Full_Name: Jarbas Peixoto Junior
Version: 2.4.11 / 2.4.17 / 2.4.20
OS: Gnu/Linux Debian
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (200.152.34.143)


Possible bug in Overlay pPolicy

I have OpenLDAP installed via the Debian Lenny package, functioning normally.

Aiming to test the Debian Squeeze version, I installed the slapd package (2.4.17-2.1) on the test machine with the same configuration as Debian Lenny (2.4.11).

However, when testing the pPolicy overlay I noticed that an authentication with a wrong password runs through all objects in the LDAP database, causing a "delay" that does not exist in the Lenny version.

Below is some information that may be useful in detecting the problem:

File: slapd.conf
====================
moduleload ppolicy
overlay ppolicy
ppolicy_default "cn=default,ou=LdapPassword,ou=Politicas,ou=Builtin,dc=previdencia,dc=gov,dc=br"
ppolicy_use_lockout
====================

ldapsearch -LLL -x -H ldap://squeeze -b ou=LdapPassword,ou=Politicas,ou=Builtin,dc=previdencia,dc=gov,dc=br '(cn=default)'
dn: cn=default,ou=LdapPassword,ou=Politicas,ou=Builtin,dc=previdencia,dc=gov,dc=br
objectClass: top
objectClass: device
objectClass: pwdPolicy
pwdAttribute: userPassword
description:: UG9sw610aWNhIGRlIFNlbmhhIERlZmF1bHQgcGFyYSB0b2RvcyB1c3XDoXJpb3M=
pwdAllowUserChange: TRUE
pwdFailureCountInterval: 3600
pwdGraceAuthNLimit: 5
pwdInHistory: 0
pwdLockoutDuration: 60
pwdMaxAge: 7776000
pwdMinAge: 0
pwdMinLength: 6
pwdSafeModify: FALSE
pwdCheckQuality: 1
pwdExpireWarning: 600
cn: default
pwdMustChange: FALSE
pwdMaxFailure: 10
pwdLockout: FALSE

date ; ldapsearch -LLL -x -H ldap://squeeze -b ou=usuarios,dc=previdencia,dc=gov,dc=br -D uid=jarbas.peixoto,ou=pessoas,ou=usuarios,dc=previdencia,dc=gov,dc=br -w wrong-password '(uid=jarbas.peixoto)' cn mail pwdFailureTime pwdAccountLockedTime modifyTimeStamp ; date
Qua Dez 2 16:14:56 AMST 2009
ldap_bind: Invalid credentials (49)
Qua Dez 2 16:15:36 AMST 2009

ldapsearch -LLL -x -H ldap://squeeze -b ou=usuarios,dc=previdencia,dc=gov,dc=br '(uid=jarbas.peixoto)' cn mail pwdFailureTime pwdAccountLockedTime modifyTimeStamp
dn: uid=jarbas.peixoto,ou=Pessoas,ou=Usuarios,dc=previdencia,dc=gov,dc=br
mail: jarbas.peixoto@previdencia.gov.br
cn: Jarbas Peixoto Junior
pwdAccountLockedTime: 20091202161422Z
pwdFailureTime: 20091202162324Z
pwdFailureTime: 20091202162805Z
pwdFailureTime: 20091202162925Z
pwdFailureTime: 20091202164558Z
pwdFailureTime: 20091202164702Z
pwdFailureTime: 20091202165016Z
pwdFailureTime: 20091202181310Z
pwdFailureTime: 20091202182914Z
pwdFailureTime: 20091202183248Z
pwdFailureTime: 20091202190153Z
pwdFailureTime: 20091202191147Z
pwdFailureTime: 20091202191544Z
pwdFailureTime: 20091202191644Z
modifyTimestamp: 20091202191724Z

date ; ldapsearch -LLL -x -H ldap://squeeze -b ou=usuarios,dc=previdencia,dc=gov,dc=br -D uid=jarbas.peixoto,ou=pessoas,ou=usuarios,dc=previdencia,dc=gov,dc=br -w wrong-password '(uid=jarbas.peixoto)' cn mail pwdFailureTime pwdAccountLockedTime modifyTimeStamp ; date
Qua Dez 2 16:19:03 AMST 2009
ldap_bind: Invalid credentials (49)
Qua Dez 2 16:19:44 AMST 2009

ldapsearch -LLL -x -H ldap://squeeze -b ou=usuarios,dc=previdencia,dc=gov,dc=br '(uid=jarbas.peixoto)' cn mail pwdFailureTime pwdAccountLockedTime modifyTimeStamp
dn: uid=jarbas.peixoto,ou=Pessoas,ou=Usuarios,dc=previdencia,dc=gov,dc=br
mail: jarbas.peixoto@previdencia.gov.br
cn: Jarbas Peixoto Junior
pwdAccountLockedTime: 20091202161422Z
pwdFailureTime: 20091202162324Z
pwdFailureTime: 20091202162805Z
pwdFailureTime: 20091202162925Z
pwdFailureTime: 20091202164558Z
pwdFailureTime: 20091202164702Z
pwdFailureTime: 20091202165016Z
pwdFailureTime: 20091202181310Z
pwdFailureTime: 20091202182914Z
pwdFailureTime: 20091202183248Z
pwdFailureTime: 20091202190153Z
pwdFailureTime: 20091202191147Z
pwdFailureTime: 20091202191544Z
pwdFailureTime: 20091202191644Z
pwdFailureTime: 20091202192051Z
modifyTimestamp: 20091202192133Z

I tried to identify any problems that may be in the logs. I did the following:

/etc/init.d/slapd stop
Stopping OpenLDAP: slapd.
> /var/log/debug
/etc/init.d/slapd start
Starting OpenLDAP: slapd.
tail /var/log/debug -n 50
Dec 2 18:01:59 squeeze slapd[21772]: <= root access granted
Dec 2 18:01:59 squeeze slapd[21772]: => access_allowed: search access granted by manage(=mwrscxd)
Dec 2 18:01:59 squeeze slapd[21772]: => access_allowed: search access to "uid=fnsi807249521$,ou=Windows,ou=Hosts,dc=previdencia,dc=gov,dc=br" "objectClass" requested
Dec 2 18:01:59 squeeze slapd[21772]: <= root access granted
Dec 2 18:01:59 squeeze slapd[21772]: => access_allowed: search access granted by manage(=mwrscxd)
Dec 2 18:01:59 squeeze slapd[21772]: => access_allowed: search access to "uid=douglas.dcosta,ou=Pessoas,ou=Usuarios,dc=previdencia,dc=gov,dc=br" "objectClass" requested
Dec 2 18:01:59 squeeze slapd[21772]: <= root access granted
Dec 2 18:01:59 squeeze slapd[21772]: => access_allowed: search access granted by manage(=mwrscxd)
Dec 2 18:01:59 squeeze slapd[21772]: => access_allowed: search access to "uid=fnsi813149827$,ou=Windows,ou=Hosts,dc=previdencia,dc=gov,dc=br" "objectClass" requested
Dec 2 18:01:59 squeeze slapd[21772]: <= root access granted
Dec 2 18:01:59 squeeze slapd[21772]: => access_allowed: search access granted by manage(=mwrscxd)
Dec 2 18:01:59 squeeze slapd[21772]: => access_allowed: search access to "uid=fnsi813149622$,ou=Windows,ou=Hosts,dc=previdencia,dc=gov,dc=br" "objectClass" requested
Dec 2 18:01:59 squeeze slapd[21772]: <= root access granted
Dec 2 18:01:59 squeeze slapd[21772]: => access_allowed: search access granted by manage(=mwrscxd)
Dec 2 18:01:59 squeeze slapd[21772]: => access_allowed: search access to "uid=fnsi808649957$,ou=Windows,ou=Hosts,dc=previdencia,dc=gov,dc=br" "objectClass" requested
Dec 2 18:01:59 squeeze slapd[21772]: <= root access granted
Dec 2 18:01:59 squeeze slapd[21772]: => access_allowed: search access granted by manage(=mwrscxd)
Dec 2 18:01:59 squeeze slapd[21772]: => access_allowed: search access to "uid=apssc-fcn333$,ou=Windows,ou=Hosts,dc=previdencia,dc=gov,dc=br" "objectClass" requested
Dec 2 18:01:59 squeeze slapd[21772]: <= root access granted
Dec 2 18:01:59 squeeze slapd[21772]: => access_allowed: search access granted by manage(=mwrscxd)
Dec 2 18:01:59 squeeze slapd[21772]: => access_allowed: search access to "uid=fnsi808638963$,ou=Windows,ou=Hosts,dc=previdencia,dc=gov,dc=br" "objectClass" requested
Dec 2 18:01:59 squeeze slapd[21772]: <= root access granted
Dec 2 18:01:59 squeeze slapd[21772]: => access_allowed: search access granted by manage(=mwrscxd)
Dec 2 18:01:59 squeeze slapd[21772]: => access_allowed: search access to "uid=mgapssba055$,ou=Windows,ou=Hosts,dc=previdencia,dc=gov,dc=br" "objectClass" requested
Dec 2 18:01:59 squeeze slapd[21772]: <= root access granted
Dec 2 18:01:59 squeeze slapd[21772]: => access_allowed: search access granted by manage(=mwrscxd)
Dec 2 18:01:59 squeeze slapd[21772]: => access_allowed: search access to "uid=fnsi808644351$,ou=Windows,ou=Hosts,dc=previdencia,dc=gov,dc=br" "objectClass" requested
Dec 2 18:01:59 squeeze slapd[21772]: <= root access granted
Dec 2 18:01:59 squeeze slapd[21772]: => access_allowed: search access granted by manage(=mwrscxd)
Dec 2 18:01:59 squeeze slapd[21772]: => access_allowed: search access to "uid=fnsi813148464$,ou=Windows,ou=Hosts,dc=previdencia,dc=gov,dc=br" "objectClass" requested
Dec 2 18:01:59 squeeze slapd[21772]: <= root access granted
Dec 2 18:01:59 squeeze slapd[21772]: => access_allowed: search access granted by manage(=mwrscxd)
Dec 2 18:01:59 squeeze slapd[21772]: => access_allowed: search access to "uid=fnsi813148430$,ou=Windows,ou=Hosts,dc=previdencia,dc=gov,dc=br" "objectClass" requested
Dec 2 18:01:59 squeeze slapd[21772]: <= root access granted
Dec 2 18:01:59 squeeze slapd[21772]: => access_allowed: search access granted by manage(=mwrscxd)
Dec 2 18:01:59 squeeze slapd[21772]: => access_allowed: search access to "uid=fnsi808643444$,ou=Windows,ou=Hosts,dc=previdencia,dc=gov,dc=br" "objectClass" requested
Dec 2 18:01:59 squeeze slapd[21772]: <= root access granted
Dec 2 18:01:59 squeeze slapd[21772]: => access_allowed: search access granted by manage(=mwrscxd)
Dec 2 18:01:59 squeeze slapd[21772]: => access_allowed: search access to "uid=admin.udsl,ou=Servicos,ou=Usuarios,dc=previdencia,dc=gov,dc=br" "objectClass" requested
Dec 2 18:01:59 squeeze slapd[21772]: <= root access granted
Dec 2 18:01:59 squeeze slapd[21772]: => access_allowed: search access granted by manage(=mwrscxd)
Dec 2 18:01:59 squeeze slapd[21772]: => access_allowed: search access to "uid=admin.listas,ou=Servicos,ou=Usuarios,dc=previdencia,dc=gov,dc=br" "objectClass" requested
Dec 2 18:01:59 squeeze slapd[21772]: <= root access granted
Dec 2 18:01:59 squeeze slapd[21772]: => access_allowed: search access granted by manage(=mwrscxd)
Dec 2 18:01:59 squeeze slapd[21772]: => bdb_entry_get: found entry: "uid=jarbas.peixoto,ou=pessoas,ou=usuarios,dc=previdencia,dc=gov,dc=br"
Dec 2 18:01:59 squeeze slapd[21772]: => bdb_entry_get: found entry: "cn=default,ou=ldappassword,ou=politicas,ou=builtin,dc=previdencia,dc=gov,dc=br"
Dec 2 18:01:59 squeeze slapd[21772]: => bdb_entry_get: found entry: "uid=jarbas.peixoto,ou=pessoas,ou=usuarios,dc=previdencia,dc=gov,dc=br"
Dec 2 18:01:59 squeeze slapd[21772]: <= acl_access_allowed: granted to database root
Dec 2 18:01:59 squeeze slapd[21772]: conn=1000 op=0 RESULT tag=97 err=49 text=
Dec 2 18:01:59 squeeze slapd[21772]: conn=1000 fd=15 closed (connection lost)

grep 'access_allowed: search access to' /var/log/debug | wc -l
83714

The question is: why access all entries in LDAP?

Does anyone have any tips, or could it be some as yet unidentified bug?

As a further test, I installed version 2.4.20 and saw the same behaviour.

Best Regards,
Jarbas
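The grep count in the report measures the symptom only in aggregate. As an added example (not part of the report, nor OpenLDAP's own tooling), the script below attributes the ACL evaluations in a slapd debug log to the bind in flight and flags any bind that touches far more entries than its own, which is the pattern described above: one failed bind against a single user DN evaluating search access to every host and user object. The log lines are constructed; the script assumes a single test client, so that the connection-less access_allowed lines interleave with their own BIND and RESULT lines.

```python
import re

# Constructed slapd syslog lines (loglevel acl+stats), modelled on the report:
# conn=1000 is a failed bind that evaluates ACLs on unrelated entries before
# returning err=49; conn=1001 is a normal bind that touches only its own entry.
SAMPLE_LOG = """\
Dec  2 18:01:59 squeeze slapd[21772]: conn=1000 op=0 BIND dn="uid=jarbas.peixoto,ou=pessoas,ou=usuarios,dc=previdencia,dc=gov,dc=br" method=128
Dec  2 18:01:59 squeeze slapd[21772]: => access_allowed: search access to "uid=fnsi807249521$,ou=Windows,ou=Hosts,dc=previdencia,dc=gov,dc=br" "objectClass" requested
Dec  2 18:01:59 squeeze slapd[21772]: => access_allowed: search access to "uid=douglas.dcosta,ou=Pessoas,ou=Usuarios,dc=previdencia,dc=gov,dc=br" "objectClass" requested
Dec  2 18:01:59 squeeze slapd[21772]: => access_allowed: search access to "uid=admin.listas,ou=Servicos,ou=Usuarios,dc=previdencia,dc=gov,dc=br" "objectClass" requested
Dec  2 18:01:59 squeeze slapd[21772]: => bdb_entry_get: found entry: "uid=jarbas.peixoto,ou=pessoas,ou=usuarios,dc=previdencia,dc=gov,dc=br"
Dec  2 18:01:59 squeeze slapd[21772]: conn=1000 op=0 RESULT tag=97 err=49 text=
Dec  2 18:02:10 squeeze slapd[21772]: conn=1001 op=0 BIND dn="uid=douglas.dcosta,ou=Pessoas,ou=Usuarios,dc=previdencia,dc=gov,dc=br" method=128
Dec  2 18:02:10 squeeze slapd[21772]: => access_allowed: search access to "uid=douglas.dcosta,ou=Pessoas,ou=Usuarios,dc=previdencia,dc=gov,dc=br" "objectClass" requested
Dec  2 18:02:10 squeeze slapd[21772]: conn=1001 op=0 BIND dn="uid=douglas.dcosta,ou=Pessoas,ou=Usuarios,dc=previdencia,dc=gov,dc=br" mech=SIMPLE ssf=0
Dec  2 18:02:10 squeeze slapd[21772]: conn=1001 op=0 RESULT tag=97 err=0 text=
"""

BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=')
ACL_RE = re.compile(r'access_allowed: search access to "([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)')


def bind_scan_report(log_text, threshold=50):
    """One record per completed bind: how many distinct entries other than
    the bind DN had their ACLs evaluated, and whether that exceeds threshold.
    Assumption: access_allowed lines carry no conn= id, so they are charged
    to the most recent BIND; valid for a single test client, not a busy
    multi-threaded server."""
    report = []
    current = None
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            current = {"conn": m.group(1), "op": m.group(2),
                       "bind_dn": m.group(3), "touched": set()}
            continue
        m = ACL_RE.search(line)
        if m and current is not None:
            dn = m.group(1).lower()          # DNs compare case-insensitively
            if dn != current["bind_dn"].lower():
                current["touched"].add(dn)
            continue
        m = RESULT_RE.search(line)
        if m and current is not None and \
                (m.group(1), m.group(2)) == (current["conn"], current["op"]):
            n = len(current["touched"])
            report.append({"conn": current["conn"], "bind_dn": current["bind_dn"],
                           "err": int(m.group(3)), "foreign_entries": n,
                           "flagged": n > threshold})
            current = None
    return report


if __name__ == "__main__":
    for rec in bind_scan_report(SAMPLE_LOG, threshold=2):
        status = "SCAN" if rec["flagged"] else "ok"
        print(f'{status:4} conn={rec["conn"]} err={rec["err"]} '
              f'foreign_entries={rec["foreign_entries"]} dn={rec["bind_dn"]}')
```

On a real log the threshold should be a small multiple of the entries a bind legitimately reads (the user entry and its policy), so a bind that evaluates ACLs across the whole DIT stands out immediately.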
--On Wednesday, December 02, 2009 8:25 PM +0000 jarbas.junior@gmail.com wrote:

> Full_Name: Jarbas Peixoto Junior
> Version: 2.4.11 / 2.4.17 / 2.4.20
> OS: Gnu/Linux Debian
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (200.152.34.143)

ppolicy doesn't execute searches. Please provide your entire slapd.conf, minus passwords.

--Quanah

--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
jarbas.junior@gmail.com wrote:
> Full_Name: Jarbas Peixoto Junior
> Version: 2.4.11 / 2.4.17 / 2.4.20
> OS: Gnu/Linux Debian
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (200.152.34.143)
>
> [...]
>
> grep 'access_allowed: search access to' /var/log/debug | wc -l
> 83714
>
> The question is: why access all entries in LDAP?

Don't know. This would have to be the result of a search operation, but there is no search code in ppolicy.c. Since ppolicy cannot be the culprit, we'll need to see the rest of your config to track down the issue.

--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
Attached is the configuration file of the OpenLDAP Squeeze test server.

I made some changes to the file /etc/ldap/slapd.overlay.conf, which is included by /etc/ldap/slapd.conf, and discovered that the problem is with the rwm overlay, because when I comment out that overlay the problem does not appear.

If I keep the following rwm overlay entries, the problem happens again:

moduleload rwm
overlay rwm

Even with the other rwm overlay settings commented out, the problem continues.

Any ideas?


2009/12/2 Howard Chu <hyc@symas.com>:
> jarbas.junior@gmail.com wrote:
>> Full_Name: Jarbas Peixoto Junior
>> Version: 2.4.11 / 2.4.17 / 2.4.20
>> OS: Gnu/Linux Debian
>> URL: ftp://ftp.openldap.org/incoming/
>> Submission from: (NULL) (200.152.34.143)
>>
>> [...]
>>
>> The question is: why access all entries in LDAP?
>
> Don't know. This would have to be the result of a search operation, but
> there is no search code in ppolicy.c. Since ppolicy cannot be the culprit,
> we'll need to see the rest of your config to track down the issue.
>
> --
> -- Howard Chu
> CTO, Symas Corp. http://www.symas.com
> Director, Highland Sun http://highlandsun.com/hyc/
> Chief Architect, OpenLDAP http://www.openldap.org/project/
Please close this ITS. Version 2.4.21 works fine.

Thanks,
Jarbas

2009/12/3 Jarbas Peixoto Júnior <jarbas.junior@gmail.com>:
> Attached is the configuration file of the OpenLDAP Squeeze test server.
>
> [...]
>
> If I keep the following rwm overlay entries, the problem happens again:
>
> moduleload rwm
> overlay rwm
>
> Even with the other rwm overlay settings commented out, the problem continues.
>
> Any ideas?
>
> [...]
changed state Open to Closed