389-ds Password policies not working

Hi all,

Please can you help me identify why I'm not able to configure a password policy?

As you can see below, the password policy has been configured, but when I test it, it's not working...

I’m running the 389-ds server on Linux Suse15 sp2

uname -a

Linux dl360s-04 5.3.18-24.15-default #1 SMP Thu Sep 3 22:48:37 UTC 2020 (b3a3711) x86_64 x86_64 x86_64 GNU/Linux

  • Here is the definition of the password policy I want to apply:

According to the last line for example, it should not accept any password length below 20.

LDAP_SERVER:~ # dsconf -D "cn=Directory Manager" ldap://LDAP_SERVER.example.fr localpwp get "ou=people,dc=example,dc=fr"
Enter password for cn=Directory Manager on ldap://LDAP_SERVER.example.fr:
Local Subtree Policy Policy for "ou=people,dc=example,dc=fr": cn=cn\3DnsPwPolicyEntry3\2Cou\3Dpeople\2Cdc\3Dexample\2Cdc\3Dfr,cn=nsPwPolicyContainer,ou=people,dc=example,dc=fr

passwordstoragescheme: PBKDF2_SHA256
passwordchange: off
passwordmustchange: on
passwordinhistory: 4
passwordwarning: 2500
passwordmaxage: 6000
passwordminage: 2000
passwordgracelimit: 1
passwordlockout: on
passwordlockoutduration: 1000
passwordmaxfailure: 1
passwordresetfailurecount: 300
passwordminlength: 20

  • Here is the definition of the container:

ldapsearch -x -v -LL -h LDAP_SERVER -p 389 -D cn="Directory Manager" -w PASSWORD1234 -b "cn=nsPwPolicyContainer,ou=people,dc=example,dc=fr"

dn: cn=nsPwPolicyContainer,ou=people,dc=example,dc=fr
objectClass: top
objectClass: nsContainer
cn: nsPwPolicyContainer

dn: cn=cn\3DnsPwTemplateEntry\2Cou\3Dpeople\2Cdc\3Dexample\2Cdc\3Dfr,cn=nsPwPolicyContainer,ou=people,dc=example,dc=fr
cn: cn=nsPwTemplateEntry,ou=people,dc=example,dc=fr
cn: cn\=nsPwTemplateEntry\,ou\=people\,dc\=example\,dc\=fr
cosPriority: 1
objectClass: top
objectClass: cosTemplate
objectClass: extensibleObject

  • Here is the definition of the template:

ldapsearch -x -v -LL -h LDAP_SERVER -p 389 -D cn="Directory Manager" -w PASSWORD1234 -b "cn=cn\3DnsPwTemplateEntry\2Cou\3Dpeople\2Cdc\3Dexample\2Cdc\3Dfr,cn=nsPwPolicyContainer,ou=people,dc=example,dc=fr"

filter: (objectclass=*)
requesting: All userApplication attributes
version: 1

dn: cn=cn\3DnsPwTemplateEntry\2Cou\3Dpeople\2Cdc\3Dexample\2Cdc\3Dfr,cn=nsPwPolicyContainer,ou=people,dc=example,dc=fr
cn: cn=nsPwTemplateEntry,ou=people,dc=example,dc=fr
cn: cn\=nsPwTemplateEntry\,ou\=people\,dc\=example\,dc\=fr
cosPriority: 1
objectClass: top
objectClass: cosTemplate
objectClass: extensibleObject

  • Here is the definition of the user demo_user6 (created for testing):

ldapsearch -x -v -LL -h LDAP_SERVER -p 389 -D cn="Directory Manager" -w PASSWORD1234 -b "uid=demo_user6,ou=people,dc=example,dc=fr" pwdpolicysubentry

filter: (objectclass=*)
requesting: pwdpolicysubentry
version: 1

dn: uid=demo_user6,ou=people,dc=example,dc=fr
pwdpolicysubentry: cn=cn\3DnsPwPolicyEntry3\2Cou\3Dpeople\2Cdc\3Dexample\2Cdc\3Dfr,cn=nsPwPolicyContainer,ou=people,dc=example,dc=fr

ldapsearch -x -v -LL -h LDAP_SERVER -p 389 -D cn="Directory Manager" -w PASSWORD1234 -b "uid=demo_user6,ou=people,dc=example,dc=fr"

filter: (objectclass=*)
requesting: All userApplication attributes
version: 1

dn: uid=demo_user6,ou=people,dc=example,dc=fr
shadowLastChange: 18799
userPassword:: XXXXXX
uid: demo_user6
objectClass: posixAccount
objectClass: shadowAccount
objectClass: account
objectClass: top
loginShell: /bin/bash
homeDirectory: /home/demo_user6
gecos: Demo User6
description: No description
gidNumber: 10005
uidNumber: 10006
cn: demo_user6

TEST:

Here we'll try an ldapmodify: logging in as the test user (user6), we try to change the user's password to one shorter than 20 characters, but unfortunately it works...

ldapmodify -D "uid=demo_user6,ou=people,dc=example,dc=fr" -w "oldpwd" -x -h LDAP_SERVER -v

ldap_initialize( ldap://LDAP_SERVER )

dn: uid=demo_user6,ou=people,dc=example,dc=fr
changetype: modify
replace: userPassword
userPassword: newpwd

replace userPassword:
newpwd
modifying entry "uid=demo_user6,ou=people,dc=example,dc=fr"
modify complete

Hope I can find some help,

Thanks in advance,
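Two things the post does not show are the global settings in cn=config and whether the policy has passwordCheckSyntax turned on; in 389-ds a subtree policy is only consulted when nsslapd-pwpolicy-local is on, and passwordMinLength is one of the syntax checks that only run when passwordCheckSyntax is on. The following is an added example (not code from the post or from the 389-ds project) in Python: it parses the `dsconf ... localpwp get` attribute list copied from the post plus a global config dump whose values are constructed here for illustration, and lists the reasons the policy above could be accepting a short password.

```python
"""Check a 389-ds password policy dump for settings that keep it from being enforced.

Added example, not code from the post or from the 389-ds project. It parses the
attribute list printed by `dsconf ... localpwp get` (copied from the post) and a
global cn=config dump (values constructed here) and reports the prerequisites a
policy needs before passwordMinLength can reject a short password.
"""

# Sample input: the local subtree policy exactly as shown in the post.
LOCAL_POLICY_DUMP = """\
passwordstoragescheme: PBKDF2_SHA256
passwordchange: off
passwordmustchange: on
passwordinhistory: 4
passwordwarning: 2500
passwordmaxage: 6000
passwordminage: 2000
passwordgracelimit: 1
passwordlockout: on
passwordlockoutduration: 1000
passwordmaxfailure: 1
passwordresetfailurecount: 300
passwordminlength: 20
"""

# Constructed sample: two global cn=config attributes the post does not show.
# The values are assumed for illustration; read the real ones with
# `dsconf <instance> pwpolicy get` or an ldapsearch on cn=config.
GLOBAL_CONFIG_DUMP = """\
nsslapd-pwpolicy-local: off
passwordchecksyntax: off
"""


def parse_attrs(text):
    """Turn 'name: value' lines (LDIF-style, case-insensitive names) into a dict.

    A '::' separator marks a base64 value in LDIF; the raw text is kept as-is.
    """
    attrs = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):  # base64-encoded value, e.g. 'userPassword:: ...'
            value = value[1:]
        attrs[name.strip().lower()] = value.strip()
    return attrs


def _is_on(value):
    return (value or "").strip().lower() == "on"


def lint_policy(local, global_cfg):
    """Return (code, message) findings explaining why the policy may not be applied."""
    findings = []

    # Subtree and user policies are consulted only when the global switch is on;
    # otherwise the server applies the global policy from cn=config alone.
    if not _is_on(global_cfg.get("nsslapd-pwpolicy-local")):
        findings.append(("LOCAL_POLICY_DISABLED",
                         "nsslapd-pwpolicy-local is not 'on' in cn=config, so "
                         "subtree/user policies are ignored"))

    # passwordMinLength belongs to the syntax checks, which run only when
    # passwordCheckSyntax is on (in the local policy or, failing that, globally).
    syntax_on = _is_on(local.get("passwordchecksyntax")
                       or global_cfg.get("passwordchecksyntax"))
    if "passwordminlength" in local and not syntax_on:
        findings.append(("SYNTAX_CHECK_OFF",
                         "passwordminlength=%s is set but passwordchecksyntax is "
                         "not 'on', so length is never checked"
                         % local["passwordminlength"]))

    # passwordChange off forbids users from changing their own password at all:
    # a self-service change that succeeds under this policy means the policy is
    # not the one being applied to the entry.
    if local.get("passwordchange", "on").lower() == "off":
        findings.append(("SELF_CHANGE_DISABLED",
                         "passwordchange is off: a user bind should not be able "
                         "to replace userPassword while this policy is in effect"))

    return findings


if __name__ == "__main__":
    local = parse_attrs(LOCAL_POLICY_DUMP)
    global_cfg = parse_attrs(GLOBAL_CONFIG_DUMP)
    for code, message in lint_policy(local, global_cfg):
        print(f"[{code}] {message}")
```

The third check is the useful cross-check against the test in the post: with passwordchange set to off, a bind as the user should not have been able to replace userPassword at all, so a successful change points to the policy not being applied to that entry rather than to the length rule alone. Repeating the test while bound as the user (not as Directory Manager, which is exempt from password policy) after confirming both global switches is the quickest way to tell the two apart.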