change password criteria


Jeff Viola

Sep 10, 2014, 4:14:59 PM
to pwm-g...@googlegroups.com
I was using PWM to manage the password policy, but because you cannot expire passwords I had to switch the password policy source to LDAP.  My problem is that when a user tries to change their password, PWM is making criteria that I don't have in LDAP, like below.  Where can I turn off these settings?

Please change your password. Keep your new password secure. After you type your new password, click the Change Password button. If you must write it down, be sure to keep it in a safe place. Your new password must meet the following requirements:
  • Password is case sensitive.
  • Must not include any numeric characters.
  • Must not include any symbol (non letter or number) characters.
  • Must not include a common word or commonly used sequence of characters.

Jeff Viola

Sep 11, 2014, 8:53:06 AM
to pwm-g...@googlegroups.com

 

Jeff Viola

Sep 17, 2014, 3:17:48 PM
to pwm-g...@googlegroups.com
I could really use some help!   I'm going nuts trying to figure this out.   Is it a bug in the software?  No matter what changes I make, I still get this requirement showing up when a user changes his password:

Please change your password. Keep your new password secure. After you type your new password, click the Change Password button. If you must write it down, be sure to keep it in a safe place. Your new password must meet the following requirements:
  • Password is case sensitive.
  • Must not include any numeric characters.
  • Must not include any symbol (non letter or number) characters.
  • Must not include a common word or commonly used sequence of characters.

I'm pointing at my LDAP server for Password Policy.   This is not the criteria I have set up in my LDAP server.

Here is what I have figured out.

If I choose Local then the password policy can be changed in PWM and work fine except you can expire the password.
So I tried choosing LDAP server and it adds the criteria as found above.  I can seem to change it.
If I choose Local and LDAP or merge it is a combination of the criteria above and my Local settings.

If I change my LDAP server to say require a minimum of 6 characters and set the password policy to LDAP in PWM, it doesn't work.

Can someone point me in the right direction to resolve this?  Thanks.


Menno Pieters

Sep 17, 2014, 3:46:30 PM
to pwm-g...@googlegroups.com
Hi Jeff,

Sorry, I wish I could help, but do not have a similar setup and run a more recent version (development). I currently do not have the time and means to replicate your issue.

- Menno

--
You received this message because you are subscribed to the Google Groups "pwm-general" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pwm-general...@googlegroups.com.
To post to this group, send email to pwm-g...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/pwm-general/b91cae15-2f38-4d87-89e1-47da4704c11d%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

Jeff Viola

Sep 17, 2014, 5:30:43 PM
to pwm-g...@googlegroups.com
I don't know if it helps, but I've tried 1.70, 1.71, and about 7 different nightlies.   I am running 08172014 right now.   It doesn't matter the version.

Regards,
Jeff

Jason Rivard

Sep 18, 2014, 4:55:52 PM
to pwm-g...@googlegroups.com
When you choose 'LDAP' as the source, PWM will try to read your password policy from your directory, but most directories don't have readable policies to satisfy all of PWM's policies, so it fills in the blanks with defaults.  It does this better or worse depending on the directory.  You didn't mention what directory you're using.

It seems like you more want to change the user display message?  Try looking at the setting: Password Rule Text (Advanced)



Jeff Viola

Sep 18, 2014, 4:59:47 PM
to pwm-g...@googlegroups.com

Thanks for the reply.  I am using openldap.   Will changing the message change the requirements?   The message that is displayed is preventing me from entering a password with numbers or symbols.


Jeff Viola

Sep 19, 2014, 9:37:11 AM
to pwm-g...@googlegroups.com
I made changes to "Password Rule Text" to no avail.  How do you disable PWM from setting the criteria and just let OpenLDAP set the criteria, since I have chosen LDAP as my password policy?

Thanks,



Menno Pieters

Sep 19, 2014, 9:41:54 AM
to pwm-g...@googlegroups.com
That may be the problem... I don't think OpenLDAP is supported for that feature. AD and eDirectory are.

- Menno


Jeff Viola

Sep 19, 2014, 3:15:11 PM
to pwm-g...@googlegroups.com
Menno, thanks for responding.

If that is true, that would be bad news.  I’ve spent so much time on PWM and thought I was close to having a solution.  If PWM would expire passwords then I would just use PWM for password policies.   I don’t know why that feature can’t be added.  Obviously, PWM can read the timestamp of when passwords are changed; I don’t know why it can’t be written to check if it is x number of days?

If PWM doesn’t work for LDAP, I’ll have to look for another solution.  Can anyone comment whether this is accurate or not?

-Jeff


Menno Pieters

Sep 19, 2014, 4:20:51 PM
to pwm-g...@googlegroups.com
Hi Jeff,

I just checked the code for the underlying LdapChai library and, sorry, it's true: only for AD and eDirectory, reading the password policy has been implemented. The good news is, LdapChai is also free, open source software and you're more than welcome to contribute. If you could provide some code to read the password policies from OpenLDAP and possibly other implementations, that could be added to LdapChai and thus to PWM.

LdapChai can be found here: https://code.google.com/p/ldapchai/

- Menno


Sent from Surface


Jeff Viola

Sep 19, 2014, 4:29:02 PM
to pwm-g...@googlegroups.com
Thanks Menno for checking on that for me.  I would love to help, but I'm not a coder, nor do I know how to get the code you are referring to.  If it is simple and I had instructions I could probably do it.   You're not talking about this information, are you? http://linux.die.net/man/5/slapo-ppolicy

-Jeff
Thanks,

Menno Pieters

Sep 19, 2014, 4:55:04 PM
to pwm-g...@googlegroups.com
...probably. For reference, please add an issue at https://code.google.com/p/ldapchai/issues/list. Add this information to it. No guarantees whatsoever if and when we can add it to the product.

- Menno
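
Added example, not part of the thread and not PWM or LdapChai code: Jason Rivard's reply says PWM fills policy gaps with defaults when the directory cannot supply a rule, and the slapo-ppolicy page Jeff links defines the attributes OpenLDAP stores. The Python below parses a constructed pwdPolicy entry and reports which rules come from the directory and which fall back to defaults; the rule names, default values and sample entry are assumptions.

```python
# Added example. Rule names and defaults in RULES are hypothetical, not PWM's or LdapChai's.
# Constructed sample: a slapo-ppolicy entry as ldapsearch would print it (LDIF).
SAMPLE_LDIF = """\
dn: cn=default,ou=policies,dc=example,dc=com
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdMinLength: 6
pwdMaxAge: 7776000
pwdInHistory: 5
"""

# client rule -> (pwdPolicy attribute that carries it, or None; client default)
RULES = {
    "min_length": ("pwdMinLength", 0),
    "max_age_seconds": ("pwdMaxAge", 0),
    "min_age_seconds": ("pwdMinAge", 0),
    "history_count": ("pwdInHistory", 0),
    "max_numeric": (None, None),  # character-class limits have no pwdPolicy attribute
    "max_symbol": (None, None),
}

def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}, joining folded lines."""
    attrs, last = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and last:
            attrs[last][-1] += line[1:]  # continuation of the previous value
            continue
        name, sep, value = line.partition(":")
        last = None  # blank lines, comments and base64 values are skipped
        if sep and not line.startswith("#") and not value.startswith(":"):
            attrs.setdefault(name, []).append(value.strip())
            last = name
    return attrs

def resolve_policy(attrs):
    """Return (policy, defaulted); defaulted lists rules the directory did not supply."""
    if "pwdPolicy" not in attrs.get("objectClass", []):
        raise ValueError("entry is not a pwdPolicy object")
    policy = {rule: default for rule, (_, default) in RULES.items()}
    supplied = {r: int(attrs[a][0]) for r, (a, _) in RULES.items() if a in attrs}
    policy.update(supplied)
    return policy, [r for r in RULES if r not in supplied]

if __name__ == "__main__":
    policy, defaulted = resolve_policy(parse_ldif_entry(SAMPLE_LDIF))
    print(policy, "| filled from client defaults:", defaulted)
```

The `defaulted` list is the part worth reviewing: every rule in it is enforced from the client's defaults rather than from the directory, which is where a requirement the directory never set can come from.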

Jeff Viola

Oct 1, 2014, 1:50:17 PM
to pwm-g...@googlegroups.com
Ok.  I just submitted this issue.  Thanks,

-Jeff

ahad alam

Mar 20, 2025, 2:32:55 PM
to pwm-general
I am also facing this issue. Is there any solution yet? I also set LDAP as the password policy source. If I choose Both, then it throws a "4006: WRONG PASSWORD" error. When I set LDAP, it is not taking any symbol or numeric characters.

Jason Rivard

Mar 24, 2025, 7:09:07 PM
to pwm-general
Please stop commenting on this 10-year-old thread.  I have no idea what issue you're having.  Post a new topic to the list and include all the info we need to help you.