Configuring Password Policy - Control not working
Hi,
I've installed openldap-2.3.20 but password policy does not appear to be
working as I expect.
I initially installed openldap with the following configuration
./configure -q --enable-syncprov=no --enable-ppolicy=yes --enable-accesslog=yes --with-cyrus-sasl=yes
This I believe installed openldap with ppolicy overlay statically linked in.
I ran
make depend
make
make test
and all tests worked ok, including the password policy test22 (from logs,
it recognised ppolicy was available and didn't just skip the test)
I then installed openldap to the default location
make install
I edited slapd.conf and added ppolicy overlay commands to the end of the file:
overlay ppolicy
ppolicy_default "cn=Standard Policy,ou=Policies,dc=example,dc=org"
and included the schema at the top underneath other schema includes
include /usr/local/etc/openldap/schema/ppolicy.schema
Using ldapadd and ldif, I added ppolicy entries
dn: ou=Policies,dc=example,dc=org
objectClass: top
objectClass: organizationalUnit
ou: Policies

dn: cn=Standard Policy,ou=Policies,dc=example,dc=org
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: Standard Policy
pwdAttribute: userPassword
pwdLockoutDuration: 0
pwdInHistory: 6
pwdCheckQuality: 2
pwdExpireWarning: 1000
pwdMaxAge: 30000
pwdMinLength: 5
pwdGraceAuthnLimit: 3
pwdAllowUserChange: TRUE
pwdMustChange: TRUE
pwdMaxFailure: 3
pwdFailureCountInterval: 0
pwdSafeModify: TRUE
pwdLockout: TRUE
I then ran openldap (note: have also configured TLS):
/usr/local/libexec/slapd -h "ldap:/// ldaps:///" -d -1
but got the following warning:
WARNING: No dynamic config support for overlay ppolicy.
config_build_entry: "olcOverlay={0}ppolicy"
I checked if the password policy control was supported
ldapsearch -x -b "" -s base "" supportedFeatures supportedControl supportedExtension
and got something like:
supportedControl: 1.3.6.1.4.1.4203.1.9.1.1
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.4203.1.10.1
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.826.0.1.334810.2.3
supportedControl: 1.2.826.0.1.3344810.2.3
supportedControl: 1.3.6.1.1.13.2
supportedControl: 1.3.6.1.1.13.1
supportedControl: 1.3.6.1.1.12
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedFeatures: 1.3.6.1.1.14
supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
supportedFeatures: 1.3.6.1.4.1.4203.1.5.2
supportedFeatures: 1.3.6.1.4.1.4203.1.5.3
supportedFeatures: 1.3.6.1.4.1.4203.1.5.4
supportedFeatures: 1.3.6.1.4.1.4203.1.5.5
but it was missing password policy control 1.3.6.1.4.1.42.2.27.8.5.1
Can anyone help explain why this is the case?
My custom client is not working, I think the missing control is causing my
problems.
In an effort to figure out what was going on, I've seen that people have entries in
slapd.conf like this:
modulepath /usr/local/libexec/openldap
moduleload ppolicy.la
So I tried to get this working (thought it might have something to do with
dynamic support); however, I failed miserably to get /usr/local/libexec/openldap/ppolicy.la
to build.
./configure -q --with-cyrus-sasl=yes --enable-overlays=yes --enable-modules=yes --enable-dynamic=yes
or..
./configure -q --enable-syncprov=no --enable-ppolicy=yes --enable-accesslog=yes --with-cyrus-sasl=yes --enable-overlays=yes --enable-modules=yes --enable-dynamic=yes
On investigation, I understand that password policy is not available as a
dynamic module (http://www.openldap.org/faq/data/cache/362.html); modules
are only available to backends!?
My custom client provides request controls, setting the password policy control
to be critical, i.e. must be supported by the server. This is an extract
of the debug:
do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt (m}) ber:
=> get_ctrls
ber_scanf fmt ({m) ber:
ber_scanf fmt (b) ber:
=> get_ctrls: oid="1.3.6.1.4.1.42.2.27.8.5.1" (critical)
<= get_ctrls: n=1 rc=2 err="passwordPolicyRequest control invalid criticality"
send_ldap_result: conn=2 op=0 p=3
send_ldap_response: msgid=1 tag=97 err=2
ber_flush: 63 bytes to sd 14
do_bind: get_ctrls failed
connection_get(14): got connid=2
connection_read(14): checking for input on id=2
ber_get_next
TLS trace: SSL3 alert read:warning:close notify
The custom client receives error code 2, which I believe (from
http://www.directory-info.com/LDAP/LDAPErrorCodes.html) is:
2 -> LDAP_PROTOCOL_ERROR: Indicates that the server has received an invalid
or malformed request from the client.
I would have expected error code 12 as the server didn't support the control:
12 -> LDAP_UNAVAILABLE_CRITICAL_EXTENSION: Indicates that the LDAP server
was unable to satisfy a request because one or more critical extensions
were not available. Either the server does not support the control or the
control is not appropriate for the operation type.
If anyone can help or point me in a direction where I may be able to get to
the bottom of this problem, I'd greatly appreciate it.
Thanks
Tony
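Added worked example (not part of the post above and not OpenLDAP code): a hand-rolled BER encoder for an LDAP BindRequest that carries the passwordPolicyRequest control (1.3.6.1.4.1.42.2.27.8.5.1), plus a minimal server-side control check that reproduces the two outcomes the post contrasts. A control the server knows but that is sent with criticality TRUE is refused as protocolError (2) with the exact diagnostic shown in the posted slapd -d -1 output, while an unrecognised critical control is the case that RFC 4511 answers with unavailableCriticalExtension (12). The OID 1.3.6.1.4.1.99999.1, the bind DN and the list of controls the toy server accepts on a Bind are constructed for the example.

```python
# Added example: encode a BindRequest with the passwordPolicyRequest control and
# decode its controls the way a server-side control parser sees them.

PPOLICY_REQUEST_OID = "1.3.6.1.4.1.42.2.27.8.5.1"
UNKNOWN_OID = "1.3.6.1.4.1.99999.1"   # constructed OID, registered nowhere

LDAP_SUCCESS = 0
LDAP_PROTOCOL_ERROR = 2
LDAP_UNAVAILABLE_CRITICAL_EXTENSION = 12

# Controls this toy server accepts on a Bind (assumption: stands in for what a
# loaded overlay registers; in slapd the ppolicy control is registered for Bind).
BIND_CONTROLS = {PPOLICY_REQUEST_OID}


def ber_length(n):
    """Definite-length BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def tlv(tag, content):
    return bytes([tag]) + ber_length(len(content)) + content


def ber_integer(n):
    size = max(1, (n.bit_length() + 8) // 8)     # room for the sign bit
    return tlv(0x02, n.to_bytes(size, "big", signed=True))


def ber_octet_string(s):
    return tlv(0x04, s.encode())


def ber_boolean(flag):
    return tlv(0x01, b"\xff" if flag else b"\x00")


def control(oid, critical=False, value=None):
    """Control ::= SEQUENCE { controlType, criticality BOOLEAN DEFAULT FALSE,
    controlValue OCTET STRING OPTIONAL }; passwordPolicyRequest carries no value."""
    body = ber_octet_string(oid)
    if critical:                                 # DEFAULT FALSE is omitted when false
        body += ber_boolean(True)
    if value is not None:
        body += tlv(0x04, value)
    return tlv(0x30, body)


def bind_request(message_id, dn, password, controls=()):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0], controls [0] OPTIONAL }
    using simple authentication ([0] inside the BindRequest)."""
    bind = tlv(0x60, ber_integer(3) + ber_octet_string(dn) + tlv(0x80, password.encode()))
    ctrls = tlv(0xA0, b"".join(controls)) if controls else b""
    return tlv(0x30, ber_integer(message_id) + bind + ctrls)


def read_tlv(buf, pos):
    """Decode one TLV at buf[pos]; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def parse_controls(message):
    """Skip messageID and protocolOp, then return [(oid, critical), ...]
    from the controls field, as a get_ctrls()-style parser would."""
    tag, body, _ = read_tlv(message, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = read_tlv(body, 0)                # messageID
    _, _, pos = read_tlv(body, pos)              # protocolOp
    if pos >= len(body):
        return []
    tag, ctrls, _ = read_tlv(body, pos)
    if tag != 0xA0:
        raise ValueError("unexpected data after protocolOp")
    out, p = [], 0
    while p < len(ctrls):
        _, ctrl, p = read_tlv(ctrls, p)
        _, oid, q = read_tlv(ctrl, 0)
        critical = False
        if q < len(ctrl):
            t, v, q = read_tlv(ctrl, q)
            critical = (t == 0x01 and v != b"\x00")
        out.append((oid.decode(), critical))
    return out


def check_bind_controls(message):
    """Server-side decision for a Bind: (resultCode, diagnostic text)."""
    for oid, critical in parse_controls(message):
        if oid == PPOLICY_REQUEST_OID and critical:
            # The diagnostic the posted debug output shows for a critical ppolicy control.
            return LDAP_PROTOCOL_ERROR, "passwordPolicyRequest control invalid criticality"
        if oid not in BIND_CONTROLS and critical:
            # RFC 4511 4.1.11: unrecognised critical control -> unavailableCriticalExtension.
            return LDAP_UNAVAILABLE_CRITICAL_EXTENSION, "critical control unavailable"
    return LDAP_SUCCESS, ""


if __name__ == "__main__":
    dn = "cn=tony,ou=People,dc=example,dc=org"   # constructed test identity
    for name, ctrl in [("critical ppolicy", control(PPOLICY_REQUEST_OID, critical=True)),
                       ("non-critical ppolicy", control(PPOLICY_REQUEST_OID)),
                       ("unknown critical", control(UNKNOWN_OID, critical=True))]:
        print(name, check_bind_controls(bind_request(1, dn, "secret", [ctrl])))
```

The point the encoder makes visible is that the criticality field is the only difference between the accepted and the rejected Bind: the same OID, sent with the boolean omitted (criticality FALSE, the ASN.1 default), passes the check, so a client that wants the ppolicy response control on a Bind should send the request control non-critical rather than relying on the rootDSE listing.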