Openldap and Password policy enforcement not working


I tried to add a password policy to my openldap instance. It's seems like it's not working.

This is my setup:

Added to slapd.conf:

modulepath /usr/lib64/openldap moduleload ppolicy.la access to attrs=userPassword by self write by users read by anonymous auth access to * by * read database bdb suffix "dc=openiam,dc=com" rootdn "cn=Manager,dc=openiam,dc=com" rootpw "{SSHA}2ttRoo/t5HuMT2nPxtI6goVUML5R2H9h" # PPolicy Configuration overlay ppolicy ppolicy_default "cn=default,ou=policies,dc=openiam,dc=com" ppolicy_use_lockout ppolicy_hash_cleartext # Indices to maintain for this database index objectClass eq,pres index ou,cn,mail,surname,givenname eq,pres,sub index uidNumber,gidNumber,loginShell eq,pres index uid,memberUid eq,pres,sub index nisMapName,nisMapEntry eq,pres,sub

This is the default.ldif file:

dn: cn=default,ou=policies,dc=openiam,dc=com cn: default objectclass: top objectclass: device objectclass: pwdPolicy pwdallowuserchange: TRUE pwdattribute: userPassword pwdcheckquality: 1 pwdexpirewarning: 432000 pwdfailurecountinterval: 0 pwdgraceauthnlimit: 0 pwdinhistory: 6 pwdlockout: TRUE pwdlockoutduration: 1920 pwdmaxage: 7516800 pwdmaxfailure: 4 pwdminlength: 100 pwdmustchange: TRUE pwdsafemodify: FALSE

Now i am using Spring-ldap in order to create new user with password on openldap.

for a testing purpose I limit the password length policy to 100(pwdminlength: 100)

Now I am creating the user with a shorter password and expecting to get some error - But not! I am creating the user succesfully:

This is the user creation ldif:

dn: cn=roi cohen,ou=Users,dc=openiam,dc=com cn: cohen cn: roi cohen description: somedesc mail: roi@yahoo.com objectclass: person objectclass: inetOrgPerson objectclass: organizationalPerson objectclass: top objectclass: pwdPolicy pwdattribute: userPassword pwdlockout: TRUE pwdmustchange: TRUE sn: roi uid: croi userpassword: {SHA}QL0AFWMIX8NRZTKeof9cXsvbvu8=

After removing the objectclass: pwdPolicy. I still managed to create the user. the new user ldif after creation:

dn: cn=roi cohen,ou=Users,dc=openiam,dc=com cn: cohen cn: roi cohen description: somedesc mail: roi@yahoo.com objectclass: person objectclass: inetOrgPerson objectclass: organizationalPerson objectclass: top sn: roi uid: croi userpassword: {SHA}QL0AFWMIX8NRZTKeof9cXsvbvu8=

Any idea why the password policy didnt restrict that user creation?

thanks, ray.


You need to create the user first while specifying the password-policy request control. Then you will get a password-policy response control with the response, which will contain this error if it occurred.


  • Time Complexity of finding the length of an array
  • Expand Vector in Tensorflow and space elements with zeros
  • Java - Slice any array at steps
  • All the zero values in upper triangle
  • Create a config file to hold values like username password url in python behave
  • Array access optimization
  • Iterating over the array in random order [duplicate]
  • Create index on first 3 characters (area code) of phone field?
  • Efficient random permutation of n-set-bits
  • How to find the frequency from FFT data in MATLAB
  • Remove the last occurrence of an element in a Swift array
  • Convert list of N items to relative ordering (0-(N-1))? [duplicate]
  • Split a String without removing the delimiter in Swift
  • How do I use the indices of nested for-loops to generate a consecutive list of numbers?
  • joins versus correlated exists subqueries
  • could not convert from
  • Find the maximum values in 2nd column for each distinct values in 1st column using Linux
  • row-wise first/last occurrences from column series in data.table
  • How to show scatter plot on specific condition which I set using dc.js
  • Algorithm for: All possible ways of splitting a set of elements into two sets?
  • Tuple of sequence
  • Typeclass instances for functions
  • Python Statsmodels: OLS regressor not predicting
  • Adding a CSS class to element on ng-click
  • Laravel : display personal format of timestamps fields
  • HttpSendRequest blocking when more than two downloads are already in progress
  • Equivalent for np.add.at in tensorflow
  • Parse PFFile download order iOS
  • How to make Java compiler generate line numbers in compiled code
  • Pandas multi-index subtract from value based on value in other column
  • javafx 3d performance large data set
  • Sql indexes vs full table scan
  • C++ String tokenisation from 3D .obj files
  • Spring MVC redirect with custom http headers
  • C++ Armadillo Access Triangular Matrix Elements
  • Crafting a LINQ based solution to determine if a set of predicates are satisfied for a pair of colle
  • Creating an Order Column for encrypted data
  • possible limitation of implode function in PHP
  • Functions in global context