
Re: (ITS#5648) ppolicy controls entries without objectclass pwdPolicy

dieter@dkluenter.de wrote:
> Full_Name: Dieter Kluenter
> Version: 2.4.11
> OS: openSUSE-11.0
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (
> Hello,
> man slapo-ppolicy(5) says that the overlay depends on objectclass pwdPolicy and
> Every account that should be subject to password policy control should have
> pwdPolicySubentry...

As usual, it's important that you read every word in the manpage and not skip 
over anything. The manpage says:

Every account that should be subject to password policy control should have a 
pwdPolicySubentry attribute containing the DN of a valid pwdPolicy entry, or 
they can simply use the configured default.

This means the pwdPolicy entry is some other entry, not that user entries must 
have the pwdPolicy class. Yes, the overlay depends on the pwdPolicy class 
because entries of pwdPolicy class must be used to store the policy 
definitions. It doesn't say that user entries must have pwdPolicy class and it 
would be stupid to store the policy definitions in the user entries. And it 
would be pointless to require a pwdPolicySubentry attribute to point to the 
relevant policy if the policy was simply stored in the user entry.

Use your brain.

This ITS will be closed.

> But ppolicy is controlling every entry, even those without attribute pwdPolicy
> and attribute pwdPolicySubentry.
> I have created a test entry, which is not subject to password policy but got
> locked out after 3 binds with wrong password.
> dn: cn=pw tester,o=avci,c=de
> cn: pw tester
> createTimestamp: 20080808132851Z
> creatorsName: cn=admin,o=avci,c=de
> description: Password Tester
> entryCSN: 20080808132851.203028Z#000000#000#000000
> entryDN: cn=pw tester,o=avci,c=de
> entryUUID: af06a7e2-f999-102c-8d8e-df96a2a401d4
> hasSubordinates: FALSE
> modifiersName: cn=admin,o=avci,c=de
> modifyTimestamp: 20080808132851Z
> objectClass: person
> pwdAccountLockedTime: 20080808133126Z
> pwdChangedTime: 20080808132851Z
> pwdFailureTime: 20080808133058Z
> pwdFailureTime: 20080808133109Z
> pwdFailureTime: 20080808133126Z
> sn: tester
> structuralObjectClass: person
> subschemaSubentry: cn=Subschema
> userPassword: tested
> -Dieter

   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
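An added example, not part of this thread or of OpenLDAP's sources, that models the rule spelled out in the reply: an entry's effective policy is the pwdPolicy entry named by its pwdPolicySubentry attribute, otherwise the one configured with `ppolicy_default`, and a plain `person` entry with neither attribute is still governed by the default. The policy DNs, the `pwdMaxFailure` value of 3 and the "exempt" user are constructed assumptions; the three failure timestamps are the ones from the report. The lockout bookkeeping is simplified (no `pwdFailureCountInterval` expiry, no `pwdLockoutDuration` unlock).

```python
"""Model of how slapo-ppolicy selects a policy and records failed binds.

Added example, not OpenLDAP code. Attribute and objectClass names are the
real pwdPolicy schema names; entries, DNs and values are constructed.
"""
from copy import deepcopy

# Constructed policy entries. Only entries of objectClass pwdPolicy can hold
# policy definitions; user entries never carry this class themselves.
POLICIES = {
    "cn=default,ou=policies,o=avci,c=de": {
        "objectClass": ["top", "device", "pwdPolicy"],
        "pwdAttribute": "userPassword",
        "pwdMaxFailure": 3,      # assumed: matches the lockout after 3 bad binds
        "pwdLockout": True,
    },
    "cn=lenient,ou=policies,o=avci,c=de": {
        "objectClass": ["top", "device", "pwdPolicy"],
        "pwdAttribute": "userPassword",
        "pwdMaxFailure": 0,      # 0: failures never trigger a lockout
        "pwdLockout": True,
    },
}

# What `overlay ppolicy` + `ppolicy_default <dn>` in slapd.conf would set.
# Set to None to model a configuration with no default policy.
PPOLICY_DEFAULT = "cn=default,ou=policies,o=avci,c=de"

# Constructed user entries. PW_TESTER mirrors the reporter's entry: a plain
# person with no pwdPolicySubentry. EXEMPT_USER points at the lenient policy.
PW_TESTER = {
    "dn": "cn=pw tester,o=avci,c=de",
    "objectClass": ["person"],
    "cn": "pw tester",
    "sn": "tester",
}
EXEMPT_USER = {
    "dn": "cn=exempt,o=avci,c=de",
    "objectClass": ["person"],
    "pwdPolicySubentry": "cn=lenient,ou=policies,o=avci,c=de",
}

# Failure timestamps as they appear in the report.
ATTEMPTS = ["20080808133058Z", "20080808133109Z", "20080808133126Z"]


def effective_policy(entry, policies, default_dn):
    """Return (policy_dn, policy) governing `entry`, or (None, None).

    pwdPolicySubentry wins; otherwise the configured default applies.
    A reference to a missing entry or one without the pwdPolicy class yields
    no policy (simplification: real slapd would reject such a reference).
    """
    dn = entry.get("pwdPolicySubentry", default_dn)
    if dn is None:
        return None, None
    policy = policies.get(dn)
    if policy is None or "pwdPolicy" not in policy["objectClass"]:
        return None, None
    return dn, policy


def record_bind_failure(entry, policies, default_dn, when):
    """Apply a failed bind to `entry` in place and return it.

    If a policy governs the entry, append a pwdFailureTime; once the count
    reaches pwdMaxFailure (non-zero) with pwdLockout TRUE, set
    pwdAccountLockedTime to the time of the final failure.
    """
    _, policy = effective_policy(entry, policies, default_dn)
    if policy is None:
        return entry  # no policy at all: ppolicy records nothing
    failures = entry.setdefault("pwdFailureTime", [])
    failures.append(when)
    max_failure = policy.get("pwdMaxFailure", 0)
    if policy.get("pwdLockout") and max_failure and len(failures) >= max_failure:
        entry.setdefault("pwdAccountLockedTime", when)
    return entry


def simulate(entry, policies, default_dn, attempts):
    """Replay a series of failed binds against a copy of `entry`."""
    result = deepcopy(entry)
    for when in attempts:
        record_bind_failure(result, policies, default_dn, when)
    return result


if __name__ == "__main__":
    for user in (PW_TESTER, EXEMPT_USER):
        dn, _ = effective_policy(user, POLICIES, PPOLICY_DEFAULT)
        after = simulate(user, POLICIES, PPOLICY_DEFAULT, ATTEMPTS)
        print(f"{user['dn']}: policy={dn} "
              f"locked={'pwdAccountLockedTime' in after}")
```

Running it shows the reporter's situation: `cn=pw tester` resolves to the default policy and ends up with three `pwdFailureTime` values and a `pwdAccountLockedTime` equal to the third, while the entry that names the lenient policy via `pwdPolicySubentry` is not locked. With `PPOLICY_DEFAULT` set to `None` and no subentry, no policy applies and nothing is recorded, which is the only way an entry escapes ppolicy entirely.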