Philip Kime
2006-Nov-12 00:17 UTC
[Fedora-directory-users] Re: password policy on FDS 1.0.2 - doesn't seem to work?
Many thanks for the reply, helpful as always!

> I'm not sure what PAM is doing here. You can always verify that you are being properly
> restricted on password syntax by using ldapmodify or ldappasswd from the command line.

It seems not - ldappasswd doesn't enforce the policy whether I bind with the user in question or Directory Manager. I've tried with subtree policies and also user-only policies. If I try to change the password in the GUI, the password policy works ok.

> This entry has objectclass ldapSubEntry, which means it is hidden from normal searches.

Hmm, I wonder if PAM and ldappasswd are not finding the policies as a result of this? There is nothing interesting in the access log - I can see the extop password operation line but it doesn't say anything about the filter used to look for password policy objects? Is there perhaps a way to include ldapSubEntry objects in normal searches?

PK
David Boreham
2006-Nov-12 01:29 UTC
Re: [Fedora-directory-users] Re: password policy on FDS 1.0.2 - doesn't seem to work?
> Hmm, I wonder if PAM and ldappasswd are not finding the policies as a
> result of this? There is nothing interesting in the access log - I can
> see the extop password operation line but it doesn't say anything about
> the filter used to look for password policy objects? Is there perhaps a
> way to include ldapSubEntry objects in normal searches?

The server enforces the policy internally, and (at least in theory) all the code paths that modify passwords should be calling the same policy checking function. So ldappasswd, ldapmodify and the GUI should see exactly the same policy. If you turn up the logging level you might see more interesting output (in the errors log, not the access log, which is always quite terse).
Richard Megginson
2006-Nov-13 16:42 UTC
Re: [Fedora-directory-users] Re: password policy on FDS 1.0.2 - doesn't seem to work?
Philip Kime wrote:
> Many thanks for the reply, helpful as always!
>
>> I'm not sure what PAM is doing here. You can always verify that you
>> are being properly restricted on password syntax by using ldapmodify
>> or ldappasswd from the command line.
>
> It seems not - ldappasswd doesn't enforce the policy whether I bind with
> the user in question or Directory Manager. I've tried with subtree
> policies and also user-only policies. If I try to change the password in
> the GUI, the password policy works ok.

Check the access log for the server, and you may also need to turn on the trace level error logging.

>> This entry has objectclass ldapSubEntry, which means it is hidden from
>> normal searches.
>
> Hmm, I wonder if PAM and ldappasswd are not finding the policies as a
> result of this? There is nothing interesting in the access log - I can
> see the extop password operation line but it doesn't say anything about
> the filter used to look for password policy objects? Is there perhaps a
> way to include ldapSubEntry objects in normal searches?

No. The policy is supposed to be enforced on the server side. The client should not be attempting to use the policy settings on the server.

> PK
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
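A command-line check of the kind both replies describe, added here as an example; it is not part of the thread and not Fedora Directory Server's own tooling. It pushes a deliberately policy-violating password to a test account with ldapmodify, classifies the client's result, and points at the access-log line for the password extended operation so the server-side path can be confirmed. The LDAP URI, bind DN, bind password file, target DN and access-log path are placeholders; the script assumes the OpenLDAP client tools and that a password rejected by policy comes back as LDAP result 19 (constraintViolation).

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the FDS project.
# Placeholders below are assumptions; override them via the environment.
LDAP_URI="${LDAP_URI:-ldap://localhost:389}"
BIND_DN="${BIND_DN:-cn=Directory Manager}"
BIND_PW_FILE="${BIND_PW_FILE:-/path/to/bindpw.txt}"
TARGET_DN="${TARGET_DN:-uid=testuser,ou=People,dc=example,dc=com}"
ACCESS_LOG="${ACCESS_LOG:-/path/to/slapd-instance/logs/access}"

# Build the LDIF for a userPassword replace on $1 with candidate value $2.
build_modify_ldif() {
  printf 'dn: %s\nchangetype: modify\nreplace: userPassword\nuserPassword: %s\n' "$1" "$2"
}

# Classify a client result: $1 = ldapmodify exit status, $2 = its output.
# Exit 0 means the server accepted the change, so policy was not applied
# to this value. Result 19 (constraintViolation) is assumed to be the
# server's rejection for a password that fails syntax checks.
classify_result() {
  if [ "$1" -eq 0 ]; then
    echo not-enforced
    return 0
  fi
  case "$2" in
    *"Constraint violation"*|*"(19)"*) echo enforced ;;
    *) echo error ;;
  esac
}

# Live probe: $1 is a password that the configured policy should reject.
# Skips cleanly when the OpenLDAP client tools are not installed.
probe_policy() {
  if ! command -v ldapmodify >/dev/null 2>&1; then
    echo "ldapmodify not installed; skipping live probe" >&2
    return 2
  fi
  out=$(build_modify_ldif "$TARGET_DN" "$1" \
        | ldapmodify -x -H "$LDAP_URI" -D "$BIND_DN" -y "$BIND_PW_FILE" 2>&1)
  rc=$?
  classify_result "$rc" "$out"
}

# Show the password-modify extended operations (RFC 3062 OID) in the
# access log; the exact log format is assumed, so the grep is kept loose.
show_passwd_extops() {
  [ -r "$ACCESS_LOG" ] || { echo "access log not readable: $ACCESS_LOG" >&2; return 2; }
  grep -n '1\.3\.6\.1\.4\.1\.4203\.1\.11\.1' "$ACCESS_LOG" | tail -n 5
}

# Constructed sample outputs (not real server output) to exercise the classifier.
demo_classify() {
  classify_result 19 'ldap_modify: Constraint violation (19)'
  classify_result 0  'modifying entry "uid=testuser,ou=People,dc=example,dc=com"'
}

# Usage: sh probe.sh --probe 'x'   (run only against a test instance)
case "${1-}" in
  --probe) probe_policy "${2-x}"; show_passwd_extops ;;
  --demo)  demo_classify ;;
esac
```

Run it with --probe against a test account: "enforced" means the reject came from the server, matching what David and Richard say should happen regardless of client; "not-enforced" on a value the policy should refuse points at the policy configuration (scope, or whether the effective policy entry is the one you think) rather than at PAM or ldappasswd, and the errors log at a higher level is the next place to look.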