Full_Name: Clement OUDOT
Version: 2.4.38
OS: GNU/Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (83.145.72.122)

Hi,

I have configured a ppolicy overlay without an olcPPolicyDefault value. So I use pwdPolicySubentry in user entries to bind them to their policy configuration entry. The ppolicy overlay is compiled into slapd, not as a module. I use the LTB package.

If I create an account without pwdPolicySubentry, the attributes pwdChangedTime and pwdFailureTime are generated for this entry. And as the entry is never locked (which is a normal behavior, fixed in http://www.openldap.org/its/index.cgi?findid=6168), the number of values in pwdFailureTime can grow indefinitely.

IMHO, no ppolicy operational attributes should be present in an entry not linked to a password policy.
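An added audit check, not part of this ITS thread, that scans an LDIF export for the state the report describes: entries without pwdPolicySubentry that still carry pwdChangedTime or pwdFailureTime values. It assumes no olcPPolicyDefault is configured, as in the report, and uses a constructed LDIF sample in place of real ldapsearch output.

```python
# Added example, not part of the ITS thread: audit an LDIF export for entries
# carrying ppolicy state (pwdChangedTime, pwdFailureTime) with no pwdPolicySubentry.
# Assumes no olcPPolicyDefault is set, as in the report; export via ldapsearch '+'.
from collections import defaultdict
# Constructed sample export (not real directory data).
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
pwdPolicySubentry: cn=default,ou=policies,dc=example,dc=com
pwdChangedTime: 20200101120000Z
pwdFailureTime: 20200102080000Z

dn: uid=bob,ou=people,dc=example,dc=com
uid: bob
pwdChangedTime: 20200101120000Z
pwdFailureTime: 20200102080000Z
pwdFailureTime: 20200102080005Z
pwdFailureTime: 20200102080010Z
"""
PPOLICY_STATE = ("pwdchangedtime", "pwdfailuretime")

def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines, splits on blank lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # RFC 2849 folded line
        else:
            lines.append(raw)
    entries, current = [], defaultdict(list)
    for line in lines + [""]:               # trailing "" flushes the last record
        if not line.strip():
            if current:
                entries.append(dict(current))
                current = defaultdict(list)
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            current[name.strip().lower()].append(value.strip())   # attr names are case-insensitive
    return entries

def find_orphan_ppolicy_state(entries):
    """DN -> {attr: value count} for entries with no pwdPolicySubentry but ppolicy state."""
    findings = {}
    for entry in entries:
        if "pwdpolicysubentry" in entry:
            continue                         # bound to a policy: state is expected
        counts = {a: len(entry[a]) for a in PPOLICY_STATE if a in entry}
        if counts:                           # a high pwdFailureTime count is the unbounded growth
            findings[entry["dn"][0]] = counts
    return findings
```

Run `find_orphan_ppolicy_state(parse_ldif(open("export.ldif").read()))` against a real export to list the affected DNs and how many pwdFailureTime values each has accumulated.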
I do not consider this to be a bug. I'd vote for closing it as "won't fix".
Could examine if it's possible to have ppolicy not process entries with no policy. May not be possible w/o unreasonable overhead.
Hi Clément, this should still be possible if you set a default policy with pwdMaxRecordedFailure == 0. Is there a reason this would not be appropriate before we go changing the default behaviour? Thanks, Ondrej
I don't think this solves the issue. The problem is that entries that are not linked to any password policy are updated by the ppolicy overlay. Adding a parameter in the password policy is not a good solution from my point of view. The entry should never be updated by the ppolicy overlay if no ppolicy definition is applied to it. Note that this bug was opened 6 years ago; I did not test recent OpenLDAP versions.
I have created a patchset that attempts to address this and other ppolicy related issues here: https://git.openldap.org/openldap/openldap/-/merge_requests/77 Please review, test and let me know if this addresses the issue and if you have any other comments.
• 49504c16 by Ondřej Kuzník at 2020-07-03T20:42:14+00:00 Fix whitespace in ppolicy.c
• 3e0447f4 by Ondřej Kuzník at 2020-07-03T20:42:14+00:00 ITS#7089 Skip lockout checks/modifications if password attribute missing
• 3ec005a0 by Ondřej Kuzník at 2020-07-03T20:42:14+00:00 ITS#7788 Report if there is a policy that applies
• 0b6ac3fd by Ondřej Kuzník at 2020-07-03T20:42:14+00:00 ITS#7788 Skip lockout processing if no policy applies
• a030aacc by Ondřej Kuzník at 2020-07-03T20:42:14+00:00 ITS#7788 Allow pwdFailureTime tracking to be disabled in policy
• 376d5d65 by Ondřej Kuzník at 2020-07-03T20:42:14+00:00 ITS#7084 ACL of 'manage' gives password administrator access. Password administrators can bypass safeModify, password quality checks and trigger reset if policy instructs the server to.
• e05c09b9 by Ondřej Kuzník at 2020-07-03T20:42:14+00:00 ITS#8762 Clear pwdFailureTime on unlock
• 5bf16496 by Ondřej Kuzník at 2020-07-03T20:42:14+00:00 ITS#7084, ITS#7089, ITS#7788 Update test to account for new functionality
Commits:
• 109d967f by Ondřej Kuzník at 2021-03-25T19:43:18+00:00 ITS#7788 Hashing should be independent of a usable policy