
I have a NextCloud server which is connected to an openLDAP server. All users can change their passwords, which should follow a password policy. For users who only have a NextCloud account, this works fine with the setting in NextCloud. However, most users have an openLDAP account. I followed this HowTo

https://kifarunix.com/implement-openldap-password-policies/

to set up the password policy in openLDAP. On the LDAP server itself it works (e.g. minimum of 10 characters). However, you can type in any password when changing it via NextCloud. In NextCloud I use cn=admin to connect to the LDAP server.

Does anyone have any idea why the password policy is ignored?

Best regards

  • I guess the connection with the admin account is the problem, as I get the same result if I use the command line directly on the server. – Arne Fallisch Jul 26 '22 at 11:49

1 Answer


You cannot use the admin account to connect NextCloud to the LDAP server because it circumvents your password policy. You need another user with special rights. I used an LDIF file containing this:

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: to dn.subtree="ou=people,o=suffix"
  by dn.exact=cn=nextcloud,dc=ldap,dc=quarep,dc=org manage
olcAccess: to attrs=userPassword
  by dn.exact=cn=nextcloud,dc=ldap,dc=quarep,dc=org manage
  by self write
  by anonymous auth
  by * none
olcAccess: to attrs=shadowLastChange
  by self write
  by * read
olcAccess: to * by * read

to grant the user nextcloud enough rights.
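To see what each bind identity actually ends up with under those four olcAccess values before loading them into cn=config, here is an added example (not code from the original answer, nor from OpenLDAP or NextCloud). It implements the subset of slapd's access-control semantics the rules use: the first "to" clause whose target matches the entry and attribute is selected, then the first matching "by" clause inside it decides the privilege, and a "to" clause with no matching "by" clause denies. The user entries (uid=jdoe, uid=asmith) are constructed assumptions; the olcAccess text is quoted verbatim, so the first rule keeps the "o=suffix" placeholder and therefore matches nothing under dc=ldap,dc=quarep,dc=org in this constructed tree.

```python
"""Evaluate the olcAccess rules from the answer with OpenLDAP's first-match
semantics. Added example, not code from the original post or from
OpenLDAP/NextCloud. Supports only the 'to'/'by' syntax those rules use."""
from __future__ import annotations

import re
from dataclasses import dataclass

# OpenLDAP privilege levels, lowest to highest; a level implies all lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# The olcAccess values quoted in the answer, verbatim ('o=suffix' included).
ACL_LDIF = """\
olcAccess: to dn.subtree="ou=people,o=suffix"
  by dn.exact=cn=nextcloud,dc=ldap,dc=quarep,dc=org manage
olcAccess: to attrs=userPassword
  by dn.exact=cn=nextcloud,dc=ldap,dc=quarep,dc=org manage
  by self write
  by anonymous auth
  by * none
olcAccess: to attrs=shadowLastChange
  by self write
  by * read
olcAccess: to * by * read
"""

# Constructed identities for the walk-through (assumptions, not from the post).
NEXTCLOUD_DN = "cn=nextcloud,dc=ldap,dc=quarep,dc=org"
USER_DN = "uid=jdoe,ou=people,dc=ldap,dc=quarep,dc=org"
OTHER_DN = "uid=asmith,ou=people,dc=ldap,dc=quarep,dc=org"


@dataclass
class Rule:
    subtree: str | None         # dn.subtree="..." target, None = every entry
    attrs: set[str] | None      # attrs=... target, None = every attribute
    by: list[tuple[str, str]]   # ordered (who, level) clauses


def norm_dn(dn: str) -> str:
    """Normalise a DN for comparison: lowercase, no blanks around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def in_subtree(entry_dn: str, base_dn: str) -> bool:
    e, b = norm_dn(entry_dn), norm_dn(base_dn)
    return e == b or e.endswith("," + b)


def parse_olcaccess(ldif: str) -> list[Rule]:
    """Turn (LDIF-folded) olcAccess values into Rule objects, keeping order."""
    unfolded = re.sub(r"\n +", " ", ldif)   # join LDIF continuation lines
    rules = []
    for line in unfolded.splitlines():
        if not line.startswith("olcAccess:"):
            continue
        value = line.split(":", 1)[1].strip()
        target, *clauses = re.split(r"\s+by\s+", value)
        target = re.sub(r"^to\s+", "", target)
        subtree = attrs = None
        if (m := re.search(r'dn\.subtree="([^"]+)"', target)):
            subtree = m.group(1)
        if (m := re.search(r"attrs=(\S+)", target)):
            attrs = {a.lower() for a in m.group(1).split(",")}
        by = [tuple(c.rsplit(None, 1)) for c in clauses]   # "who level"
        rules.append(Rule(subtree, attrs, by))
    return rules


def who_matches(who: str, bind_dn: str | None, entry_dn: str) -> bool:
    """Does a 'by' subject apply to this bind identity (None = anonymous)?"""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and norm_dn(bind_dn) == norm_dn(entry_dn)
    if who.startswith("dn.exact="):
        return bind_dn is not None and norm_dn(bind_dn) == norm_dn(who[len("dn.exact="):])
    raise ValueError(f"unsupported 'by' subject: {who}")


def access(rules: list[Rule], bind_dn: str | None, entry_dn: str, attr: str) -> str:
    """Privilege bind_dn gets on attr of entry_dn: first matching 'to', then first matching 'by'."""
    for rule in rules:
        if rule.subtree is not None and not in_subtree(entry_dn, rule.subtree):
            continue
        if rule.attrs is not None and attr.lower() not in rule.attrs:
            continue
        for who, level in rule.by:
            if who_matches(who, bind_dn, entry_dn):
                return level
        return "none"   # target matched but no 'by' did: implicit 'by * none'
    return "none"       # no target matched: denied


def allows(rules: list[Rule], bind_dn: str | None, entry_dn: str, attr: str, needed: str) -> bool:
    """True if the granted level is at least `needed` (levels are cumulative)."""
    return LEVELS.index(access(rules, bind_dn, entry_dn, attr)) >= LEVELS.index(needed)


RULES = parse_olcaccess(ACL_LDIF)

if __name__ == "__main__":
    for label, dn in [("nextcloud", NEXTCLOUD_DN), ("self", USER_DN),
                      ("another user", OTHER_DN), ("anonymous", None)]:
        for attr in ("userPassword", "shadowLastChange", "cn"):
            print(f"{label:13s} {attr:17s} {access(RULES, dn, USER_DN, attr)}")
```

Running it shows the intended least-privilege split on userPassword: cn=nextcloud gets manage, the entry's owner gets write, anonymous gets auth (enough for a bind) and every other user gets none, while shadowLastChange and all remaining attributes stay readable. Because a "to" clause that matches but has no matching "by" clause denies, substituting your real suffix into the first rule makes it govern every attribute of every entry under ou=people for everyone, so re-run the check after that edit. On a live directory the same question can be put to slapd's own evaluator with slapacl, e.g. `slapacl -F /etc/ldap/slapd.d -D "cn=nextcloud,dc=ldap,dc=quarep,dc=org" -b "uid=jdoe,ou=people,dc=ldap,dc=quarep,dc=org" userPassword/write`.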