
Re: ppolicy in back_ldap?



> On 04/22/2010 12:26 PM, masarati@aero.polimi.it wrote:
>>>
>>> On 04/22/2010 11:38 AM, masarati@aero.polimi.it wrote:
>>>
>>>>> Hey guys,
>>>>>
>>>>>
>>>> Hi.  What version?  Also, it's not clear (to me) whether you're
>>>> configuring slapo-ppolicy also on the proxy.  If this is the case, I
>>>> think you're not doing the right thing.
>>>>
>>>>
>>> 2.4.18
>>> I have ppolicy set up on both masters as well as the proxy (as an
>>> overlay to back_ldap) because it was the only way I could see the
>>> values from the masters when queries were made to the proxy (which I
>>> need to be able to do).
>>>
>> Not sure what you mean by "see"; do you mean they be returned in search
>> requests?  This, from a proxy standpoint, should not be an issue, as
>> they are treated much like any other attribute.  Did you load
>> ppolicy.schema on the proxy server?  Do ACLs allow to return them?  Are
>> you explicitly requesting operational attributes?
>>
> By 'see' I do mean search requests directed at the proxy.  If the ACLs
> are fine when searching on the masters then it should be fine on the
> proxy, right (the proxy relies on the masters for ACLs)?

It depends on how you configure things, that's why I'm asking.  If the
proxy has no ACLs, then anything the remote host returns is passed to the
client.  Otherwise, the proxy performs its own checking (which, obviously,
can only further restrict).  I'm asking because you are hiding essential
information on how your system is configured, and that doesn't help
helping.

> The schema is loading and yes I am requesting operational attributes

How are you requesting operational attributes?  Did you add '+' to the
requested attrs?

> but this is through phpLDAPadmin's "show internal attributes" button.
> Maybe I'll try through the ldapsearch tool next time I am ready to try a
> few more things.

Yes, I was assuming (since you didn't tell) that you were using
ldapsearch.  Please make sure what's being requested (by looking at both
the proxy's and the remote host's logs).  Check, don't assume.

> I've noticed the following in the logs though which confuses me even more:
>
> PROXIED attributeDescription "PWDHISTORY" inserted.
> PROXIED attributeDescription "PWDPOLICYSUBENTRY" inserted.
> PROXIED attributeDescription "PWDCHANGEDTIME" inserted.
> PROXIED attributeDescription "PWDCHANGEDTIME" inserted.

This is a clear indication the schema is ***not*** loaded.  That's why I
asked.  The ppolicy schema is loaded by default when slapo-ppolicy is
built statically in slapd.  Otherwise you need to either load
ppolicy.schema, or load the ppolicy.la module.  In any case, the schema
must be present also on the proxy, even though the proxy does not need to
have the overlay instantiated.  It would be waaaaaay easier if you posted
your remote host & proxy configuration, and detailed how OpenLDAP was
built (namely, static or dynamic modules).

p.
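The two checks the reply above asks for, written out as an added example; this is not code from the thread or from the OpenLDAP project. The first pulls the attribute names out of the "PROXIED attributeDescription ... inserted." log lines, which slapd emits when the remote server returns an attribute that no loaded schema on the proxy defines. The second tests whether a slapd.conf fragment loads the ppolicy schema at all, either as an "include" of ppolicy.schema or as a "moduleload" of ppolicy.la. The log excerpt and the two config fragments are constructed, and the hostnames and paths in them are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenLDAP.
# Two checks for the situation in the reply: (1) list the attribute names
# slapd had to register on the fly because no loaded schema defines them,
# and (2) check whether a slapd.conf fragment loads the ppolicy schema.

# Constructed proxy log excerpt, shaped like the lines the poster quoted.
SAMPLE_LOG='PROXIED attributeDescription "PWDHISTORY" inserted.
PROXIED attributeDescription "PWDPOLICYSUBENTRY" inserted.
PROXIED attributeDescription "PWDCHANGEDTIME" inserted.
PROXIED attributeDescription "PWDCHANGEDTIME" inserted.
conn=1001 op=2 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(uid=jdoe)"'

# Print, once each, the attribute names slapd reported as unknown to its
# schema.  An empty result means the loaded schema covered every attribute
# the remote server returned.
unknown_attrs() {
    printf '%s\n' "$1" \
        | sed -n 's/^PROXIED attributeDescription "\([^"]*\)" inserted\.$/\1/p' \
        | sort -u
}

# Constructed proxy configs (hostnames and paths are assumptions).
# CONF_MISSING is the kind of config that produces the log lines above on a
# slapd built with ppolicy as a dynamic module: back-ldap is set up, but
# nothing defines the pwd* attributes.
CONF_MISSING='include /etc/openldap/schema/core.schema
database ldap
suffix "dc=example,dc=com"
uri "ldap://master1.example.com/"'

# CONF_FIXED loads ppolicy.schema; a moduleload of ppolicy.la would also do,
# and a slapd with slapo-ppolicy built in statically needs neither.
CONF_FIXED='include /etc/openldap/schema/core.schema
include /etc/openldap/schema/ppolicy.schema
database ldap
suffix "dc=example,dc=com"
uri "ldap://master1.example.com/"'

# Exit 0 if the config includes ppolicy.schema or loads the ppolicy module.
has_ppolicy_schema() {
    printf '%s\n' "$1" | grep -Eq \
        '^[[:space:]]*(include[[:space:]]+.*ppolicy\.schema|moduleload[[:space:]]+.*ppolicy(\.la)?)[[:space:]]*$'
}

# Stand-alone run: report on the constructed samples.
missing=$(unknown_attrs "$SAMPLE_LOG")
if [ -n "$missing" ]; then
    echo "proxy log shows attributes no loaded schema defines:"
    echo "$missing"
fi
for name in CONF_MISSING CONF_FIXED; do
    eval "conf=\$$name"
    if has_ppolicy_schema "$conf"; then
        echo "$name: ppolicy schema loaded"
    else
        echo "$name: ppolicy schema NOT loaded"
    fi
done
```

To confirm what the proxy actually returns once the schema is loaded, request the operational attributes explicitly, e.g. ldapsearch -x -H ldap://proxy.example.com/ -D "cn=admin,dc=example,dc=com" -W -b "dc=example,dc=com" "(uid=jdoe)" "*" "+" (hostname and DNs are assumptions), and read the proxy's and the master's logs for that operation rather than trusting a GUI button. One caveat on the config check: it only tells you whether the schema is loaded from slapd.conf, so on a slapd where slapo-ppolicy was built statically the schema is already present and adding ppolicy.schema on top of it makes slapd refuse to start with a duplicate attributeType definition; check how slapd was built before deciding which fix applies.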