Philip Kime wrote:
> Many thanks for the reply, helpful as always!
>
>> I'm not sure what PAM is doing here. You can always verify that you
>> are being properly restricted on password syntax by using ldapmodify
>> or ldappasswd from the command line.
>
> It seems not - ldappasswd doesn't enforce the policy whether I bind with
> the user in question or Directory Manager. I've tried with subtree
> policies and also user-only policies. If I try to change the password in
> the GUI, the password policy works ok.

Check the access log for the server, and you may also need to turn on the trace level error logging.

>> This entry has objectclass ldapSubEntry, which means it is hidden from
>> normal searches.
>
> Hmm, I wonder if PAM and ldappasswd are not finding the policies as a
> result of this? There is nothing interesting in the access log - I can
> see the extop password operation line but it doesn't say anything about
> the filter used to look for password policy objects? Is there perhaps a
> way to include ldapSubEntry objects in normal searches?

No. The policy is supposed to be enforced on the server side. The client should not be attempting to use the policy settings on the server.

> PK
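
An added example, not part of the original message: one way to follow the "check the access log" advice is to pair each password-modify extended operation with its RESULT line and the identity bound on that connection. The log lines are constructed, and both the line layout and the reading of err=19 (constraintViolation) as a server-side rejection are assumptions.

```python
import re

PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"  # RFC 3062 Password Modify extended operation
CONSTRAINT_VIOLATION = 19                      # LDAP constraintViolation result code

# Constructed sample; the line layout is an assumption about the access log format.
SAMPLE_LOG = '''\
[13/Nov/2006:10:15:01 -0800] conn=7 op=0 BIND dn="uid=pk,ou=People,dc=example,dc=com" method=128 version=3
[13/Nov/2006:10:15:01 -0800] conn=7 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[13/Nov/2006:10:15:02 -0800] conn=7 op=1 EXT oid="1.3.6.1.4.1.4203.1.11.1"
[13/Nov/2006:10:15:02 -0800] conn=7 op=1 RESULT err=0 tag=120 nentries=0 etime=0
[13/Nov/2006:10:20:10 -0800] conn=9 op=0 BIND dn="uid=test,ou=People,dc=example,dc=com" method=128 version=3
[13/Nov/2006:10:20:10 -0800] conn=9 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[13/Nov/2006:10:20:11 -0800] conn=9 op=1 EXT oid="1.3.6.1.4.1.4203.1.11.1"
[13/Nov/2006:10:20:11 -0800] conn=9 op=1 RESULT err=19 tag=120 nentries=0 etime=0
'''

LINE_RE = re.compile(r'^\[([^\]]+)\] conn=(\d+) op=(-?\d+) (\w+)(.*)$')

def password_changes(log_text):
    """Return one record per password-modify extended operation with its result."""
    pending_bind, bound_as, pending_ext, records = {}, {}, {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, conn, op, verb, rest = m.group(1), int(m.group(2)), int(m.group(3)), m.group(4), m.group(5)
        key = (conn, op)
        if verb == "BIND":
            dn = re.search(r'dn="([^"]*)"', rest)
            pending_bind[key] = dn.group(1) if dn else ""
        elif verb == "EXT" and f'oid="{PASSWD_MODIFY_OID}"' in rest:
            pending_ext[key] = ts
        elif verb == "RESULT":
            err = re.search(r'\berr=(\d+)', rest)
            code = int(err.group(1)) if err else None
            if key in pending_bind:
                dn = pending_bind.pop(key)
                if code == 0:            # only a successful bind changes identity
                    bound_as[conn] = dn
            elif key in pending_ext:
                records.append({"time": pending_ext.pop(key), "conn": conn,
                                "bind_dn": bound_as.get(conn, "(anonymous)"),
                                "err": code,
                                "rejected": code == CONSTRAINT_VIOLATION})
    return records

if __name__ == "__main__":
    for r in password_changes(SAMPLE_LOG):
        print(r)
```

A record with err=0 for a password that should have failed the syntax rules shows the server accepted it, and the bind_dn field shows which identity made the change.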