Scotty Jamison

Reputation: 13209

How to disable LDAP password policy

Is it possible to completely disable the LDAP password policy in 389 directory service? If so, how?

As some more background, we currently have our policy rules defined globally at the cn=config level. So, if I do a search for cn=config, I'll find entries like the following:

passwordMinLength: 12
passwordMinDigits: 1
passwordMinAlphas: 2
passwordMinUppers: 1
passwordMinLowers: 1

What I've tried

I've tried deleting the "passwordMinLength" attribute, but doing that just sets it to a default value of "8".

I also tried setting "passwordMinLength" to a low number. It seems the lowest I'm allowed to set it to is "2". So, perhaps if there isn't a simple way to just turn off all password rules, I can fall back to going through each rule and finding the least intrusive value I'm allowed to set it to.

What is it I'm really trying to do?

I'm trying to integrate Keycloak into our LDAP installation. Keycloak has its own password-policy managing system that's separate from LDAP, but the configuration seems to be completely ignored. My best guess at the moment is that LDAP's built-in password policy rules are conflicting with Keycloak's rules (I've seen this sort of thing happen before with something else). This article about Keycloak's password policy system states "The end user should either choose Keycloak Password Policy or LDAP password Policy. Using a mix of both should be totally ruled out." but then it gives no explanation on how to "turn off" LDAP's rules. Turning off Keycloak's rules and using LDAP's instead doesn't seem to be a valid option either, as Keycloak is somehow bypassing LDAP's rules whenever it saves a password (I've seen support threads that show that this is intentional behavior).

Upvotes: 0

Views: 808

Answers (1)

EricLavault

Reputation: 16095

You can disable the password policy using the dsconf utility:

dsconf : Manage a remote or local instance configuration. This requires cn=Directory Manager access. It changes settings of the server and is the primary tool you will use for administration of config.

There is no global switch unfortunately (afaik), so it amounts to turning off account lockout, password age tracking/history, and the syntax check (all other parameters depend on these):

dsconf -D "cn=Directory Manager" ldap://example.com pwpolicy set --pwdlockout off
dsconf -D "cn=Directory Manager" ldap://example.com pwpolicy set --pwdchecksyntax off
dsconf -D "cn=Directory Manager" ldap://example.com pwpolicy set --pwdhistory off
dsconf -D "cn=Directory Manager" ldap://example.com pwpolicy set --pwdtrack off
dsconf -D "cn=Directory Manager" ldap://example.com pwpolicy set --pwdexpire off

You might also have to disable "fine-grained" password policies if any (defined at the subtree/user level):

dsconf -D "cn=Directory Manager" ldap://example.com pwpolicy set --pwdlocal off

-> Configuring a password-based account lockout policy using the command line


You can also do the same thing from the management console if you have it installed:

  • Open Directory Server UI in the web console
  • Select the instance
  • Open the Database menu, navigate to → Password Policies → Global Policy

(for the old UI check the screenshot here)

-> Configuring a password-based account lockout policy using the web console

Upvotes: 1
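As an added check (not part of the answer above), the script below audits a cn=config LDIF dump, such as the output of an ldapsearch against cn=config, and reports which policy controls are still not explicitly off after the dsconf commands. The mapping from dsconf flags to cn=config attribute names is assumed, and the LDIF is constructed sample input, not a real server dump.

```python
from typing import Dict

# dsconf flag -> cn=config attribute it toggles (assumed mapping; keys are
# lowercased because LDIF attribute names are case-insensitive)
CONTROLS = {
    "passwordlockout": "--pwdlockout",
    "passwordchecksyntax": "--pwdchecksyntax",
    "passwordhistory": "--pwdhistory",
    "passwordtrackupdatetime": "--pwdtrack",
    "passwordexp": "--pwdexpire",
    "nsslapd-pwpolicy-local": "--pwdlocal",
}

# Constructed sample: a cn=config dump after only some of the dsconf commands ran.
SAMPLE_LDIF = """\
dn: cn=config
passwordMinLength: 12
passwordMinDigits: 1
passwordCheckSyntax: on
passwordLockout: off
passwordHistory: off
passwordExp: on
passwordTrackUpdateTime: off
nsslapd-pwpolicy-local: off
"""


def parse_entry(ldif: str) -> Dict[str, str]:
    """Parse one LDIF entry into {lowercased attribute: value}, skipping comments/blank lines."""
    entry: Dict[str, str] = {}
    for raw in ldif.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        attr, _, value = line.partition(":")
        entry[attr.strip().lower()] = value.strip()
    return entry


def not_explicitly_off(entry: Dict[str, str]) -> Dict[str, str]:
    """dsconf flag -> current value for every control that is not explicitly 'off'.
    An attribute absent from the dump is reported as '<missing>' rather than assumed off,
    since the server then falls back to its compiled-in default."""
    return {flag: entry.get(attr, "<missing>") for attr, flag in CONTROLS.items()
            if entry.get(attr, "").lower() != "off"}


if __name__ == "__main__":
    for flag, value in not_explicitly_off(parse_entry(SAMPLE_LDIF)).items():
        print(f"{flag} is {value}: run `dsconf ... pwpolicy set {flag} off`")
```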
