I have been working on this for about a week and cannot seem to figure out why this is happening.
I have gotten passwd working so that users can change their own LDAP password from a client machine, and it works with the ppolicy overlay:
$ passwd
Current Password:
New password:
BAD PASSWORD: The password is shorter than 8 characters
New password:
BAD PASSWORD: The password is a palindrome
New password:
BAD PASSWORD: The password is the same as the old one
passwd: Have exhausted maximum number of retries for service
passwd: password unchanged
However, when I use ldappasswd to change the password, it lets me create single-letter passwords and palindromic passwords, but not passwords that are in the history:
$ ldappasswd -H ldap://**** -x -D "uid=test,ou=Users,dc=***,dc=***,dc=***" -W -A -S
Old password:
Re-enter old password:
New password:
Re-enter new password:
Enter LDAP Password:
$
# no issues entering "a" as the password (this is bad)
$ ldappasswd -H ldap://**** -x -D "uid=test,ou=Users,dc=***,dc=***,dc=***" -W -A -S
Old password:
Re-enter old password:
New password:
Re-enter new password:
Enter LDAP Password:
Result: Constraint violation (19)
Additional info: Password is in history of old passwords
$
# entered "password" as the password and it doesn't let me change it
Ideally, I would like both passwd and ldappasswd to follow the password policy.
Here are the access rules in my slapd config:
/etc/ldap/slapd.d/cn=config/olcDatabase={1}mdb.ldif
...
# manager is the root bind dn, with password in /etc/ldap.secret
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by dn.base="uid=manager,ou=Users,dc=***,dc=***,dc=***" write by anonymous auth by * none
olcAccess: {1}to * by * read by dn.base="uid=manager,ou=Users,dc=***,dc=***,dc=***" write
...
It looks to me like passwd is binding as the root DN, because removing the manager account's access makes passwd stop working entirely, while ldappasswd is unaffected.
Any help is appreciated.
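The following is an added example, not configuration from the original post. It shows a ppolicy setup in which the server itself enforces the minimum length, so that ldappasswd is held to the same rule as passwd. Two facts about slapo-ppolicy are relevant to the behaviour described above: pwdMinLength is only enforced when pwdCheckQuality is 1 or 2 and the new password arrives in cleartext (the Password Modify extended operation that `ldappasswd -S` uses does send it in cleartext, so the check can run), and the rootdn is exempt from ppolicy checks, so a client that changes passwords by binding as the root DN (as the post suspects passwd is doing) is never policy-checked by slapd at all. The "shorter than 8 characters", "palindrome" and "same as the old one" messages in the passwd transcript are produced by pam_cracklib/pam_pwquality in the client's PAM stack, not by ppolicy; ppolicy has no palindrome or dictionary check of its own unless a pwdCheckModule is loaded, and its own rejection text for a too-short password is "Password fails quality checking policy". The suffix dc=example,dc=com, the policy DN, the module path and the policy values below are all assumptions to be substituted.

```ldif
# Added example (not from the original post). Suffix, policy DN and module
# path are assumptions; adjust them to the real directory.

# 1. Load the ppolicy overlay module. The ppolicy schema
#    (/etc/ldap/schema/ppolicy.ldif on Debian) must already be loaded.
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy.la

# 2. Attach the overlay to the {1}mdb database and name a default policy.
#    olcPPolicyHashCleartext makes slapd hash cleartext passwords itself,
#    which is what lets it check them before storing.
dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=com
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: FALSE

# 3. The default policy entry. It lives in the user database, not in
#    cn=config, and pwdPolicy is auxiliary, so it hangs off a structural
#    class (person here).
dn: ou=policies,dc=example,dc=com
changetype: add
objectClass: organizationalUnit
ou: policies

dn: cn=default,ou=policies,dc=example,dc=com
changetype: add
objectClass: person
objectClass: pwdPolicy
cn: default
sn: default
pwdAttribute: userPassword
# 2 = reject a password the server cannot check (i.e. one sent pre-hashed);
# 1 would accept such a password unchecked; 0 disables the check and with
# it pwdMinLength, which is the setting that lets a one-letter password in.
pwdCheckQuality: 2
pwdMinLength: 8
pwdInHistory: 5
pwdAllowUserChange: TRUE
# TRUE would require the old password on every change, which ldappasswd -A
# supplies but a rootdn-bound client typically does not.
pwdSafeModify: FALSE
```

Apply the two cn=config changes with `ldapadd -Y EXTERNAL -H ldapi:///` and the policy entry with a normal rootdn bind, then repeat the `ldappasswd -S` test from the post with a three-character password: the expected result is `Result: Constraint violation (19)` with `Additional info: Password fails quality checking policy`, alongside the history rejection already seen. Note that with pwdCheckQuality set to 2 any client that writes a pre-hashed `{SSHA}` value directly into userPassword will be refused; use 1 if such clients must keep working, at the cost of those writes going unchecked. Two points on the olcAccess rules shown in the post: if uid=manager is the olcRootDN, access controls do not apply to it at all and the `by dn.base=...` clauses are redundant for it; and in the `{1}` rule the `by * read` clause precedes the manager's `by ... write`, and since `by` clauses are matched first-wins, a non-rootdn manager would only ever get read there.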