[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ldap bind and password policy



Oh, I'm not bothered. I'm not touchy or impatient. I've done it myself. :)

- chris

Chris Jacobs, Systems Administrator
Apollo Group | Apollo Marketing | Aptimus
2001 6th Ave Ste 3200 | Seattle, WA 98121
phone: 206.441.9100 x1245 | mobile: 206.601.3256 | fax: 206.441.9661
email: chris.jacobs@apollogrp.edu


From: Marco Pizzoli <marco.pizzoli@gmail.com>
To: Chris Jacobs
Cc: boesch@fhv.at <boesch@fhv.at>; openldap-technical@openldap.org <openldap-technical@openldap.org>
Sent: Fri Jul 02 09:10:35 2010
Subject: Re: ldap bind and password policy

You're right, I apologize for reading too fast the original request. It seemed similar to a problem I had months ago and replied consequently. Sorry.

Marco




On Fri, Jul 2, 2010 at 6:00 PM, Chris Jacobs <Chris.Jacobs@apollogrp.edu> wrote:
"ppolicy_forward_updates" won't affect the primary issue of:
* wrong password --> got ldapsearch results:
"...(type in wrong password for binding) ldapsearch get me search results..."

Also, it seems he already has that setup:
"it just adds a pwdFailureTimeattribute on the provider and consumer"

I have nothing to add (having chased this issue myself unsuccessfully) except to clarify what the original poster wrote.

This is the third time we've heard of the issue.

Christian:
* What OS/ver are you using?
* What version of PAM is installed?
* What does your slapd.conf look like on your consumer (don't make the noob mistake I did of posting real domain, rootdn and rootpw info)?

- chris

Chris Jacobs, Systems Administrator
Apollo Group | Apollo Marketing | Aptimus
2001 6th Ave Ste 3200 | Seattle, WA 98121
phone: 206.441.9100 x1245 | mobile: 206.601.3256 | fax: 206.441.9661
email: chris.jacobs@apollogrp.edu


From: openldap-technical-bounces@OpenLDAP.org <openldap-technical-bounces@OpenLDAP.org>
To: Christian Bösch <boesch@fhv.at>
Cc: openldap-technical@openldap.org <openldap-technical@openldap.org>
Sent: Fri Jul 02 07:18:51 2010
Subject: Re: ldap bind and password policy

Hi, you have to add in your configuration of ppolicy overlay the directive about the forwarding of operational attirbutes related to ppolicy to the master server. So you have this attributes syncronized in all your servers.

ppolicy_forward_updates available since version 2.4.18.

Regards
    Marco

On Fri, Jul 2, 2010 at 1:46 PM, Christian Bösch <boesch@fhv.at> wrote:
hi,

i just added password policy overlay to our openldap servers (2.4.21)
it works fine in general. i can change password as user and it gets well replicated
between provider and consumer.

but since i added password policy i have a strange behaviour:
_i do a ldapsearch on the provider and type in a wrong password for the binding user,
then i get: ldap_bind: Invalid credentials (49) - as expected
_if i do the same on the consumer (type in wrong password for binding) ldapsearch
get me search results without to complain about wrong password. it just adds a pwdFailureTime
attribute on the provider and consumer. but i also expect to get a ldap_bind: Invalid credentials (49) error?

thx for any ideas!

/chris





--
_________________________________________
Non è forte chi non cade, ma chi cadendo ha la forza di rialzarsi.
Jim Morrison


This message is private and confidential. If you have received it in error, please notify the sender and remove it from your system.




--
_________________________________________
Non è forte chi non cade, ma chi cadendo ha la forza di rialzarsi.
Jim Morrison


This message is private and confidential. If you have received it in error, please notify the sender and remove it from your system.