
Re: (ITS#6411) Possible bug in Overlay pPolicy



Please close this ITS.

In version 2.4.21 it works fine.

Thanks
Jarbas

2009/12/3 Jarbas Peixoto Júnior <jarbas.junior@gmail.com>:
> Attached is the configuration file of the server testing openldap on squeeze.
>
> I made some changes to the file /etc/ldap/slapd.overlay.conf being
> included by /etc/ldap/slapd.conf and discovered that the problem is
> with the overlay rwm, because when I comment that overlay the problem
> does not appear.
>
> If I keep the following rwm overlay entries, the problem happens again:
>
> moduleload rwm
> overlay rwm
>
> Even with the other rwm overlay settings commented out, the problem continues.
>
> Any ideas?
>
>
> 2009/12/2 Howard Chu <hyc@symas.com>:
>> jarbas.junior@gmail.com wrote:
>>>
>>> Full_Name: Jarbas Peixoto Junior
>>> Version: 2.4.11 / 2.4.17 / 2.4.20
>>> OS: Gnu/Linux Debian
>>> URL: ftp://ftp.openldap.org/incoming/
>>> Submission from: (NULL) (200.152.34.143)
>>>
>>>
>>> Possible bug in Overlay pPolicy
>>>
>>> I have OpenLDAP installed via the Debian Lenny package functioning
>>> normally.
>>>
>>> Aiming to test the Debian Squeeze version, I installed on the test machine
>>> the slapd package (2.4.17-2.1) with the same setup as Debian Lenny (2.4.11).
>>>
>>> However, when testing the pPolicy overlay I noticed that an authentication
>>> with a wrong password runs through all objects in the ldap database, causing
>>> a "delay" that does not exist in the Lenny version.
>>>
>>> Below is some information that may be useful in detecting the problem:
>>>
>>> File: slapd.conf
>>> ====================
>>> moduleload      ppolicy
>>> overlay ppolicy
>>> ppolicy_default "cn=default,ou=LdapPassword,ou=Politicas,ou=Builtin,dc=previdencia,dc=gov,dc=br"
>>> ppolicy_use_lockout
>>> ====================
>>>
>>> ldapsearch -LLL -x -H ldap://squeeze -b
>>> ou=LdapPassword,ou=Politicas,ou=Builtin,dc=previdencia,dc=gov,dc=br
>>> '(cn=default)'
>>> dn: cn=default,ou=LdapPassword,ou=Politicas,ou=Builtin,dc=previdencia,dc=gov,dc=br
>>> objectClass: top
>>> objectClass: device
>>> objectClass: pwdPolicy
>>> pwdAttribute: userPassword
>>> description:: UG9sw610aWNhIGRlIFNlbmhhIERlZmF1bHQgcGFyYSB0b2RvcyB1c3XDoXJpb3M=
>>> pwdAllowUserChange: TRUE
>>> pwdFailureCountInterval: 3600
>>> pwdGraceAuthNLimit: 5
>>> pwdInHistory: 0
>>> pwdLockoutDuration: 60
>>> pwdMaxAge: 7776000
>>> pwdMinAge: 0
>>> pwdMinLength: 6
>>> pwdSafeModify: FALSE
>>> pwdCheckQuality: 1
>>> pwdExpireWarning: 600
>>> cn: default
>>> pwdMustChange: FALSE
>>> pwdMaxFailure: 10
>>> pwdLockout: FALSE
>>>
>>> date ; ldapsearch -LLL -x -H ldap://squeeze -b
>>> ou=usuarios,dc=previdencia,dc=gov,dc=br -D
>>> uid=jarbas.peixoto,ou=pessoas,ou=usuarios,dc=previdencia,dc=gov,dc=br -w
>>> wrong-password '(uid=jarbas.peixoto)' cn mail pwdFailureTime
>>> pwdAccountLockedTime modifyTimeStamp ; date
>>> Qua Dez  2 16:14:56 AMST 2009
>>> ldap_bind: Invalid credentials (49)
>>> Qua Dez  2 16:15:36 AMST 2009
>>>
>>> grep 'access_allowed: search access to' /var/log/debug | wc -l
>>> 83714
>>>
>>> The question is: why access all entries in LDAP?
>>
>> Don't know. This would have to be the result of a search operation, but
>> there is no search code in ppolicy.c. Since ppolicy cannot be the culprit,
>> we'll need to see the rest of your config to track down the issue.
>>
>> --
>>  -- Howard Chu
>>  CTO, Symas Corp.           http://www.symas.com
>>  Director, Highland Sun     http://highlandsun.com/hyc/
>>  Chief Architect, OpenLDAP  http://www.openldap.org/project/
>>
>
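The grep count in the report above measures the symptom over the whole log; as an added example (not code from this thread or from OpenLDAP), the Python below applies the same measurement per bind, pairing each BIND with its RESULT in a constructed stats+acl log and flagging failed binds that triggered an unusually large number of search ACL checks. The sample lines, the sequential conn/op attribution and the threshold are assumptions.

```python
import re

# Constructed sample of slapd log output with the stats and acl log levels mixed,
# modelled on the lines quoted in the report; conn/op numbers and DNs are made up.
SAMPLE_LOG = """\
conn=1001 op=0 BIND dn="uid=jarbas.peixoto,ou=pessoas,ou=usuarios,dc=example,dc=br" method=128
=> access_allowed: search access to "uid=a,ou=pessoas,ou=usuarios,dc=example,dc=br" "entry" requested
=> access_allowed: search access to "uid=b,ou=pessoas,ou=usuarios,dc=example,dc=br" "entry" requested
=> access_allowed: search access to "uid=c,ou=pessoas,ou=usuarios,dc=example,dc=br" "entry" requested
conn=1001 op=0 RESULT tag=97 err=49 text=
conn=1002 op=0 BIND dn="uid=someone,ou=pessoas,ou=usuarios,dc=example,dc=br" method=128
conn=1002 op=0 RESULT tag=97 err=0 text=
"""

BIND_RE = re.compile(r'^conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
RESULT_RE = re.compile(r'^conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)')
ACL_SEARCH_RE = re.compile(r'^=> access_allowed: search access to ')


def bind_acl_fanout(log_text, threshold=100):
    """Attribute 'search access' ACL checks to the BIND in flight and flag binds
    whose check count exceeds threshold.  Assumption: ACL debug lines carry no
    conn id, so checks are attributed sequentially to the most recent open BIND,
    which is only reliable on a low-concurrency capture."""
    current = None   # (conn, op, dn) of the BIND awaiting its RESULT
    count = 0
    records = []
    for line in log_text.splitlines():
        m = BIND_RE.match(line)
        if m:
            current, count = (m.group(1), m.group(2), m.group(3)), 0
            continue
        if current is not None and ACL_SEARCH_RE.match(line):
            count += 1
            continue
        m = RESULT_RE.match(line)
        if m and current is not None and (m.group(1), m.group(2)) == current[:2]:
            records.append({
                "conn": current[0], "dn": current[2], "err": int(m.group(3)),
                "acl_search_checks": count, "flagged": count > threshold,
            })
            current = None
    return records

if __name__ == "__main__":
    for rec in bind_acl_fanout(SAMPLE_LOG, threshold=2):
        status = "FLAGGED" if rec["flagged"] else "ok"
        print(f"conn={rec['conn']} err={rec['err']} "
              f"search_acl_checks={rec['acl_search_checks']} {status}")
```

On a real capture, a healthy failed bind (err=49) should show a check count near zero; a count in the tens of thousands, as in the report, points at another overlay or backend walking the directory.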