
Re: Configuring Password Policy - Control not working



The log you attached indicates first an anonymous Bind, which will not get any policy response because there are no passwords for anonymous, therefore no password policies for anonymous. Then a single Search request, which completes successfully. There's no use of any password here, so again, no policy response control. If there was a Bind request with an actual DN, there would be a policy response control. If the Bind resulted in a restriction, then any subsequent operation with policy request would also receive a response control indicating the reason for the restriction.

Murphy, Tony wrote:
Thanks, Howard, for the help. Changed the control from critical to non
critical and got a step further. Think there is still something wrong
with my configuration as no control response is returned.

I ran an ldapsearch with -e ppolicy option

ldapsearch -x -b "dc=example,dc=org" -e ppolicy objectclass=myUser

and got the following response
slap_global_control: unavailable control: 1.3.6.1.4.1.42.2.27.8.5.1

Full log below....

slapd startup: initiated.
backend_startup_one: starting "cn=config"
config_back_db_open
config_build_entry: "cn=config"
config_build_entry: "cn=include{0}"
config_build_entry: "cn=include{1}"
config_build_entry: "cn=include{2}"
config_build_entry: "cn=include{3}"
config_build_entry: "cn=include{4}"
config_build_entry: "cn=schema"
config_build_entry: "cn={0}core"
config_build_entry: "cn={1}cosine"
config_build_entry: "cn={2}inetorgperson"
config_build_entry: "cn={3}ppolicy"
config_build_entry: "cn={4}mySchema"
config_build_entry: "olcDatabase={-1}frontend"
config_build_entry: "olcDatabase={0}config"
config_build_entry: "olcDatabase={1}bdb"
WARNING: No dynamic config support for overlay ppolicy.
config_build_entry: "olcOverlay={0}ppolicy"
backend_startup_one: starting "dc=example,dc=org"
bdb_db_open: Warning - No DB_CONFIG file found in directory /usr/local/var/openldap-data: (2)
Expect poor performance for suffix dc=example,dc=org.
bdb_db_open: dbenv_open(/usr/local/var/openldap-data)
slapd starting
ldap_pvt_gethostbyname_a: host=devpc-tm1, r=0
connection_get(14): got connid=0
connection_read(14): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 43 contents:
ber_get_next
ber_get_next on fd 14 failed errno=11 (Resource temporarily unavailable)
do_bind ber_scanf fmt ({imt) ber:
ber_scanf fmt (m}) ber:
=> get_ctrls
ber_scanf fmt ({m) ber:
=> get_ctrls: oid="1.3.6.1.4.1.42.2.27.8.5.1" (noncritical)
<= get_ctrls: n=1 rc=0 err=""
dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
do_bind: version=3 dn="" method=128
slap_global_control: unavailable control: 1.3.6.1.4.1.42.2.27.8.5.1
send_ldap_result: conn=0 op=0 p=3
send_ldap_response: msgid=1 tag=97 err=0
ber_flush: 14 bytes to sd 14
connection_get(14): got connid=0
connection_read(14): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 98 contents:
ber_get_next
ber_get_next on fd 14 failed errno=11 (Resource temporarily unavailable)
do_bind: v3 anonymous bind
do_search
ber_scanf fmt ({miiiib) ber:
dnPrettyNormal: <dc=example,dc=org>
<<< dnPrettyNormal: <dc=example,dc=org>, <dc=example,dc=org>
ber_scanf fmt ({mm}) ber:
ber_scanf fmt ({M}}) ber:
=> get_ctrls
ber_scanf fmt ({m) ber:
=> get_ctrls: oid="1.3.6.1.4.1.42.2.27.8.5.1" (noncritical)
<= get_ctrls: n=1 rc=0 err=""
slap_global_control: unavailable control: 1.3.6.1.4.1.42.2.27.8.5.1
==> limits_get: conn=0 op=1 dn="[anonymous]"
=> bdb_search
bdb_dn2entry("dc=example,dc=org")
=> bdb_dn2id("dc=example,dc=org")
<= bdb_dn2id: got id=0x00000001
entry_decode: "dc=example,dc=org"
<= entry_decode(dc=example,dc=org)
search_candidates: base="dc=example,dc=org" (0x00000001) scope=2
=> bdb_dn2idl("dc=example,dc=org")
=> bdb_equality_candidates (objectClass)
=> key_read
<= bdb_index_read: failed (-30989)
<= bdb_equality_candidates: id=0, first=0, last=0
=> bdb_equality_candidates (objectClass)
=> key_read
<= bdb_index_read 2 candidates
<= bdb_equality_candidates: id=2, first=1678, last=1679
bdb_search_candidates: id=-1 first=1678 last=1679
entry_decode: "uid=aaaa,ou=people,dc=example,dc=org"
<= entry_decode(uid=aaaa,ou=people,dc=example,dc=org)
=> bdb_dn2id("ou=people,dc=example,dc=org")
<= bdb_dn2id: got id=0x00000003
=> bdb_dn2id("uid=aaaa,ou=people,dc=example,dc=org")
<= bdb_dn2id: got id=0x0000068e
=> send_search_entry: conn 0 dn="uid=aaaa,ou=people,dc=example,dc=org"
ber_flush: 256 bytes to sd 14
<= send_search_entry: conn 0 exit.
entry_decode: "uid=admin,ou=people,dc=example,dc=org"
<= entry_decode(uid=admin,ou=people,dc=example,dc=org)
=> bdb_dn2id("uid=admin,ou=people,dc=example,dc=org")
<= bdb_dn2id: got id=0x0000068f
=> send_search_entry: conn 0 dn="uid=admin,ou=people,dc=example,dc=org"
ber_flush: 331 bytes to sd 14
<= send_search_entry: conn 0 exit.
send_ldap_result: conn=0 op=1 p=3
send_ldap_response: msgid=2 tag=101 err=0
ber_flush: 14 bytes to sd 14
connection_get(14): got connid=0
connection_read(14): checking for input on id=0
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
ber_get_next
ber_get_next on fd 14 failed errno=0 (Success)
connection_read(14): input error=-2 id=0, closing.
connection_closing: readying conn=0 sd=14 for close
connection_close: deferring conn=0 sd=14
connection_resched: attempting closing conn=0 sd=14
connection_close: deferring conn=0 sd=14
do_unbind
connection_resched: attempting closing conn=0 sd=14
connection_close: conn=0 sd=14
connection_get(14): connection not used
connection_read(14): no connection!



--
 -- Howard Chu
 Chief Architect, Symas Corp.  http://www.symas.com
 Director, Highland Sun        http://highlandsun.com/hyc
 OpenLDAP Core Team            http://www.openldap.org/project/
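An added example, not part of this thread and not OpenLDAP's or python-ldap's own code: the reply above says the server attaches a password policy response control (OID 1.3.6.1.4.1.42.2.27.8.5.1) only to operations where a policy actually applies, so an anonymous Bind gets none. When the control is present, its value is a small BER-encoded structure (warning and/or error, per draft-behera-ldap-password-policy). The script below decodes that value with a hand-written BER reader and reports "no policy response" when the control is absent from a result's control list. The sample control values are constructed by hand for this example, not captured from any server; the function and constant names are this example's own.

```python
# Minimal decoder for the passwordPolicyResponse control value
# (OID 1.3.6.1.4.1.42.2.27.8.5.1). Added example; the ASN.1 layout follows
# draft-behera-ldap-password-policy:
#   PasswordPolicyResponseValue ::= SEQUENCE {
#       warning [0] CHOICE { timeBeforeExpiration [0] INTEGER,
#                            graceAuthNsRemaining [1] INTEGER } OPTIONAL,
#       error   [1] ENUMERATED { passwordExpired(0) ... passwordInHistory(8) } OPTIONAL }
# The [0] on a CHOICE is explicit (constructed 0xA0 wrapping 0x80/0x81);
# the [1] on the ENUMERATED is implicit (primitive 0x81).

PPOLICY_OID = "1.3.6.1.4.1.42.2.27.8.5.1"

ERRORS = {
    0: "passwordExpired",
    1: "accountLocked",
    2: "changeAfterReset",
    3: "passwordModNotAllowed",
    4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality",
    6: "passwordTooShort",
    7: "passwordTooYoung",
    8: "passwordInHistory",
}


def _read_tlv(buf, pos):
    """Read one BER tag-length-value starting at pos.
    Handles short-form and long-form lengths; returns (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated BER element")
    return tag, value, pos + length


def decode_ppolicy_response(value):
    """Decode a PasswordPolicyResponseValue. Returns a dict that may hold
    'warning' -> (kind, number) and/or 'error' -> name."""
    result = {}
    tag, body, end = _read_tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("expected a single SEQUENCE")
    pos = 0
    while pos < len(body):
        tag, inner, pos = _read_tlv(body, pos)
        if tag == 0xA0:                    # warning [0], explicitly tagged CHOICE
            ctag, cval, cend = _read_tlv(inner, 0)
            if cend != len(inner):
                raise ValueError("malformed warning CHOICE")
            n = int.from_bytes(cval, "big")
            if ctag == 0x80:
                result["warning"] = ("timeBeforeExpiration", n)   # seconds
            elif ctag == 0x81:
                result["warning"] = ("graceAuthNsRemaining", n)   # bind count
            else:
                raise ValueError("unknown warning tag 0x%02x" % ctag)
        elif tag == 0x81:                  # error [1], implicitly tagged ENUMERATED
            code = int.from_bytes(inner, "big")
            result["error"] = ERRORS.get(code, "unknown(%d)" % code)
        else:
            raise ValueError("unexpected tag 0x%02x in response value" % tag)
    return result


def summarize_result_controls(controls):
    """controls: list of (oid, value_bytes) taken from an LDAP result.
    Returns the decoded policy response, or None when the server sent no
    ppolicy control at all (the anonymous-Bind case from the thread)."""
    for oid, value in controls:
        if oid == PPOLICY_OID:
            return decode_ppolicy_response(value)
    return None


# Constructed sample control values (hand-encoded for this example):
SAMPLE_EXPIRY_WARNING = bytes.fromhex("3007a0058003015180")    # password expires in 86400 s
SAMPLE_LOCKED = bytes.fromhex("3003810101")                   # error: accountLocked
SAMPLE_GRACE_AND_RESET = bytes.fromhex("3008a003810102810102")  # 2 grace binds left + changeAfterReset

if __name__ == "__main__":
    print("anonymous bind, no controls:", summarize_result_controls([]))
    for sample in (SAMPLE_EXPIRY_WARNING, SAMPLE_LOCKED, SAMPLE_GRACE_AND_RESET):
        print(sample.hex(), "->", summarize_result_controls([(PPOLICY_OID, sample)]))
```

To use this against a real server you would pass the `(oid, value)` pairs returned with a Bind result into `summarize_result_controls`; a `None` result is the situation described above (no policy applied, so no control), not a decoding failure.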