
Re: Enabling Password Policy Messages via Extended Controls in OpenLDAP



--- Quanah Gibson-Mount <quanah@stanford.edu> wrote:
> Did you give yourself anonymous access to the root
> DSE?  This is generally suggested.

Ah yes, that was my problem.  Network scanning
software determined that the anonymous scanning of
base was a vulnerability, so I turned that off some
time ago.   Now, I must turn it back on for
authenticated users.  As a side-note I now understand
why that feature is so important.
***
OK, back to my original question of how to enable the
client to read the password-policy messages from the
server ppolicy module.  My server supports these
controls, extensions and features:

******
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: +
#

#
dn:
structuralObjectClass: OpenLDAProotDSE
configContext: cn=config
namingContexts: dc=fnfis,dc=com
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.4203.1.10.1
supportedControl: 1.2.840.113556.1.4.1340
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 1.2.840.113556.1.4.1339
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.826.0.1.334810.2.3
supportedControl: 1.3.6.1.1.13.2
supportedControl: 1.3.6.1.1.13.1
supportedControl: 1.3.6.1.1.12
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedFeatures: 1.3.6.1.1.14
supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
supportedFeatures: 1.3.6.1.4.1.4203.1.5.2
supportedFeatures: 1.3.6.1.4.1.4203.1.5.3
supportedFeatures: 1.3.6.1.4.1.4203.1.5.4
supportedFeatures: 1.3.6.1.4.1.4203.1.5.5
supportedLDAPVersion: 3
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: DIGEST-MD5
entryDN:
subschemaSubentry: cn=Subschema

# search result
search: 2
result: 0 Success
******

When I view the ldap.h file, I find the following
declarations:

/* Password policy Controls */
/* work in progress */
/* ITS#3458: released, but not to latest draft; disabled by default */
#define LDAP_CONTROL_PASSWORDPOLICYREQUEST  "1.3.6.1.4.1.42.2.27.8.5.1"
#define LDAP_CONTROL_PASSWORDPOLICYRESPONSE "1.3.6.1.4.1.42.2.27.8.5.1"

These controls don't show up in my output above.  Must
I enable these controls before the client can read the
password policy messages?

Thanks

Shawn
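An added example, not part of the thread, showing the check Shawn is doing by eye: parse the LDIF that `ldapsearch -x -b '' -s base '(objectclass=*)' +` prints for the root DSE, list the advertised controls and extensions, and report whether the password policy control OID from ldap.h is among them. The sample LDIF is a constructed copy of the root DSE output quoted above, the OID-to-name table covers only OIDs the author is sure of, and a search that returns no entry (what you get once anonymous read of the root DSE is removed from the ACLs, as in Quanah's question) is reported as such rather than mistaken for "no controls supported".

```python
"""Check an OpenLDAP root DSE for the password policy control (added example)."""
import base64

# OID declared for LDAP_CONTROL_PASSWORDPOLICYREQUEST/RESPONSE in ldap.h (from the mail).
LDAP_CONTROL_PASSWORDPOLICY = "1.3.6.1.4.1.42.2.27.8.5.1"

# Names for the OIDs in the quoted output that the author is certain about;
# anything else is reported as "unknown" rather than guessed.
KNOWN_OIDS = {
    "2.16.840.1.113730.3.4.18": "Proxied Authorization (RFC 4370)",
    "2.16.840.1.113730.3.4.2": "ManageDsaIT (RFC 3296)",
    "1.3.6.1.4.1.4203.1.10.1": "Subentries (RFC 3672)",
    "1.2.840.113556.1.4.1413": "Permissive Modify",
    "1.2.840.113556.1.4.319": "Simple Paged Results (RFC 2696)",
    "1.3.6.1.1.13.1": "Pre-Read (RFC 4527)",
    "1.3.6.1.1.13.2": "Post-Read (RFC 4527)",
    "1.3.6.1.1.12": "Assertion (RFC 4528)",
    "1.3.6.1.4.1.1466.20037": "StartTLS",
    "1.3.6.1.4.1.4203.1.11.1": "Modify Password (RFC 3062)",
    "1.3.6.1.4.1.4203.1.11.3": "Who am I? (RFC 4532)",
    LDAP_CONTROL_PASSWORDPOLICY: "Password Policy (draft-behera-ldap-password-policy)",
}

# Constructed sample: a shortened copy of the root DSE output quoted in the mail.
SAMPLE_ROOT_DSE = """\
# extended LDIF
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: +

dn:
structuralObjectClass: OpenLDAProotDSE
namingContexts: dc=example,dc=com
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.3.6.1.1.12
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedLDAPVersion: 3

# search result
search: 2
result: 0 Success
"""


def parse_root_dse(text):
    """Return the root DSE entry as {attribute: [values]}, or None if the
    ldapsearch output contains no entry at all (e.g. anonymous access denied)."""
    entries, current, last_attr = [], {}, None
    for line in text.splitlines():
        if line.startswith("#"):           # ldapsearch/LDIF comment
            continue
        if not line.strip():               # blank line ends an entry
            if "dn" in current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if line.startswith(" ") and last_attr is not None:   # folded value
            current[last_attr][-1] += line[1:]
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):          # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.lstrip()
        current.setdefault(attr, []).append(value)
        last_attr = attr
    if "dn" in current:                    # output without a trailing blank line
        entries.append(current)
    # The "search:/result:" trailer has no dn and is dropped above.
    return entries[0] if entries else None


def advertised_controls(root_dse):
    """Set of control OIDs the server lists in supportedControl."""
    return set(root_dse.get("supportedControl", []))


def supports_ppolicy(root_dse):
    """True if the password policy control OID is advertised."""
    return LDAP_CONTROL_PASSWORDPOLICY in advertised_controls(root_dse)


def describe(root_dse):
    """Human-readable lines naming each advertised control and extension."""
    lines = []
    for attr in ("supportedControl", "supportedExtension"):
        for oid in root_dse.get(attr, []):
            lines.append(f"{attr}: {oid} ({KNOWN_OIDS.get(oid, 'unknown')})")
    return lines


if __name__ == "__main__":
    dse = parse_root_dse(SAMPLE_ROOT_DSE)
    if dse is None:
        print("no root DSE returned: check ACL access to the root DSE for this bind")
    else:
        print("\n".join(describe(dse)))
        print("password policy control advertised:", supports_ppolicy(dse))
```

To run it against a live server, replace `SAMPLE_ROOT_DSE` with the captured output of the `ldapsearch` command above; binding with `-x -D <dn> -W` instead of anonymously shows whether the ACL change Shawn describes is what is hiding the attributes.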