Openldap和密码策略实施不起作用 [英] Openldap and Password policy enforcement not working
问题描述
我试图向我的openldap实例添加密码策略.似乎不起作用.
I tried to add a password policy to my openldap instance. It's seems like it's not working.
这是我的设置:
已添加到slapd.conf:
Added to slapd.conf:
modulepath /usr/lib64/openldap
moduleload ppolicy.la
access to attrs=userPassword
by self write
by users read
by anonymous auth
access to *
by * read
database bdb
suffix "dc=openiam,dc=com"
rootdn "cn=Manager,dc=openiam,dc=com"
rootpw "{SSHA}2ttRoo/t5HuMT2nPxtI6goVUML5R2H9h"
# PPolicy Configuration
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=openiam,dc=com"
ppolicy_use_lockout
ppolicy_hash_cleartext
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
这是default.ldif文件:
This is the default.ldif file:
dn: cn=default,ou=policies,dc=openiam,dc=com
cn: default
objectclass: top
objectclass: device
objectclass: pwdPolicy
pwdallowuserchange: TRUE
pwdattribute: userPassword
pwdcheckquality: 1
pwdexpirewarning: 432000
pwdfailurecountinterval: 0
pwdgraceauthnlimit: 0
pwdinhistory: 6
pwdlockout: TRUE
pwdlockoutduration: 1920
pwdmaxage: 7516800
pwdmaxfailure: 4
pwdminlength: 100
pwdmustchange: TRUE
pwdsafemodify: FALSE
现在我正在使用Spring-ldap以便在openldap上使用密码创建新用户.
Now i am using Spring-ldap in order to create new user with password on openldap.
出于测试目的,我将密码长度策略限制为100(pwdminlength:100)
for a testing purpose I limit the password length policy to 100(pwdminlength: 100)
现在,我正在使用较短的密码创建用户,并期望得到一些错误-但是,不是!我成功创建了用户:
Now I am creating the user with a shorter password and expecting to get some error - But not! I am creating the user succesfully:
这是用户创建的ldif:
This is the user creation ldif:
dn: cn=roi cohen,ou=Users,dc=openiam,dc=com
cn: cohen
cn: roi cohen
description: somedesc
mail: roi@yahoo.com
objectclass: person
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: top
objectclass: pwdPolicy
pwdattribute: userPassword
pwdlockout: TRUE
pwdmustchange: TRUE
sn: roi
uid: croi
userpassword: {SHA}QL0AFWMIX8NRZTKeof9cXsvbvu8=
除去对象类后:pwdPolicy.我仍然设法创建用户.创建后的新用户ldif:
After removing the objectclass: pwdPolicy. I still managed to create the user. the new user ldif after creation:
dn: cn=roi cohen,ou=Users,dc=openiam,dc=com
cn: cohen
cn: roi cohen
description: somedesc
mail: roi@yahoo.com
objectclass: person
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: top
sn: roi
uid: croi
userpassword: {SHA}QL0AFWMIX8NRZTKeof9cXsvbvu8=
有人知道为什么密码策略没有限制用户的创建吗?
Any idea why the password policy didnt restrict that user creation?
谢谢, 射线.
推荐答案
您需要在指定密码策略请求控件时首先创建用户.然后,您将获得带有响应的密码策略响应控件,如果发生此错误,它将包含此错误.
You need to create the user first while specifying the password-policy request control. Then you will get a password-policy response control with the response, which will contain this error if it occurred.
这篇关于Openldap和密码策略实施不起作用的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
