Closed NoxInmortus closed 3 years ago
Using the OpenLDAP rootdn as Bind DN will bypass OpenLDAP ppolicy.
Service Desk is not applying password policy itself, it is done by the LDAP directory. Service Desk reads the password policy configuration to display information about password expiration or account locking.
Hello @coudot, thanks for your time.
I see, the default policy option is only here to provide information for Service-Desk users about the so-called password policy.
My apologies for asking but I did not understand what you mean by Using the OpenLDAP rootdn as Bind DN will bypass OpenLDAP ppolicy.
Can you elaborate?
You configured:
$ldap_binddn = "cn=admin,dc=mydomain";
$ldap_bindpw = "pwd";
If cn=admin,dc=mydomain is the rootdn of your OpenLDAP database, then OpenLDAP will bypass any ppolicy check. Use a service account so ppolicy is applied.
Thanks for the clarification. So in my case, using cn=admin as the binddn, Service Desk will not display information about password expiration or account locking, is that correct?
And so using a service account will allow displaying the remaining time before password expiration, that kind of stuff.
(Still a bit new in the LDAP world, making sure I'm not missing anything)
Service Desk is using the binddn to modify passwords in the directory. If the binddn is the rootdn, OpenLDAP will bypass ppolicy checks, so you will be able to use any password value when changing it through Service Desk.
Service Desk reads ppolicy configuration to display information about account status. This does not depend on which binddn is used.
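The point made above, as an added example that is not code from this thread or from the LTB Service Desk project: the weak setting (binding as the OpenLDAP rootdn, which skips ppolicy and pqchecker on password modifications) beside the corrected one (a dedicated service account that is subject to ppolicy). Only `$ldap_binddn` and `$ldap_bindpw` come from the thread; the service account DN `cn=servicedesk,ou=services,dc=mydomain` and its password are assumptions.

```php
<?php
// config.inc.php fragment (added example, hypothetical values)

// WEAK: cn=admin,dc=mydomain is the rootdn of the database.
// OpenLDAP bypasses ACLs and ppolicy checks for the rootdn, so any
// password (e.g. "qwerty") is accepted when reset through Service Desk.
// $ldap_binddn = "cn=admin,dc=mydomain";
// $ldap_bindpw = "pwd";

// CORRECTED: a dedicated, non-rootdn service account (assumed DN).
// Modifications done with this bind are subject to the ppolicy overlay,
// so pwdCheckQuality / pqchecker rules are enforced on the new value.
$ldap_binddn = "cn=servicedesk,ou=services,dc=mydomain";
$ldap_bindpw = "<service-account-password>";
```

The service account needs write access to userPassword in the slapd ACLs, otherwise resets will fail with "insufficient access"; an assumed example directive is `olcAccess: to attrs=userPassword by dn.exact="cn=servicedesk,ou=services,dc=mydomain" write by self write by anonymous auth by * none`. To verify the change took effect, reset a password through Service Desk with a value that violates the policy and confirm the directory rejects it (a constraint violation in the slapd log) instead of accepting it silently.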
Thank you.
Hello,
I'm trying to debug the default policy option. Here is a sample of my conf:
And here is my policy:
And my pqchecker configuration (it's the default):
But if I reset a password from Service-Desk, it will accept anything (qwerty for my latest test). In my LDAP logs I can see there is a query for my password policy but that's all. And for Service-Desk, these are my only logs:
Any hint?