Full_Name: David Coutadeur Version: 2.4.39 OS: Debian wheezy 64 URL: http://62.210.236.82/incoming/ppm-1.0.tar.gz Submission from: (NULL) (92.103.166.6) Hi, I am proposing this module extending password policy for integration into contrib/slapd-modules. (see URL attached) I get inspired by the ltb check password module, but I finally rewrote everything from scratch to better include new functionnalities. You can consider this as a replacement for ITS Incoming/7412 The code has been tested a little, and a work has been done to make the code cleaner, but do not hesitate for any suggestion or remark. David
dcoutadeur@linagora.com wrote: > Full_Name: David Coutadeur > Version: 2.4.39 > OS: Debian wheezy 64 > URL: http://62.210.236.82/incoming/ppm-1.0.tar.gz > Submission from: (NULL) (92.103.166.6) > > > > Hi, > > I am proposing this module extending password policy for integration into > contrib/slapd-modules. (see URL attached) > > I get inspired by the ltb check password module, but I finally rewrote > everything from scratch to better include new functionnalities. > > You can consider this as a replacement for ITS Incoming/7412 > > The code has been tested a little, and a work has been done to make the code > cleaner, but do not hesitate for any suggestion or remark. I took a brief look at it. The config file syntax seems a bit awkward, how do you distinguish a new class name from an existing reserved keyword? I'd like to hear other people's opinion on the actual checks being performed. > David > > -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/
Hi, I have released a new version of ppm: password policy module version 1.1 http://62.210.236.82/incoming/ppm-1.1.tar.gz The goal was to : - make the code more modular, - make the configuration file simpler, - simplify the configuration data structure To answer your question : > how do you distinguish a new class name from an existing reserved keyword? In version 1.0 : you can't, because everything is defining a class by default. But in fact, the need to have many class is not very common... In version 1.1 : class parameters begin by the keyword "class-". Furthermore, a regex table of allowed parameters is available. Thanks in advance for your interrest. David Le 2014-04-10 10:57, Howard Chu a écrit : > dcoutadeur@linagora.com wrote: > >> Full_Name: David Coutadeur Version: 2.4.39 OS: Debian wheezy 64 URL: http://62.210.236.82/incoming/ppm-1.0.tar.gz [1] Submission from: (NULL) (92.103.166.6) Hi, I am proposing this module extending password policy for integration into contrib/slapd-modules. (see URL attached) I get inspired by the ltb check password module, but I finally rewrote everything from scratch to better include new functionnalities. You can consider this as a replacement for ITS Incoming/7412 The code has been tested a little, and a work has been done to make the code cleaner, but do not hesitate for any suggestion or remark. > > I took a brief look at it. The config file syntax seems a bit awkward, how do you distinguish a new class name from an existing reserved keyword? > > I'd like to hear other people's opinion on the actual checks being performed. > >> David Links: ------ [1] http://62.210.236.82/incoming/ppm-1.0.tar.gz
Hi, The ppm module is still alive, and is evolving. Last version is 1.2, and source code is now available on Github : https://github.com/davidcoutadeur/ppm There are also plans to package it. If anybody is interrested, I am always glad to hear about comments, ideas, improvements,... Sincerely, David
Hi, I am considering solutions to give the password policy module its configuration in cn=config, and not in a flat configuration file. However, If I create a ppm.la overlay to register a ppm configuration schema, I won't be able to read it in the ppm.so which is loaded dynamically by the ppolicy overlay. Indeed, ppolicy is dynamically including the ppm.so code through libtool, so there is no link at all between ppm.so and ppm.la. Does anybody have an idea on how a module called by the ppolicy could read some configuration in cn=config ? Thanks in advance ! David Le 12/11/2014 10:41, David Coutadeur a écrit : > > Hi, > > The ppm module is still alive, and is evolving. > Last version is 1.2, and source code is now available on Github : > > https://github.com/davidcoutadeur/ppm > > There are also plans to package it. > If anybody is interrested, I am always glad to hear about comments, > ideas, improvements,... > > Sincerely, > > David
Hi David, Is it still desired to see this contributed to the Openldap project?
IMHO additional password checks should be immplemented in slapo-ppolicy based on attributes in the relevant pwdPolicy entry.
Hello, Yes, it is still desired to include ppm as a contrib module. If ppm is interesting for enough people, it would be great to have it by default in OpenLDAP. For information, there is a new version of ppm in preparation that is taking advantage of the new ppolicy internet draft features, and particularly the ability to have the ppm configuration stored in an attribute of the ppolicy: https://github.com/ltb-project/ppm/issues/20 Thus, the integration of ppm is even better.
(In reply to David Coutadeur from comment #7) > Hello, > > Yes, it is still desired to include ppm as a contrib module. > If ppm is interesting for enough people, it would be great to have it by > default in OpenLDAP. > > For information, there is a new version of ppm in preparation that is taking > advantage of the new ppolicy internet draft features, and particularly the > ability to have the ppm configuration stored in an attribute of the ppolicy: > https://github.com/ltb-project/ppm/issues/20 > Thus, the integration of ppm is even better. Great! I see you're on top of the fact that slapo-ppolicy was updated in master/RE25 for draft 10. Please test against the RE25 branch and let us know if there are any issues, so we can be on top of them right away. :)
Just for tracability, I have made some new tests on master branch on the ppolicy: see https://bugs.openldap.org/show_bug.cgi?id=9156 David
We believe this was fixed as a part of 9400. Can you confirm? *** This issue has been marked as a duplicate of issue 9400 ***
sorry updated wrong bug.
