问题描述

我试图向我的openldap实例添加密码策略.似乎不起作用.

I tried to add a password policy to my openldap instance. It's seems like it's not working.

这是我的设置:

已添加到slapd.conf:

Added to slapd.conf:

modulepath    /usr/lib64/openldap
moduleload ppolicy.la

access to attrs=userPassword
 by self write
 by users read
 by anonymous auth

access to *
 by * read

database    bdb
suffix      "dc=openiam,dc=com"
rootdn      "cn=Manager,dc=openiam,dc=com"
rootpw      "{SSHA}2ttRoo/t5HuMT2nPxtI6goVUML5R2H9h"
# PPolicy Configuration
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=openiam,dc=com"
ppolicy_use_lockout
ppolicy_hash_cleartext
# Indices to maintain for this database
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub

这是default.ldif文件:

This is the default.ldif file:

dn: cn=default,ou=policies,dc=openiam,dc=com
cn: default
objectclass: top
objectclass: device
objectclass: pwdPolicy
pwdallowuserchange: TRUE
pwdattribute: userPassword
pwdcheckquality: 1
pwdexpirewarning: 432000
pwdfailurecountinterval: 0
pwdgraceauthnlimit: 0
pwdinhistory: 6
pwdlockout: TRUE
pwdlockoutduration: 1920
pwdmaxage: 7516800
pwdmaxfailure: 4
pwdminlength: 100
pwdmustchange: TRUE
pwdsafemodify: FALSE

现在我正在使用Spring-ldap以便在openldap上使用密码创建新用户.

Now i am using Spring-ldap in order to create new user with password on openldap.

出于测试目的，我将密码长度策略限制为100(pwdminlength:100)

for a testing purpose I limit the password length policy to 100(pwdminlength: 100)

现在，我正在使用较短的密码创建用户，并期望得到一些错误-但是，不是！我成功创建了用户:

Now I am creating the user with a shorter password and expecting to get some error - But not! I am creating the user succesfully:

这是用户创建的ldif:

This is the user creation ldif:

dn: cn=roi cohen,ou=Users,dc=openiam,dc=com
cn: cohen
cn: roi cohen
description: somedesc
mail: [email protected]
objectclass: person
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: top
objectclass: pwdPolicy
pwdattribute: userPassword
pwdlockout: TRUE
pwdmustchange: TRUE
sn: roi
uid: croi
userpassword: {SHA}QL0AFWMIX8NRZTKeof9cXsvbvu8=

除去对象类后:pwdPolicy.我仍然设法创建用户.创建后的新用户ldif:

After removing the objectclass: pwdPolicy. I still managed to create the user. the new user ldif after creation:

dn: cn=roi cohen,ou=Users,dc=openiam,dc=com
cn: cohen
cn: roi cohen
description: somedesc
mail: [email protected]
objectclass: person
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: top
sn: roi
uid: croi
userpassword: {SHA}QL0AFWMIX8NRZTKeof9cXsvbvu8=

有人知道为什么密码策略没有限制用户的创建吗?

Any idea why the password policy didnt restrict that user creation?

谢谢，射线.

推荐答案

您需要在指定密码策略请求控件时首先创建用户.然后，您将获得带有响应的密码策略响应控件，如果发生此错误，它将包含此错误.

You need to create the user first while specifying the password-policy request control. Then you will get a password-policy response control with the response, which will contain this error if it occurred.

这篇关于Openldap和密码策略实施不起作用的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！