
Re: Enabling Password Policy Messages via Extended Controls in OpenLDAP



Extensions which are "works in progress" are generally not
advertised in slapd(8)'s root DSE.   The Password Policy
LDAP extension specification, as well as our implementation
of this specification, are works in progress and hence not
advertised in the root DSE.

To enable the extension in slapd(8), see slapo-ppolicy.
To enable the extension in OpenLDAP command line tools,
see the man page for the tool (or the usage statement).

Kurt
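The practical consequence of Kurt's answer for a client author, as an added example (this is not code from the thread or from OpenLDAP): because the password policy control is not advertised in the root DSE even when the overlay is loaded, a client must not gate on supportedControl; it sends the request control anyway (the OpenLDAP tools do this with `-e ppolicy`; slapo-ppolicy(5) covers `overlay ppolicy` on the server side) and then decodes the response control, which uses the same OID as the request, as the ldap.h excerpt below shows. The response value follows the ASN.1 of the Behera password-policy draft that OpenLDAP's overlay implements; the root DSE LDIF below is a constructed, abbreviated copy of the one Shawn posted, and the encoded control values are constructed test vectors, not captured traffic.

```python
"""Client-side handling of the OpenLDAP password policy control.

Added example, not code from the thread or from OpenLDAP. The root DSE
LDIF is a constructed sample based on the one posted; the BER values
fed to decode_ppolicy_response() are constructed test vectors.
"""

# One OID serves both the request and the response control (see ldap.h).
PPOLICY_OID = "1.3.6.1.4.1.42.2.27.8.5.1"

# Constructed sample: abbreviated root DSE from the thread. Note that the
# ppolicy OID is absent even though the overlay is loaded on that server.
ROOT_DSE_LDIF = """\
dn:
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 1.3.6.1.4.1.4203.1.10.1
supportedControl: 1.2.840.113556.1.4.319
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
"""


def advertised_oids(ldif, attr):
    """Collect the values of one attribute from a flat LDIF entry."""
    return [line.split(":", 1)[1].strip()
            for line in ldif.splitlines()
            if line.startswith(attr + ":")]


def control_advertised(ldif, oid):
    """True only if the root DSE lists the control; ppolicy never is."""
    return oid in advertised_oids(ldif, "supportedControl")


# PasswordPolicyResponseValue ::= SEQUENCE {
#   warning [0] CHOICE {
#       timeBeforeExpiration [0] INTEGER,
#       graceAuthNsRemaining [1] INTEGER } OPTIONAL,
#   error   [1] ENUMERATED { passwordExpired(0) ... passwordInHistory(8) }
#               OPTIONAL }
# slapd emits warning as [0] constructed (0xA0) wrapping a primitive
# [0] (0x80) or [1] (0x81) INTEGER, and error as primitive [1] (0x81).
ERRORS = ["passwordExpired", "accountLocked", "changeAfterReset",
          "passwordModNotAllowed", "mustSupplyOldPassword",
          "insufficientPasswordQuality", "passwordTooShort",
          "passwordTooYoung", "passwordInHistory"]


def _tlv(buf, pos):
    """Decode one definite-length BER TLV; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated BER value")
    return tag, buf[pos:end], end


def decode_ppolicy_response(value):
    """Parse the response control value into a dict the caller can act on."""
    tag, body, end = _tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("control value is not a single SEQUENCE")
    out = {"time_before_expiration": None,
           "grace_authns_remaining": None, "error": None}
    pos = 0
    while pos < len(body):
        tag, inner, pos = _tlv(body, pos)
        if tag == 0xA0:                    # [0] warning: a tagged CHOICE
            ctag, num, _ = _tlv(inner, 0)
            n = int.from_bytes(num, "big", signed=True)
            if ctag == 0x80:
                out["time_before_expiration"] = n
            elif ctag == 0x81:
                out["grace_authns_remaining"] = n
            else:
                raise ValueError("unknown warning choice tag 0x%02x" % ctag)
        elif tag == 0x81:                  # [1] error: ENUMERATED
            code = int.from_bytes(inner, "big")
            if code >= len(ERRORS):
                raise ValueError("unknown ppolicy error %d" % code)
            out["error"] = ERRORS[code]
        else:
            raise ValueError("unexpected tag 0x%02x in response" % tag)
    return out


def user_message(decoded):
    """Turn the decoded control into the text an application would show."""
    if decoded["error"] == "accountLocked":
        return "Account is locked"
    if decoded["error"] is not None:
        return "Bind refused by password policy: " + decoded["error"]
    if decoded["time_before_expiration"] is not None:
        return "Password expires in %d seconds" % decoded["time_before_expiration"]
    if decoded["grace_authns_remaining"] is not None:
        return "Password expired; %d grace logins left" % decoded["grace_authns_remaining"]
    return "No password policy warning"


if __name__ == "__main__":
    print("advertised:", control_advertised(ROOT_DSE_LDIF, PPOLICY_OID))
    # constructed vector: warning timeBeforeExpiration = 86400
    print(user_message(decode_ppolicy_response(bytes.fromhex("3007a0058003015180"))))
```

The decoder deliberately rejects trailing bytes after the SEQUENCE and unknown tags rather than ignoring them: a control value comes from the server over the wire, and silently skipping what you do not understand is how clients end up reporting "no warning" on a bind that was actually refused.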

At 08:55 AM 8/23/2005, Shawn McKinney wrote:
>--- Quanah Gibson-Mount <quanah@stanford.edu> wrote:
>> Did you give yourself anonymous access to the root
>> DSE?  This is generally 
>> suggested.
>
>Ah yes, that was my problem.  Network scanning
>software determined that the anonymous scanning of
>base was a vulnerability, so I turned that off some
>time ago.   Now, I must turn it back on for
>authenticated users.  As a side-note I now understand
>why that feature is so important.
>***
>OK, back to my original question of how to enable the
>client to read the password-policy messages from the
>server pppolicy module.  My server supports these
>controls, ext's and features:
>
>******
># extended LDIF
>#
># LDAPv3
># base <> with scope baseObject
># filter: (objectclass=*)
># requesting: +
>#
>
>#
>dn:
>structuralObjectClass: OpenLDAProotDSE
>configContext: cn=config
>namingContexts: dc=fnfis,dc=com
>supportedControl: 2.16.840.1.113730.3.4.18
>supportedControl: 2.16.840.1.113730.3.4.2
>supportedControl: 1.3.6.1.4.1.4203.1.10.1
>supportedControl: 1.2.840.113556.1.4.1340
>supportedControl: 1.2.840.113556.1.4.1413
>supportedControl: 1.2.840.113556.1.4.1339
>supportedControl: 1.2.840.113556.1.4.319
>supportedControl: 1.2.826.0.1.334810.2.3
>supportedControl: 1.3.6.1.1.13.2
>supportedControl: 1.3.6.1.1.13.1
>supportedControl: 1.3.6.1.1.12
>supportedExtension: 1.3.6.1.4.1.1466.20037
>supportedExtension: 1.3.6.1.4.1.4203.1.11.1
>supportedExtension: 1.3.6.1.4.1.4203.1.11.3
>supportedFeatures: 1.3.6.1.1.14
>supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
>supportedFeatures: 1.3.6.1.4.1.4203.1.5.2
>supportedFeatures: 1.3.6.1.4.1.4203.1.5.3
>supportedFeatures: 1.3.6.1.4.1.4203.1.5.4
>supportedFeatures: 1.3.6.1.4.1.4203.1.5.5
>supportedLDAPVersion: 3
>supportedSASLMechanisms: CRAM-MD5
>supportedSASLMechanisms: DIGEST-MD5
>entryDN:
>subschemaSubentry: cn=Subschema
>
># search result
>search: 2
>result: 0 Success
>******
>
>When I view the ldap.h file, I find the following
>declarations:
>
>/* Password policy Controls */
>/* work in progress */
>/* ITS#3458: released, but not to latest draft; disabled by default */
>#define LDAP_CONTROL_PASSWORDPOLICYREQUEST "1.3.6.1.4.1.42.2.27.8.5.1"
>#define LDAP_CONTROL_PASSWORDPOLICYRESPONSE "1.3.6.1.4.1.42.2.27.8.5.1"
>
>These controls don't show up in my output above.  Must
>I enable these controls before client can read the
>password policy messages?
>
>Thanks
>
>Shawn