
ppolicy (how to get hands on the password policy response)



Hi,

I would like to know how to enable the password policy controls from the server side. I have the ppolicy overlay enabled in my slapd.conf, but when I log in as a user whose password has expired (during one of the grace logins enabled in the server standard policy), no warnings show up on the client side. But I do see the following messages in the server logs:

Jun 5 17:02:15 ldaptest slapd[11738]: ppolicy_bind: Setting warning for password expiry for cn=Prakash Velayutham,ou=PI-users,dc=cchrf,dc=org = 215 seconds

When I do

ldapsearch -b "" -s base "" supportedControl supportedExtension supportedFeatures
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: supportedControl supportedExtension supportedFeatures
#


#
dn:
supportedControl: 1.3.6.1.4.1.4203.1.9.1.1
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.4203.1.10.1
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.826.0.1.334810.2.3
supportedControl: 1.3.6.1.1.13.2
supportedControl: 1.3.6.1.1.13.1
supportedControl: 1.3.6.1.1.12
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedFeatures: 1.3.6.1.1.14
supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
supportedFeatures: 1.3.6.1.4.1.4203.1.5.2
supportedFeatures: 1.3.6.1.4.1.4203.1.5.3
supportedFeatures: 1.3.6.1.4.1.4203.1.5.4
supportedFeatures: 1.3.6.1.4.1.4203.1.5.5

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

the result does not show PasswordPolicyControl (1.3.6.1.4.1.42.2.27.8.5.1). Could someone please let me know how to enable this control from the server side? For some reason the control seems not to be supported even with the ppolicy overlay enabled.

Thanks,
Prakash

Note: I did see a thread on this topic earlier (http://www.openldap.org/lists/openldap-software/200601/msg00187.html), but there is no follow-up posted to that.
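
Added example, not part of the original post: a decoder for the value of the password policy response control (the OID named in the post) as a client would find it attached to a bind result. The BER layout is assumed from the Behera LDAP password policy draft; the function names and the sample bytes, constructed to match the 215-second warning in the server log above, are illustrative.

```python
# Added example: decode the value of the password policy response control.
PPOLICY_OID = "1.3.6.1.4.1.42.2.27.8.5.1"  # OID quoted in the post
ERRORS = ["passwordExpired", "accountLocked", "changeAfterReset",
          "passwordModNotAllowed", "mustSupplyOldPassword",
          "insufficientPasswordQuality", "passwordTooShort",
          "passwordTooYoung", "passwordInHistory"]

def _tlv(buf, pos):
    """Read one short-form BER tag-length-value; return (tag, value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos + 1] & 0x80:
        raise ValueError("truncated header or long-form length")
    tag, end = buf[pos], pos + 2 + buf[pos + 1]
    if end > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos + 2:end], end

def _int(val):
    if not val:
        raise ValueError("empty INTEGER/ENUMERATED")
    return int.from_bytes(val, "big", signed=True)

def decode_ppolicy_response(value):
    """Return a dict with whichever warning/error fields the server sent."""
    tag, body, end = _tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("expected exactly one SEQUENCE")
    out, pos = {}, 0
    while pos < len(body):
        tag, val, pos = _tlv(body, pos)
        if tag == 0xA0:    # warning [0]: wraps the CHOICE below
            ctag, cval, _ = _tlv(val, 0)
            names = {0x80: "time_before_expiration", 0x81: "grace_auths_remaining"}
            if ctag not in names:
                raise ValueError(f"unexpected warning tag 0x{ctag:02x}")
            out[names[ctag]] = _int(cval)
        elif tag == 0x81:  # error [1] ENUMERATED
            code = _int(val)
            out["error"] = ERRORS[code] if 0 <= code < len(ERRORS) else f"unknown({code})"
        else:
            raise ValueError(f"unexpected tag 0x{tag:02x}")
    return out

# Constructed sample: the 215-second expiry warning from the server log.
SAMPLE = bytes.fromhex("3006a004800200d7")
print(PPOLICY_OID, decode_ppolicy_response(SAMPLE))
```

An empty SEQUENCE decodes to an empty dict, meaning the control carried neither a warning nor an error.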