Openldap and Password policy enforcement not working

Question

I tried to add a password policy to my openldap instance. It's seems like it's not working.

This is my setup:

Added to slapd.conf:

modulepath    /usr/lib64/openldap
moduleload ppolicy.la

access to attrs=userPassword
 by self write
 by users read
 by anonymous auth

access to *
 by * read

database    bdb
suffix      "dc=openiam,dc=com"
rootdn      "cn=Manager,dc=openiam,dc=com"
rootpw      "{SSHA}2ttRoo/t5HuMT2nPxtI6goVUML5R2H9h"
# PPolicy Configuration
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=openiam,dc=com"
ppolicy_use_lockout
ppolicy_hash_cleartext
# Indices to maintain for this database
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub

This is the default.ldif file:

dn: cn=default,ou=policies,dc=openiam,dc=com
cn: default
objectclass: top
objectclass: device
objectclass: pwdPolicy
pwdallowuserchange: TRUE
pwdattribute: userPassword
pwdcheckquality: 1
pwdexpirewarning: 432000
pwdfailurecountinterval: 0
pwdgraceauthnlimit: 0
pwdinhistory: 6
pwdlockout: TRUE
pwdlockoutduration: 1920
pwdmaxage: 7516800
pwdmaxfailure: 4
pwdminlength: 100
pwdmustchange: TRUE
pwdsafemodify: FALSE

Now i am using Spring-ldap in order to create new user with password on openldap.

for a testing purpose I limit the password length policy to 100(pwdminlength: 100)

Now I am creating the user with a shorter password and expecting to get some error - But not! I am creating the user succesfully:

This is the user creation ldif:

dn: cn=roi cohen,ou=Users,dc=openiam,dc=com
cn: cohen
cn: roi cohen
description: somedesc
mail: roi@yahoo.com
objectclass: person
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: top
objectclass: pwdPolicy
pwdattribute: userPassword
pwdlockout: TRUE
pwdmustchange: TRUE
sn: roi
uid: croi
userpassword: {SHA}QL0AFWMIX8NRZTKeof9cXsvbvu8=

After removing the objectclass: pwdPolicy. I still managed to create the user. the new user ldif after creation:

dn: cn=roi cohen,ou=Users,dc=openiam,dc=com
cn: cohen
cn: roi cohen
description: somedesc
mail: roi@yahoo.com
objectclass: person
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: top
sn: roi
uid: croi
userpassword: {SHA}QL0AFWMIX8NRZTKeof9cXsvbvu8=

Any idea why the password policy didnt restrict that user creation?

thanks, ray.

Answer 1

You need to create the user first while specifying the password-policy request control. Then you will get a password-policy response control with the response, which will contain this error if it occurred.