OpenLDAP password policy is configured as below:
- LDAP password policy module is loaded as below
vi load-ppolicy-mod.ldif
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy.la
#ldapadd -Y EXTERNAL -H ldapi:/// -f load-ppolicy-mod.ldif
- OU container is created as below
vi pwpolicy-ou.ldif
dn: ou=pwpolicynew,o=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: pwpolicynew
#ldapadd -x -W -D "cn=testadmin,o=example,dc=com" -f pwpolicy-ou.ldif
- Password policy overlay is added as below
#vi pwpolicyoverlay.ldif
dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=pwpolicynew,o=example,dc=com
olcPPolicyHashCleartext: TRUE
#ldapadd -x -W -D "cn=testadmin,o=example,dc=com" -f pwpolicyoverlay.ldif
- LDAP password policy is defined under the newly created OU
#vi ppolicy-default.ldif
dn: cn=default,ou=pwpolicynew,o=example,dc=com
objectClass: person
objectClass: pwdPolicy
cn: default
sn: pwpolicynew
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdExpireWarning: 500
pwdFailureCountInterval: 30
pwdGraceAuthNLimit: 2
pwdInHistory: 3
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdMaxAge: 103680
pwdMaxFailure: 3
pwdMinAge: 560
pwdMinLength: 6
pwdMustChange: FALSE
pwdSafeModify: FALSE
#ldapadd -x -W -D "cn=testadmin,o=example,dc=com" -f ppolicy-default.ldif
However, after performing all the above steps successfully, an LDAP user can still set simple passwords. For example, the policy is defined to have a minimum length of 6 characters, however users can change their password to one with 5 characters using the passwd command.
This means the password policy is not working as expected.
Any help to resolve this issue?
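Before suspecting the client side, it is worth confirming offline that the LDIF files themselves are consistent. The following is an added example (not code from the question or from OpenLDAP); it parses the overlay and policy entries as posted above, constructed inline as sample input, and reports the mismatches that would stop the policy from applying: the RDN value missing from the entry, an olcPPolicyDefault that does not name a pwdPolicy entry, or non-numeric limits.

```python
# Added example (not from the original post): offline consistency check of the
# ppolicy LDIF files, catching an RDN value absent from the entry, an
# olcPPolicyDefault that names no pwdPolicy entry, and non-numeric limits.
import re

# Constructed sample, copied from the post: overlay entry and policy entry.
OVERLAY_LDIF = """dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=pwpolicynew,o=example,dc=com
olcPPolicyHashCleartext: TRUE
"""
POLICY_LDIF = """dn: cn=default,ou=pwpolicynew,o=example,dc=com
objectClass: person
objectClass: pwdPolicy
cn: pwpolicynew
sn: pwpolicynew
pwdAttribute: userPassword
pwdMinLength: 6
"""

def parse_ldif(text):
    """Parse simple LDIF (no line folding, no base64) into [(dn, {attr: [values]})]."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            key, value = key.strip(), value.strip()
            if key.lower() == "dn":
                dn = value
            elif key and not key.startswith("#"):
                attrs.setdefault(key, []).append(value)
        if dn:
            entries.append((dn, attrs))
    return entries

def check_policy(entries):
    """Return a list of problems; an empty list means the files are consistent."""
    problems = []
    by_dn = {dn.lower(): attrs for dn, attrs in entries}
    for dn, attrs in entries:
        # The RDN attribute must appear in the entry with the same value (unescaped DNs assumed).
        rdn_attr, _, rdn_val = dn.split(",", 1)[0].partition("=")
        if rdn_val.lower() not in {v.lower() for v in attrs.get(rdn_attr, [])}:
            problems.append(f"{dn}: naming attribute {rdn_attr}={rdn_val} missing from entry")
        for default in attrs.get("olcPPolicyDefault", []):
            target = by_dn.get(default.lower())
            if target is None or "pwdPolicy" not in target.get("objectClass", []):
                problems.append(f"{dn}: olcPPolicyDefault {default} is not a pwdPolicy entry")
        if "pwdPolicy" in attrs.get("objectClass", []):
            if attrs.get("pwdAttribute") != ["userPassword"]:
                problems.append(f"{dn}: pwdAttribute must be userPassword")
            for num in ("pwdMinLength", "pwdMaxFailure", "pwdInHistory", "pwdMaxAge"):
                problems.extend(f"{dn}: {num}={v} is not an integer"
                                for v in attrs.get(num, []) if not v.isdigit())
    return problems
```

Run against the entries as posted it reports the cn mismatch; once the policy entry carries cn: default the list is empty, and any remaining failure has to be looked for on the server or the client (for example, a password change that does not reach slapd in cleartext or is performed under a DN the overlay does not police).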