我有一个工作的 LDAP 服务器。接下来将密码策略添加到 LDAP 服务器。我的密码 ldif 如下所示:
dn: cn=MyPolicy,ou=Policies,dc=XXX,dc=XXXX
cn: MyPolicy
objectClass: pwdPolicy
#objectClass: pwdPolicyChecker
objectClass: device
objectClass: top
pwdAttribute: 2.5.4.35
#pwdAttribute: userPassword
pwdMaxAge: 7862400
pwdExpireWarning: 6048000
pwdInHistory: 3
pwdCheckQuality: 2
pwdMinLength: 7
pwdMaxFailure: 3
pwdLockout: TRUE
pwdLockoutDuration: 300
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
pwdReset: FALSE
它已成功添加到我的 LDAP 服务器。但只有锁定和锁定持续时间有效。密码最小长度不起作用。
pam configuration
Server side configuration
pam.d/common-auth
auth [success=1 default=ignore] pam_ldap.so nullok_secure try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
pam.d/common-account
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so
pam.d/common-password
password [success=1 default=ignore] pam_unix.so obscure sha512 minlen=8
password requisite pam_deny.so
password required pam_permit.so
Client side configuration
pam.d/common-auth
auth [success=2 default=ignore] pam_unix.so null_secure try_first_pass
auth [success=1 default=ignore] pam_ldap.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
pam.d/common-account
account [success=2 new_authtok_reqd=done default=ignore] pam_ldap.so
account [success=1 default=ignore] pam_unix.so
account needs pam_deny.so
account required pam_permit.so
pam.d/common-password
password [success=2 default=ignore] pam_unix.so obscure sha512
password [success=1 user_unknown=ignore default=die] pam_ldap.so try_first_pass
password requisite pam_deny.so
password required pam_permit.so
ldap.conf
pam_lookup_policy yes
你能否让我知道我哪里出错了。