Issue 6411 - Possible bug in Overlay pPolicy
Summary: Possible bug in Overlay pPolicy
Status: VERIFIED FIXED
Product: OpenLDAP
Component: slapd
Version: unspecified
Assignee: OpenLDAP project

Reported: 2009-12-02 20:25 UTC by jarbas.junior@gmail.com
Modified: 2010-01-06 18:35 UTC (History)
Attachments
ldap-squeeze.tgz (2.83 KB, application/x-gzip)
2009-12-03 11:55 UTC, jarbas.junior@gmail.com
Description jarbas.junior@gmail.com 2009-12-02 20:25:20 UTC
Full_Name: Jarbas Peixoto Junior
Version: 2.4.11 / 2.4.17 / 2.4.20
OS: Gnu/Linux Debian
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (200.152.34.143)


Possible bug in Overlay pPolicy

I have OpenLDAP installed via the Debian Lenny package functioning normally.

To test the Debian Squeeze version, I installed the slapd package
(2.4.17-2.1) on the test machine with the same setup as on Debian Lenny (2.4.11).

However, when testing the pPolicy overlay, I noticed that an authentication
with a wrong password runs through all objects in the LDAP database, causing a
"delay" that does not exist in the Lenny version.

Below is some information that may be useful in detecting the problem:

File: slapd.conf
====================
moduleload      ppolicy
overlay ppolicy
ppolicy_default	"cn=default,ou=LdapPassword,ou=Politicas,ou=Builtin,dc=previdencia,dc=gov,dc=br"
ppolicy_use_lockout
====================

ldapsearch -LLL -x -H ldap://squeeze \
  -b ou=LdapPassword,ou=Politicas,ou=Builtin,dc=previdencia,dc=gov,dc=br \
  '(cn=default)'
dn: cn=default,ou=LdapPassword,ou=Politicas,ou=Builtin,dc=previdencia,dc=gov,d
 c=br
objectClass: top
objectClass: device
objectClass: pwdPolicy
pwdAttribute: userPassword
description:: UG9sw610aWNhIGRlIFNlbmhhIERlZmF1bHQgcGFyYSB0b2RvcyB1c3XDoXJpb3M=
pwdAllowUserChange: TRUE
pwdFailureCountInterval: 3600
pwdGraceAuthNLimit: 5
pwdInHistory: 0
pwdLockoutDuration: 60
pwdMaxAge: 7776000
pwdMinAge: 0
pwdMinLength: 6
pwdSafeModify: FALSE
pwdCheckQuality: 1
pwdExpireWarning: 600
cn: default
pwdMustChange: FALSE
pwdMaxFailure: 10
pwdLockout: FALSE

date ; ldapsearch -LLL -x -H ldap://squeeze \
  -b ou=usuarios,dc=previdencia,dc=gov,dc=br \
  -D uid=jarbas.peixoto,ou=pessoas,ou=usuarios,dc=previdencia,dc=gov,dc=br \
  -w wrong-password '(uid=jarbas.peixoto)' \
  cn mail pwdFailureTime pwdAccountLockedTime modifyTimeStamp ; date
Qua Dez  2 16:14:56 AMST 2009
ldap_bind: Invalid credentials (49)
Qua Dez  2 16:15:36 AMST 2009

ldapsearch -LLL -x -H ldap://squeeze \
  -b ou=usuarios,dc=previdencia,dc=gov,dc=br \
  '(uid=jarbas.peixoto)' \
  cn mail pwdFailureTime pwdAccountLockedTime modifyTimeStamp
dn: uid=jarbas.peixoto,ou=Pessoas,ou=Usuarios,dc=previdencia,dc=gov,dc=br
mail: jarbas.peixoto@previdencia.gov.br
cn: Jarbas Peixoto Junior
pwdAccountLockedTime: 20091202161422Z
pwdFailureTime: 20091202162324Z
pwdFailureTime: 20091202162805Z
pwdFailureTime: 20091202162925Z
pwdFailureTime: 20091202164558Z
pwdFailureTime: 20091202164702Z
pwdFailureTime: 20091202165016Z
pwdFailureTime: 20091202181310Z
pwdFailureTime: 20091202182914Z
pwdFailureTime: 20091202183248Z
pwdFailureTime: 20091202190153Z
pwdFailureTime: 20091202191147Z
pwdFailureTime: 20091202191544Z
pwdFailureTime: 20091202191644Z
modifyTimestamp: 20091202191724Z

date ; ldapsearch -LLL -x -H ldap://squeeze \
  -b ou=usuarios,dc=previdencia,dc=gov,dc=br \
  -D uid=jarbas.peixoto,ou=pessoas,ou=usuarios,dc=previdencia,dc=gov,dc=br \
  -w wrong-password '(uid=jarbas.peixoto)' \
  cn mail pwdFailureTime pwdAccountLockedTime modifyTimeStamp ; date
Qua Dez  2 16:19:03 AMST 2009
ldap_bind: Invalid credentials (49)
Qua Dez  2 16:19:44 AMST 2009

ldapsearch -LLL -x -H ldap://squeeze \
  -b ou=usuarios,dc=previdencia,dc=gov,dc=br \
  '(uid=jarbas.peixoto)' \
  cn mail pwdFailureTime pwdAccountLockedTime modifyTimeStamp
dn: uid=jarbas.peixoto,ou=Pessoas,ou=Usuarios,dc=previdencia,dc=gov,dc=br
mail: jarbas.peixoto@previdencia.gov.br
cn: Jarbas Peixoto Junior
pwdAccountLockedTime: 20091202161422Z
pwdFailureTime: 20091202162324Z
pwdFailureTime: 20091202162805Z
pwdFailureTime: 20091202162925Z
pwdFailureTime: 20091202164558Z
pwdFailureTime: 20091202164702Z
pwdFailureTime: 20091202165016Z
pwdFailureTime: 20091202181310Z
pwdFailureTime: 20091202182914Z
pwdFailureTime: 20091202183248Z
pwdFailureTime: 20091202190153Z
pwdFailureTime: 20091202191147Z
pwdFailureTime: 20091202191544Z
pwdFailureTime: 20091202191644Z
pwdFailureTime: 20091202192051Z
modifyTimestamp: 20091202192133Z

I tried to identify any problems that may be in the logs. I did the following:

/etc/init.d/slapd stop
Stopping OpenLDAP: slapd.

> /var/log/debug

/etc/init.d/slapd start
Starting OpenLDAP: slapd.

tail /var/log/debug -n 50
Dec  2 18:01:59 squeeze slapd[21772]: <= root access granted 
Dec  2 18:01:59 squeeze slapd[21772]: => access_allowed: search access granted
by manage(=mwrscxd) 
Dec  2 18:01:59 squeeze slapd[21772]: => access_allowed: search access to
"uid=fnsi807249521$,ou=Windows,ou=Hosts,dc=previdencia,dc=gov,dc=br"
"objectClass" requested 
Dec  2 18:01:59 squeeze slapd[21772]: <= root access granted 
Dec  2 18:01:59 squeeze slapd[21772]: => access_allowed: search access granted
by manage(=mwrscxd) 
Dec  2 18:01:59 squeeze slapd[21772]: => access_allowed: search access to
"uid=douglas.dcosta,ou=Pessoas,ou=Usuarios,dc=previdencia,dc=gov,dc=br"
"objectClass" requested 
Dec  2 18:01:59 squeeze slapd[21772]: <= root access granted 
Dec  2 18:01:59 squeeze slapd[21772]: => access_allowed: search access granted
by manage(=mwrscxd) 
Dec  2 18:01:59 squeeze slapd[21772]: => access_allowed: search access to
"uid=fnsi813149827$,ou=Windows,ou=Hosts,dc=previdencia,dc=gov,dc=br"
"objectClass" requested 
Dec  2 18:01:59 squeeze slapd[21772]: <= root access granted 
Dec  2 18:01:59 squeeze slapd[21772]: => access_allowed: search access granted
by manage(=mwrscxd) 
Dec  2 18:01:59 squeeze slapd[21772]: => access_allowed: search access to
"uid=fnsi813149622$,ou=Windows,ou=Hosts,dc=previdencia,dc=gov,dc=br"
"objectClass" requested 
Dec  2 18:01:59 squeeze slapd[21772]: <= root access granted 
Dec  2 18:01:59 squeeze slapd[21772]: => access_allowed: search access granted
by manage(=mwrscxd) 
Dec  2 18:01:59 squeeze slapd[21772]: => access_allowed: search access to
"uid=fnsi808649957$,ou=Windows,ou=Hosts,dc=previdencia,dc=gov,dc=br"
"objectClass" requested 
Dec  2 18:01:59 squeeze slapd[21772]: <= root access granted 
Dec  2 18:01:59 squeeze slapd[21772]: => access_allowed: search access granted
by manage(=mwrscxd) 
Dec  2 18:01:59 squeeze slapd[21772]: => access_allowed: search access to
"uid=apssc-fcn333$,ou=Windows,ou=Hosts,dc=previdencia,dc=gov,dc=br"
"objectClass" requested 
Dec  2 18:01:59 squeeze slapd[21772]: <= root access granted 
Dec  2 18:01:59 squeeze slapd[21772]: => access_allowed: search access granted
by manage(=mwrscxd) 
Dec  2 18:01:59 squeeze slapd[21772]: => access_allowed: search access to
"uid=fnsi808638963$,ou=Windows,ou=Hosts,dc=previdencia,dc=gov,dc=br"
"objectClass" requested 
Dec  2 18:01:59 squeeze slapd[21772]: <= root access granted 
Dec  2 18:01:59 squeeze slapd[21772]: => access_allowed: search access granted
by manage(=mwrscxd) 
Dec  2 18:01:59 squeeze slapd[21772]: => access_allowed: search access to
"uid=mgapssba055$,ou=Windows,ou=Hosts,dc=previdencia,dc=gov,dc=br" "objectClass"
requested 
Dec  2 18:01:59 squeeze slapd[21772]: <= root access granted 
Dec  2 18:01:59 squeeze slapd[21772]: => access_allowed: search access granted
by manage(=mwrscxd) 
Dec  2 18:01:59 squeeze slapd[21772]: => access_allowed: search access to
"uid=fnsi808644351$,ou=Windows,ou=Hosts,dc=previdencia,dc=gov,dc=br"
"objectClass" requested 
Dec  2 18:01:59 squeeze slapd[21772]: <= root access granted 
Dec  2 18:01:59 squeeze slapd[21772]: => access_allowed: search access granted
by manage(=mwrscxd) 
Dec  2 18:01:59 squeeze slapd[21772]: => access_allowed: search access to
"uid=fnsi813148464$,ou=Windows,ou=Hosts,dc=previdencia,dc=gov,dc=br"
"objectClass" requested 
Dec  2 18:01:59 squeeze slapd[21772]: <= root access granted 
Dec  2 18:01:59 squeeze slapd[21772]: => access_allowed: search access granted
by manage(=mwrscxd) 
Dec  2 18:01:59 squeeze slapd[21772]: => access_allowed: search access to
"uid=fnsi813148430$,ou=Windows,ou=Hosts,dc=previdencia,dc=gov,dc=br"
"objectClass" requested 
Dec  2 18:01:59 squeeze slapd[21772]: <= root access granted 
Dec  2 18:01:59 squeeze slapd[21772]: => access_allowed: search access granted
by manage(=mwrscxd) 
Dec  2 18:01:59 squeeze slapd[21772]: => access_allowed: search access to
"uid=fnsi808643444$,ou=Windows,ou=Hosts,dc=previdencia,dc=gov,dc=br"
"objectClass" requested 
Dec  2 18:01:59 squeeze slapd[21772]: <= root access granted 
Dec  2 18:01:59 squeeze slapd[21772]: => access_allowed: search access granted
by manage(=mwrscxd) 
Dec  2 18:01:59 squeeze slapd[21772]: => access_allowed: search access to
"uid=admin.udsl,ou=Servicos,ou=Usuarios,dc=previdencia,dc=gov,dc=br"
"objectClass" requested 
Dec  2 18:01:59 squeeze slapd[21772]: <= root access granted 
Dec  2 18:01:59 squeeze slapd[21772]: => access_allowed: search access granted
by manage(=mwrscxd) 
Dec  2 18:01:59 squeeze slapd[21772]: => access_allowed: search access to
"uid=admin.listas,ou=Servicos,ou=Usuarios,dc=previdencia,dc=gov,dc=br"
"objectClass" requested 
Dec  2 18:01:59 squeeze slapd[21772]: <= root access granted 
Dec  2 18:01:59 squeeze slapd[21772]: => access_allowed: search access granted
by manage(=mwrscxd) 
Dec  2 18:01:59 squeeze slapd[21772]: => bdb_entry_get: found entry:
"uid=jarbas.peixoto,ou=pessoas,ou=usuarios,dc=previdencia,dc=gov,dc=br" 
Dec  2 18:01:59 squeeze slapd[21772]: => bdb_entry_get: found entry:
"cn=default,ou=ldappassword,ou=politicas,ou=builtin,dc=previdencia,dc=gov,dc=br"

Dec  2 18:01:59 squeeze slapd[21772]: => bdb_entry_get: found entry:
"uid=jarbas.peixoto,ou=pessoas,ou=usuarios,dc=previdencia,dc=gov,dc=br" 
Dec  2 18:01:59 squeeze slapd[21772]: <= acl_access_allowed: granted to database
root 
Dec  2 18:01:59 squeeze slapd[21772]: conn=1000 op=0 RESULT tag=97 err=49 text=

Dec  2 18:01:59 squeeze slapd[21772]: conn=1000 fd=15 closed (connection lost)

grep 'access_allowed: search access to' /var/log/debug | wc -l
83714

The question is: why does it access all entries in LDAP?

Does anyone have any tips, or could it be an as yet unidentified bug?

As a test, I installed version 2.4.20 and saw the same behavior.

Best Regards,
Jarbas
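
The log check used in the report above (counting "access_allowed: search access to" lines around a failed bind), as an added example that is not part of the original report or of OpenLDAP. It assumes a slapd debug log in syslog format with one message per line and a quiet test server, so ACL lines are attributed to the next RESULT line of the same slapd process; the function names and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example: count the ACL search checks slapd logs before each Bind
# result, to spot a failed bind that walks the whole database.

# acl_checks_per_bind LOGFILE
# Prints one line per Bind RESULT (tag=97): "<pid> <conn> <err> <checks>"
acl_checks_per_bind() {
    awk '
    # Pull the PID out of "slapd[21772]:" so each process has its own counter.
    function pid_of(line) {
        if (match(line, /slapd\[[0-9]+\]/))
            return substr(line, RSTART + 6, RLENGTH - 7)
        return "?"
    }
    /access_allowed: search access to/ { checks[pid_of($0)]++; next }
    /RESULT tag=/ {
        p = pid_of($0)
        if ($0 ~ /RESULT tag=97/) {
            conn = "?"; err = "?"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^conn=/) conn = substr($i, 6)
                if ($i ~ /^err=/)  err  = substr($i, 5)
            }
            printf "%s %s %s %d\n", p, conn, err, checks[p]
        }
        # Any finished operation resets the counter (approximation: the ACL
        # debug lines carry no conn= tag, so this is exact only when idle).
        checks[p] = 0
    }
    ' "$1"
}

# flag_bind_scans LOGFILE THRESHOLD
# Keeps only failed binds (err=49) preceded by at least THRESHOLD ACL checks.
flag_bind_scans() {
    acl_checks_per_bind "$1" | awk -v t="$2" '$3 == 49 && $4 >= t'
}

# write_sample_log PATH: constructed sample lines, not taken from the report.
write_sample_log() {
    cat > "$1" <<'EOF'
Dec  2 18:01:59 squeeze slapd[21772]: => access_allowed: search access to "uid=user1,ou=people,dc=example,dc=com" "objectClass" requested
Dec  2 18:01:59 squeeze slapd[21772]: <= root access granted
Dec  2 18:01:59 squeeze slapd[21772]: => access_allowed: search access to "uid=user2,ou=people,dc=example,dc=com" "objectClass" requested
Dec  2 18:01:59 squeeze slapd[21772]: => access_allowed: search access to "uid=user3,ou=people,dc=example,dc=com" "objectClass" requested
Dec  2 18:01:59 squeeze slapd[21772]: conn=1000 op=0 RESULT tag=97 err=49 text=
Dec  2 18:02:05 squeeze slapd[21772]: conn=1001 op=0 RESULT tag=97 err=0 text=
EOF
}

# Usage: sh this_script.sh /var/log/debug [threshold]
if [ "$#" -ge 1 ]; then
    flag_bind_scans "$1" "${2:-1000}"
fi
```

A bind that only touches the user entry and its policy entry should report a count near zero; a count close to the number of entries in the database matches the behavior described in this report.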


Comment 1 Quanah Gibson-Mount 2009-12-03 00:55:33 UTC
--On Wednesday, December 02, 2009 8:25 PM +0000 jarbas.junior@gmail.com 
wrote:

> Full_Name: Jarbas Peixoto Junior
> Version: 2.4.11 / 2.4.17 / 2.4.20
> OS: Gnu/Linux Debian
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (200.152.34.143)

ppolicy doesn't execute searches.  Please provide your entire slapd.conf, 
minus passwords.

--Quanah


--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration

Comment 2 Howard Chu 2009-12-03 00:57:05 UTC
jarbas.junior@gmail.com wrote:
> Full_Name: Jarbas Peixoto Junior
> Version: 2.4.11 / 2.4.17 / 2.4.20
> OS: Gnu/Linux Debian
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (200.152.34.143)
>
>
> Possible bug in Overlay pPolicy
>
> I have OpenLDAP installed via the Debian Lenny package functioning normally.
>
> To test the Debian Squeeze version, I installed the slapd package
> (2.4.17-2.1) on the test machine with the same setup as on Debian Lenny (2.4.11).
>
> However, when testing the pPolicy overlay, I noticed that an authentication
> with a wrong password runs through all objects in the LDAP database, causing a
> "delay" that does not exist in the Lenny version.
>
> Below is some information that may be useful in detecting the problem:
>
> File: slapd.conf
> ====================
> moduleload      ppolicy
> overlay ppolicy
> ppolicy_default	"cn=default,ou=LdapPassword,ou=Politicas,ou=Builtin,dc=previdencia,dc=gov,dc=br"
> ppolicy_use_lockout
> ====================
>
> ldapsearch -LLL -x -H ldap://squeeze -b
> ou=LdapPassword,ou=Politicas,ou=Builtin,dc=previdencia,dc=gov,dc=br
> '(cn=default)'
> dn: cn=default,ou=LdapPassword,ou=Politicas,ou=Builtin,dc=previdencia,dc=gov,d
>   c=br
> objectClass: top
> objectClass: device
> objectClass: pwdPolicy
> pwdAttribute: userPassword
> description:: UG9sw610aWNhIGRlIFNlbmhhIERlZmF1bHQgcGFyYSB0b2RvcyB1c3XDoXJpb3M=
> pwdAllowUserChange: TRUE
> pwdFailureCountInterval: 3600
> pwdGraceAuthNLimit: 5
> pwdInHistory: 0
> pwdLockoutDuration: 60
> pwdMaxAge: 7776000
> pwdMinAge: 0
> pwdMinLength: 6
> pwdSafeModify: FALSE
> pwdCheckQuality: 1
> pwdExpireWarning: 600
> cn: default
> pwdMustChange: FALSE
> pwdMaxFailure: 10
> pwdLockout: FALSE
>
> date ; ldapsearch -LLL -x -H ldap://squeeze -b
> ou=usuarios,dc=previdencia,dc=gov,dc=br -D
> uid=jarbas.peixoto,ou=pessoas,ou=usuarios,dc=previdencia,dc=gov,dc=br -w
> wrong-password '(uid=jarbas.peixoto)' cn mail pwdFailureTime
> pwdAccountLockedTime modifyTimeStamp ; date
> Qua Dez  2 16:14:56 AMST 2009
> ldap_bind: Invalid credentials (49)
> Qua Dez  2 16:15:36 AMST 2009
>
> grep 'access_allowed: search access to' /var/log/debug | wc -l
> 83714
>
> The question is: why does it access all entries in LDAP?

Don't know. This would have to be the result of a search operation, but there 
is no search code in ppolicy.c. Since ppolicy cannot be the culprit, we'll 
need to see the rest of your config to track down the issue.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/

Comment 3 jarbas.junior@gmail.com 2009-12-03 11:55:24 UTC
Attached is the configuration of the OpenLDAP Squeeze test server.

I made some changes to the file /etc/ldap/slapd.overlay.conf, which is
included by /etc/ldap/slapd.conf, and discovered that the problem is
with the rwm overlay, because when I comment out that overlay the problem
does not appear.

If I keep the following rwm overlay entries, the problem happens again:

moduleload rwm
overlay rwm

Even with the other rwm overlay settings commented out, the problem continues.

Any ideas?


Comment 4 jarbas.junior@gmail.com 2010-01-06 13:53:47 UTC
Please close this ITS.

Version 2.4.21 works fine.

Thanks
Jarbas


Comment 5 ando@openldap.org 2010-01-06 18:35:53 UTC
changed state Open to Closed