Hugo Etievant
2008-Oct-27 15:10 UTC
[Fedora-directory-users] Problem with Password Policy : dirsrv service restart required !
Hello,

I am trying to use the global password policy in order to forbid users from changing their password.

I unchecked the field "User may change password" in the console.

But normal users can still change their own password with the /usr/lib/mozldap/ldappasswd command:

# /usr/lib/mozldap/ldappasswd -P /etc/dirsrv/slapd-fds1/ -m /etc/dirsrv/slapd-fds1/ -D "uid=user1,ou=People,dc=example,dc=com" -w - -S
New Password:
Re-enter new Password:
Enter bind password:
ldappasswd: password successfully changed

A command-line check of the cn=config entry of the DIT shows the passwordChange attribute value as "off":

# /usr/lib/mozldap/ldapsearch -s base -b "cn=config" -D "cn=Directory Manager" -w - "(cn=config)" passwordChange
Enter bind password:
version: 1
dn: cn=config
passwordChange: off

I have also created a local password policy for my "ou=People" subtree and for my user "User1", but the user can still change their own password!
If I restart the dirsrv service on the system, this item of the policy is applied.

CONCLUSION = Any change of the field "User may change password" in the Password Policy requires a restart of the LDAP daemon!

-- 
* Hugo Étiévant *
Rich Megginson
2008-Oct-27 15:29 UTC
Re: [Fedora-directory-users] Problem with Password Policy : dirsrv service restart required !
Hugo Etievant wrote:
> Hello,
>
> I am trying to use the global password policy in order to forbid users
> from changing their password.
>
> I unchecked the field "User may change password" in the console.
>
> But normal users can still change their own password with the
> /usr/lib/mozldap/ldappasswd command:
> # /usr/lib/mozldap/ldappasswd -P /etc/dirsrv/slapd-fds1/ -m
> /etc/dirsrv/slapd-fds1/ -D "uid=user1,ou=People,dc=example,dc=com" -w
> - -S
> New Password:
> Re-enter new Password:
> Enter bind password:
> ldappasswd: password successfully changed

What if you use ldapmodify to modify the userPassword attribute directly - same result?

> A command-line check of the cn=config entry of the DIT shows the
> passwordChange attribute value as "off":
> # /usr/lib/mozldap/ldapsearch -s base -b "cn=config" -D "cn=Directory
> Manager" -w - "(cn=config)" passwordChange
> Enter bind password:
> version: 1
> dn: cn=config
> passwordChange: off
>
> I have also created a local password policy for my "ou=People" subtree
> and for my user "User1", but the user can still change their own password!
> If I restart the dirsrv service on the system, this item of the policy
> is applied.
>
> CONCLUSION = Any change of the field "User may change password" in the
> Password Policy requires a restart of the LDAP daemon!
Hugo Etievant
2008-Oct-27 15:40 UTC
Re: [Fedora-directory-users] Problem with Password Policy : dirsrv service restart required !
Hello,

If I use the ldapmodify command, a change to the password policy's "User may change password" attribute is applied immediately, without an LDAP daemon restart,
but if I use ldappasswd, I have to restart the LDAP daemon!

Why this difference?

Rich Megginson wrote:
> Hugo Etievant wrote:
>> Hello,
>>
>> I am trying to use the global password policy in order to forbid users
>> from changing their password.
>>
>> I unchecked the field "User may change password" in the console.
>>
>> But normal users can still change their own password with the
>> /usr/lib/mozldap/ldappasswd command:
>> # /usr/lib/mozldap/ldappasswd -P /etc/dirsrv/slapd-fds1/ -m
>> /etc/dirsrv/slapd-fds1/ -D "uid=user1,ou=People,dc=example,dc=com" -w
>> - -S
>> ldappasswd: password successfully changed
> What if you use ldapmodify to modify the userPassword attribute
> directly - same result?
>> CONCLUSION = Any change of the field "User may change password" in the
>> Password Policy requires a restart of the LDAP daemon!

-- 
* Hugo Étiévant *
Rich Megginson
2008-Oct-27 15:46 UTC
Re: [Fedora-directory-users] Problem with Password Policy : dirsrv service restart required !
Hugo Etievant wrote:
> Hello,
>
> If I use the ldapmodify command, a change to the password policy's
> "User may change password" attribute is applied immediately, without an
> LDAP daemon restart,
> but if I use ldappasswd, I have to restart the LDAP daemon!
>
> Why this difference?

Let me see if I understand. After changing the password policy to "User may change password":

If you use ldapmodify to change the userPassword attribute, the policy is in effect immediately without a server restart.
If you use ldappasswd to change the user's password, the policy is not in effect until after a server restart.

Is this correct? If so, sounds like a bug - in either case, the change should take effect immediately.

> Rich Megginson wrote:
>> Hugo Etievant wrote:
>>> Hello,
>>>
>>> I am trying to use the global password policy in order to forbid
>>> users from changing their password.
>>>
>>> I unchecked the field "User may change password" in the console.
>>>
>>> But normal users can still change their own password with the
>>> /usr/lib/mozldap/ldappasswd command:
>>> # /usr/lib/mozldap/ldappasswd -P /etc/dirsrv/slapd-fds1/ -m
>>> /etc/dirsrv/slapd-fds1/ -D "uid=user1,ou=People,dc=example,dc=com"
>>> -w - -S
>>> ldappasswd: password successfully changed
>> What if you use ldapmodify to modify the userPassword attribute
>> directly - same result?
>>> CONCLUSION = Any change of the field "User may change password" in
>>> the Password Policy requires a restart of the LDAP daemon!
Hugo Etievant
2008-Oct-27 16:12 UTC
Re: [Fedora-directory-users] Problem with Password Policy : dirsrv service restart required !
Rich Megginson wrote:
> Hugo Etievant wrote:
>> Hello,
>>
>> If I use the ldapmodify command, a change to the password policy's
>> "User may change password" attribute is applied immediately, without
>> an LDAP daemon restart,
>> but if I use ldappasswd, I have to restart the LDAP daemon!
>>
>> Why this difference?
> Let me see if I understand. After changing the password policy to
> "User may change password":
> If you use ldapmodify to change the userPassword attribute, the policy
> is in effect immediately without a server restart.
> If you use ldappasswd to change the user's password, the policy is not
> in effect until after a server restart.
>
> Is this correct?

Yes, it is! Exactly.

> If so, sounds like a bug - in either case, the change should take
> effect immediately.

I think so too!

-- 
* Hugo Étiévant *
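The thread's lesson is that a password-policy change has to be verified through every path a user can take to set a password, not just one: a direct modify of userPassword and the Password Modify extended operation that ldappasswd uses (RFC 3062) are handled by different code in the server, and the posts above show them disagreeing until a restart. The script below is an added example, not code from the original posts or from the Fedora Directory Server project. It exercises both paths bound as the user and flags the exact divergence reported in the thread. It assumes (not stated in the thread) that the mozldap tools exit with the LDAP result code (0 on success, 53 unwillingToPerform when the server refuses the change), that the -h/-p/-s flags exist on those tools, and that the host, port and credentials in DEFAULTS are hypothetical lab values you replace with your own.

```python
"""Check that a "passwordChange: off" policy is enforced on both password-change
paths: direct userPassword modify (ldapmodify) and the Password Modify extended
operation (ldappasswd). Added example, not from the original thread.

Assumptions (not from the thread): mozldap tools return the LDAP result code as
their exit status; the -h, -p and -s flags exist; DEFAULTS are hypothetical.
"""
import subprocess
from typing import Callable, Dict, List, Optional, Sequence

# Hypothetical lab values; replace with the instance under test.
DEFAULTS: Dict[str, str] = {
    "host": "localhost",
    "port": "389",
    "user_dn": "uid=user1,ou=People,dc=example,dc=com",
    "user_pw": "OldPassw0rd",   # constructed sample value
    "new_pw": "NewPassw0rd",    # constructed sample value
    "tooldir": "/usr/lib/mozldap",
}

LDAP_SUCCESS = 0
LDAP_INSUFFICIENT_ACCESS = 50   # an ACI denied the write
LDAP_UNWILLING_TO_PERFORM = 53  # server refused the change (assumed policy result)


def policy_ldif(allow_user_change: bool) -> str:
    """LDIF that flips the global policy's "User may change password" switch.
    This is the cn=config attribute the thread's ldapsearch output shows."""
    return (
        "dn: cn=config\n"
        "changetype: modify\n"
        "replace: passwordChange\n"
        f"passwordChange: {'on' if allow_user_change else 'off'}\n"
    )


def userpassword_ldif(dn: str, new_pw: str) -> str:
    """Path A payload: the user rewrites their own userPassword directly."""
    return f"dn: {dn}\nchangetype: modify\nreplace: userPassword\nuserPassword: {new_pw}\n"


def modify_cmd(cfg: Dict[str, str]) -> List[str]:
    """Path A command: ldapmodify bound as the user, LDIF on stdin."""
    return [f"{cfg['tooldir']}/ldapmodify", "-h", cfg["host"], "-p", cfg["port"],
            "-D", cfg["user_dn"], "-w", cfg["user_pw"]]


def passwd_cmd(cfg: Dict[str, str]) -> List[str]:
    """Path B command: ldappasswd, i.e. the Password Modify extended operation."""
    return [f"{cfg['tooldir']}/ldappasswd", "-h", cfg["host"], "-p", cfg["port"],
            "-D", cfg["user_dn"], "-w", cfg["user_pw"], "-s", cfg["new_pw"]]


def classify(rc: int) -> str:
    """Map a tool exit status to what it means for the policy check."""
    if rc == LDAP_SUCCESS:
        return "allowed"
    if rc in (LDAP_UNWILLING_TO_PERFORM, LDAP_INSUFFICIENT_ACCESS):
        return "denied"
    return f"error({rc})"


def run_tool(cmd: Sequence[str], stdin_text: Optional[str]) -> int:
    """Real runner: execute the tool and return its exit status."""
    proc = subprocess.run(list(cmd), input=stdin_text, text=True, capture_output=True)
    return proc.returncode


def check_both_paths(cfg: Dict[str, str],
                     runner: Callable[[Sequence[str], Optional[str]], int]) -> Dict[str, object]:
    """Attempt both paths as the user and report whether the server treats them alike.
    The bug in the thread shows up as modify=denied, extop=allowed."""
    rc_modify = runner(modify_cmd(cfg), userpassword_ldif(cfg["user_dn"], cfg["new_pw"]))
    rc_extop = runner(passwd_cmd(cfg), None)
    report: Dict[str, object] = {"modify": classify(rc_modify), "extop": classify(rc_extop)}
    report["consistent"] = report["modify"] == report["extop"]
    return report


def expect_denied(report: Dict[str, object]) -> bool:
    """With passwordChange: off, both paths must be denied."""
    return report["modify"] == "denied" and report["extop"] == "denied"


if __name__ == "__main__":
    import json
    print(json.dumps(check_both_paths(DEFAULTS, run_tool), indent=2))
```

Run it once after toggling the policy and once more after a restart of the dirsrv service; a "consistent": false result in the first run and true in the second is the behaviour the thread describes. The runner is injected so the decision logic can be exercised offline, which also makes it easy to drop the same check into a post-change smoke test.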