openLDAP pwdReset pwdMustChange
Lipscomb, Gary
glipscomb at csu.edu.au
Wed Aug 24 04:34:10 UTC 2022
Thanks Dan,
We already have that set and password expiration works. We get a warning displayed from 10 days prior to password expiration.
It’s just that adding the additional pwdReset and pwdMustChange doesn’t do anything using SSO, but it works with the ldapsearch CLI.
Regards
Gary
Gary Lipscomb
Technical Officer, Systems
IT Infrastructure & Security | Division of Information Technology
From: users <users-bounces at shibboleth.net> On Behalf Of Daniel Fisher via users
Sent: Wednesday, 24 August 2022 11:52
To: Shib Users <users at shibboleth.net>
Cc: Daniel Fisher <dfisher at vt.edu>
Subject: Re: openLDAP pwdReset pwdMustChange
On Tue, Aug 23, 2022 at 1:31 AM Lipscomb, Gary via users <users at shibboleth.net> wrote:
Has anyone done this?
It appears you're attempting to use https://datatracker.ietf.org/doc/html/draft-behera-ldap-password-policy-10 for your password policy implementation.
* idp.authn.LDAP.usePasswordPolicy = true
This is the property you want set to true to enable this feature.
* idp.authn.LDAP.usePasswordExpiration = true
This property enables a different type of password policy implementation (http://tools.ietf.org/html/draft-vchu-ldap-pwd-policy-00).
Set it to false.
Assuming you've configured the ppolicy overlay correctly in OpenLDAP....
Your IDP should signal a warning type of AuthnEventIds.ACCOUNT_WARNING when a password warning is returned from an LDAP authentication. And an error type of AuthnEventIds.ACCOUNT_ERROR when a password error is returned.
--Daniel Fisher
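With idp.authn.LDAP.usePasswordPolicy set, what the IdP actually acts on is the password-policy response control (OID 1.3.6.1.4.1.42.2.27.8.5.1, section 6.2 of the Behera draft) that the OpenLDAP ppolicy overlay attaches to the bind response: a warning (time before expiration or grace logins remaining) or an error such as changeAfterReset, which is what a user entry with pwdReset TRUE produces. The decoder below is an added example written for this thread, not code from the Shibboleth IdP or from ldaptive; the control values it parses are constructed by hand to show the three shapes the server can return, and the mapping to the AuthnEventIds names follows Daniel's description above (warning present means ACCOUNT_WARNING, error present means ACCOUNT_ERROR). It is useful for checking, independently of the IdP, what the server put in the control.

```python
"""Decode the LDAP password-policy response control value (draft-behera, 6.2).

Added example for this thread; it is not Shibboleth IdP or ldaptive code.
ASN.1 shape (context tags are implicit, the CHOICE wrapper is constructed):

  PasswordPolicyResponseValue ::= SEQUENCE {
      warning [0] CHOICE { timeBeforeExpiration [0] INTEGER,
                           graceAuthNsRemaining [1] INTEGER } OPTIONAL,
      error   [1] ENUMERATED { passwordExpired(0) ... passwordInHistory(8) } OPTIONAL }
"""
from dataclasses import dataclass
from typing import Optional, Tuple

PPOLICY_CONTROL_OID = "1.3.6.1.4.1.42.2.27.8.5.1"

ERROR_NAMES = {
    0: "passwordExpired",
    1: "accountLocked",
    2: "changeAfterReset",   # returned for an entry whose pwdReset is TRUE
    3: "passwordModNotAllowed",
    4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality",
    6: "passwordTooShort",
    7: "passwordTooYoung",
    8: "passwordInHistory",
}


@dataclass
class PasswordPolicyResponse:
    time_before_expiration: Optional[int] = None   # seconds
    grace_authns_remaining: Optional[int] = None
    error: Optional[str] = None


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one BER TLV starting at buf[pos]; return (tag, content, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated TLV content")
    return tag, buf[pos:end], end


def _integer(content: bytes) -> int:
    if not content:
        raise ValueError("empty INTEGER")
    return int.from_bytes(content, "big", signed=True)


def decode(value: bytes) -> PasswordPolicyResponse:
    """Parse the control value; raise ValueError on anything malformed."""
    tag, body, end = _read_tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("expected exactly one SEQUENCE")
    resp = PasswordPolicyResponse()
    pos = 0
    while pos < len(body):
        tag, content, pos = _read_tlv(body, pos)
        if tag == 0xA0:                     # warning [0], constructed
            inner_tag, inner, inner_end = _read_tlv(content, 0)
            if inner_end != len(content):
                raise ValueError("trailing bytes inside warning")
            if inner_tag == 0x80:           # timeBeforeExpiration [0]
                resp.time_before_expiration = _integer(inner)
            elif inner_tag == 0x81:         # graceAuthNsRemaining [1]
                resp.grace_authns_remaining = _integer(inner)
            else:
                raise ValueError(f"unknown warning choice 0x{inner_tag:02x}")
        elif tag == 0x81:                   # error [1], primitive ENUMERATED
            code = _integer(content)
            resp.error = ERROR_NAMES.get(code, f"unknown({code})")
        else:
            raise ValueError(f"unexpected tag 0x{tag:02x} in control value")
    return resp


def idp_event(resp: PasswordPolicyResponse) -> Optional[str]:
    """Outcome the thread describes: error -> ACCOUNT_ERROR, warning -> ACCOUNT_WARNING."""
    if resp.error is not None:
        return "ACCOUNT_ERROR"
    if resp.time_before_expiration is not None or resp.grace_authns_remaining is not None:
        return "ACCOUNT_WARNING"
    return None


# Constructed sample control values (not captured from a real server).
SAMPLES = {
    # warning: timeBeforeExpiration = 86400 s, the pre-expiry warning case
    "expires_tomorrow": bytes.fromhex("3007a0058003015180"),
    # error: changeAfterReset(2), what ppolicy returns once pwdReset is TRUE
    "must_change": bytes.fromhex("3003810102"),
    # warning graceAuthNsRemaining = 1 together with error passwordExpired(0)
    "expired_grace": bytes.fromhex("3008a003810101810100"),
    # empty SEQUENCE: nothing to report
    "no_state": bytes.fromhex("3000"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        r = decode(raw)
        print(f"{name:17} {r}  ->  {idp_event(r)}")
```

On the OpenLDAP side the same control can be requested from the CLI with the ppolicy extension (for example ldapwhoami -e ppolicy, binding as the test user), which is the quickest way to confirm the server is emitting changeAfterReset for a pwdReset entry before looking at the IdP configuration.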