Philip Kime
2006-Nov-10 23:46 UTC
[Fedora-directory-users] password policy on FDS 1.0.2 - doesn't seem to work?
I have

pam_lookup_policy yes

and a user-local password policy for one user as a test.

If I try to change the user's password, it updates fine in LDAP but doesn't warn me about the policy restrictions (set to min 8 chars but I can use 7 no problem, for example). I read that PAM needs anonymous bind access to the objectclass=passwordpolicy attrs? I tried that but it made no difference.

The really odd thing is that the policy object lives in:

cn=nspwpolicycontainer,ou=people,dc=blah,dc=com

but if I ldapsearch on '(objectclass=passwordpolicy)' in the above container (or in the whole root DSE for that matter), I find nothing, even if I bind as Directory Manager. It's there - I can see the object in the GUI.

PK

--
Philip Kime
NOPS Systems Architect
310 401 0407
Richard Megginson
2006-Nov-10 23:57 UTC
Re: [Fedora-directory-users] password policy on FDS 1.0.2 - doesn't seem to work?
Philip Kime wrote:
> I have
>
> pam_lookup_policy yes
>
> and a user-local password policy for one user as a test.
>
> If I try to change the user's password, it updates fine in LDAP but
> doesn't warn me about the policy restrictions (set to min 8 chars but I
> can use 7 no problem, for example).

I'm not sure what PAM is doing here. You can always verify that you are being properly restricted on password syntax by using ldapmodify or ldappasswd from the command line.

> I read that PAM needs anonymous bind access to the
> objectclass=passwordpolicy attrs? I tried that but it made no difference.
> The really odd thing is that the policy object lives in:
>
> cn=nspwpolicycontainer,ou=people,dc=blah,dc=com
>
> but if I ldapsearch on '(objectclass=passwordpolicy)' in the above
> container (or in the whole root DSE for that matter), I find
> nothing, even if I bind as Directory Manager. It's there - I can see
> the object in the GUI.

This entry has objectclass ldapSubEntry, which means it is hidden from normal searches. Try a search filter like (|(objectclass=*)(objectclass=ldapSubEntry)) to see these types of entries + normal entries. This is what the console does automatically, and you can verify this by looking at your access log.

> PK
>
> --
> Philip Kime
> NOPS Systems Architect
> 310 401 0407
>
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
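Richard's two suggestions, as an added shell example that is not part of the thread: search with a filter that ORs in ldapSubEntry so the hidden policy object shows up, then change the test user's own password with ldapmodify and read the LDAP result code to confirm the minimum-length check fires. The server URI, the Directory Manager password and the test user DN and password are placeholder assumptions.

```shell
#!/bin/sh
# Added example, not from the thread; assumes OpenLDAP client tools and a reachable FDS.
LDAP_URI="${LDAP_URI:-ldap://localhost:389}"
DIRMGR_PW="${DIRMGR_PW:-changeme}"                       # placeholder
POLICY_BASE="cn=nspwpolicycontainer,ou=people,dc=blah,dc=com"
TEST_USER_DN="uid=testuser,ou=people,dc=blah,dc=com"     # placeholder
TEST_USER_PW="${TEST_USER_PW:-OldPassw0rd}"              # placeholder

# OR the ldapSubEntry class into a filter; without it the server hides
# subentries such as the local password policy from ordinary searches.
with_subentries() {
    printf '(|%s(objectclass=ldapSubEntry))' "$1"
}

# Pull passwordMinLength out of LDIF on stdin (first policy found).
min_length_from_ldif() {
    awk -F': ' '/^passwordMinLength:/ { print $2; exit }'
}
# List the subentries below the container (the policy among them) as Directory Manager.
list_pwpolicies() {
    ldapsearch -x -LLL -H "$LDAP_URI" -D "cn=Directory Manager" -w "$DIRMGR_PW" \
        -b "$POLICY_BASE" -s sub \
        "$(with_subentries '(objectclass=passwordpolicy)')" dn passwordMinLength
}

# Self-service change of the test user's password, the operation the local
# policy governs. Returns 0 if the syntax check rejected the candidate, 1 if
# it was accepted, 2 if the modify failed for an unrelated reason.
password_rejected() {
    ldapmodify -x -H "$LDAP_URI" -D "$TEST_USER_DN" -w "$TEST_USER_PW" \
        >/dev/null 2>&1 <<EOF
dn: $TEST_USER_DN
changetype: modify
replace: userPassword
userPassword: $1
EOF
    rc=$?   # ldapmodify exits with the LDAP result code
    case "$rc" in
        19) return 0 ;;   # constraintViolation: policy enforced
        0)  return 1 ;;   # accepted: policy not applied to this user
        *)  echo "ldapmodify failed with LDAP result $rc" >&2; return 2 ;;
    esac
}

if [ "${1:-}" = "run" ]; then   # only touch the directory when asked
    echo "policy minimum length: $(list_pwpolicies | min_length_from_ldif)"
    password_rejected "short7c" && echo "7-char password rejected" \
        || echo "7-char password accepted (or modify failed)"
fi
```

Bind as the user rather than as Directory Manager for the second check, since Directory Manager is not subject to the password policy; a result other than 19 or 0 means the test itself did not run cleanly, not that the policy is broken.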