[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: ppolicy overlay unable to set pwdAccountLockedTime on to-be-locked users due to ACLs
- To: openldap-technical@openldap.org
- Subject: Re: ppolicy overlay unable to set pwdAccountLockedTime on to-be-locked users due to ACLs
- From: Matthieu Cerda <kegeruneku+openldap@ironflake.org>
- Date: Thu, 22 Dec 2016 11:23:28 +0100
- Dkim-signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ironflake.org; h= user-agent:message-id:references:in-reply-to:subject:subject :from:from:date:date:content-type:content-type:mime-version :received:received; s=berkano; t=1482402208; x=1484216609; bh=H0 H6bgb8VmZKmwt/PewtAXlr2TauucjFpdOeM15nNTw=; b=YIkEZYrrJ90IiTWL4V FEbAni9NOMvJbvJVE/1rcjOz7c7NgxI8uKlFLEoJAuLoAn5h8fyF34RmD9qEQ7iw I3n1zbHscGX/vqDPIrmO3tF+120/ThFlB1991tTco5MewtrosPWwBa8kOVQDFLoC o8XwEk6dgMMmiem3lPsnv75ec=
- In-reply-to: <e198790c-7e28-354b-c67e-41d8e12aa779@symas.com>
- References: <5e90d04befa90e72a414a447ab2995db@ironflake.org> <WM!a627752d55829ff9e4035bf19272d3bad5fdf8397e9dafdbe6c18995baabf9de8d608c8b7e4a902ec66d357d475a3668!@mailstronghold-1.zmailcloud.com> <e198790c-7e28-354b-c67e-41d8e12aa779@symas.com>
- User-agent: Roundcube Webmail/1.2.0
Hello Howard and Ozgur,
My answers are inlined in the following text.
I attached a copy of the slapd.conf if you would like to take a look.
Thanks for taking the time to answer my questions, it's appreciated.
Have a nice day !
Howard Chu wrote :
Matthieu Cerda wrote:
Hello folks,
I just stumbled upon a (maybe not) surprising technical issue with my
OpenLDAP setup: ppolicy seems unable to update pwdAccountLockedTime on
my users.
(...)
The documentation (http://www.openldap.org/doc/admin24/overlays.html)
advises nothing about ACLs.
That is not the documentation, that is only a guide. The manpages are
the authoritative documentation.
Got it, i was misled by the '/doc' in the URL I guess.
Is this and issue or a misconfiguration ?
Read the slapo-ppolicy(5) manpage.
(Note: the default password policy I use has pwdLockout: TRUE,
pwdMaxFailure: 3 and pwdLockoutDuration:0)
The manpage says nothing about ACL's except: 'Note that some of the
policies do not take effect when the operation is performed with the
rootdn identity; all the operations, when performed with any other
identity, may be subjected to constraints, like access control.'
To clarify, I'm obviously not testing the ppolicy on a rootdn (the
database does not have any actually), it is a random user without any
specific privilege (besides beeing allowed access to * with read rights
when authenticated).
My current understanding of ppolicy pwdLockout attribute is that when a
user exceeds its pwdMaxFailure count when pwdLockout is TRUE, the
overlay itself sets pwdAccountLockedTime internally according to the
pwdLockoutDuration value, bypassing ACLs (in this case, my setup should
work). If it is not the case, who needs write access to the attribute ?
Do I need a rootdn set, even if I do not use it, for this to work
properly maybe ?
Thanks in advance,
Ozgur Karatas wrote:
Hello,
The "deleted access denied by read" error has been fixed to OpenLDAP
next version, I remember.
I think it was from that slapo-ppolicy and has been fix in the 2.4.11
version.
http://www.openldap.org/devel/cvsweb.cgi/Attic/CHANGES
Well this is a 2.4.40 OpenLDAP, it should be OK then ?
---8<---
# slapd -V
@(#) $OpenLDAP: slapd (Jan 16 2016 23:00:08) $
root@chimera:/tmp/buildd/openldap-2.4.40+dfsg/debian/build/servers/slapd
---8<---
I also tried with LTB project's 2.4.44 release with the same results,
so I doubt this is a known bug (or even a bug at all), I think my
configuration is incorrect but I am currently incapable or seeing why.
Regards,
--
Ozgur Karatas
#######################################################################
# Global Directives:
# Features to permit
#allow bind_v2
# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/ppolicy.schema
# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile /var/run/slapd/slapd.pid
# List of arguments that were passed to the server
argsfile /var/run/slapd/slapd.args
# Read slapd.conf(5) for possible values
loglevel none
# Where the dynamically loaded modules are stored
modulepath /usr/lib/ldap
moduleload back_mdb
# Load overlays
moduleload ppolicy
moduleload syncprov
# The maximum number of entries that is returned for a search operation
sizelimit 500
# The tool-threads parameter sets the actual amount of cpu's that is used
# for indexing.
tool-threads 1
# Default password hashing algorithm
password-hash {SSHA}
# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
access to attrs=userPassword,shadowLastChange
by dn="uid=mcerda,ou=people,dc=company,dc=com" write
by self write
by anonymous auth
by * none
# Ensure read access to the base for things like
# supportedSASLMechanisms. Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possible other things) to work
# happily.
access to dn.base="" by * read
# The admin dn has full write access, everyone else
# can read everything.
access to *
by dn="uid=mcerda,ou=people,dc=company,dc=com" write
by users read
by * none
# For Netscape Roaming support, each user gets a roaming
# profile for which they have write access to
#access to dn=".*,ou=Roaming,o=morsnet"
# by dn="uid=mcerda,ou=people,dc=company,dc=com" write
# by dnattr=owner write
# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.
#######################################################################
# Specific Backend Directives for mdb:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend mdb
#######################################################################
# Specific Directives for database #1, of type mdb:
# Database specific directives apply to this databasse until another
# 'database' directive occurs
database mdb
# The base of your directory in database #1
suffix "dc=company,dc=com"
# Enable ppolicy
overlay ppolicy
# Default ppolicy configuration
ppolicy_default "cn=default,ou=policies,dc=company,dc=com"
ppolicy_use_lockout
ppolicy_hash_cleartext
# rootdn directive for specifying a superuser on the database. This is needed
# for syncrepl.
# rootdn "cn=admin,dc=company,dc=com"
# Where the database file are physically stored for database #1
directory "/var/lib/ldap"
# Maximun db size
maxsize 536870912
# Indexing options for database #1
index objectClass eq
# Save the time that the entry gets modified, for database #1
lastmod on
# Checkpoint the BerkeleyDB database periodically in case of system
# failure and to speed slapd shutdown.
checkpoint 512 30
#######################################################################
# Specific Directives for database #2, of type 'other' (can be mdb too):
# Database specific directives apply to this databasse until another
# 'database' directive occurs
#database <other>
# The base of your directory for database #2
#suffix "dc=debian,dc=org"