I tried to add a password policy to my openldap instance. It does not seem to work properly.
Here is my setup:
Added to slapd.conf:
modulepath /usr/lib64/openldap
moduleload ppolicy.la
access to attrs=userPassword
by self write
by users read
by anonymous auth
access to *
by * read
database bdb
suffix "dc=openiam,dc=com"
rootdn "cn=Manager,dc=openiam,dc=com"
rootpw "{SSHA}2ttRoo/t5HuMT2nPxtI6goVUML5R2H9h"
# PPolicy Configuration
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=openiam,dc=com"
ppolicy_use_lockout
ppolicy_hash_cleartext
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
Here is the default.ldif file:
dn: cn=default,ou=policies,dc=openiam,dc=com
cn: default
objectclass: top
objectclass: device
objectclass: pwdPolicy
pwdallowuserchange: TRUE
pwdattribute: userPassword
pwdcheckquality: 1
pwdexpirewarning: 432000
pwdfailurecountinterval: 0
pwdgraceauthnlimit: 0
pwdinhistory: 6
pwdlockout: TRUE
pwdlockoutduration: 1920
pwdmaxage: 7516800
pwdmaxfailure: 4
pwdminlength: 100
pwdmustchange: TRUE
pwdsafemodify: FALSE
Now I am using Spring-ldap to create a new user with a password on openldap.
For testing purposes, I limited the password length policy to 100 (pwdminlength: 100).
Now I create a user with a shorter password and expect to get some error - but no! I am creating the user successfully:
Here is the user creation ldif:
dn: cn=roi cohen,ou=Users,dc=openiam,dc=com
cn: cohen
cn: roi cohen
description: somedesc
mail: roi@yahoo.com
objectclass: person
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: top
objectclass: pwdPolicy
pwdattribute: userPassword
pwdlockout: TRUE
pwdmustchange: TRUE
sn: roi
uid: croi
userpassword: {SHA}QL0AFWMIX8NRZTKeof9cXsvbvu8=
After removing objectclass: pwdPolicy, I still manage to create the user. The new user's ldif after creation:
dn: cn=roi cohen,ou=Users,dc=openiam,dc=com
cn: cohen
cn: roi cohen
description: somedesc
mail: roi@yahoo.com
objectclass: person
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: top
sn: roi
uid: croi
userpassword: {SHA}QL0AFWMIX8NRZTKeof9cXsvbvu8=
Any idea why the password policy does not restrict user creation?
Thanks, Ray.
Answer 0: (score: 0)
You need to create the user while specifying the password policy request control first. Then you will get a password policy response control with the response, which will contain this error if it occurs.
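A client-side pre-flight check for the two LDIF fragments in the question (an added example, not code from the question, from Spring-ldap or from OpenLDAP): with pwdcheckquality 1 the ppolicy overlay accepts a userPassword it cannot inspect, so the pre-hashed {SHA} value above is never measured against pwdminlength; the cleartext has to be checked before hashing, or pwdcheckquality set to 2 so the server refuses hashed values. The LDIF strings are constructed copies of the question's entries and the parser and finding codes are my own.

```python
import re

# Constructed copies of the policy and user entries shown in the question.
POLICY_LDIF = """dn: cn=default,ou=policies,dc=openiam,dc=com
objectclass: pwdPolicy
pwdcheckquality: 1
pwdminlength: 100
"""

USER_LDIF = """dn: cn=roi cohen,ou=Users,dc=openiam,dc=com
objectclass: inetOrgPerson
uid: croi
userpassword: {SHA}QL0AFWMIX8NRZTKeof9cXsvbvu8=
"""

# RFC 2307 style scheme prefixes that slapd stores without seeing the cleartext.
HASH_PREFIX = re.compile(r"^\{(SSHA|SHA|SMD5|MD5|CRYPT)\}", re.IGNORECASE)


def parse_ldif(text):
    """Parse one LDIF entry into {attribute_lowercase: [values]}."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def check_password(user_ldif, policy_ldif):
    """Return finding codes for every userPassword in user_ldif.

    Mirrors the documented ppolicy behaviour: quality 1 accepts a value the
    server cannot check (a pre-hashed password), quality 2 rejects it, and only
    a cleartext value is ever compared against pwdMinLength.
    """
    policy = parse_ldif(policy_ldif)
    user = parse_ldif(user_ldif)
    min_len = int(policy.get("pwdminlength", ["0"])[0])
    quality = int(policy.get("pwdcheckquality", ["0"])[0])
    findings = []
    for pw in user.get("userpassword", []):
        if HASH_PREFIX.match(pw):
            if quality == 1:
                findings.append("HASHED_UNCHECKED")   # silently accepted by slapd
            elif quality == 2:
                findings.append("HASHED_REJECTED")    # slapd refuses the add/modify
        elif len(pw) < min_len:
            findings.append("TOO_SHORT")              # would be caught server-side
    return findings
```

Because slapd.conf already sets ppolicy_hash_cleartext, sending the cleartext value lets the server both enforce the policy and store a hash.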