LDAP password policy not being reflected


Jordan Stoner

Jan 14, 2022, 3:51:19 PM
to pwm-general
Environment:
DC - Windows Server 2012R2
PWM v1.9.2 b0 r0 on Windows Server 2012R2

I have the password policy source set to LDAP.  However on the Change Password page, only the following policy requirements are displayed:
-Password is case sensitive
-Must be at least 8 characters long

This is causing confusion for some users in that we also have Password complexity enabled (among other password policy settings).  Is there a way to get PWM to reflect these requirements correctly?

I know I could go through and set the policy in PWM to generally reflect what AD expects, but I'd rather that AD be the source of truth.  We're also setting up several PWM servers across multiple domains, so I'd like to not add that much configuration overhead.

Thanks!

Yann Lehmann

Jan 15, 2022, 9:08:38 AM
to pwm-general
I am quite new to pwm and still have much to learn, so my suggestion might not be related to the described problem.
The text about the password policy shown to users is "constructed" based on settings. The help text for this setting mentions that with "complicated" policies, the text might not be accurate, see:

When blank, PWM displays an automatically generated rule list to the user. The automated rule list may not be inclusive of all settings in the password policy. Some of the more esoteric or difficult to communicate rules do not appear in the automatically generated list. This is done in an attempt to not overwhelm the users with having to read and parse the rules before attempting to change their passwords. Should the user type a password that conflicts with such a rule - the per-keystroke rule checker provides direct feedback to the user on how to correct the problem.

If you do not want the automatically generated rule list, you can override it by setting a value here. The field permits HTML tags.

Jordan Stoner

Mar 30, 2022, 11:58:00 AM
to pwm-general
Thanks for your response.  I had missed this setting before, but having now set it, it doesn't seem to have any effect on what is displayed on the Change Password page.  It is still displaying the generated password policy.

I have also tried this in an environment running on Server 2022 and have also tried upgrading to PWM 2.0.1, but the issue remains.

Jordan Stoner

Mar 30, 2022, 12:58:24 PM
to pwm-general
Never mind, I had Password Policy Source set to LDAP.  Since the Password Rule Text setting is part of the local password policy, it wasn't being used.  Changing Password Policy Source to Merge Local and LDAP allows the custom message to be shown.
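The thread turns on the fact that an Active Directory domain's password policy is spread over several LDAP attributes on the domain object, and a rule list that only reads minPwdLength will silently omit the complexity flag that lives in pwdProperties. The following is an added example, not PWM's code and not posted by anyone in the thread: it decodes those attributes (the well-known AD attribute names and pwdProperties bit values; the sample values themselves are constructed to match the thread's "at least 8 characters plus complexity" situation) into the rule list an administrator would expect users to see, and reports which rules a displayed list leaves out, so you can confirm what is missing before deciding whether to override the generated text.

```python
"""Decode Active Directory domain password-policy attributes into a rule list.

Added example: the attribute names and pwdProperties flag values are the
documented AD ones; the sample entry below is constructed, not read from a
real domain.
"""
from __future__ import annotations

# pwdProperties bit flags on the domain NC head object.
DOMAIN_PASSWORD_COMPLEX = 0x1
DOMAIN_PASSWORD_NO_ANON_CHANGE = 0x2
DOMAIN_PASSWORD_NO_CLEAR_CHANGE = 0x4
DOMAIN_LOCKOUT_ADMINS = 0x8
DOMAIN_PASSWORD_STORE_CLEARTEXT = 0x10
DOMAIN_REFUSE_PASSWORD_CHANGE = 0x20

# AD stores minPwdAge/maxPwdAge as negative counts of 100-nanosecond intervals.
TICKS_PER_DAY = 10_000_000 * 60 * 60 * 24
NEVER_EXPIRES = -0x8000000000000000  # maxPwdAge sentinel for "never"

# Constructed sample, as an LDAP client would hand the attributes back (strings).
SAMPLE_DOMAIN_ENTRY = {
    "minPwdLength": "8",
    "pwdProperties": "1",            # DOMAIN_PASSWORD_COMPLEX set
    "pwdHistoryLength": "24",
    "minPwdAge": "-864000000000",    # 1 day
    "maxPwdAge": "-36288000000000",  # 42 days
    "lockoutThreshold": "5",
}

# What the thread reports PWM displayed (constructed from the first post).
DISPLAYED_RULES = [
    "Password is case sensitive",
    "Must be at least 8 characters long",
]


def interval_to_days(value: str) -> int | None:
    """Convert an AD *PwdAge value to whole days; None means no limit / never."""
    ticks = int(value)
    if ticks == 0 or ticks == NEVER_EXPIRES:
        return None
    return abs(ticks) // TICKS_PER_DAY


def render_rules(entry: dict[str, str]) -> list[str]:
    """Build a human-readable rule list from the domain's policy attributes."""
    rules = ["Password is case sensitive"]  # AD passwords are always case sensitive
    min_len = int(entry.get("minPwdLength", "0"))
    if min_len > 0:
        rules.append(f"Must be at least {min_len} characters long")
    props = int(entry.get("pwdProperties", "0"))
    if props & DOMAIN_PASSWORD_COMPLEX:
        rules.append(
            "Must contain characters from three of: uppercase, lowercase, digits, "
            "symbols, other Unicode letters; must not contain the account name"
        )
    history = int(entry.get("pwdHistoryLength", "0"))
    if history > 0:
        rules.append(f"Must not match any of the previous {history} passwords")
    min_age = interval_to_days(entry.get("minPwdAge", "0"))
    if min_age:
        rules.append(f"Cannot be changed again for {min_age} day(s)")
    max_age = interval_to_days(entry.get("maxPwdAge", "0"))
    if max_age:
        rules.append(f"Expires after {max_age} day(s)")
    lockout = int(entry.get("lockoutThreshold", "0"))
    if lockout > 0:
        rules.append(f"Account locks after {lockout} failed sign-in attempts")
    return rules


def undisplayed_rules(entry: dict[str, str], displayed: list[str]) -> list[str]:
    """Return the policy rules that a displayed rule list does not mention."""
    shown = set(displayed)
    return [rule for rule in render_rules(entry) if rule not in shown]


if __name__ == "__main__":
    print("Full policy:")
    for rule in render_rules(SAMPLE_DOMAIN_ENTRY):
        print(" -", rule)
    print("Not shown to users:")
    for rule in undisplayed_rules(SAMPLE_DOMAIN_ENTRY, DISPLAYED_RULES):
        print(" -", rule)
```

Run against a real domain, the entry dictionary would come from a base-scope LDAP search of the domain DN for these attributes; keeping the decoder separate from the LDAP call makes it easy to compare the rendered list with whatever the self-service portal shows and to spot rules such as complexity or history that the automatically generated text omits.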