
List:       openldap-technical
Subject:    Re: Configuring ppolicy problem
From:       cbulist <cbulist () gmail ! com>
Date:       2012-08-31 19:39:04
Message-ID: 504112D8.90905 () gmail ! com


Guillaume,

I did a test with your suggestion and now it is working when I change 
the pwdMaxAge to some short time such as 15 seconds, but I don't receive any 
message inviting me to change the password or any warning message about the 
expiration time.
I see the following message in debug mode:

uid=user1,ou=People,dc=sample,dc=com  has an expired password

I set the attributes in default Policies:

pwdGraceAuthNLimit: 2
pwdAllowUserChange: TRUE
pwdExpireWarning: 10
pwdLockout: TRUE
pwdMaxAge: 15
pwdMustChange: TRUE

In my ldap client I have set:
pam_lookup_policy yes

Do I have to change something in PAM?

Thanks in advance!

On 08/29/2012 03:59 PM, Guillaume Rousse wrote:
> On 29/08/2012 20:52, cbulist wrote:
>> Thanks Clement and Guillaume for your reply.
>>
>> This is my operational attributes for my user:
>>
>> dn: cn=user1,ou=policies,dc=sample,dc=com
>> objectClass: pwdPolicy
>> objectClass: top
>> objectClass: shadowAccount
>> objectClass: inetOrgPerson
>> objectClass: organizationalPerson
>> objectClass: person
>> cn: user1
>> pwdAttribute: userPassword
>> sn: user1
>> uid: user1
>> pwdAllowUserChange: TRUE
>> pwdExpireWarning: 10
>> pwdLockout: TRUE
>> pwdMaxAge: 15
>> pwdMustChange: TRUE
> Those are plain attributes, not *operational* attributes.
>
>> Guillaume:
>> I know that my access configuration is dangerous, but as I am testing I
>> just want to be sure I don't block anything.
>> If I understood your concept, I can't use pwdPolicy for a unix account. Is
>> there any way to control password history with shadowAccount?
> Not with shadowAccount, but with password policy. Just create a 
> pwdPolicy object, instance of pwdPolicy class, and apply it to either 
> all your users, through slapd.conf ppolicy_default setting, or just to 
> some of your users, through its operational pwdPolicySubentry attribute.
>
> Basically, you should have distinct user and policy objects, such as:
>
> dn: cn=user1,ou=users,dc=sample,dc=com
> objectClass: shadowAccount
> objectClass: inetOrgPerson
> objectClass: organizationalPerson
> objectClass: person
> cn: user1
> sn: user1
> uid: user1
> userPassword: XXXX
>
> dn: cn=default,ou=policies,dc=sample,dc=com
> objectClass: pwdPolicy
> objectClass: top
> pwdAllowUserChange: TRUE
> pwdExpireWarning: 10
> pwdLockout: TRUE
> pwdMaxAge: 15
> pwdMustChange: TRUE
>
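The thread's policy values (pwdMaxAge 15, pwdExpireWarning 10, pwdGraceAuthNLimit 2, pwdMustChange TRUE) are easier to reason about when the ppolicy expiry rules are written out. The following is an added example, not code from the thread or from OpenLDAP: it evaluates a user entry against a policy entry the way the overlay does, using the operational attributes slapd maintains on the user (pwdChangedTime, pwdGraceUseTime, pwdReset) rather than the plain attributes cbulist first placed on the user object. The sample entries and the `state_at` helper are constructed for illustration; the attribute names and the GeneralizedTime format are the real ones.

```python
from datetime import datetime, timezone

# Constructed sample data (not from the thread). The user entry carries the
# operational attributes ppolicy maintains (pwdChangedTime, pwdGraceUseTime,
# pwdReset); the policy entry carries the settings discussed in the thread.
SAMPLE_POLICY = {
    "pwdMaxAge": "15",          # seconds a password stays valid
    "pwdExpireWarning": "10",   # start warning this many seconds before expiry
    "pwdGraceAuthNLimit": "2",  # binds still allowed after expiry
    "pwdMustChange": "TRUE",
}

SAMPLE_USER = {
    "dn": "uid=user1,ou=People,dc=sample,dc=com",
    "pwdChangedTime": "20120831193904Z",  # GeneralizedTime, as slapd writes it
    "pwdGraceUseTime": [],                # one value per grace bind consumed
}


def parse_generalized_time(value: str) -> datetime:
    """Parse the GeneralizedTime form slapd uses for pwdChangedTime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def password_state(user: dict, policy: dict, now: datetime) -> dict:
    """Classify a user's password under a ppolicy entry.

    Returns a dict with 'state' (one of 'must_change', 'ok', 'warning',
    'grace', 'expired'), 'seconds_left' (time until expiry, or None) and
    'grace_left' (grace binds remaining, or None).
    """
    max_age = int(policy.get("pwdMaxAge", "0"))
    warn_window = int(policy.get("pwdExpireWarning", "0"))
    grace_limit = int(policy.get("pwdGraceAuthNLimit", "0"))

    # pwdReset is set on the user when an administrator reset the password
    # under a policy with pwdMustChange TRUE: the next bind must change it.
    if user.get("pwdReset", "FALSE").upper() == "TRUE":
        return {"state": "must_change", "seconds_left": None, "grace_left": None}

    changed = user.get("pwdChangedTime")
    if max_age == 0 or changed is None:
        # pwdMaxAge 0 means passwords never expire; without pwdChangedTime
        # the password predates the overlay and cannot be aged.
        return {"state": "ok", "seconds_left": None, "grace_left": None}

    age = (now - parse_generalized_time(changed)).total_seconds()
    remaining = int(max_age - age)
    if remaining > 0:
        # The warning is only raised once the remaining lifetime is within
        # pwdExpireWarning seconds of expiry.
        state = "warning" if warn_window and remaining <= warn_window else "ok"
        return {"state": state, "seconds_left": remaining, "grace_left": None}

    # Expired: grace binds, if any remain, still succeed, and the server
    # records each one as a new pwdGraceUseTime value.
    grace_left = max(grace_limit - len(user.get("pwdGraceUseTime", [])), 0)
    state = "grace" if grace_left > 0 else "expired"
    return {"state": state, "seconds_left": 0, "grace_left": grace_left}


def state_at(offset_seconds: int, user: dict = SAMPLE_USER,
             policy: dict = SAMPLE_POLICY) -> dict:
    """Constructed helper: evaluate the user at pwdChangedTime + offset_seconds."""
    base = parse_generalized_time(user["pwdChangedTime"])
    now = datetime.fromtimestamp(base.timestamp() + offset_seconds, tz=timezone.utc)
    return password_state(user, policy, now)


if __name__ == "__main__":
    for offset in (3, 6, 20):
        print(f"{offset:>3}s after change: {state_at(offset)}")
```

With these values the warning state only exists between 5 and 15 seconds after a change, and from 15 seconds on every bind is either a grace bind or a failure. Whether that warning ever reaches a user is a separate question: the overlay returns it in the Password Policy response control, which a client only receives if it attached the request control to its bind.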
