Re: Re: Re: Forbidden account password reuse of the last 5 password

2019-02-15 Thread Clément OUDOT
On 15/02/2019 at 04:08, Tian Zhiying wrote:
>
> Clément Oudot,
>
> Thank you.
>
> I have changed the rootdn from root to another user; it’s still not
> working. I can modify the user password to be the same as before.
>

First check that you are sending your password in cleartext, so that
OpenLDAP can check the syntax and compare it to passwords in history.

You might need to set pwdCheckQuality to 1 or 2 in your ppolicy, but I
am not sure it is required to check history. It is needed to check
password length and other checks from the optional password checker module.

-- 

Clément Oudot | Identity Solutions Manager

clement.ou...@worteks.com

Worteks | https://www.worteks.com
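
The checks raised in this thread (a policy actually applies to the user, the change is not made as the rootdn, and the new password reaches the server in cleartext) can be run against exported entries. This is an added example, not code from the thread or from OpenLDAP; the DNs, the sample LDIF and the `parse_ldif` and `diagnose` helpers are constructed for illustration.

```python
import re

# Constructed sample entries (not from the thread); all DNs are placeholders.
SAMPLE_LDIF = """\
dn: cn=default,ou=policies,dc=example,dc=com
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdInHistory: 5
pwdCheckQuality: 0

dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
pwdPolicySubentry: cn=default,ou=policies,dc=example,dc=com
"""

def parse_ldif(text):
    """Parse simple LDIF (no folding, no base64) into {dn: {attr: [values]}}."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(": ")
            attrs.setdefault(name.lower(), []).append(value)
        entries[attrs["dn"][0].lower()] = attrs
    return entries

def diagnose(entries, user_dn, bind_dn, rootdn, new_value, default_policy=None):
    """List reasons the pwdInHistory check would not reject a reused password.

    default_policy stands for the overlay's ppolicy_default DN, if configured.
    DNs are compared case-insensitively as plain strings (a simplification).
    """
    findings = []
    user = entries[user_dn.lower()]
    policy_dn = (user.get("pwdpolicysubentry") or [default_policy])[0]
    policy = entries.get(policy_dn.lower()) if policy_dn else None
    if policy is None:
        findings.append("no policy applies: set pwdPolicySubentry or ppolicy_default")
    elif int((policy.get("pwdinhistory") or ["0"])[0]) == 0:
        findings.append("pwdInHistory is 0 or unset: no history is kept")
    if bind_dn.lower() == rootdn.lower():
        findings.append("change made as rootdn: policy constraints are bypassed")
    if re.match(r"\{[A-Za-z0-9-]+\}", new_value):
        findings.append("value is pre-hashed: server cannot compare it to history")
    return findings
```

An empty result means none of these three causes applies; reading the user's `pwdHistory` operational attribute after a change then shows whether the server is recording history at all.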



Re: Re: Forbidden account password reuse of the last 5 password

2019-02-14 Thread Tian Zhiying
Clément Oudot,

Thank you.

I have changed the rootdn from root to another user; it’s still not working. I 
can modify the user password to be the same as before.

I have set the password policy and added the user to this password policy as below:

From: openldap-technical [mailto:openldap-technical-boun...@openldap.org] On Behalf Of 
Clément OUDOT
Sent: 2019-02-14 23:19
To: openldap-technical@openldap.org
Subject: Re: Re: Forbidden account password reuse of the last 5 password

On 14/02/2019 at 12:17, Tian Zhiying wrote:

But it seems not to be working; my passwords are as follows:

First time password: AAbb1122

Second time password: CCdd3344

Third time password: AAbb1122, same as the first time password; it has been 
modified successfully.

 

Check that the password modification is not done by the rootdn, as the rootdn 
is bypassing password policy constraints.

-- 
Clément Oudot | Identity Solutions Manager
 
clement.ou...@worteks.com
 
Worteks | https://www.worteks.com


Re: Re: Re: Forbidden account password reuse of the last 5 password

2019-02-14 Thread Tian Zhiying
Yes, I have set a default password policy and assigned the password policy to 
the user.

-Original Message-
From: openldap-technical [mailto:openldap-technical-boun...@openldap.org] On Behalf Of 
Ulrich Windl
Sent: 2019-02-14 22:18
To: matthieu.ce...@nbs-system.com; openldap-technical@openldap.org; tianzy1225 
Subject: Re: Re: Forbidden account password reuse of the last 5 password

>>> "Tian Zhiying" wrote on 14.02.2019 at 12:17 in
message <01d4c456$d6b4ed40$841ec7c0$@thundersoft.com>:
> Hi Matthieu,
>
> Thank you for your reply.
>
> I have set the "pwdInHistory" attribute to 5 in the password policy and 
> set their reuse to forbidden in config.inc.php of Self Service Password, 
> as shown below:
>

Did you also assign the password policy to users, or did you set a default 
policy?

>
> But it seems not to be working; my passwords are as follows:
>
> First time password: AAbb1122
>
> Second time password: CCdd3344
>
> Third time password: AAbb1122, same as the first time password; it 
> has been modified successfully.
>
> Thanks
>
> -Original Message-
> From: openldap-technical [mailto:openldap-technical-boun...@openldap.org] On Behalf Of Matthieu Cerda
> Sent: 2019-02-14 17:38
> To: openldap-technical@openldap.org
> Subject: Re: Forbidden account password reuse of the last 5 password
>
> You may set the "pwdInHistory" attribute to 5 to store the last 5 
> passwords used, and forbid their reuse.
>
> On 14/02/2019 at 10:35, Matthieu Cerda wrote:
>
>> Yes, you might want to use the password policy (ppolicy) overlay:
>> https://kb.symas.com/v2.4.45.2/man5/slapo-ppolicy/
>>
>> On 14/02/2019 at 07:58, Tian Zhiying wrote:
>>
>>> Hi
>>>
>>> Is there a feature in OpenLDAP password policy that can forbid user password 
>>> reuse of the last 5 passwords?
>>>
>>> Thanks.
>
> --
>
> Matthieu Cerda
>
> Infrastructure, BU Means @ NBS System







Re: Re: Forbidden account password reuse of the last 5 password

2019-02-14 Thread Ulrich Windl
>>> "Tian Zhiying" wrote on 14.02.2019 at 12:17 in
message <01d4c456$d6b4ed40$841ec7c0$@thundersoft.com>:
> Hi Matthieu,
>
> Thank you for your reply.
>
> I have set the "pwdInHistory" attribute to 5 in the password policy and set 
> their reuse to forbidden in config.inc.php of Self Service Password, as 
> shown below:
>

Did you also assign the password policy to users, or did you set a default
policy?

>
> But it seems not to be working; my passwords are as follows:
>
> First time password: AAbb1122
>
> Second time password: CCdd3344
>
> Third time password: AAbb1122, same as the first time password; it has 
> been modified successfully.
>
> Thanks
>
> -Original Message-
> From: openldap-technical [mailto:openldap-technical-boun...@openldap.org] On Behalf Of Matthieu Cerda
> Sent: 2019-02-14 17:38
> To: openldap-technical@openldap.org
> Subject: Re: Forbidden account password reuse of the last 5 password
>
> You may set the "pwdInHistory" attribute to 5 to store the last 5 passwords 
> used, and forbid their reuse.
>
> On 14/02/2019 at 10:35, Matthieu Cerda wrote:
>
>> Yes, you might want to use the password policy (ppolicy) overlay:
>> https://kb.symas.com/v2.4.45.2/man5/slapo-ppolicy/
>>
>> On 14/02/2019 at 07:58, Tian Zhiying wrote:
>>
>>> Hi
>>>
>>> Is there a feature in OpenLDAP password policy that can forbid user password 
>>> reuse of the last 5 passwords?
>>>
>>> Thanks.
>
> --
>
> Matthieu Cerda
>
> Infrastructure, BU Means @ NBS System






Re: Re: Forbidden account password reuse of the last 5 password

2019-02-14 Thread Clément OUDOT

On 14/02/2019 at 12:17, Tian Zhiying wrote:
>
> But it seems not to be working; my passwords are as follows:
>
> First time password: AAbb1122
>
> Second time password: CCdd3344
>
> *Third time password: AAbb1122, same as the first time password; it
> has been modified successfully.*
>

Check that the password modification is not done by the rootdn, as the
rootdn is bypassing password policy constraints.

-- 
Clément Oudot | Identity Solutions Manager

clement.ou...@worteks.com

Worteks | https://www.worteks.com



Re: Forbidden account password reuse of the last 5 password

2019-02-14 Thread Tian Zhiying
Hi Matthieu,

Thank you for your reply.

I have set the "pwdInHistory" attribute to 5 in the password policy and set 
their reuse to forbidden in config.inc.php of Self Service Password, as shown 
below:

But it seems not to be working; my passwords are as follows:

First time password: AAbb1122

Second time password: CCdd3344

Third time password: AAbb1122, same as the first time password; it has been 
modified successfully.

Thanks

 

 

-Original Message-
From: openldap-technical [mailto:openldap-technical-boun...@openldap.org] On Behalf Of 
Matthieu Cerda
Sent: 2019-02-14 17:38
To: openldap-technical@openldap.org
Subject: Re: Forbidden account password reuse of the last 5 password

You may set the "pwdInHistory" attribute to 5 to store the last 5 passwords 
used, and forbid their reuse.

On 14/02/2019 at 10:35, Matthieu Cerda wrote:

> Yes, you might want to use the password policy (ppolicy) overlay:
> https://kb.symas.com/v2.4.45.2/man5/slapo-ppolicy/
>
> On 14/02/2019 at 07:58, Tian Zhiying wrote:
>
>> Hi
>>
>> Is there a feature in OpenLDAP password policy that can forbid user password 
>> reuse of the last 5 passwords?
>>
>> Thanks.

--

Matthieu Cerda

Infrastructure, BU Means @ NBS System