Re: Configuring Password Policy - Control not working

[Howard Chu <hyc@symas.com>]

The log you attached  indicates first an anonymous Bind, which will not 
get any policy response because there are no passwords for anonymous, 
therefore no password policies for anonymous. Then a single Search 
request, which completes successfully. There's no use of any password 
here, so again, no policy response control. If there was a Bind request 
with an actual DN, there would be a policy response control. If the Bind 
resulted in a restriction, then any subsequent operation with policy 
request would also receive a response control indicating the reason for 
the restriction.

Murphy, Tony wrote:
> Thanks Howard for help. Changed the control from critical to non
> critical and got a step further. Think there is still something wrong
> with my configuration as no control response is returned.
>
> I ran an ldapsearch with -e ppolicy option
>
> ldapsearch -x -b "dc=example,dc=org" -e ppolicy objectclass=myUser
>
> and got the following response
> slap_global_control: unavailable control: 1.3.6.1.4.1.42.2.27.8.5.1
>
> Full log below....
>
> slapd startup: initiated.
> backend_startup_one: starting "cn=config"
> config_back_db_open
> config_build_entry: "cn=config"
> config_build_entry: "cn=include{0}"
> config_build_entry: "cn=include{1}"
> config_build_entry: "cn=include{2}"
> config_build_entry: "cn=include{3}"
> config_build_entry: "cn=include{4}"
> config_build_entry: "cn=schema"
> config_build_entry: "cn={0}core"
> config_build_entry: "cn={1}cosine"
> config_build_entry: "cn={2}inetorgperson"
> config_build_entry: "cn={3}ppolicy"
> config_build_entry: "cn={4}mySchema"
> config_build_entry: "olcDatabase={-1}frontend"
> config_build_entry: "olcDatabase={0}config"
> config_build_entry: "olcDatabase={1}bdb"
> WARNING: No dynamic config support for overlay ppolicy.
> config_build_entry: "olcOverlay={0}ppolicy"
> backend_startup_one: starting "dc=example,dc=org"
> bdb_db_open: Warning - No DB_CONFIG file found in directory
> /usr/local/var/openldap-
> data: (2)
> Expect poor performance for suffix dc=example,dc=org.
> bdb_db_open: dbenv_open(/usr/local/var/openldap-data)
> slapd starting
> ldap_pvt_gethostbyname_a: host=devpc-tm1, r=0
> connection_get(14): got connid=0
> connection_read(14): checking for input on id=0 ber_get_next
> ber_get_next: tag 0x30 len 43 contents:
> ber_get_next
> ber_get_next on fd 14 failed errno=11 (Resource temporarily unavailable)
> do_bind ber_scanf fmt ({imt) ber:
> ber_scanf fmt (m}) ber:
> => get_ctrls
> ber_scanf fmt ({m) ber:
> => get_ctrls: oid="1.3.6.1.4.1.42.2.27.8.5.1" (noncritical) <=
> get_ctrls: n=1 rc=0 err=""
>   
> > > > dnPrettyNormal: <>
> > > >         
> <<< dnPrettyNormal: <>, <>
> do_bind: version=3 dn="" method=128
> slap_global_control: unavailable control: 1.3.6.1.4.1.42.2.27.8.5.1
> send_ldap_result: conn=0 op=0 p=3
> send_ldap_response: msgid=1 tag=97 err=0
> ber_flush: 14 bytes to sd 14
> connection_get(14): got connid=0
> connection_read(14): checking for input on id=0 ber_get_next
> ber_get_next: tag 0x30 len 98 contents:
> ber_get_next
> ber_get_next on fd 14 failed errno=11 (Resource temporarily unavailable)
> do_bind: v3 anonymous bind
> do_search
> ber_scanf fmt ({miiiib) ber:
>   
> > > > dnPrettyNormal: <dc=example,dc=org>
> > > >         
> <<< dnPrettyNormal: <dc=example,dc=org>, <dc=example,dc=org> ber_scanf
> fmt ({mm}) ber:
> ber_scanf fmt ({M}}) ber:
> => get_ctrls
> ber_scanf fmt ({m) ber:
> => get_ctrls: oid="1.3.6.1.4.1.42.2.27.8.5.1" (noncritical) <=
> get_ctrls: n=1 rc=0 err=""
> slap_global_control: unavailable control: 1.3.6.1.4.1.42.2.27.8.5.1 ==>
> limits_get: conn=0 op=1 dn="[anonymous]"
> => bdb_search
> bdb_dn2entry("dc=example,dc=org")
> => bdb_dn2id("dc=example,dc=org")
> <= bdb_dn2id: got id=0x00000001
> entry_decode: "dc=example,dc=org"
> <= entry_decode(dc=example,dc=org)
> search_candidates: base="dc=example,dc=org" (0x00000001) scope=2 =>
> bdb_dn2idl("dc=example,dc=org") => bdb_equality_candidates (objectClass)
> => key_read <= bdb_index_read: failed (-30989) <=
> bdb_equality_candidates: id=0, first=0, last=0 =>
> bdb_equality_candidates (objectClass) => key_read <= bdb_index_read 2
> candidates <= bdb_equality_candidates: id=2, first=1678, last=1679
> bdb_search_candidates: id=-1 first=1678 last=1679
> entry_decode: "uid=aaaa,ou=people,dc=example,dc=org"
> <= entry_decode(uid=aaaa,ou=people,dc=example,dc=org)
> => bdb_dn2id("ou=people,dc=example,dc=org")
> <= bdb_dn2id: got id=0x00000003
> => bdb_dn2id("uid=aaaa,ou=people,dc=example,dc=org")
> <= bdb_dn2id: got id=0x0000068e
> => send_search_entry: conn 0 dn="uid=aaaa,ou=people,dc=example,dc=org"
> ber_flush: 256 bytes to sd 14
> <= send_search_entry: conn 0 exit.
> entry_decode: "uid=admin,ou=people,dc=example,dc=org"
> <= entry_decode(uid=admin,ou=people,dc=example,dc=org)
> => bdb_dn2id("uid=admin,ou=people,dc=example,dc=org")
> <= bdb_dn2id: got id=0x0000068f
> => send_search_entry: conn 0 dn="uid=admin,ou=people,dc=example,dc=org"
> ber_flush: 331 bytes to sd 14
> <= send_search_entry: conn 0 exit.
> send_ldap_result: conn=0 op=1 p=3
> send_ldap_response: msgid=2 tag=101 err=0
> ber_flush: 14 bytes to sd 14
> connection_get(14): got connid=0
> connection_read(14): checking for input on id=0 ber_get_next
> ber_get_next: tag 0x30 len 5 contents:
> ber_get_next
> ber_get_next on fd 14 failed errno=0 (Success)
> connection_read(14): input error=-2 id=0, closing.
> connection_closing: readying conn=0 sd=14 for close
> connection_close: deferring conn=0 sd=14
> connection_resched: attempting closing conn=0 sd=14
> connection_close: deferring conn=0 sd=14 do_unbind
> connection_resched: attempting closing conn=0 sd=14
> connection_close: conn=0 sd=14
> connection_get(14): connection not used
> connection_read(14): no connection!
>
>   


--
 -- Howard Chu
 Chief Architect, Symas Corp.  http://www.symas.com
 Director, Highland Sun        http://highlandsun.com/hyc
 OpenLDAP Core Team            http://www.openldap.org/project/