[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: ppolicy overlay unable to set pwdAccountLockedTime on to-be-locked users due to ACLs
21.12.2016, 23:34, "Matthieu Cerda" <kegeruneku+openldap@ironflake.org>:
> Hello folks,
Hello,
The "deleted access denied by read" error has been fixed to OpenLDAP next version, I remember.
I think it was from that slapo-ppolicy and has been fix in the 2.4.11 version.
http://www.openldap.org/devel/cvsweb.cgi/Attic/CHANGES
Regards,
--
Ozgur Karatas
m: mueddib@openldap.org
w: http://www.openldap.org
f: https://www.facebook.com/openldap
t: https://www.twitter.com/openldaporg
i: irc.freenode.net #openldap
> I just stumbled upon a (maybe not) surprising technical issue with my
> OpenLDAP setup: ppolicy seems unable to update pwdAccountLockedTime on
> my users.
>
> Setup:
>
> * OpenLDAP 2.4.40(+dfsg-1+deb8u2) on Debian jessie
>
> * Password policy and ACLs:
>
> ---8<---
> dn: cn=default,ou=policies,dc=company,dc=com
> objectClass: top
> objectClass: person
> objectClass: pwdPolicy
> cn: passwordDefault
> cn: default
> pwdAttribute: userPassword
> sn: passwordDefault
> pwdAllowUserChange: TRUE
> pwdCheckQuality: 0
> pwdExpireWarning: 0
> pwdFailureCountInterval: 0
> pwdGraceAuthNLimit: 0
> pwdInHistory: 3
> pwdLockout: TRUE
> pwdLockoutDuration: 300
> pwdMaxAge: 0
> pwdMaxFailure: 3
> pwdMinAge: 0
> pwdMinLength: 8
> pwdMustChange: FALSE
> pwdSafeModify: FALSE
> ---8<---
>
> ---8<---
> access to attrs=userPassword,shadowLastChange
> by dn="uid=mcerda,ou=people,dc=company,dc=com" write
> by self write
> by anonymous auth
> by * none
>
> access to dn.base="" by * read
>
> access to *
> by dn="uid=mcerda,ou=people,dc=company,dc=com" write
> by users read
> by * none
> ---8<---
>
> * pwdFailureTime gets updated on each failed login attempt on users
> until pwdMaxFailure is reached (3)
>
> * Testing for account locking is done both by observing we appearance in
> user object and using '-e ppolicy' on ldapsearch (ppolicy_use_lockout is
> enabled)
>
> Everytime an user reaches pwdMaxFailure count, the debug log (level
> 65535) gives:
>
> ---8<---
> 585947a5 => mdb_entry_get: found entry:
> "cn=default,ou=policies,dc=company,dc=com"
> 585947a5 mdb_entry_get: rc=0
> 585947a5 mdb_modify: uid=fbar,ou=people,dc=company,dc=com
> 585947a5 slap_queue_csn: queueing 0x65696ef4bce0
> 20161220150053.705334Z#000000#000#000000
> 585947a5 mdb_dn2entry("uid=fbar,ou=people,dc=company,dc=com")
> 585947a5 => mdb_dn2id("uid=fbar,ou=people,dc=company,dc=com")
> 585947a5 <= mdb_dn2id: got id=0x9
> 585947a5 => mdb_entry_decode:
> 585947a5 <= mdb_entry_decode
> 585947a5 mdb_modify_internal: 0x00000009:
> uid=fbar,ou=people,dc=company,dc=com
> 585947a5 => access_allowed: result not in cache (pwdAccountLockedTime)
> 585947a5 => access_allowed: delete access to
> "uid=fbar,ou=people,dc=company,dc=com" "pwdAccountLockedTime" requested
> 585947a5 => dn: [2]
> 585947a5 => acl_get: [3] attr pwdAccountLockedTime
> 585947a5 => acl_mask: access to entry
> "uid=fbar,ou=people,dc=company,dc=com", attr "pwdAccountLockedTime"
> requested
> 585947a5 => acl_mask: to all values by "", (=0)
> 585947a5 <= check a_dn_pat: uid=mcerda,ou=people,dc=company,dc=com
> 585947a5 <= check a_dn_pat: users
> 585947a5 <= check a_dn_pat: anonymous
> 585947a5 <= acl_mask: [3] applying read(=rscxd) (stop)
> 585947a5 <= acl_mask: [3] mask: read(=rscxd)
> 585947a5 => slap_access_allowed: delete access denied by read(=rscxd)
> 585947a5 => access_allowed: no more rules
> 585947a5 mdb_modify: modify failed (50)
> 585947a5 send_ldap_result: conn=1000 op=0 p=3
> 585947a5 send_ldap_result: err=50 matched="" text=""
> 585947a5 slap_graduate_commit_csn: removing 0x6569601047f0
> 20161220150053.705334Z#000000#000#000000
> 585947a5 send_ldap_response: msgid=1 tag=97 err=49
> ---8<---
>
> I can't see a reason why the update gets denied. Setting the global ACL
> to:
>
> ---8<---
> access to *
> by dn="uid=mcerda,ou=people,dc=company,dc=com" write
> by * write
> ---8<---
>
> fixes the issue (but I obviously not want an open bar slapd).
>
> The documentation (http://www.openldap.org/doc/admin24/overlays.html)
> advises nothing about ACLs.
>
> Is this and issue or a misconfiguration ?
>
> Thanks in advance,
> --
> Matthieu Cerda