[Date Prev][Date Next] [Chronological] [Thread] [Top]

SASL not honoring slapo-ppolicy

To: openldap-technical@openldap.org
Subject: SASL not honoring slapo-ppolicy
From: Achilleas Mantzios <achill@matrix.gatewaynet.com>
Date: Thu, 10 Jul 2014 11:12:16 +0300
User-agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:24.0) Gecko/20100101 Thunderbird/24.3.0

Hello list,
I have managed successfully to setup a fully functional openldap server on FreeBSD.
So far, I had success with : ppolicy, ACLs, legacy SQL exposed as LDAP, SASL authentication.
My only problem thus far is combining SASL with ppolicy. When binding with classic simple
authentication using -D dn, then ppolicy overlay has the expected effect.
However when using SASL (SASL/SCRAM-SHA-1) with -U, while it works correctly converting uid to DN
with authz-regexp, it does not seem to look for ppolicy (default or derived from pwdPolicySubentry).
Moreover, enforced violations of ppolicy (e.g. failed attempted authentications >= pwdMaxFailure)
when done via SASL seem to have no effect on ppolicy attributes, e.g. pwdAccountLockedTime,
while they work fine when binding with simple authentication.

Is there any way to overcome this? Or is ppolicy honored only via simple DN binds?

--
Achilleas Mantzios
Head of IT DEV
IT DEPT
Dynacom Tankers Mgmt

Follow-Ups:
- Re: SASL not honoring slapo-ppolicy
  - From: Howard Chu <hyc@symas.com>

Prev by Date: Antw: Re: creating a cn=config modules
Next by Date: Re: SASL not honoring slapo-ppolicy
Index(es):
- Chronological
- Thread