I tried to add a password policy to my openldap instance. It's seems like it's not working.
This is my setup:
Added to slapd.conf:
modulepath /usr/lib64/openldap
moduleload ppolicy.la
access to attrs=userPassword
by self write
by users read
by anonymous auth
access to *
by * read
database bdb
suffix "dc=openiam,dc=com"
rootdn "cn=Manager,dc=openiam,dc=com"
rootpw "{SSHA}2ttRoo/t5HuMT2nPxtI6goVUML5R2H9h"
# PPolicy Configuration
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=openiam,dc=com"
ppolicy_use_lockout
ppolicy_hash_cleartext
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
This is the default.ldif file:
dn: cn=default,ou=policies,dc=openiam,dc=com
cn: default
objectclass: top
objectclass: device
objectclass: pwdPolicy
pwdallowuserchange: TRUE
pwdattribute: userPassword
pwdcheckquality: 1
pwdexpirewarning: 432000
pwdfailurecountinterval: 0
pwdgraceauthnlimit: 0
pwdinhistory: 6
pwdlockout: TRUE
pwdlockoutduration: 1920
pwdmaxage: 7516800
pwdmaxfailure: 4
pwdminlength: 100
pwdmustchange: TRUE
pwdsafemodify: FALSE
Now i am using Spring-ldap in order to create new user with password on openldap.
for a testing purpose I limit the password length policy to 100(pwdminlength: 100)
Now I am creating the user with a shorter password and expecting to get some error - But not! I am creating the user succesfully:
This is the user creation ldif:
dn: cn=roi cohen,ou=Users,dc=openiam,dc=com
cn: cohen
cn: roi cohen
description: somedesc
mail: roi@yahoo.com
objectclass: person
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: top
objectclass: pwdPolicy
pwdattribute: userPassword
pwdlockout: TRUE
pwdmustchange: TRUE
sn: roi
uid: croi
userpassword: {SHA}QL0AFWMIX8NRZTKeof9cXsvbvu8=
After removing the objectclass: pwdPolicy. I still managed to create the user. the new user ldif after creation:
dn: cn=roi cohen,ou=Users,dc=openiam,dc=com
cn: cohen
cn: roi cohen
description: somedesc
mail: roi@yahoo.com
objectclass: person
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: top
sn: roi
uid: croi
userpassword: {SHA}QL0AFWMIX8NRZTKeof9cXsvbvu8=
Any idea why the password policy didnt restrict that user creation?
thanks, ray.
You need to create the user first while specifying the password-policy request control. Then you will get a password-policy response control with the response, which will contain this error if it occurred.