
Re: slap_global_control - ppolicy



>>> "Pierangelo Masarati" <ando@sys-net.it> 11/19/06 10:21 AM >>>
> Hello All,
>
> I configured OpenLDAP-2.3.29 with the following options.
>
> ./configure --with-threads=posix --with-tls=openssl --enable-dynamic
> --with-cyrus-sasl --enable-modules --enable-ldbm=mod --enable-crypt
> --enable-lmpasswd --enable-ldap=mod --enable-meta=mod --enable-rewrite
> --enable-null=mod --enable-monitor=mod --enable-accesslog
> --enable-denyop --enable-dyngroup --enable-dynlist --enable-lastmod
> --enable-ppolicy --enable-proxycache --enable-refint --enable-retcode
> --enable-rwm --enable-syncprov --enable-translucent --enable-unique
> --enable-valsort --enable-aci --enable-bdb=mod --enable-hdb=mod
> --enable-ldbm-api=berkeley --enable-spasswd --enable-wrappers
> --prefix=/usr/local/encap/openldap
>
> My slapd.conf is:
>
> include
> /usr/local/encap/openldap/etc/openldap/schema/core.schema
> include
> /usr/local/encap/openldap/etc/openldap/schema/cosine.schema
> include
> /usr/local/encap/openldap/etc/openldap/schema/inetorgperson.schema
> include
> /usr/local/encap/openldap/etc/openldap/schema/openldap.schema
> include
> /usr/local/encap/openldap/etc/openldap/schema/nis.schema
> include
> /usr/local/encap/openldap/etc/openldap/schema/samba3.schema
> include
> /usr/local/encap/openldap/etc/openldap/schema/ppolicy.schema
>
> allow bind_anon_dn
>
> pidfile         /usr/local/encap/openldap/var/run/slapd.pid
> argsfile        /usr/local/encap/openldap/var/run/slapd.args
>
> database        bdb
> suffix          "dc=my-domain,dc=com"
> rootdn          "cn=Manager,dc=my-domain,dc=com"
>
> rootpw          secret
>
> directory       /usr/local/encap/openldap/var/openldap-data
>
> index   objectClass     eq
>
> overlay ppolicy
> ppolicy_default "cn=Standard Policy,ou=Policies,dc=my-domain,dc=com"
> ppolicy_use_lockout
>
> access to attrs=userpassword
>         by self write
>         by * auth
>
> access to *
>         by self write
>         by * read
>
> loglevel -1
>
> ########################################################################
>
> Now when I try to do this:
>
> prakash@linux:~> ldapsearch -H ldap://localhost -D
> "cn=Manager,dc=my-domain,dc=com" -x -W -b "dc=my-domain,dc=com" -e
> ppolicy "cn=Manager"
> Enter LDAP Password:
>
> I get the proper result.
>
> # extended LDIF
> #
> # LDAPv3
> # base <dc=my-domain,dc=com> with scope subtree
> # filter: cn=Manager
> # requesting: ALL
> #
>
> # Manager, my-domain.com
> dn: cn=Manager,dc=my-domain,dc=com
> objectClass: organizationalRole
> cn: Manager
> description: LDAP Directory Manager
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> But in the server logs, I see,
>
> Nov 18 09:55:31 linux slapd[11135]: => get_ctrls:
> oid="1.3.6.1.4.1.42.2.27.8.5.1" (noncritical)
> Nov 18 09:55:31 linux slapd[11135]: <= get_ctrls: n=1 rc=0 err=""
> Nov 18 09:55:31 linux slapd[11135]:     attrs:
> Nov 18 09:55:31 linux slapd[11135]:
> Nov 18 09:55:31 linux slapd[11135]: conn=0 op=1 SRCH
> base="dc=my-domain,dc=com" scope=2 deref=0 filter="(cn=manager)"
> Nov 18 09:55:31 linux slapd[11135]: slap_global_control: unavailable
> control: 1.3.6.1.4.1.42.2.27.8.5.1
>
> Is this the reason, why I am not able to get my ppolicy controls to
> work? How do I make this control available?

That message is only telling you that ppolicy is not recognized as a
global control; in fact, it's only supported within the naming context
you configured the ppolicy overlay for.  As a consequence, handling of
that control is deferred.  You're simply logging at a too verbose level,
and erroneously interpreting the resulting logs.  The control does
nothing in the operation above likely because there's nothing to do
(i.e. you didn't provide an incorrect password multiple times, and your
password is not about to expire, or simply because you auth'ed as the
rootdn).

Did you read the man page and the draft that control is about? What are
you expecting it to do, otherwise?

p.
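The point Pierangelo makes above (the "slap_global_control: unavailable control" line is expected whenever the ppolicy control arrives on a search whose base lies under a suffix that carries the ppolicy overlay) can be turned into a small log triage check. The script below is an added example, not code from the thread or from OpenLDAP: it parses the relevant slapd.conf directives, rejoins the log lines quoted in the thread (constructed here, unwrapped), and reports whether each "unavailable control" message is covered by a ppolicy-enabled database. The OID 1.3.6.1.4.1.42.2.27.8.5.1 is the one logged in the thread; the rule "expected if a ppolicy overlay covers the search base" is an assumption taken from the explanation above, not from slapd's own control-dispatch code.

```python
import re

# OID logged in the thread for the password policy request control.
PPOLICY_CONTROL_OID = "1.3.6.1.4.1.42.2.27.8.5.1"

# Constructed slapd.conf fragment: the directives from the thread that this check needs.
SAMPLE_CONF = """\
database        bdb
suffix          "dc=my-domain,dc=com"
rootdn          "cn=Manager,dc=my-domain,dc=com"
overlay ppolicy
ppolicy_default "cn=Standard Policy,ou=Policies,dc=my-domain,dc=com"
ppolicy_use_lockout
"""

# Constructed log lines modelled on those quoted in the thread, with the
# mail-client line wraps rejoined so each record is a single line.
SAMPLE_LOG = [
    'Nov 18 09:55:31 linux slapd[11135]: => get_ctrls: oid="1.3.6.1.4.1.42.2.27.8.5.1" (noncritical)',
    'Nov 18 09:55:31 linux slapd[11135]: <= get_ctrls: n=1 rc=0 err=""',
    'Nov 18 09:55:31 linux slapd[11135]: conn=0 op=1 SRCH base="dc=my-domain,dc=com" scope=2 deref=0 filter="(cn=manager)"',
    'Nov 18 09:55:31 linux slapd[11135]: slap_global_control: unavailable control: 1.3.6.1.4.1.42.2.27.8.5.1',
]

SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)"')
UNAVAIL_RE = re.compile(r'slap_global_control: unavailable control: (\S+)')


def normalize_dn(dn):
    """Lower-case and strip whitespace around RDN separators so DNs compare reliably."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def dn_within(dn, suffix):
    """True if dn equals suffix or is subordinate to it."""
    dn, suffix = normalize_dn(dn), normalize_dn(suffix)
    return dn == suffix or dn.endswith("," + suffix)


def parse_databases(conf_text):
    """Return [{'type', 'suffix', 'overlays'}] for each database section, in file order."""
    dbs = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = line.split(None, 1)
        key = words[0].lower()
        val = words[1].strip().strip('"') if len(words) > 1 else ""
        if key == "database":
            dbs.append({"type": val, "suffix": None, "overlays": []})
        elif key == "suffix" and dbs:
            dbs[-1]["suffix"] = val
        elif key == "overlay" and dbs:
            dbs[-1]["overlays"].append(val.lower())
    return dbs


def triage(log_lines, databases):
    """Pair each 'unavailable control' record with the preceding SRCH and
    decide whether a ppolicy-enabled database covers that search base."""
    findings = []
    last_search = None
    for line in log_lines:
        m = SRCH_RE.search(line)
        if m:
            last_search = {"conn": m.group(1), "op": m.group(2), "base": m.group(3)}
            continue
        m = UNAVAIL_RE.search(line)
        if not m:
            continue
        oid = m.group(1)
        covering = None
        if oid == PPOLICY_CONTROL_OID and last_search:
            for db in databases:
                if db["suffix"] and "ppolicy" in db["overlays"] \
                        and dn_within(last_search["base"], db["suffix"]):
                    covering = db["suffix"]
                    break
        findings.append({
            "oid": oid,
            "search": last_search,
            "verdict": "expected" if covering else "unexpected",
            "reason": (f"control is handled by the ppolicy overlay on suffix {covering}"
                       if covering else
                       "no ppolicy-enabled database covers this search base, or the OID is not the ppolicy control"),
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, parse_databases(SAMPLE_CONF)):
        print(f["verdict"], f["oid"], f["search"]["base"] if f["search"] else "-", "-", f["reason"])
```

Run it against a real log by replacing SAMPLE_LOG with the lines read from syslog; an "unexpected" verdict is the only case worth chasing, since it means the control was sent for a base that no ppolicy overlay will ever see.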


Hello,

Thanks for the reply. Makes sense. Actually my issue was initially
getting ppolicy overlay to work. Should I open a new thread on that or
should I use this thread for that too?

Prakash