Hi David, Please open a merge request at https://git.openldap.org with your 2.5 based module so it can be considered for inclusion in OpenLDAP 2.5. Regards, Quanah
Hi Quanah, Ok, thanks for the update, I will do as requested. David
Hello, I have made some progress in ppm integration, but I have some blocking questions: - I suppose you want a merge request on openldap/openldap master branch and not OPENLDAP_REL_ENG_2_5, am I right? - I get a segfault when my client first connects to slapd when I compile master branch with: ``` ./configure --prefix=/usr/local/openldap --libdir=/usr/local/openldap/lib64 --enable-overlays --enable-modules --enable-dynamic=yes --with-tls=openssl --enable-debug --with-cyrus-sasl --enable-spasswd --enable-ppolicy --enable-crypt --enable-ldap -enable-slapi --enable-meta --enable-sock --enable-wrappers --enable-rlookups ``` Do you have the same error? Is this due to a specific option? ppm was working with my last test with Ondrej 6 month ago, so I suppose when this segfault is fixed it will work quite fast. - I noticed nssov overlay does not compile correctly: there is a missing #include <errno.h> somewhere, and other remaining bugs. - do you expect other integration things than the code deployed into contrib/slapd-modules with an appropriate Makefile, README, LICENSE,...? - about the Notice, I have made two separate files in the ppm directory: LICENSE and NOTICES. The license is the OpenLDAP License. The notice is the following: "The attached modifications to OpenLDAP Software are subject to the following notice: Copyright 2021 David Coutadeur Redistribution and use in source and binary forms, with or without modification, are permitted only as authorized by the OpenLDAP Public License." Does it seem correct to you?
For reference, my merge request: https://git.openldap.org/openldap/openldap/-/merge_requests/252
(In reply to David Coutadeur from comment #14) > Hello, > > I have made some progress in ppm integration, but I have some blocking > questions: > > - I suppose you want a merge request on openldap/openldap master branch and > not OPENLDAP_REL_ENG_2_5, am I right? Correct, all merges go against master. > - I get a segfault when my client first connects to slapd when I compile > master branch with: > Do you have the same error? Is this due to a specific option? I've not encountered any segfaults, so it may be a compile specific option. The master branch goes through constant CI/CD with the full test suite and is not exhibiting any problems. I will see if I can reproduce the issue with your specific compile options. > - I noticed nssov overlay does not compile correctly: there is a missing > #include <errno.h> somewhere, and other remaining bugs. Ok, feel free to open up issue reports about it. > - do you expect other integration things than the code deployed into > contrib/slapd-modules with an appropriate Makefile, README, LICENSE,...? Yes. > - about the Notice, I have made two separate files in the ppm directory: > LICENSE and NOTICES. The license is the OpenLDAP License. The notice is the > following: The IPR notification goes into this bug, not as a separate file. The LICENSE file itself sounds fine.
(In reply to Quanah Gibson-Mount from comment #16) > > - I get a segfault when my client first connects to slapd when I compile > > master branch with: Also please provide the exact configuration file or cn=config database you are testing with.
(In reply to Quanah Gibson-Mount from comment #17) > (In reply to Quanah Gibson-Mount from comment #16) > > > > - I get a segfault when my client first connects to slapd when I compile > > > master branch with: > > Also please provide the exact configuration file or cn=config database you > are testing with. Additionally, file the fact it's crashing as its own issue with the above config as an attachment.
For reference (also discussed in the Merge request) Hi, I have opened two separate bug reports for the compiling issues: - [Issue 9477] slapd on master branch segfaults at first connection establishment with an LDAP client - [Issue 9478] compilation issue of nssov overlay on master branch I have also fixed other reported issues: - ppm.conf file was indeed confusing, I renamed it as an ppm.example, useful for anybody wanting a quick example of parameters. It is also helpful for the test suite. - NOTICES is deleted - exit(): thanks for the remark, I have adapted the code for not exiting Thanks to Howard's quick fixes of 9477 and 9478, I was able to test ppm from compilation to applicative tests. I have tested each ppm feature separately, with success. For me, everything is fine. Please don't hesitate if you have other remarks.
Commits: • f3975b3f by David Coutadeur at 2021-03-26T15:01:36+00:00 Proposing ppolicy extended module for OpenLDAP (issue #7832) • c81bb207 by David Coutadeur at 2021-03-26T15:01:36+00:00 clean and homogenize ppm files for integration into contrib (issue #7832 !252)
Additional work needed on the Makefile
https://git.openldap.org/openldap/openldap/-/merge_requests/309
Commits: • 136eedda by Quanah Gibson-Mount at 2021-04-02T19:00:56+00:00 ITS#7832 - Fix Makefile so that it installs into DESTDIR Tweak CRACKLIB linking so that it doesn't depend on gmake
Hello, I have just opened a new MR: https://git.openldap.org/openldap/openldap/-/merge_requests/509 to upgrade ppm to 2.1 release: Changes: - Reject password if it contains tokens from an attribute of the LDAP entry https://github.com/ltb-project/ppm/issues/17
(In reply to David Coutadeur from comment #24) > Hello, > I have just opened a new MR: > https://git.openldap.org/openldap/openldap/-/merge_requests/509 to upgrade > ppm to 2.1 release: > > Changes: > - Reject password if it contains tokens from an attribute of the LDAP entry > https://github.com/ltb-project/ppm/issues/17 You should file a new issue for this, rather than commenting in this issue. Thanks