我试图向我的openldap实例添加密码策略.似乎不起作用.
I tried to add a password policy to my openldap instance. It's seems like it's not working.
这是我的设置:
已添加到slapd.conf:
Added to slapd.conf:
modulepath /usr/lib64/openldap moduleload ppolicy.la access to attrs=userPassword by self write by users read by anonymous auth access to * by * read database bdb suffix "dc=openiam,dc=com" rootdn "cn=Manager,dc=openiam,dc=com" rootpw "{SSHA}2ttRoo/t5HuMT2nPxtI6goVUML5R2H9h" # PPolicy Configuration overlay ppolicy ppolicy_default "cn=default,ou=policies,dc=openiam,dc=com" ppolicy_use_lockout ppolicy_hash_cleartext # Indices to maintain for this database index objectClass eq,pres index ou,cn,mail,surname,givenname eq,pres,sub index uidNumber,gidNumber,loginShell eq,pres index uid,memberUid eq,pres,sub index nisMapName,nisMapEntry eq,pres,sub这是default.ldif文件:
This is the default.ldif file:
dn: cn=default,ou=policies,dc=openiam,dc=com cn: default objectclass: top objectclass: device objectclass: pwdPolicy pwdallowuserchange: TRUE pwdattribute: userPassword pwdcheckquality: 1 pwdexpirewarning: 432000 pwdfailurecountinterval: 0 pwdgraceauthnlimit: 0 pwdinhistory: 6 pwdlockout: TRUE pwdlockoutduration: 1920 pwdmaxage: 7516800 pwdmaxfailure: 4 pwdminlength: 100 pwdmustchange: TRUE pwdsafemodify: FALSE现在我正在使用Spring-ldap以便在openldap上使用密码创建新用户.
Now i am using Spring-ldap in order to create new user with password on openldap.
出于测试目的,我将密码长度策略限制为100(pwdminlength:100)
for a testing purpose I limit the password length policy to 100(pwdminlength: 100)
现在,我正在使用较短的密码创建用户,并期望得到一些错误-但是,不是!我成功创建了用户:
Now I am creating the user with a shorter password and expecting to get some error - But not! I am creating the user succesfully:
这是用户创建的ldif:
This is the user creation ldif:
dn: cn=roi cohen,ou=Users,dc=openiam,dc=com cn: cohen cn: roi cohen description: somedesc mail: roi@yahoo objectclass: person objectclass: inetOrgPerson objectclass: organizationalPerson objectclass: top objectclass: pwdPolicy pwdattribute: userPassword pwdlockout: TRUE pwdmustchange: TRUE sn: roi uid: croi userpassword: {SHA}QL0AFWMIX8NRZTKeof9cXsvbvu8=除去对象类后:pwdPolicy.我仍然设法创建用户.创建后的新用户ldif:
After removing the objectclass: pwdPolicy. I still managed to create the user. the new user ldif after creation:
dn: cn=roi cohen,ou=Users,dc=openiam,dc=com cn: cohen cn: roi cohen description: somedesc mail: roi@yahoo objectclass: person objectclass: inetOrgPerson objectclass: organizationalPerson objectclass: top sn: roi uid: croi userpassword: {SHA}QL0AFWMIX8NRZTKeof9cXsvbvu8=有人知道为什么密码策略没有限制用户的创建吗?
Any idea why the password policy didnt restrict that user creation?
谢谢, 射线.
推荐答案您需要在指定密码策略请求控件时首先创建用户.然后,您将获得带有响应的密码策略响应控件,如果发生此错误,它将包含此错误.
You need to create the user first while specifying the password-policy request control. Then you will get a password-policy response control with the response, which will contain this error if it occurred.
更多推荐
Openldap和密码策略实施不起作用
发布评论