
Ppolicy DIGEST-MD5 ignore expired password



Have a nice day.

I have to implement a password policy in our OpenLDAP. While testing the features
of the ppolicy module I found that it ignores an expired password when I authenticate
a user by SASL DIGEST-MD5.
When I try on an expired account:

ldapwhoami -xD "cn=Kokos Velky,ou=TestUsers,ou=People,o=Ceske drahy,c=CZ"

the answer is: ldap_bind: Invalid credentials (49)
and in slapd log:

ppolicy_bind: Entry cn=Kokos Velky,ou=TestUsers,ou=People,o=Ceske
drahy,c=CZ has an expired password: 0 grace logins

But when I try

ldapwhoami -Y DIGEST-MD5 -U kokos1

the answer is
SASL/DIGEST-MD5 authentication started
SASL username: kokos1
SASL SSF: 128
SASL installing layers
dn:cn=kokos velky,ou=testusers,ou=people,o=ceske drahy,c=cz
Result: Success (0)

In slapd.conf I have

sasl-regexp
       uid=(.*),cn=digest-md5,cn=auth
       "ldap:///o=Ceske drahy,c=CZ??sub?(&(uid=$1)(|(objectClass=inetOrgPerson)(objectClass=applicationProcess)))"

What am I doing wrong?

Many thanks for advice.
Jiri Netolicky