[Ltb-users] policy never executing check_password

Clément OUDOT clem.oudot at gmail.com
Wed Feb 27 22:14:57 CET 2013


2013/2/27 Jonathan Disher <jdisher at bluekai.com>:
> I have an Ubuntu box running OpenLDAP 2.4.28 and the ppolicy overlay
> configured, and I'm trying to use check_password to validate password
> complexity.  For some reason, it doesn't look like it is even getting
> executed.  When I try to change my password to something that should be
> valid, I get this (I'm running slapd by hand in -d any mode):
>
> 512e5428 send_ldap_result: conn=1008 op=2 p=3
> 512e5428 send_ldap_result: err=19 matched="" text="Password fails quality
> checking policy"
> 512e5428 send_ldap_response: msgid=3 tag=103 err=19
>
> However, I get no logging from check_password.so anywhere, not in syslog,
> not to the console, even though I compiled it with -DDEBUG.
>
> My config file is:
>
> useCracklib 1
> minPoints 3
> minUpper 0
> minLower 0
> minDigit 0
> minPunct 0
>
> My password policy is:
>
> dn: cn=default,ou=policies,dc=bluekai,dc=com
> cn: default
> objectClass: device
> objectClass: pwdPolicy
> objectClass: pwdPolicyChecker
> objectClass: top
> pwdAllowUserChange: TRUE
> pwdAttribute: userPassword
> pwdCheckModule: check_password.so
> pwdCheckQuality: 2
> pwdMustChange: TRUE
> structuralObjectClass: device
> pwdSafeModify: FALSE
> pwdLockout: TRUE
> pwdLockoutDuration: 3600
> pwdMaxFailure: 5
> pwdFailureCountInterval: 600
> pwdMinLength: 8
>
> One of the passwords I tried to use, fwiw, is 'Pa55w0rd', which should be
> valid.  I also tried to use a bunch of other, longer, more complicated
> passwords.
>
> Any ideas?


You should check if check_password.so is executable by the OpenLDAP user,
and check the module_path (or olcModulePath) OpenLDAP configuration
parameter.

Clément.
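
The two checks suggested in the reply above, as an added shell example that is not part of the original thread or of the check_password project. The function names are made up here, and the input is assumed to be a slapd.conf-style file or a cn=config LDIF export.

```shell
#!/bin/sh
# Added example (not from the thread): find the pwdCheckModule file in
# slapd's module search path and test access to it as the current user.

# module_dirs CONFIG
# Print one search directory per line, taken from "modulepath DIR[:DIR]"
# (slapd.conf) or "olcModulePath: DIR[:DIR]" (cn=config LDIF export).
module_dirs() {
    awk 'tolower($1) == "modulepath" || tolower($1) == "olcmodulepath:" { print $2 }' "$1" |
        tr ':' '\n'
}

# find_module CONFIG MODULE
# Print the first DIR/MODULE that exists; return 1 if none does.
# Assumption: directory names contain no whitespace.
find_module() {
    for dir in $(module_dirs "$1"); do
        if [ -f "$dir/$2" ]; then
            printf '%s\n' "$dir/$2"
            return 0
        fi
    done
    return 1
}

# check_module CONFIG MODULE
# Return 0 if the module is found and is readable and executable by the
# user running this script, 1 if it is not in the module path, 2 if it
# is found but access is denied.
check_module() {
    path=$(find_module "$1" "$2") || {
        echo "MISSING: $2 is not in any module path directory of $1" >&2
        return 1
    }
    if [ -r "$path" ] && [ -x "$path" ]; then
        echo "OK: $path"
        return 0
    fi
    echo "DENIED: $path is not readable and executable by $(id -un)" >&2
    return 2
}
```

Source the file in a shell started as the account slapd runs under (assumed here to be `openldap`, as in the Debian/Ubuntu packages), then call `check_module /etc/ldap/slapd.conf check_password.so`, where the configuration path is also an assumption.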

