LDAP ppolicy errors are not displayed using /usr/bin/passwd during password change
I have a RHEL 7.1 Server running OpenLDAP. I recently used the ppolicy overlay on the LDAP server to enforce password policies from the server side. They appear to be working just fine. Logging in and policy enforcement are working well.
My question is primarily client side. I am on a 7.1 Client using nslcd and pam to use the LDAP server for authentication. I can change my LDAP password using passwd, and I can log in to machines that are using LDAP for authentication. That is all working fine.
The only problem I have is that when you are changing your password with /usr/bin/passwd, and you violate the password policy guidelines, nothing useful is printed to the screen. The error I get is:
Changing password for user user1
(current) LDAP Password:
New password:
Retype new password:
password change failed: Constraint violation
I know I can set up some password policies using pam on RHEL 7 clients, but I would like to have a solution that checks the errors from the LDAP server and says something like: "your password is too short" or "You've used this password before."
When I use the "ldappasswd" command with the "-e ppolicy" option, I get very useful errors, like so:
ldap1.example.com % ldappasswd -e ppolicy -D uid=user1,ou=people,dc=example,dc=com -x -W -S "uid=user1,ou=people,dc=example,dc=com"
New password:
Re-enter new password:
Enter LDAP Password:
Result: Constraint violation (19)
Additional info: Password fails quality checking policy
control: 1.3.6.1.4.1.42.2.27.8.5.1 false MAOBAQY=
ppolicy: error=6 (Password is too short for policy)
So it appears that the LDAP server is checking the password and finding the errors, but something on the client side (PAM) is just ignoring them.
I must be missing something, but for the life of me, I can't seem to find it in any of the documentation or on Google. Any help would be appreciated.
/etc/nslcd.conf
uid nslcd
gid ldap
uri ldaps://ldap1.example.com
base dc=example,dc=com
ssl no
tls_cacertdir /etc/openldap/cacerts
/etc/openldap/ldap.conf
TLS_CACERTDIR /etc/openldap/cacerts
SASL_NOCANON on
URI ldaps://ldap1.example.com
BASE dc=example,dc=com
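The `control:` line in the ldappasswd output above is the server's password policy response control (OID 1.3.6.1.4.1.42.2.27.8.5.1) with its BER value base64-encoded; `MAOBAQY=` is what ldappasswd then prints as `error=6 (Password is too short for policy)`. The following stdlib-only Python is an added example, not code from the question or from OpenLDAP, that decodes that control value according to the PasswordPolicyResponseValue structure from draft-behera-ldap-password-policy, so a client that receives the control (for instance through a library that exposes raw response controls) can print the same message a user would want to see. It goes beyond the single error in the post: it also decodes the `warning` branch (time before expiration, grace binds remaining). The hex byte strings other than `MAOBAQY=` are constructed test inputs, not values observed on the server in the question.

```python
import base64
from typing import Any, Dict, Tuple

# OID of the password policy response control, as printed by ldappasswd -e ppolicy.
PPOLICY_CONTROL_OID = "1.3.6.1.4.1.42.2.27.8.5.1"

# error values of PasswordPolicyResponseValue (draft-behera-ldap-password-policy).
PPOLICY_ERRORS = {
    0: "passwordExpired",
    1: "accountLocked",
    2: "changeAfterReset",
    3: "passwordModNotAllowed",
    4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality",
    6: "passwordTooShort",
    7: "passwordTooYoung",
    8: "passwordInHistory",
}


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one BER tag-length-value starting at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad BER long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("BER value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def _int(value: bytes) -> int:
    """Decode a BER INTEGER / ENUMERATED body (two's complement, big-endian)."""
    if not value:
        raise ValueError("empty INTEGER")
    return int.from_bytes(value, "big", signed=True)


def decode_ppolicy_control(value: bytes) -> Dict[str, Any]:
    """Decode PasswordPolicyResponseValue ::= SEQUENCE {
           warning [0] CHOICE { timeBeforeExpiration [0] INTEGER,
                                graceAuthNsRemaining [1] INTEGER } OPTIONAL,
           error   [1] ENUMERATED OPTIONAL }
    The tagged CHOICE is explicit (constructed, 0xA0); its members and the
    error field carry implicit context tags (0x80, 0x81) as LDAP's ASN.1 does.
    """
    tag, body, end = _read_tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("control value is not a single SEQUENCE")
    result: Dict[str, Any] = {}
    pos = 0
    while pos < len(body):
        tag, inner, pos = _read_tlv(body, pos)
        if tag == 0xA0:  # warning
            wtag, wval, wend = _read_tlv(inner, 0)
            if wend != len(inner):
                raise ValueError("trailing bytes inside warning CHOICE")
            if wtag == 0x80:
                result["timeBeforeExpiration"] = _int(wval)
            elif wtag == 0x81:
                result["graceAuthNsRemaining"] = _int(wval)
            else:
                raise ValueError(f"unknown warning tag 0x{wtag:02x}")
        elif tag == 0x81:  # error
            code = _int(inner)
            result["error"] = code
            result["error_name"] = PPOLICY_ERRORS.get(code, f"unknown({code})")
        else:
            raise ValueError(f"unexpected tag 0x{tag:02x} in ppolicy control")
    return result


def explain_ppolicy_control(b64_value: str) -> str:
    """Turn the base64 control value printed by ldappasswd into a one-line message."""
    decoded = decode_ppolicy_control(base64.b64decode(b64_value))
    parts = []
    if "timeBeforeExpiration" in decoded:
        parts.append(f"password expires in {decoded['timeBeforeExpiration']} seconds")
    if "graceAuthNsRemaining" in decoded:
        parts.append(f"{decoded['graceAuthNsRemaining']} grace logins remaining")
    if "error" in decoded:
        parts.append(f"error={decoded['error']} ({decoded['error_name']})")
    return "; ".join(parts) if parts else "no ppolicy warning or error"


if __name__ == "__main__":
    # Value taken from the ldappasswd output in the question.
    print(explain_ppolicy_control("MAOBAQY="))
    # Constructed sample: warning graceAuthNsRemaining = 2.
    print(decode_ppolicy_control(bytes.fromhex("3005a003810102")))
```

The decoder is deliberately strict: an unknown tag or trailing bytes raise rather than being skipped, because a client that silently ignores parts of a server control is exactly the failure mode the question describes. Libraries such as python-ldap ship their own decoder for this control; the point here is to show what `MAOBAQY=` actually contains.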