How to activate password policy to use Extended operation for password reset in OpenLDAP/Windows


Problem description


I have created a password policy by following the procedure mentioned for OpenLDAP, but I don't observe its effect when I change a user's password through the extended operation. I get the response control, but it has only a warning instead of an error.


So the question is: what is missing on my side? How do I enforce the password policy when using the extended operation to reset a password? Once I define a password policy, would it be applicable to all existing users in the OpenLDAP server, or only to new users?

Recommended answer


You must not use the ManagerDN account for anything yourself. It bypasses all overlays and gives you infinite access to the DIT, which you don't want.


Your applications should run as users with entries in the DIT which are given appropriate permissions in the configuration.


I've defined admin groups for that, which all the applications and the human administrators are part of, which makes the configuration simpler (and adding/changing admins or applications later much simpler). Mine goes something like this, in slapd.conf syntax; converting it to slapd.d online syntax is left as an exercise for the reader. Note that you'll have to change the base DNs etc. to suit your own DIT, maybe the group classes and attribute names as well.

access to attrs=userPassword
    by dn.exact="cn=Manager,dc=XXX,dc=com" write
    by group/groupOfUniqueNames/uniqueMember="cn=LDAP admins,ou=Groups,dc=XXX,dc=com" write
    by group/groupOfUniqueNames/uniqueMember="cn=Applications,ou=Groups,dc=XXX,dc=com" write
    by anonymous auth
    by self write
    by * none

access to *
    by self write
    by dn="cn=Replicator,dc=XXX,dc=com,c=us" write
    by dn.exact="cn=Manager,dc=XXX,dc=com" write
    by group/groupOfUniqueNames/uniqueMember="cn=LDAP admins,ou=Groups,dc=XXX,dc=com" write
    by group/groupOfUniqueNames/uniqueMember="cn=Applications,ou=Groups,dc=XXX,dc=com" write
    by users read
    by anonymous search
    by * none


Note that this setup also allows users to change their own passwords, so you can now bind as the user when doing that.
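An added example, not from the answer and not OpenLDAP's own code: a small Python checker that parses ACLs written in the slapd.conf style shown above and flags the points this answer relies on. The userPassword clause must come before "access to *" (slapd stops at the first clause that matches), anonymous, users and * must get no more than "auth" on userPassword, and "by self write" must be present so users can change their own passwords. The sample ACL is constructed, with dc=XXX kept as the answer's placeholder.

```python
import re
# Constructed sample in the answer's slapd.conf style (dc=XXX kept as its placeholder).
SAMPLE_ACL = """
access to attrs=userPassword
    by dn.exact="cn=Manager,dc=XXX,dc=com" write
    by group/groupOfUniqueNames/uniqueMember="cn=LDAP admins,ou=Groups,dc=XXX,dc=com" write
    by anonymous auth
    by self write
    by * none
access to *
    by self write
    by users read
    by anonymous search
    by * none
"""
# slapd access levels, weakest to strongest; only keyword levels are parsed (no =wrscx specs).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
BY_LINE = re.compile(r'by\s+(.+?)\s+(' + "|".join(LEVELS) + r')$')

def parse_acls(text):
    """Return [(what, [(who, level), ...]), ...] in file order, which is the order slapd evaluates."""
    clauses = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("access to "):
            clauses.append((line[len("access to "):].strip(), []))
        elif line.startswith("by ") and clauses:
            m = BY_LINE.match(line)
            if not m:
                raise ValueError("unparsed by-line: " + line)
            clauses[-1][1].append((m.group(1), m.group(2)))
    return clauses

def check_password_acl(clauses):
    """List the problems the answer warns about; an empty list means none were found."""
    findings = []
    whats = [what for what, _ in clauses]
    if "attrs=userPassword" not in whats:
        return ["no 'access to attrs=userPassword' clause: the catch-all rule decides who reads hashes"]
    idx = whats.index("attrs=userPassword")
    if "*" in whats[:idx]:
        findings.append("'access to *' comes before the userPassword clause; slapd uses the first clause that matches")
    by = clauses[idx][1]
    for who, level in by:
        if who in ("anonymous", "users", "*") and LEVELS.index(level) > LEVELS.index("auth"):
            findings.append(f"userPassword grants '{level}' to '{who}': password hashes become readable")
    if ("self", "write") not in by:
        findings.append("no 'by self write' on userPassword: users cannot change their own password")
    return findings
```

Run check_password_acl(parse_acls(text)) over your own slapd.conf ACL section; the sample above returns an empty list.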
