On 03/03/2017 10:23 AM, Predrag Zečević - Technical Support Analyst wrote:
On 02/28/17 03:15 PM, Mark Reynolds wrote:
I can confirm that something is wrong, also in 389-ds-base-1.3.5.14
(i.e. it also has the same problem).
Make sure you are NOT using Directory manager to change passwords.
Directory manager bypasses password policies.
Thanks, that might be a reason. I will make note and check scripts.
On a side note - this is documented in the Administration guide.
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/10/html/Administration_Guide/User_Account_Management.html#Managing_the_Password_Policy-Setting_User_Passwords
This doc refers to the Directory Manager account as the root DN, which
is correct but could be confusing. This could be "clearer" so I've
opened a doc bug on this.
Regards,
Mark
Hi Mark,
I have checked the scripts and found the following: for changing a password we
have two scenarios:
a) the user changes it themselves (via PHP web interface - that works fine BTW)
b) a member of the group "Directory Administrators" (with proper ACI)
changes it for the user (from a shell script - works fine)
I have cases where the user IS able to authorize against LDAP even if the
password has expired... In the global password policy we have set this:
passwordMaxAge: 31536000 # 365 days (I guess that is default)
In local one (per user policy
"cn=nsPwPolicyContainer,ou=people,dc=2e-systems,dc=com") we have
redefined that value:
passwordMaxAge: 7776000 # which is 90 days
Can that be a problem? The user name is replaced in the output below:
#========================================= Global PP Setup ===
# ldapsearch -xLLL -D "cn=Directory Manager" -b 'cn=config' -s base 'objectClass=*' '*' passwordHistory | grep ^password
passwordInHistory: 7
passwordUnlock: on
passwordGraceLimit: 3
passwordMustChange: off
passwordWarning: 604800
passwordLockout: on
passwordMinLength: 8
passwordMinDigits: 1
passwordMinAlphas: 1
passwordMinUppers: 1
passwordMinLowers: 1
passwordMinSpecials: 0
passwordMin8bit: 0
passwordMaxRepeats: 0
passwordMinCategories: 4
passwordMinTokenLength: 3
passwordMaxFailure: 3
passwordMaxAge: 31536000
passwordResetFailureCount: 1800
passwordIsGlobalPolicy: on
passwordLegacyPolicy: on
passwordTrackUpdateTime: off
passwordChange: on
passwordExp: off
passwordSendExpiringTime: off
passwordLockoutDuration: 3600
passwordCheckSyntax: on
passwordMinAge: 0
passwordStorageScheme: SSHA
passwordAdminDN:
passwordHistory: on
#========================================= User PP setup ===
# ldapsearch -xLLL -D "cn=Directory Manager" -b "cn=nsPwPolicyContainer,ou=people,dc=2e-systems,dc=com" "(&(objectClass=ldapsubentry)(objectClass=passwordPolicy)(cn=*GivenName Surname*))"
dn: cn=cn\3DnsPwPolicyEntry\2Ccn\3Dgivenname surname\2Cou\3Dpeople\2Cdc\3D2e-systems\2Cdc\3Dcom,cn=nsPwPolicyContainer,ou=People,dc=2e-systems,dc=com
passwordInHistory: 5
passwordMinAge: 600
passwordChange: on
passwordUnlock: on
passwordLockoutDuration: 1800
passwordResetFailureCount: 600
passwordLockout: on
passwordMaxFailure: 10
passwordMaxRepeats: 0
passwordStorageScheme: ssha
passwordMaxAge: 7776000
passwordExp: on
passwordGraceLimit: 6
passwordMin8bit: 0
passwordMinAlphas: 0
passwordMinSpecials: 1
passwordMinDigits: 1
passwordMinLowers: 1
passwordMinUppers: 1
passwordMinTokenLength: 5
passwordMinCategories: 4
passwordMinLength: 8
passwordCheckSyntax: on
passwordMustChange: off
objectClass: top
objectClass: ldapsubentry
objectClass: passwordpolicy
cn: cn=nsPwPolicyEntry,cn=givenname surname,ou=people,dc=2e-systems,dc=com
#========================================= User DN Setup ===
# ldapsearch -xLLL -D "cn=Directory Manager" -b "dc=2e-systems,dc=com" "(&(objectclass=additionalPersonalData)(cn=GivenName Surname))"
dn: cn=GivenName Surname,ou=People,dc=2e-systems,dc=com
passwordExpirationTime: 20170223113208Z
passwordExpWarned: 0
passwordGraceUserTime: 2
passwordRetryCount: 0
passwordAllowChangeTime: 20161125114208Z
passwordHistory: 20151015062612Z{SSHA}yFVx6mQasMSPFIb1cgrEMPQoxDYgLk3Lnl5MWA==
passwordHistory: 20160331065019Z{SSHA}kRLwA3OjzKnmsYwk31dIHHWEZWIO2P3RISBXxQ==
passwordHistory: 20160622062736Z{SSHA}P8iQemcypxBwWaFOaqcJe+KLNTFyNrNxBT3VAw==
passwordHistory: 20160915064325Z{SSHA}a9WrOm5IDrhc3mN+P9DmHGj6QZl4ZpWGLbRQ/w==
passwordHistory: 20161125113208Z{SSHA}peCYxS8AY7t7HagqdDeyXTTTJHMNNErOkGHcEg==
In this last output one can see that the password expired at
20170223113208Z - but the user can still log in to LDAP?
What could be wrong here?
You have configured
passwordGraceLimit: 6
which means the user can log in 6 times after the password expired.
With best regards.
Predrag Zečević
--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander
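As an added example (not from this thread or from 389-ds itself), the following script reproduces the reasoning above offline: it parses ldapsearch -LLL style output, merges the global cn=config policy with the per-user subentry (local attributes win), and reports whether an account is past passwordExpirationTime and how many grace binds it has left. The inputs are constructed from the attribute values quoted in the thread with the DN replaced; treating "grace binds left" as passwordGraceLimit minus passwordGraceUserTime is an assumption about the server's accounting.

```python
from datetime import datetime, timezone

# Constructed inputs mirroring the thread's attributes (DN and hash replaced).
GLOBAL_POLICY = "passwordExp: off\npasswordMaxAge: 31536000\npasswordGraceLimit: 3\n"
LOCAL_POLICY = "passwordExp: on\npasswordMaxAge: 7776000\npasswordGraceLimit: 6\n"
USER_ENTRY = (
    "dn: cn=GivenName Surname,ou=People,dc=example,dc=com\n"
    "passwordExpirationTime: 20170223113208Z\n"
    "passwordGraceUserTime: 2\n"
    "passwordHistory: 20161125113208Z{SSHA}constructedValueNotARealHash==\n"
)

def parse_ldif(text):
    """Parse one LDIF entry into {attr_lowercase: [values]}, joining folded lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # LDIF continuation line
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def effective_policy(global_ldif, local_ldif=None):
    """Local subentry attributes override the global cn=config ones."""
    policy = {k: v[0] for k, v in parse_ldif(global_ldif).items()}
    if local_ldif:
        policy.update({k: v[0] for k, v in parse_ldif(local_ldif).items()})
    return policy

def parse_gtime(value):
    """Generalized time as stored by the server, e.g. 20170223113208Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def password_state(user_ldif, policy, now_gtime):
    """Return (expired, grace_binds_left, bind_allowed) for the entry at time now."""
    user = parse_ldif(user_ldif)
    if policy.get("passwordexp", "off") != "on":
        return (False, None, True)             # expiration not enforced at all
    if parse_gtime(now_gtime) < parse_gtime(user["passwordexpirationtime"][0]):
        return (False, None, True)             # still within passwordMaxAge
    limit = int(policy.get("passwordgracelimit", "0"))
    used = int(user.get("passwordgraceusertime", ["0"])[0])
    left = max(limit - used, 0)                # assumption: limit minus used count
    return (True, left, left > 0)

if __name__ == "__main__":
    print(password_state(USER_ENTRY, effective_policy(GLOBAL_POLICY, LOCAL_POLICY), "20170303100000Z"))
```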
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx