3 08:57:08 devauth slapd[30441]: => slap_access_allowed: auth access granted by auth(=xd)
> Aug 3 08:57:08 devauth slapd[30441]: => access_allowed: auth access granted by auth(=xd)
> Aug 3 08:57:08 devauth slapd[30441]: conn=1017 op=0 BIND dn="[email protected],ou=test_websales_users,dc=ls,dc=cbn" mech=SIMPLE ssf=0
>
> So it looks to me like the default policy has been applied, but nothing
> happens when a password is reset by an administrator.
>
> So I think I am missing something fundamental here. I have a few
> questions that I think will help me to narrow down my problem, though.
>
> 1) What is the best way to debug an overlay?
>
> 2) Is there a proper way for an administrator to change a password so
> that the pwdReset flag is set on the user (or whatever is supposed to
> happen so that the user needs to reset their password on their next bind)?
>
> 3) Is it enough to have a password policy with just pwdAttribute and
> pwdMustChange set, or are there other values that need to be set to make
> this work?
>
> 4) Are there any extra object classes that have to be added to my user
> entries for the password policies to work?
>
> 5) I would like users to have to reset their password on first bind. Do
> I need to set something on object creation?
>
> 6) Anything else I might be missing?
>
> Any help would be awesome.
>
> Thanks,
> --
> Bram Cymet
> Software Developer
> Canadian Bank Note Co. Ltd.
> 613-608-9752
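[Editor's note: the LDIF below is an added, worked example and is not part of Bram's messages or of the OpenLDAP project's own documentation. It assembles the attributes discussed in this thread into one slapo-ppolicy configuration, with the two facts that usually trip people up here: pwdMinLength is only enforced when pwdCheckQuality is non-zero, and pwdReset is an operational attribute that the overlay itself writes to the user entry when pwdMustChange is TRUE and the password is modified by a DN other than the entry's own; no extra objectClass is needed on user entries. After such a reset the user's bind still succeeds; the ppolicy response control carries changeAfterReset, and every operation other than a self password change is refused until the user changes it. The policy DN and the ou come from the log above; the rootdn cn=admin,dc=ls,dc=cbn, the user uid=testuser, the schema path and the sample passwords are assumptions. Load the file as the rootdn with ldapmodify -x -D "cn=admin,dc=ls,dc=cbn" -W -f ppolicy-example.ldif.]

```ldif
# --- slapd.conf fragment (assumed layout; adjust paths to your install) ---
#   include         /etc/openldap/schema/ppolicy.schema
#   moduleload      ppolicy.la
#   ...
#   database        bdb
#   suffix          "dc=ls,dc=cbn"
#   overlay         ppolicy
#   ppolicy_default "cn=websales_password_policy,ou=test_websales_users,dc=ls,dc=cbn"

# --- 1. The policy entry. pwdPolicy is auxiliary, so a structural class
#        (person, as in the Admin Guide example) carries the entry.
dn: cn=websales_password_policy,ou=test_websales_users,dc=ls,dc=cbn
changetype: add
objectClass: top
objectClass: person
objectClass: pwdPolicy
cn: websales_password_policy
sn: websales_password_policy
pwdAttribute: userPassword
# pwdMinLength is ignored unless pwdCheckQuality is 1 or 2.
#   1 = check, but accept a value the server cannot inspect (e.g. a
#       client-supplied {SSHA} hash);  2 = refuse such a value instead.
pwdCheckQuality: 2
pwdMinLength: 8
pwdLockout: TRUE
pwdMaxFailure: 5
pwdLockoutDuration: 900
pwdFailureCountInterval: 0
# Passwords set or reset by someone other than the user must be changed
# at the user's next bind.
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE

# --- 2. Administrative reset, performed while bound as the rootdn (any DN
#        other than the user's own). Send the value in the clear over TLS
#        so the overlay can measure it; slapd hashes it per password-hash.
#        A pre-hashed value skips the length check under pwdCheckQuality 1
#        and is refused under 2. (uid=testuser is an assumed entry.)
dn: uid=testuser,ou=test_websales_users,dc=ls,dc=cbn
changetype: modify
replace: userPassword
userPassword: Temp-Passw0rd!
# The overlay now adds pwdReset: TRUE to this entry by itself. Do not add
# it to user LDIF: it is operational (NO-USER-MODIFICATION); a direct write
# is only accepted with the Relax Rules control (ldapmodify -e relax).

# --- 3. Verification, from a shell ---
# Operational attributes are only returned when requested by name (or "+"):
#   ldapsearch -x -D "cn=admin,dc=ls,dc=cbn" -W -s base \
#     -b "uid=testuser,ou=test_websales_users,dc=ls,dc=cbn" \
#     pwdReset pwdChangedTime pwdFailureTime pwdAccountLockedTime pwdPolicySubentry
# The user can bind, but the whoami request itself is refused with
# "Operations are restricted to bind/unbind/abandon/StartTLS/modify password",
# and the ppolicy response control shows the changeAfterReset error:
#   ldapwhoami -x -e ppolicy \
#     -D "uid=testuser,ou=test_websales_users,dc=ls,dc=cbn" -w 'Temp-Passw0rd!'
# A self change by the user's own DN clears pwdReset:
#   ldappasswd -x -D "uid=testuser,ou=test_websales_users,dc=ls,dc=cbn" \
#     -w 'Temp-Passw0rd!' -s 'N3w-Longer-Pass'
# Repeating that with a 7-character -s value is now refused with a
# constraint violation, because the length check is active.
```

With pwdCheckQuality: 2 the server refuses any password it cannot inspect, which means clients must submit cleartext values (only ever over TLS, as the ssf=0 in the log above is exactly the case to avoid); choose 1 instead if some clients legitimately send pre-hashed userPassword values and accept that those bypass the length check.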
