(ITS#9046) Regex Constraint Overlay Error
Full_Name: María Rojo González
Version: 2.4.44
OS: CentOS Linux release 7.6.1810
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (212.0.110.2)
Hello,
We installed a fresh OpenLDAP server and created the following test backend:
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 a008278f
dn: olcDatabase={3}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {3}hdb
olcDbDirectory: /var/lib/ldap2
olcSuffix: dc=example,dc=org
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=example,dc=org" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by self write by dn="cn=admin,dc=example,dc=org" write by * read
olcLastMod: TRUE
olcRootDN: cn=admin,dc=example,dc=org
olcRootPW:: e1NTSEF9RnZwTERwWkFQRlhId012TnhBWXpkemY3b0JUN2tNR3M=
olcDbCheckpoint: 512 30
olcDbIndex: objectClass eq
structuralObjectClass: olcHdbConfig
entryUUID: 238efe88-303a-1039-97b5-d1f261d139b7
creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
createTimestamp: 20190701105301Z
entryCSN: 20190701105301.031755Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20190701105301Z
Then we added the following constraint using ldapadd:
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib64/openldap/
olcModuleLoad: constraint.la

dn: olcOverlay=constraint,olcDatabase={3}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcConstraintConfig
olcOverlay: constraint
olcConstraintAttribute: userPassword regex ^[^{].*
Finally, we tested some combinations of passwords and constraints (replacing the
previous olcConstraintAttribute) and these are the results:
#  Operation   Password  Constraint  Result
1  ldapmodify  hola      ^[^{].*     err=0
2  ldapmodify  {hola     ^[^{].*     err=19
3  ldappasswd  hola      ^[^{].*     err=19
4  ldappasswd  {hola     ^[^{].*     err=19
5  ldapmodify  hola      ^[^H].*     err=0
6  ldapmodify  Hola      ^[^H].*     err=19
7  ldappasswd  hola      ^[^H].*     err=0
8  ldappasswd  Hola      ^[^H].*     err=0
where the ldapmodify was executed as follows:
ldapmodify -x -D "cn=person1,ou=people,dc=example,dc=org" -W
Enter LDAP Password:
dn: cn=person1,ou=people,dc=example,dc=org
changetype: modify
replace: userPassword
userPassword: hola
modifying entry "cn=person1,ou=people,dc=example,dc=org"
and ldappasswd was run as such:
ldappasswd -x -D "cn=person1,ou=people,dc=example,dc=org" -w pass -a pass -s hola
Result: Constraint violation (19)
The unexpected results were:
#  Operation   Password  Constraint  Result
3  ldappasswd  hola      ^[^{].*     err=19
8  ldappasswd  Hola      ^[^H].*     err=0
Here is some sample output from the slapd log files:
Jul 1 18:18:42 pruebasldap2 slapd[7160]: conn=1112 fd=26 ACCEPT from IP=[::1]:33328 (IP=[::]:389)
Jul 1 18:18:42 pruebasldap2 slapd[7160]: conn=1112 op=0 BIND dn="cn=person1,ou=people,dc=example,dc=org" method=128
Jul 1 18:18:42 pruebasldap2 slapd[7160]: conn=1112 op=0 BIND dn="cn=person1,ou=people,dc=example,dc=org" mech=SIMPLE ssf=0
Jul 1 18:18:42 pruebasldap2 slapd[7160]: conn=1112 op=0 RESULT tag=97 err=0 text=
Jul 1 18:18:42 pruebasldap2 slapd[7160]: conn=1112 op=1 EXT oid=1.3.6.1.4.1.4203.1.11.1
Jul 1 18:18:42 pruebasldap2 slapd[7160]: conn=1112 op=1 PASSMOD old new
Jul 1 18:18:42 pruebasldap2 slapd[7160]: conn=1112 op=1 RESULT oid= err=19 text=(#001
Jul 1 18:18:42 pruebasldap2 slapd[7160]: conn=1112 op=2 UNBIND
Jul 1 18:18:42 pruebasldap2 slapd[7160]: conn=1112 fd=26 closed
Note the strange text on the RESULT. We consistently found the same error text
when we executed test #3.
Do you know what may be causing this behaviour?
Thank you in advance.
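
An added check, not part of the original report and not OpenLDAP code: it replays the eight rows of the results table under two models of which value the constraint regex is applied to. It assumes (the report does not state this) that slapd hashes the new password to a {SSHA} value during the Password Modify extended operation before the overlay evaluates it; the salt and all function names are constructed for the example.

```python
import base64
import hashlib
import re

SALT = b"\x01\x02\x03\x04"  # constructed salt; real servers use random bytes

# (row, operation, password, constraint regex, observed err) from the report's table
OBSERVED = [
    (1, "ldapmodify", "hola", r"^[^{].*", 0),
    (2, "ldapmodify", "{hola", r"^[^{].*", 19),
    (3, "ldappasswd", "hola", r"^[^{].*", 19),
    (4, "ldappasswd", "{hola", r"^[^{].*", 19),
    (5, "ldapmodify", "hola", r"^[^H].*", 0),
    (6, "ldapmodify", "Hola", r"^[^H].*", 19),
    (7, "ldappasswd", "hola", r"^[^H].*", 0),
    (8, "ldappasswd", "Hola", r"^[^H].*", 0),
]

def ssha(cleartext: bytes, salt: bytes = SALT) -> str:
    """Salted SHA-1 userPassword value: {SSHA} + base64(sha1(pw + salt) + salt)."""
    digest = hashlib.sha1(cleartext + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def value_checked(operation: str, password: str, hash_exop: bool) -> str:
    """Value the regex is applied to under the chosen model."""
    if hash_exop and operation == "ldappasswd":
        return ssha(password.encode())  # assumption: hashed before the overlay runs
    return password  # ldapmodify: the value exactly as the client sent it

def predicted_err(operation, password, pattern, hash_exop):
    """0 (success) if the value matches the constraint, else 19 (constraintViolation)."""
    value = value_checked(operation, password, hash_exop)
    return 0 if re.search(pattern, value) else 19

def mismatches(hash_exop: bool) -> list:
    """Row numbers whose observed err differs from the model's prediction."""
    return [row for row, op, pw, rx, seen in OBSERVED
            if predicted_err(op, pw, rx, hash_exop) != seen]

if __name__ == "__main__":
    print("cleartext model disagrees on rows:", mismatches(False))
    print("hashed-exop model disagrees on rows:", mismatches(True))
```

Under the cleartext model the disagreements are exactly the two rows the report lists as unexpected; under the hashed model all eight rows agree.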