[Date Prev][Date Next] [Chronological] [Thread] [Top]

Password Policy and SASL DIGEST-MD5

To: <openldap-technical@openldap.org>
Subject: Password Policy and SASL DIGEST-MD5
From: "alessandro patrissi" <Alessandro.Patrissi@commprove.com>
Date: Fri, 6 Jun 2008 15:34:30 +0200

Hi everyone,

I'm using openldap-2.4.8 and cyrus-sasl-2.1.22.

I've enabled password policy in my OpenLdap Server and I've seen that when I authenticate myself using SASL DIGEST-MD5 I can make any searches even if my account is locked.

In fact I have the following results:

./ldapsearch -b 'uid=apatrissi,ou=people,dc=my-domain,dc=com' -D 'uid=apatrissi,ou=people,dc=my-domain,dc=com' -x -W -e ppolicy '(objectClass=*)'
Enter LDAP Password:
ldap_bind: Invalid credentials (49); Account locked

./ldapsearch -b 'uid=apatrissi,ou=people,dc=my-domain,dc=com' -W -Y DIGEST-MD5 -U apatrissi '(objectClass=*)'
DIGEST-MD5 -U apatrissi '(objectClass=*)'
Enter LDAP Password:
SASL/DIGEST-MD5 authentication started
SASL username: apatrissi
SASL SSF: 128
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <uid=apatrissi,ou=people,dc=my-domain,dc=com> with scope subtree
# filter: (objectClass=*)
# requesting: ALL
#

# apatrissi, people, my-domain.com
dn: uid=apatrissi,ou=people,dc=my-domain,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
ou: people
cn: Alessandro Patrissi
givenName: Alessandro
sn: Patrissi
uid: apatrissi
userPassword:: YWxleA==
mail: alessandro.patrissi@commprove.com
telephoneNumber: +0039
description: test LDAP

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1

Where I can look to solve the problem?

Thanks a lot,

Alessandro Patrissi

Prev by Date: Password policy questions
Next by Date: can syncrepl do this?
Index(es):
- Chronological
- Thread