LDAP backend does not force password policy #10242

Closed
tux1337 opened this issue Jul 14, 2018 · 3 comments
@tux1337
tux1337 commented Jul 14, 2018

Steps to reproduce

  1. Enable the LDAP user and group backend and enable the Password Policy app.
  2. Define a password policy, e.g. min. 10 characters.
  3. Change the password to a new password of e.g. 1 character.

Expected behaviour

Password should be checked for validity with the password policy app in Nextcloud or with the LDAP password policy

Actual behaviour

Password policy is ignored; you can use any password.
Password policy from LDAP is also ignored. It is only used for password expiration with OpenLDAP.

Server configuration

Operating system: Debian 9

Web server: Apache

Database: MariaDB

PHP version: 7.0

Nextcloud version: 13.0.4
LDAP user and group backend App 1.3.1
Password Policy App: 1.3.0

Updated from an older Nextcloud/ownCloud or fresh install: fresh install

Where did you install Nextcloud from: tar

Signing status:

Signing status
Login as admin user into your Nextcloud and access 
http://example.com/index.php/settings/integrity/failed 
paste the results here.

No errors have been found.

List of activated apps:

App list
If you have access to your command line run e.g.:
sudo -u www-data php occ app:list
from within your Nextcloud installation folder

LDAP user and group backend
Password policy

Nextcloud configuration:

Config report
If you have access to your command line run e.g.:
sudo -u www-data php occ config:list system
from within your Nextcloud installation folder

or 

Insert your config.php content here. 
Make sure to remove all sensitive content such as passwords. (e.g. database password, passwordsalt, secret, smtp password, …)

Are you using external storage, if yes which one: no

Are you using encryption: no

Are you using an external user-backend, if yes which one: LDAP with 389 directory Server

LDAP configuration (delete this part if not used)

LDAP config
With access to your command line run e.g.:
sudo -u www-data php occ ldap:show-config
from within your Nextcloud installation folder

Without access to your command line download the data/owncloud.db to your local
computer or access your SQL server remotely and run the select query:
SELECT * FROM `oc_appconfig` WHERE `appid` = 'user_ldap';


Eventually replace sensitive data as the name/IP-address of your LDAP server or groups.

Client configuration

Browser: Chrome

Operating system: Debian 9

Logs

Web server error log

Web server error log
Insert your webserver log here

Nextcloud log (data/nextcloud.log)

Nextcloud log
Insert your Nextcloud log here

Browser log

Browser log
Insert your browser log here, this could for example include:

a) The javascript console log
b) The network log
c) ...

@MorrisJobke
Member

@juliushaertl @nextcloud/ldap @rullzer @nickvergessen Usually this should work, right? Or is it maybe registered after the LDAP module?

@GitHubUser4234
Contributor

This definitely works. It rather points to some configuration issue at the LDAP server.

@tux1337 Just some hints: Is the policy assigned to your LDAP user? Does the policy trigger when you use the ldappasswd command? Also, make sure that you don't use the LDAP DB admin in Nextcloud's LDAP settings, but another dedicated user that has permission to change other users' passwords.
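
The checks hinted at in the comment above, as an added example that is not part of the thread or of Nextcloud: a POSIX shell function that reads an LDIF excerpt of the directory's global password policy and flags the misconfigurations that would let a 1-character password through. It assumes 389 Directory Server's `passwordCheckSyntax` and `passwordMinLength` attributes under `cn=config`; the function names, host and sample DNs are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Feed it the LDIF printed by e.g.:
#   ldapsearch -H ldap://ldap.example.org -D "cn=Directory Manager" -W \
#     -b cn=config -s base passwordCheckSyntax passwordMinLength
# Assumes 389 Directory Server's global policy; subtree/user-level policies
# are not inspected. Host and DNs are placeholders.

# ldif_attr NAME: print the value of the first "NAME: value" line on stdin.
ldif_attr() {
    awk -v want="$1" '
        BEGIN { want = tolower(want) ":" }
        tolower($1) == want { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# policy_findings BIND_DN REQUIRED_MIN < ldif
# Prints one finding per line; returns 0 if nothing was flagged, else 1.
policy_findings() {
    bind_dn=$1 required=$2 rc=0
    ldif=$(cat)
    syntax=$(printf '%s\n' "$ldif" | ldif_attr passwordCheckSyntax)
    minlen=$(printf '%s\n' "$ldif" | ldif_attr passwordMinLength)
    # The thread advises against binding Nextcloud as the directory admin.
    case $(printf '%s' "$bind_dn" | tr 'A-Z' 'a-z') in
        "cn=directory manager")
            echo "BIND: Nextcloud binds as the directory admin; use a dedicated account"
            rc=1 ;;
    esac
    # Syntax checking must be on for the length rule to apply.
    if [ "$syntax" != "on" ]; then
        echo "SYNTAX: passwordCheckSyntax is '${syntax:-unset}'"
        rc=1
    fi
    case $minlen in
        ''|*[!0-9]*)
            echo "MINLEN: passwordMinLength is not set"; rc=1 ;;
        *)
            if [ "$minlen" -lt "$required" ]; then
                echo "MINLEN: passwordMinLength=$minlen is below $required"; rc=1
            fi ;;
    esac
    return $rc
}

# Constructed sample: admin bind DN, syntax checking off, minimum length 6.
policy_findings "cn=Directory Manager" 10 <<'EOF' || true
dn: cn=config
passwordCheckSyntax: off
passwordMinLength: 6
EOF
```

A clean result here only covers the global policy; the `ldappasswd` test suggested in the comment remains the end-to-end check that the server rejects a short password for the account Nextcloud binds as.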

@MorrisJobke
Member

Let's close this ticket then for now. Seems to be setup related.

Thanks @GitHubUser4234 for the clarification here.
