[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ppolicy: invalid value for attributeType pwAttribute -- for "userPassword"

Chris Shenton skrev, on 22-02-2008 23:53:

I'm running 2.3.39 and using ppolicy to enforce our password policy. Got an LDIF file:

I run ppolicy too at my sites.

dn: cn=npg2810,ou=policies,dc=nasascience,dc=nasa,dc=gov
cn: npg2810
objectClass: top
objectClass: pwdPolicy
objectClass: organizationalRole
objectClass: pwdPolicyChecker
description: OpenLDAP ppolicy to implement NPG2810-like restrictions
pwdAttribute:                   userPassword

When I try to slapadd it, I get an error indicating it doesn't like "userPassword":

sudo sbin/slapadd -l ldifs/6_policies.ldif
str2entry: invalid value for attributeType pwdAttribute #0 (syntax
slapadd: could not parse entry (line=51)

I had this on my FC6 test machine the first time I ever tried out ppolicy. But I'd run the tests in the build directory after building Buchan's srpm and all tests had passed, including test022-ppolicy. Running that test again populated $BUILD_DIR/{testdata,testrun} with data for that test and I noticed that the ldif used for the test used the OID for userPassword, rather than the string. So I put that in my ldif and it worked.

If you notice, you also get for the syntax. According to my present OL 2.4.8 setup, using gq, the correct syntax is{128} (with length).

I've never had it since, have no idea why it ever occurred in the first place.

The ppolicy.schema file says:

#5.2.1  pwdAttribute
#   This holds the name of the attribute to which the password policy is
#   applied.  For example, the password policy may be applied to the
#   userPassword attribute.

attributetype (
      NAME 'pwdAttribute'
      EQUALITY objectIdentifierMatch
      SYNTAX )

Ah. This is interesting, read on ...

And my slapd.conf includes ppolicy.schema in addition to core.schema, cosine.schema, and inetorgperson.schema.

Oddly, replacing the "userPassword" value with a random number, like "42" or "3.14159" causes no error.

I cannot find userPassword defined in any of the schemas, tho it is commented out in core.schema. If I uncomment it from core.schema it complains that it's a dupe:

sbin/slapadd -l ldifs/6_policies.ldif
schema/core.schema: line 244: Duplicate attributeType: ""
slapadd: bad configuration file!

This is because it's built into slapd as a hard-coded entry in $BUILD_DIR/servers/slapd/schema_prep.c. There it is defined as:

       { "userPassword", "( NAME 'userPassword' "
                        "DESC 'RFC4519/2307: password of user' "
                        "EQUALITY octetStringMatch "
                        "SYNTAX{128} )"

Notice the syntax? How it differs from the schema definition?

What am I missing?

That would have to be 1: experience and 2: inventiveness.

FWIW I read draft-behera thoroughly and through the whole draft it stresses that user password MUST be a single value attribute, while the above stanza makes it into a multi-value attribute. In accord with the IETF definition. I filed an ITS about this to which Howard replied words to the effect of "Probably ...". I'd noticed that if a user had access to a GUI such as phpldapAdmin or gq he could give himself whatever extra passwords he wanted and all would work. That is not what I, as admin, want. So I now patch schema_prep.c for all my builds, thus:

{ "userPassword", "( NAME 'userPassword' "
     "DESC 'RFC4519/2307 adapted for draft behera: password of user' "
     "EQUALITY octetStringMatch "

On the one hand IETF decrees that userPassword MUST be multi-value and on the other single-valued, go figure: "let not thy left hand know what thy right hand doeth".



Tony Earnshaw
Email: tonni at hetnet dot nl