Philip Kime wrote:
I'm not sure what PAM is doing here. You can always verify that you are being properly restricted on password syntax by using ldapmodify or ldappasswd from the command line.I havepam_lookup_policy yes and a user-local password policy for one user as a test. If I try to change the user's password, it updates fine in LDAP but does't warn me about the policy restrictions (set to min 8 chars but I can use 7 no problem, for example).
I read that PAM needs anonymous bind access to the objectclass=passwordpolicy attrs? I tried that but it made no difference.This entry has objectclass ldapSubEntry, which means it is hidden from normal searches. Try a search filter like (|(objectclass=*)(objectclass=ldapSubEntry)) to see these types of entries + normal entries. This is what the console does automatically, and you can verify this by looking at your access log.The really odd thing is that the policy object lives in:cn=nspwpolicycontainer,ou=people,dc=blah,dc=com but if I ldapsearch on '(objectclass=passwordpolicy)' in the above container (or in the whole root DSE for that matter), I find nothing,even if I bind as Directory Manager. It's there - I can see the object in the GUI.
PK --Philip Kime NOPS Systems Architect 310 401 0407-------------------------------------------------------------------------- Fedora-directory-users mailing list Fedora-directory-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-directory-users
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
-- Fedora-directory-users mailing list Fedora-directory-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-directory-users
