[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ppolicy overlay unable to set pwdAccountLockedTime on to-be-locked users due to ACLs



Matthieu Cerda wrote:
Hello folks,

I just stumbled upon a (maybe not) surprising technical issue with my
OpenLDAP setup: ppolicy seems unable to update pwdAccountLockedTime on
my users.

Setup:

* OpenLDAP 2.4.40(+dfsg-1+deb8u2) on Debian jessie

* Password policy and ACLs:

---8<---
dn: cn=default,ou=policies,dc=company,dc=com
objectClass: top
objectClass: person
objectClass: pwdPolicy
cn: passwordDefault
cn: default
pwdAttribute: userPassword
sn: passwordDefault
pwdAllowUserChange: TRUE
pwdCheckQuality: 0
pwdExpireWarning: 0
pwdFailureCountInterval: 0
pwdGraceAuthNLimit: 0
pwdInHistory: 3
pwdLockout: TRUE
pwdLockoutDuration: 300
pwdMaxAge: 0
pwdMaxFailure: 3
pwdMinAge: 0
pwdMinLength: 8
pwdMustChange: FALSE
pwdSafeModify: FALSE
---8<---

---8<---
access to attrs=userPassword,shadowLastChange
        by dn="uid=mcerda,ou=people,dc=company,dc=com" write
        by self write
        by anonymous auth
        by * none

access to dn.base="" by * read

access to *
        by dn="uid=mcerda,ou=people,dc=company,dc=com" write
        by users read
        by * none
---8<---

* pwdFailureTime gets updated on each failed login attempt on users
until pwdMaxFailure is reached (3)

* Testing for account locking is done both by observing we appearance in
user object and using '-e ppolicy' on ldapsearch (ppolicy_use_lockout is
enabled)

Everytime an user reaches pwdMaxFailure count, the debug log (level
65535) gives:

---8<---
585947a5 => mdb_entry_get: found entry:
"cn=default,ou=policies,dc=company,dc=com"
585947a5 mdb_entry_get: rc=0
585947a5 mdb_modify: uid=fbar,ou=people,dc=company,dc=com
585947a5 slap_queue_csn: queueing 0x65696ef4bce0
20161220150053.705334Z#000000#000#000000
585947a5 mdb_dn2entry("uid=fbar,ou=people,dc=company,dc=com")
585947a5 => mdb_dn2id("uid=fbar,ou=people,dc=company,dc=com")
585947a5 <= mdb_dn2id: got id=0x9
585947a5 => mdb_entry_decode:
585947a5 <= mdb_entry_decode
585947a5 mdb_modify_internal: 0x00000009:
uid=fbar,ou=people,dc=company,dc=com
585947a5 => access_allowed: result not in cache (pwdAccountLockedTime)
585947a5 => access_allowed: delete access to
"uid=fbar,ou=people,dc=company,dc=com" "pwdAccountLockedTime" requested
585947a5 => dn: [2]
585947a5 => acl_get: [3] attr pwdAccountLockedTime
585947a5 => acl_mask: access to entry
"uid=fbar,ou=people,dc=company,dc=com", attr "pwdAccountLockedTime"
requested
585947a5 => acl_mask: to all values by "", (=0)
585947a5 <= check a_dn_pat: uid=mcerda,ou=people,dc=company,dc=com
585947a5 <= check a_dn_pat: users
585947a5 <= check a_dn_pat: anonymous
585947a5 <= acl_mask: [3] applying read(=rscxd) (stop)
585947a5 <= acl_mask: [3] mask: read(=rscxd)
585947a5 => slap_access_allowed: delete access denied by read(=rscxd)
585947a5 => access_allowed: no more rules
585947a5 mdb_modify: modify failed (50)
585947a5 send_ldap_result: conn=1000 op=0 p=3
585947a5 send_ldap_result: err=50 matched="" text=""
585947a5 slap_graduate_commit_csn: removing 0x6569601047f0
20161220150053.705334Z#000000#000#000000
585947a5 send_ldap_response: msgid=1 tag=97 err=49
---8<---

I can't see a reason why the update gets denied. Setting the global ACL to:

---8<---
access to *
        by dn="uid=mcerda,ou=people,dc=company,dc=com" write
        by * write
---8<---

fixes the issue (but I obviously not want an open bar slapd).

The documentation (http://www.openldap.org/doc/admin24/overlays.html)
advises nothing about ACLs.

That is not the documentation, that is only a guide. The manpages are the authoritative documentation.

Is this and issue or a misconfiguration ?

Read the slapo-ppolicy(5) manpage.

Thanks in advance,

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/