[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: slap_global_control - ppolicy
> Hello All,
>
> I configured OpenLDAP-2.3.29 with the following options.
>
> ./configure --with-threads=posix --with-tls=openssl --enable-dynamic
> --with-cyrus-sasl --enable-modules--enable-ldbm=mod --enable-crypt
> --enable-lmpasswd --enable-ldap=mod --enable-meta=mod --enable-rewrite
> --enable-null=mod --enable-monitor=mod --enable-accesslog
> --enable-denyop --enable-dyngroup --enable-dynlist --enable-lastmod
> --enable-ppolicy --enable-proxycache --enable-refint --enable-retcode
> --enable-rwm --enable-syncprov --enable-translucent --enable-unique
> --enable-valsort --enable-aci --enable-bdb=mod --enable-hdb=mod
> --enable-ldbm-api=berkeley --enable-spasswd --enable-wrappers
> --prefix=/usr/local/encap/openldap
>
> My slapd.conf is:
>
> include
> /usr/local/encap/openldap/etc/openldap/schema/core.schema
> include
> /usr/local/encap/openldap/etc/openldap/schema/cosine.schema
> include
> /usr/local/encap/openldap/etc/openldap/schema/inetorgperson.schema
> include
> /usr/local/encap/openldap/etc/openldap/schema/openldap.schema
> include /usr/local/encap/openldap/etc/openldap/schema/nis.schema
> include
> /usr/local/encap/openldap/etc/openldap/schema/samba3.schema
> include
> /usr/local/encap/openldap/etc/openldap/schema/ppolicy.schema
>
> allow bind_anon_dn
>
> pidfile /usr/local/encap/openldap/var/run/slapd.pid
> argsfile /usr/local/encap/openldap/var/run/slapd.args
>
> database bdb
> suffix "dc=my-domain,dc=com"
> rootdn "cn=Manager,dc=my-domain,dc=com"
>
> rootpw secret
>
> directory /usr/local/encap/openldap/var/openldap-data
>
> index objectClass eq
>
> overlay ppolicy
> ppolicy_default "cn=Standard Policy,ou=Policies,dc=my-domain,dc=com"
> ppolicy_use_lockout
>
> access to attrs=userpassword
> by self write
> by * auth
>
> access to *
> by self write
> by * read
>
> loglevel -1
>
> ########################################################################
>
> Now when I try to do this:
>
> prakash@linux:~> ldapsearch -H ldap://localhost -D
> "cn=Manager,dc=my-domain,dc=com" -x -W -b "dc=my-domain,dc=com" -e
> ppolicy "cn=Manager"
> Enter LDAP Password:
>
> I get the proper result.
>
> # extended LDIF
> #
> # LDAPv3
> # base <dc=my-domain,dc=com> with scope subtree
> # filter: cn=Manager
> # requesting: ALL
> #
>
> # Manager, my-domain.com
> dn: cn=Manager,dc=my-domain,dc=com
> objectClass: organizationalRole
> cn: Manager
> description: LDAP Directory Manager
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> But in the server logs, I see,
>
> Nov 18 09:55:31 linux slapd[11135]: => get_ctrls:
> oid="1.3.6.1.4.1.42.2.27.8.5.1" (noncritical)
> Nov 18 09:55:31 linux slapd[11135]: <= get_ctrls: n=1 rc=0 err=""
> Nov 18 09:55:31 linux slapd[11135]: attrs:
> Nov 18 09:55:31 linux slapd[11135]:
> Nov 18 09:55:31 linux slapd[11135]: conn=0 op=1 SRCH
> base="dc=my-domain,dc=com" scope=2 deref=0 filter="(cn=manager)"
> Nov 18 09:55:31 linux slapd[11135]: slap_global_control: unavailable
> control: 1.3.6.1.4.1.42.2.27.8.5.1
>
> Is this the reason, why I am not able to get my ppolicy controls to
> work? How do I make this control available?
That message is only telling you that ppolicy is not recognized as a
global control; in fact, it's only supported within the naming context you
configured the ppolicy overlay for. As a consequence, handling of that
control is deferred. You're simply logging at a too verbose level, and
erroneously interpreting the resulting logs. The control does nothing in
the operation above likely because there's nothing to do (i.e. you didn't
provide an incorrect password multiple times, and your password is not
about to expire, or simply because you auth'ed as the rootdn).
Did you read the man page and the draft that control is about? What are
you expecting it to do, otherwise?
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office: +39.02.23998309
Mobile: +39.333.4963172
Email: pierangelo.masarati@sys-net.it
------------------------------------------