libpam-ldap and password policies


Thank you for your fabulous work, it is very useful for my project. I
have my system users in the LDAP directory, and everything works
perfectly, even password changes from root or the users.

I am struggling, however, and I am blocked with password policies.

Is there any way to configure libpam-ldap to fulfil the password
policies specified in the directory?

For instance, I have set up, for testing, a very simple LDAP policy like
this one in my directory:
dn: cn=default,ou=pwpolicies,dc=homebox,dc=space
pwdExpireWarning: 259200
pwdMaxFailure: 5
cn: default
objectClass: pwdPolicy
objectClass: person
objectClass: top
pwdMinLength: 8
pwdCheckQuality: 0
pwdAttribute: userPassword
pwdLockoutDuration: 0
pwdInHistory: 0
sn: default
pwdMaxAge: 31536000
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 300
structuralObjectClass: person
entryUUID: 816d6c56-c7e0-1037-844b-b71639529cec
creatorsName: cn=admin,dc=homebox,dc=space
createTimestamp: 20180329210425Z
entryCSN: 20180329210425.211979Z#000000#000#000000
modifiersName: cn=admin,dc=homebox,dc=space
modifyTimestamp: 20180329210425Z

And for a user:
dn: cn=Andre Rodier,ou=users,dc=homebox,dc=space
pwdPolicySubentry: cn=default,ou=pwpolicies,dc=homebox,dc=space
shadowMin: 0
givenName: Andre
uid: andre
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: inetLocalMailRecipient
objectClass: mailboxRelatedObject
loginShell: /bin/dash
shadowFlag: 0
uidNumber: 1002
shadowMax: 999999
gidNumber: 1001
sn: Rodier
shadowInactive: -1
homeDirectory: /home/users/mirina
shadowWarning: 7
pwdChangedTime: 20180329210427Z
structuralObjectClass: inetOrgPerson
cn: Mirina Rodier
entryUUID: 82a5ec56-c7e0-1037-8453-b71639529cec
creatorsName: cn=admin,dc=homebox,dc=space
createTimestamp: 20180329210427Z
entryCSN: 20180329210427.259980Z#000000#000#000000
modifiersName: cn=admin,dc=homebox,dc=space
modifyTimestamp: 20180329210427Z

However, if I log on to the system as "andre", I can change my password,
type a three-letter new password, and libpam-ldap will not complain at all.

Is there anything I forgot?

Thanks for your help.
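As an added illustration (not code from the original post, nor from libpam-ldap or OpenLDAP), the Python below reads the two LDIF entries quoted above and applies the ppolicy rules the way slapo-ppolicy does: pwdMinLength is only enforced when pwdCheckQuality is 1 or 2, and pwdMaxAge / pwdExpireWarning are measured from the user's pwdChangedTime. The LDIF strings are constructed to mirror the post and the helper names are hypothetical.

```python
from datetime import datetime, timedelta, timezone

# Constructed LDIF fragments mirroring the policy and user entries in the post.
POLICY_LDIF = """dn: cn=default,ou=pwpolicies,dc=homebox,dc=space
pwdMinLength: 8
pwdCheckQuality: 0
pwdMaxAge: 31536000
pwdExpireWarning: 259200
"""
USER_LDIF = """dn: cn=Andre Rodier,ou=users,dc=homebox,dc=space
pwdPolicySubentry: cn=default,ou=pwpolicies,dc=homebox,dc=space
pwdChangedTime: 20180329210427Z
"""

def parse_ldif(text):
    """Parse one LDIF entry into {attribute: [values]} (no continuation lines)."""
    entry = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            attr, _, value = line.partition(": ")
            entry.setdefault(attr, []).append(value)
    return entry

def generalized_time(value):
    """LDAP GeneralizedTime such as 20180329210427Z -> aware UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def check_quality(policy, password):
    """Mimic the ppolicy quality rule: pwdMinLength is applied only when
    pwdCheckQuality is 1 or 2; with 0 the server accepts any length."""
    quality = int(policy.get("pwdCheckQuality", ["0"])[0])
    min_len = int(policy.get("pwdMinLength", ["0"])[0])
    if quality == 0:
        return True, "pwdCheckQuality is 0: length not checked"
    if len(password) < min_len:
        return False, f"shorter than pwdMinLength={min_len}"
    return True, "ok"

def check_expiry(policy, user, now):
    """Return (expired, in_warning_window) for the user at time `now`
    (GeneralizedTime string), from pwdMaxAge, pwdExpireWarning, pwdChangedTime."""
    max_age = int(policy.get("pwdMaxAge", ["0"])[0])
    if max_age == 0:  # 0 means passwords never expire
        return False, False
    expires = generalized_time(user["pwdChangedTime"][0]) + timedelta(seconds=max_age)
    warn_from = expires - timedelta(seconds=int(policy.get("pwdExpireWarning", ["0"])[0]))
    now_dt = generalized_time(now)
    return now_dt >= expires, warn_from <= now_dt < expires
```

With the posted policy, check_quality accepts a three-character password because pwdCheckQuality is 0; setting it to 1 or 2 is what makes pwdMinLength take effect on the server side.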