Issue 8701 - account usability control for password less logins
Summary: account usability control for password less logins
Status: VERIFIED FIXED
Alias: None
Product: OpenLDAP
Classification: Unclassified
Component: slapd (show other issues)
Version: 2.4.44
Hardware: All (OS: All)
Importance: --- normal
Target Milestone: 2.5.0
Assignee: OpenLDAP project
Reported: 2017-07-27 11:21 UTC by manikya.prabhu.salveru@oracle.com
Modified: 2020-10-14 21:11 UTC (History)

Description manikya.prabhu.salveru@oracle.com 2017-07-27 11:21:18 UTC
Full_Name: Manikya
Version: 2.4.44
OS: Solaris 11.3
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (141.143.213.56)


Solaris LDAP clients are configured for pam_ldap and require a control to
validate users for password-less logins.

http://docs.oracle.com/cd/E19253-01/816-4556/schemas-250/index.html

From the OpenDS documentation:

account usability control

The account usability control provides a pair of request and response controls
that can be used to determine whether a user account may be used for
authenticating to the server.

The request control has an OID of 1.3.6.1.4.1.42.2.27.9.5.8 and does not include
a value. It should only be included in search request messages.

The corresponding response control has an OID of 1.3.6.1.4.1.42.2.27.9.5.8 (the
same as the request control), and it will be included in any search result entry
messages for a search request that includes the account usability request
control.

The value for the account usability response control is encoded as follows:

ACCOUNT_USABLE_RESPONSE ::= CHOICE {
     is_available           [0] INTEGER, -- Seconds before expiration --
     is_not_available       [1] MORE_INFO }

MORE_INFO ::= SEQUENCE {
     inactive               [0] BOOLEAN DEFAULT FALSE,
     reset                  [1] BOOLEAN DEFAULT FALSE,
     expired                [2] BOOLEAN DEFAULT FALSE,
     remaining_grace        [3] INTEGER OPTIONAL,
     seconds_before_unlock  [4] INTEGER OPTIONAL }

If the user account is available, then the control will include the number of
seconds until the user's password expires, or -1 if password expiration is not
enabled. If the user's account is not available, then the control will provide
the reason it is unavailable.
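As an added example (not code from this report or from OpenLDAP), a decoder for the response control value defined above. It assumes LDAP's usual IMPLICIT context tagging (so is_available is encoded with tag 0x80 and is_not_available as a constructed 0xA1), and the sample values at the bottom are constructed, not captured from a real server; a pam_ldap-style client would hand it the control value returned with the user's search entry and refuse a password-less login unless `available` is true.

```python
from dataclasses import dataclass
from typing import Optional, Tuple
# MORE_INFO context tags; IMPLICIT tagging assumed, as LDAP (RFC 4511) uses.
_FIELDS = {0x80: "inactive", 0x81: "reset", 0x82: "expired",
           0x83: "remaining_grace", 0x84: "seconds_before_unlock"}

def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one BER element (one-byte tag, definite length): tag, value, next offset."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated BER value")
    return tag, buf[pos:pos + length], pos + length

@dataclass
class AccountUsability:
    available: bool
    seconds_before_expiration: Optional[int] = None   # -1 = expiration disabled
    inactive: bool = False
    reset: bool = False
    expired: bool = False
    remaining_grace: Optional[int] = None
    seconds_before_unlock: Optional[int] = None

def decode_account_usability(value: bytes) -> AccountUsability:
    """Decode an ACCOUNT_USABLE_RESPONSE control value into its fields."""
    tag, body, end = _read_tlv(value, 0)
    if end != len(value):
        raise ValueError("trailing bytes after CHOICE")
    if tag == 0x80:                        # is_available [0] INTEGER
        return AccountUsability(True, int.from_bytes(body, "big", signed=True))
    if tag != 0xA1:                        # is_not_available [1] MORE_INFO (constructed)
        raise ValueError(f"unexpected CHOICE tag 0x{tag:02x}")
    info, pos = AccountUsability(False), 0
    while pos < len(body):                 # fields absent on the wire keep their DEFAULT
        t, v, pos = _read_tlv(body, pos)
        if t not in _FIELDS:
            raise ValueError(f"unknown MORE_INFO tag 0x{t:02x}")
        setattr(info, _FIELDS[t],
                v != b"\x00" if t <= 0x82 else int.from_bytes(v, "big", signed=True))
    return info

# Constructed sample values (not captured from a real server):
SAMPLE_AVAILABLE = bytes.fromhex("80 03 01 51 80")         # usable, 86400 s to expiry
SAMPLE_EXPIRED = bytes.fromhex("A1 06 82 01 FF 83 01 02")  # expired, 2 grace logins left
SAMPLE_LOCKED = bytes.fromhex("A1 04 84 02 01 2C")         # locked, unlocks in 300 s
```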
Comment 1 Ben Chang 2017-08-02 14:31:50 UTC
Question about a proposed workaround:

Would it be possible to use slapo-ppolicy to set the pwdPolicySubentry
attribute for each user to provide the desired 1.3.6.1.4.1.42.2.27.9.5.8
control response (see
http://ldapwiki.com/wiki/Account%20Usability%20Request%20Control), i.e.,
can pwdPolicySubentry be used to supply the sub-entry and related
operational attributes needed to validate users for password-less logins?


Comment 2 Ben Chang 2017-08-28 21:36:23 UTC
Please disregard the previous workaround proposal, it was incorrect. The
corrected workaround proposal:

The idea is to determine the account/password state on the client side
(since there's no easy way to get the server to provide the state
without using the user's password). This was accomplished in a prototype
by retrieving the /pwdPolicySubentry/, the policy setting, and other
operational attributes such as /pwdChangedTime/, /pwdAccountLockedTime/,
/pwdFailureTime/, and /pwdGraceUseTime/. These were used to determine
the account/password state.

Is this reasonable and safe to do?


On 08/02/2017 07:31 AM, Ben Chang wrote:
> Question about a proposed workaround:
>
> Would it be possible to use slapo-ppolicy to set the pwdPolicySubentry
> attribute for each user to provide the desired
> 1.3.6.1.4.1.42.2.27.9.5.8 control response (see
> http://ldapwiki.com/wiki/Account%20Usability%20Request%20Control),
> i.e., can pwdPolicySubentry be used to supply the sub-entry and related
> operational attributes needed to validate users for password-less logins?
>

Comment 3 Quanah Gibson-Mount 2020-03-23 15:54:55 UTC
Solaris needs to follow the ppolicy draft, not implement its own proprietary bits.
Comment 4 Quanah Gibson-Mount 2020-06-23 15:28:51 UTC
We will be implementing this.
Comment 5 Quanah Gibson-Mount 2020-07-07 16:35:39 UTC
Commits:
  • 1129df53 by Ondřej Kuzník at 2020-07-07T16:43:35+01:00
    ITS#8701 Expose account usability in libldap
  • 63440f03 by Ondřej Kuzník at 2020-07-07T16:43:37+01:00
    ITS#8701 Add account usability to ldapsearch
  • bdc9dbc5 by Ondřej Kuzník at 2020-07-07T16:43:37+01:00
    ITS#8701 Implement account usability in ppolicy
Comment 6 Quanah Gibson-Mount 2020-07-21 14:47:53 UTC
  • c7b008ee by Ondřej Kuzník at 2020-07-21T10:48:47+01:00
    ITS#8701 Fix documentation