OpenLDAP
Viewing Archive.Software Bugs/4025
From: stran@amnh.org
Subject: Ppolicy overlay: objectIdentifierMatch rule doesn't understand descriptions
Date: Tue, 13 Sep 2005 02:01:39 GMT
From: stran@amnh.org
To: openldap-its@OpenLDAP.org
Subject: Ppolicy overlay: objectIdentifierMatch rule doesn't understand descriptions
Full_Name: Samuel Tran
Version: 2.3.7
OS: Debian Linux Sarge
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (66.114.85.133)


I am trying to implement the password policy overlay.

When I try to create a dn that would hold the password policy, I get the
following error:

stran@educ236:~$ ldapmodify -vv -x -W -D
"uid=stran,ou=people,dc=example,dc=com" -H ldap://localhost -f
passwd_cn.ldif 
ldap_initialize( ldap://localhost )
Enter LDAP Password: 
replace cn:
        password
replace objectClass:
        organizationalRole
        pwdPolicy
replace pwdattribute:
        userpassword
modifying entry "cn=password,ou=Policies,dc=example,dc=com"
modify complete
ldap_modify: Invalid syntax (21)
        additional info: pwdattribute: value #0 invalid per syntax


Followup 1

Subject: (ITS#4025)
From: Samuel Tran <stran@amnh.org>
To: openldap-its@openldap.org
Date: Tue, 13 Sep 2005 14:01:19 -0400
On Howard's suggestion I tried using the userPassword OID instead and
got another error message:

stran@educ236:~$ ldapmodify -vv -x -W -D
"uid=stran,ou=people,dc=example,dc=com" -H ldap://localhost -f
passwd_cn.ldif 
ldap_initialize( ldap://localhost )
Enter LDAP Password: 
replace cn:
        password
replace objectClass:
        organizationalRole
        pwdPolicy
replace pwdattribute:
        2.5.4.35
modifying entry "cn=password,ou=Policies,dc=example,dc=com"
modify complete
ldap_modify: No such object (32)
        matched DN: ou=Policies,dc=example,dc=com



Followup 2

Date: Tue, 13 Sep 2005 22:02:29 -0400 (EDT)
Subject: (ITS#4025)
From: "Samuel Tran" <stran@amnh.org>
To: openldap-its@OpenLDAP.org
Using the numeric OID actually worked. I wrongly used ldapmodify instead
of ldapadd. However using the name 'userPassword' still does not work.

Sam



Followup 3

Date: Tue, 27 Sep 2005 07:30:06 -0700
From: Howard Chu <hyc@symas.com>
To: stran@amnh.org
CC: openldap-its@OpenLDAP.org
Subject: Re: (ITS#4025) Ppolicy overlay: objectIdentifierMatch rule doesn't
 understand descriptions
stran@amnh.org wrote:
> Full_Name: Samuel Tran
> Version: 2.3.7
> OS: Debian Linux Sarge
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (66.114.85.133)
>
>
> I am trying to implement the password policy overlay.
>
> When I try to create a dn that would hold the password policy, I get the
> following error:
>
> stran@educ236:~$ ldapmodify -vv -x -W -D
> "uid=stran,ou=people,dc=example,dc=com" -H ldap://localhost -f
> passwd_cn.ldif 
> ldap_initialize( ldap://localhost )
> Enter LDAP Password: 
> replace cn:
>         password
> replace objectClass:
>         organizationalRole
>         pwdPolicy
> replace pwdattribute:
>         userpassword
> modifying entry "cn=password,ou=Policies,dc=example,dc=com"
> modify complete
> ldap_modify: Invalid syntax (21)
>         additional info: pwdattribute: value #0 invalid per syntax
>
>
>   
The ppolicy overlay code in HEAD has been patched to allow descriptions 
in addition to numeric OIDs.

-- 
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/



Followup 4

Subject: Re: (ITS#4025) Ppolicy overlay: objectIdentifierMatch rule doesn't
	understand descriptions
From: Samuel Tran <stran@amnh.org>
To: Howard Chu <hyc@symas.com>
Cc: openldap-its@OpenLDAP.org
Date: Tue, 27 Sep 2005 15:15:08 -0400
On Tue, 2005-09-27 at 07:30 -0700, Howard Chu wrote:
> stran@amnh.org wrote:
> > Full_Name: Samuel Tran
> > Version: 2.3.7
> > OS: Debian Linux Sarge
> > URL: ftp://ftp.openldap.org/incoming/
> > Submission from: (NULL) (66.114.85.133)
> >
> >
> > I am trying to implement the password policy overlay.
> >
> > When I try to create a dn that would hold the password policy, I get the
> > following error:
> >
> > stran@educ236:~$ ldapmodify -vv -x -W -D
> > "uid=stran,ou=people,dc=example,dc=com" -H ldap://localhost -f
> > passwd_cn.ldif 
> > ldap_initialize( ldap://localhost )
> > Enter LDAP Password: 
> > replace cn:
> >         password
> > replace objectClass:
> >         organizationalRole
> >         pwdPolicy
> > replace pwdattribute:
> >         userpassword
> > modifying entry "cn=password,ou=Policies,dc=example,dc=com"
> > modify complete
> > ldap_modify: Invalid syntax (21)
> >         additional info: pwdattribute: value #0 invalid per syntax
> >
> >
> >   
> The ppolicy overlay code in HEAD has been patched to allow descriptions 
> in addition to numeric OIDs.
> 

Howard,

I just compiled the latest CVS and tried to use the description instead
of the numeric OIDs. Unfortunately same result:

stran@info-ldap-001:/etc/openldap_REL_ENG_2_3/schema$ ldapmodify -vv -x
-W -D "cn=manager,dc=example,dc=com"
ldap_initialize( <DEFAULT> )
Enter LDAP Password: 
dn: cn=PsynchPwd,ou=Policies,dc=example,dc=com
changetype: modify
replace: pwdAttribute
pwdAttribute: userPassword

replace pwdAttribute:
        userPassword
modifying entry "cn=PsynchPwd,ou=Policies,dc=example,dc=com"
modify complete
ldap_modify: Invalid syntax (21)
        additional info: pwdAttribute: value #0 invalid per syntax


Sam



Followup 5

Date: Tue, 27 Sep 2005 18:06:07 -0700
From: Howard Chu <hyc@symas.com>
To: stran@amnh.org
CC: openldap-its@OpenLDAP.org
Subject: Re: (ITS#4025) Ppolicy overlay: objectIdentifierMatch rule doesn't
 understand descriptions
stran@amnh.org wrote:
> Howard,
>
> I just compiled the latest CVS and tried to use the description instead
> of the numeric OIDs. Unfortunately same result:
>   

Are you sure you got the latest version (ppolicy.c 1.66)? Are you sure 
you installed it after rebuilding? It works for me.
> stran@info-ldap-001:/etc/openldap_REL_ENG_2_3/schema$ ldapmodify -vv -x
> -W -D "cn=manager,dc=example,dc=com"
> ldap_initialize( <DEFAULT> )
> Enter LDAP Password: 
> dn: cn=PsynchPwd,ou=Policies,dc=example,dc=com
> changetype: modify
> replace: pwdAttribute
> pwdAttribute: userPassword
>
> replace pwdAttribute:
>         userPassword
> modifying entry "cn=PsynchPwd,ou=Policies,dc=example,dc=com"
> modify complete
> ldap_modify: Invalid syntax (21)
>         additional info: pwdAttribute: value #0 invalid per syntax
>
>
> Sam
>
>
>   


-- 
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/



Followup 6

Subject: Re: (ITS#4025) Ppolicy overlay: objectIdentifierMatch rule doesn't
	understand descriptions
From: Samuel Tran <stran@amnh.org>
To: Howard Chu <hyc@symas.com>
Cc: openldap-its@OpenLDAP.org
Date: Wed, 28 Sep 2005 11:12:22 -0400
On Tue, 2005-09-27 at 18:06 -0700, Howard Chu wrote:
> stran@amnh.org wrote:
> > Howard,
> >
> > I just compiled the latest CVS and tried to use the description instead
> > of the numeric OIDs. Unfortunately same result:
> >   
> 
> Are you sure you got the latest version (ppolicy.c 1.66)? Are you sure 
> you installed it after rebuilding? It works for me.

Howard,

I first compiled and installed OL 2.3.7 with ppolicy 1.66 from CVS. It
didn't work.

I then checked out CVS 2005-09-27, compiled it and installed it. Same
result.

Today I checked out CVS (2005-09-28), compiled it and installed it. Same
result.

When I use the numeric OID instead, it works.
Is there something else I should pay attention to? I am still using the
slapd.conf file and not the new slapd.d format.

Sam



Followup 7

Date: Wed, 28 Sep 2005 09:00:43 -0700
From: Howard Chu <hyc@symas.com>
To: Samuel Tran <stran@amnh.org>
CC: openldap-its@openldap.org
Subject: Re: (ITS#4025) Ppolicy overlay: objectIdentifierMatch rule doesn't
 understand descriptions
Samuel Tran wrote:
> On Wed, 2005-09-28 at 08:25 -0700, Howard Chu wrote: 
>   
>> I think it may help to see your slapd.conf at this point.
>
> Howard,
>
> My apologies, I have several test servers and I forgot to add the
> following lines to my slapd.conf on the test server I am working on:
> overlay ppolicy
> ppolicy_default "cn=StdPwd,ou=Policies,dc=amnh,dc=org"
> ppolicy_use_lockout
>
> Now it is working as expected.
>
> Why is it required to specify the overlay in slapd.conf in order to use
> the pwdPolicy objectClass?
>
>   
You can use the objectClass in general, just by loading the schema file. 
But the code patch that changes the behavior of the pwdAttribute 
attributeType resides in the ppolicy overlay. If you don't use the 
overlay, the patch does not take effect. It wasn't clear to me that it 
was a good idea to change the objectIdentifier syntax behavior for all 
of slapd, so the patch is specific to the pwdAttribute attributeType. It 
may be a topic for discussion on -devel, whether a global change is more 
appropriate.

-- 
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/



Followup 8

Subject: Re: (ITS#4025) Ppolicy overlay: objectIdentifierMatch rule doesn't
	understand descriptions
From: Samuel Tran <stran@amnh.org>
To: Howard Chu <hyc@symas.com>
Cc: openldap-its@openldap.org
Date: Wed, 28 Sep 2005 12:11:29 -0400
On Wed, 2005-09-28 at 09:00 -0700, Howard Chu wrote:
> Samuel Tran wrote:
> > On Wed, 2005-09-28 at 08:25 -0700, Howard Chu wrote: 
> >   
> >> I think it may help to see your slapd.conf at this point.
> >
> > Howard,
> >
> > My apologies, I have several test servers and I forgot to add the
> > following lines to my slapd.conf on the test server I am working on:
> > overlay ppolicy
> > ppolicy_default "cn=StdPwd,ou=Policies,dc=amnh,dc=org"
> > ppolicy_use_lockout
> >
> > Now it is working as expected.
> >
> > Why is it required to specify the overlay in slapd.conf in order to use
> > the pwdPolicy objectClass?
> >
> >   
> You can use the objectClass in general, just by loading the schema file. 
> But the code patch that changes the behavior of the pwdAttribute 
> attributeType resides in the ppolicy overlay. If you don't use the 
> overlay, the patch does not take effect. It wasn't clear to me that it 
> was a good idea to change the objectIdentifier syntax behavior for all 
> of slapd, so the patch is specific to the pwdAttribute attributeType. It 
> may be a topic for discussion on -devel, whether a global change is more 
> appropriate.
> 

I saw the new functions you added in your patch.
IMHO the EQUALITY objectIdentifierMatch should be satisfied regardless
of whether the ppolicy is specified or not.

In core.schema there is that attribute 'supportedApplicationContext'
that uses the same equality constraint. I haven't used it. Does it mean
that it won't understand description?

Thanks a lot!

Sam



Followup 9

Date: Wed, 28 Sep 2005 09:41:36 -0700
From: Howard Chu <hyc@symas.com>
To: Samuel Tran <stran@amnh.org>
CC: openldap-its@openldap.org
Subject: Re: (ITS#4025) Ppolicy overlay: objectIdentifierMatch rule doesn't
 understand descriptions
Samuel Tran wrote:
>> You can use the objectClass in general, just by loading the schema file.
>> But the code patch that changes the behavior of the pwdAttribute 
>> attributeType resides in the ppolicy overlay. If you don't use the 
>> overlay, the patch does not take effect. It wasn't clear to me that it 
>> was a good idea to change the objectIdentifier syntax behavior for all 
>> of slapd, so the patch is specific to the pwdAttribute attributeType. It 
>> may be a topic for discussion on -devel, whether a global change is more 
>> appropriate.
>>
>>     
>
> I saw the new functions you added in your patch.
> IMHO the EQUALITY objectIdentifierMatch should be satisfied regardless
> of whether the ppolicy is specified or not.
>
> In core.schema there is that attribute 'supportedApplicationContext'
> that uses the same equality constraint. I haven't used it. Does it mean
> that it won't understand description?
>   
Correct.

The larger issue here is that OIDs are not maintained in a single table 
in slapd. OIDs for AttributeTypes are recorded separately from OIDs for 
ObjectClasses, Syntaxes, Matching Rules, or any other protocol elements 
that have OIDs. While there is conceptually a single OID namespace, it 
is not implemented as a single namespace inside slapd. So a generic OID 
validator that accepts descriptors would need to look in many tables to 
validate a name.

The other issue is that descriptors aren't guaranteed to be unique. 
E.g., it's possible to have both an AttributeType and an ObjectClass 
with the same name. X.500/ASN.1 doesn't care about descriptor clashes as 
long as OIDs are unique, but this is a problem for LDAP.

The ppolicy patch works because I know that pwdAttribute will only be 
used with OIDs of AttributeTypes. In the general case, we can't make any 
such assumptions, and just searching for the first matching descriptor 
in a variety of tables may yield the wrong numeric OID. For your example 
'supportedApplicationContext' slapd doesn't have any notion of the 
namespace in which ApplicationContext descriptors are registered, so in 
that case the lookup would be futile anyway.

-- 
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/



Followup 10

Date: Wed, 28 Sep 2005 09:53:15 -0700
To: hyc@symas.com
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Subject: Re: (ITS#4025) Ppolicy overlay: objectIdentifierMatch rule
  doesn't understand descriptions
Cc: openldap-its@OpenLDAP.org
At 09:00 AM 9/28/2005, hyc@symas.com wrote:
>It wasn't clear to me that it 
>was a good idea to change the objectIdentifier syntax behavior for all 
>of slapd, so the patch is specific to the pwdAttribute attributeType. 

It's clear to me that descriptor matching must be specific
to the attribute type, as one must know what kind of descriptor
is involved in order to do matching as descriptors are only
unique within a particular kind (attributetype, objectclass,
matchingrule, etc.).

Hence, descriptor matching can only be provided in objectIdentifierMatch
for built-in attributetypes.  There really should be
objectClassMatch, attributeTypeMatch, MatchingRuleMatch, etc.

Kurt 



Followup 11

Date: Wed, 28 Sep 2005 09:57:24 -0700
To: hyc@symas.com, stran@amnh.org
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Subject: Re: (ITS#4025) Ppolicy overlay: objectIdentifierMatch rule
  doesn't understand descriptions
Cc: openldap-its@OpenLDAP.org
At 09:41 AM 9/28/2005, hyc@symas.com wrote:
>While there is conceptually a single OID namespace, it 
>is not implemented as a single namespace inside slapd. 

This is because there is not a single descriptor name
space.  One can have a 'foo' objectClass and a 'foo'
attributeType, both referring to different OIDs.
IIRC, there is even a case of duplicate descriptor use
in the LDAP RFCs...

Kurt 
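To illustrate the point Howard and Kurt make in the last three followups, here is an added example (not OpenLDAP code) in Python: the stock numeric-only check that produces the "invalid per syntax (21)" error, a kind-specific resolver for pwdAttribute that consults only the attribute-type table, and the generic any-table lookup that becomes ambiguous when a descriptor such as 'foo' exists both as an attributeType and as an objectClass. Only 2.5.4.35 (userPassword) is taken from the thread; every other OID and the 'foo' definitions are constructed placeholders.

```python
import re

# RFC 4512 numericoid: dotted decimal, no leading zeros in a component.
NUMERIC_OID = re.compile(r"^(?:0|[1-9][0-9]*)(?:\.(?:0|[1-9][0-9]*))+$")

# Constructed schema tables, kept per kind the way slapd keeps them.
# Only 2.5.4.35 (userPassword) comes from the thread; the rest are
# placeholder OIDs. 'foo' is deliberately defined in both kinds with
# different OIDs to show that descriptors are only unique within a kind.
ATTRIBUTE_TYPES = {
    "userpassword": "2.5.4.35",
    "foo": "1.3.6.1.4.1.99999.1.1",        # placeholder, constructed
}
OBJECT_CLASSES = {
    "pwdpolicy": "1.3.6.1.4.1.99999.2.1",  # placeholder, constructed
    "foo": "1.3.6.1.4.1.99999.2.2",        # placeholder, constructed
}
KIND_TABLES = {"attributeType": ATTRIBUTE_TYPES, "objectClass": OBJECT_CLASSES}


def is_numeric_oid(value):
    return bool(NUMERIC_OID.match(value))


def stock_pwd_attribute_valid(value):
    """Behaviour the thread starts from: the objectIdentifier syntax accepts
    only a numeric OID, so 'userPassword' is rejected with error 21."""
    return is_numeric_oid(value)


def resolve_pwd_attribute(value):
    """Kind-specific resolution in the spirit of the ppolicy patch: pwdAttribute
    can only name an attribute type, so a descriptor is looked up in that table
    alone. An objectClass name such as 'pwdPolicy' is still rejected."""
    if is_numeric_oid(value):
        return value
    oid = ATTRIBUTE_TYPES.get(value.lower())
    if oid is None:
        raise ValueError("pwdAttribute: value %r invalid per syntax" % value)
    return oid


def resolve_any_kind(value):
    """The generic approach the thread rejects: search every table and return
    all (kind, oid) matches. More than one match means the descriptor is
    ambiguous and picking 'the first' could yield the wrong numeric OID."""
    if is_numeric_oid(value):
        return [("numericoid", value)]
    key = value.lower()
    return [(kind, table[key]) for kind, table in KIND_TABLES.items() if key in table]
```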

