I have done everything I am aware of that is required for enabling this feature, which is:
1. Updating ivmgrd.conf, specifically these options in the LDAP stanza:
enhanced-pwd-policy = yes
auth-using-compare = no
2. Updated ldap.conf, specifically these options in the ldap-generic-general stanza
auth-using-compare-supported = no
This did not seem necessary, but I did it anyway
3. Updated the ACL under the DIT where my users are stored (ou=users, dc=<company>), as instructed in a guide I came across
dn: ou=users,o=<company>
changetype: modify
add: aclEntry
aclEntry: access-id:cn=this:at.userPassword:rwsc
It looked like this was everything, however I noticed a few things:
1. Parameters updated in the global password policy in ISDS, which had their equivalent in ISAM, did not have the values updated in ISAM to match ISDS. Things like max failed logins, min alpha characters or max repeated characters.
2. If I locked an account in ISDS directly, there was no sign of the account being locked in ISAM, although ISAM did throw an error message saying too many failed logins, and when I unlocked the account in ISDS, login via ISAM worked again. So the LDAP state is being read; it is just not indicating, when I do a user show <username>, whether or not an account is locked in ISDS, because it shows account and password as being valid.
So, my questions:
1. Are the experiences described above correct and expected?
2. Does ISAM even pay attention to max alpha characters, max repeated characters when updating passwords?
3. Why does ISAM need the permissions update? Are there modifications to an account in LDAP that are performed via ISAM besides changing password when this enhanced password management feature is enabled?
I find it confusing that ISAM will utilize ISDS password policy options but does not show them via its own user management tools! If I was help desk staff, for example, I literally couldn't trust account values like account valid and password valid when this "enhanced password management" was enabled. It looks like the info via pdadmin is only partially trustworthy, and that I have to look that info up directly in LDAP and decipher the actual state.
I'm struggling to see the point of this feature! My feeling is it should delegate everything password policy state related or nothing, not this mish-mash ... unless of course my configuration is incomplete and I missed something about it :(
------------------------------
Dennis English
------------------------------
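The post above observes that `pdadmin user show` still reports the account and password as valid while the lockout actually lives in the ISDS operational attributes. The following Python script is an added example (not part of the post, and not IBM's code) that decodes that LDAP-side state from an LDIF export of the user entry and the password policy entry, the way help desk staff could check it when the pdadmin view cannot be trusted. It assumes the attribute names of the IETF LDAP password-policy draft that ISDS implements (pwdAccountLockedTime, pwdFailureTime, pwdChangedTime, pwdReset on the user; pwdMaxFailure, pwdLockout, pwdLockoutDuration, pwdMaxAge on the policy), and that a pwdAccountLockedTime of 000001010000Z means an indefinite administrative lock, as in that draft. The LDIF, DNs and timestamps are constructed sample data; pull the real entries with `ldapsearch` (including the operational attribute `+` list) and feed them in instead.

```python
"""Decode ISDS password-policy lock/expiry state from LDIF (added example).

Attribute names follow the IETF password-policy draft as implemented by ISDS;
this is an assumption, not something taken from the original post. The LDIF
below is constructed sample data.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample: a policy entry plus a user who hit the failure limit.
SAMPLE_LDIF = """\
dn: cn=pwdpolicy,cn=ibmpolicies
pwdMaxFailure: 3
pwdLockout: true
pwdLockoutDuration: 0
pwdMaxAge: 7776000

dn: uid=jdoe,ou=users,o=example
uid: jdoe
pwdChangedTime: 20240101120000Z
pwdFailureTime: 20240301090000Z
pwdFailureTime: 20240301090100Z
pwdFailureTime: 20240301090200Z
pwdAccountLockedTime: 20240301090200Z
"""

INDEFINITE_LOCK = "000001010000Z"  # draft value for "locked until an admin unlocks it"


def parse_ldif(text):
    """Minimal LDIF reader: returns {dn: {attr_lowercase: [values]}}.

    Attribute names are lower-cased because LDAP attribute types are
    case-insensitive and exports vary in their capitalisation.
    """
    entries = {}
    for block in text.strip().split("\n\n"):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        entries[dn] = attrs
    return entries


def gen_time(value):
    """GeneralizedTime as ISDS writes it (YYYYMMDDHHMMSSZ) -> aware datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def account_state(user, policy, now):
    """Work out what the directory thinks of this account at time `now`."""
    max_failure = int(policy.get("pwdmaxfailure", ["0"])[0])
    lockout_enabled = policy.get("pwdlockout", ["false"])[0].lower() == "true"
    lock_duration = int(policy.get("pwdlockoutduration", ["0"])[0])  # 0 = until unlocked
    max_age = int(policy.get("pwdmaxage", ["0"])[0])  # 0 = passwords never expire

    failures = len(user.get("pwdfailuretime", []))
    state = {"failures": failures, "locked": False, "lock_reason": None,
             "password_expired": False, "must_reset": False}

    locked_at = user.get("pwdaccountlockedtime", [None])[0]
    if locked_at == INDEFINITE_LOCK:
        state["locked"], state["lock_reason"] = True, "administrative lock"
    elif lockout_enabled and locked_at:
        # A timed lock expires on its own; duration 0 means it never does.
        still_locked = lock_duration == 0 or now < gen_time(locked_at) + timedelta(seconds=lock_duration)
        if still_locked:
            state["locked"] = True
            state["lock_reason"] = f"{failures} failed logins (limit {max_failure})"

    changed = user.get("pwdchangedtime", [None])[0]
    if max_age and changed:
        state["password_expired"] = now >= gen_time(changed) + timedelta(seconds=max_age)

    state["must_reset"] = user.get("pwdreset", ["false"])[0].lower() == "true"
    return state


def main():
    entries = parse_ldif(SAMPLE_LDIF)
    policy = entries["cn=pwdpolicy,cn=ibmpolicies"]
    user = entries["uid=jdoe,ou=users,o=example"]
    now = datetime(2024, 3, 2, tzinfo=timezone.utc)
    for key, value in account_state(user, policy, now).items():
        print(f"{key:>17}: {value}")


if __name__ == "__main__":
    main()
```

For a timed lockout policy (pwdLockoutDuration greater than zero) the same function reports the account as unlocked once the duration has elapsed, which is the case where the pdadmin "account valid" flag and the directory's own view drift furthest apart.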