Openldap and password policy implementation not working

Updated: 2024-10-08 22:13:43

Problem description

I tried to add a password policy to my openldap instance. It seems like it's not working.

This is my setup:

Added to slapd.conf:

modulepath /usr/lib64/openldap
moduleload ppolicy.la

access to attrs=userPassword
    by self write
    by users read
    by anonymous auth
access to * by * read

database bdb
suffix "dc=openiam,dc=com"
rootdn "cn=Manager,dc=openiam,dc=com"
rootpw "{SSHA}2ttRoo/t5HuMT2nPxtI6goVUML5R2H9h"

# PPolicy Configuration
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=openiam,dc=com"
ppolicy_use_lockout
ppolicy_hash_cleartext

# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub

This is the default.ldif file:

dn: cn=default,ou=policies,dc=openiam,dc=com
cn: default
objectclass: top
objectclass: device
objectclass: pwdPolicy
pwdallowuserchange: TRUE
pwdattribute: userPassword
pwdcheckquality: 1
pwdexpirewarning: 432000
pwdfailurecountinterval: 0
pwdgraceauthnlimit: 0
pwdinhistory: 6
pwdlockout: TRUE
pwdlockoutduration: 1920
pwdmaxage: 7516800
pwdmaxfailure: 4
pwdminlength: 100
pwdmustchange: TRUE
pwdsafemodify: FALSE

Now I am using Spring-ldap in order to create a new user with a password on openldap.

For testing purposes I limit the password length policy to 100 (pwdminlength: 100).

Now I am creating the user with a shorter password and expecting to get some error - but not! I am creating the user successfully:

This is the user creation ldif:

dn: cn=roi cohen,ou=Users,dc=openiam,dc=com
cn: cohen
cn: roi cohen
description: somedesc
mail: roi@yahoo
objectclass: person
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: top
objectclass: pwdPolicy
pwdattribute: userPassword
pwdlockout: TRUE
pwdmustchange: TRUE
sn: roi
uid: croi
userpassword: {SHA}QL0AFWMIX8NRZTKeof9cXsvbvu8=

After removing the objectclass: pwdPolicy, I still managed to create the user. The new user ldif after creation:

dn: cn=roi cohen,ou=Users,dc=openiam,dc=com
cn: cohen
cn: roi cohen
description: somedesc
mail: roi@yahoo
objectclass: person
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: top
sn: roi
uid: croi
userpassword: {SHA}QL0AFWMIX8NRZTKeof9cXsvbvu8=

Any idea why the password policy didn't restrict that user creation?

Thanks, Ray.

Recommended answer

You need to create the user first while specifying the password-policy request control. Then you will get a password-policy response control with the response, which will contain this error if it occurred.

Published: 2023-11-25 11:51:28
Article link: https://www.elefans.com/category/jswz/34/1629630.html