Full_Name: Robert Brooks
Version: openldap-2.4.41
OS: Ubuntu 14.04
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (38.99.38.134)


Hi,

with ppolicy overlay loaded (and functioning) the following root DSE is:

structuralObjectClass: OpenLDAProotDSE
configContext: cn=config
namingContexts: dc=ldap,dc=example,dc=org
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.4203.1.10.1
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.826.0.1.3344810.2.3
supportedControl: 1.3.6.1.1.13.2
supportedControl: 1.3.6.1.1.13.1
supportedControl: 1.3.6.1.1.12
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedExtension: 1.3.6.1.1.8
supportedFeatures: 1.3.6.1.1.14
supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
supportedFeatures: 1.3.6.1.4.1.4203.1.5.2
supportedFeatures: 1.3.6.1.4.1.4203.1.5.3
supportedFeatures: 1.3.6.1.4.1.4203.1.5.4
supportedFeatures: 1.3.6.1.4.1.4203.1.5.5
supportedLDAPVersion: 3
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: CRAM-MD5
entryDN:
subschemaSubentry: cn=Subschema

I would expect to see output similar to...

http://docs.forgerock.org/en/opendj/2.6.0/dev-guide/index/chap-getting-directory-info.html#read-root-dse

specifically line 12 (and maybe line 40).

I believe this is why the following pam_ldap config:

# Search the root DSE for the password policy (works
# with Netscape Directory Server)
pam_lookup_policy yes

does not make pam_ldap interact with password policies when configured
against OpenLDAP.

Regards,

Rob
robert.brooks@reporo.com wrote:
> Full_Name: Robert Brooks
> Version: openldap-2.4.41
> OS: Ubuntu 14.04
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (38.99.38.134)
>
>
> Hi,
>
> with ppolicy overlay loaded (and functioning) the following root DSE is:

> I believe this is why the following pam_ldap config:
>
> # Search the root DSE for the password policy (works
> # with Netscape Directory Server)
> pam_lookup_policy yes
>
> does not make pam_ldap interact with password policies when configured
> against OpenLDAP.

No. That controls compatibility with the obsolete/non-standard
Netscape-specific password policy attributes.

But pam_ldap itself is also obsolete. Pretty sure Ubuntu ships with nslcd
and nss-pam-ldapd now.

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
robert.brooks@reporo.com wrote:
> with ppolicy overlay loaded (and functioning) the following root DSE is:
> [..]
> I would expect to see output similar to...
>
> http://docs.forgerock.org/en/opendj/2.6.0/dev-guide/index/chap-getting-directory-info.html#read-root-dse
>
> specifically line 12 (and maybe line 40).

It's a bit hard to follow line number references in a web page. :-/

But I guess you mean the OIDs coming from draft-vchu-ldap-pwd-policy [1].

Note that AFAIK OpenDJ supports old draft-vchu-ldap-pwd-policy which is
very outdated and not supported by LDAP servers without Netscape roots.

slapo-ppolicy implements draft-behera-ldap-password-policy [2].

> # Search the root DSE for the password policy (works
> # with Netscape Directory Server)
> pam_lookup_policy yes
>
> does not make pam_ldap interact with password policies when configured
> against OpenLDAP.

Using pam_ldap is NOT recommended nowadays for a bunch of reasons.
Use nss-pam-ldapd, sssd or OpenLDAP's slapo-nssov.
AFAIK all of them support draft-behera-ldap-password-policy.

But such usage discussion belongs on the openldap-technical mailing list
and not in the ITS.

Ciao, Michael.

[1] https://tools.ietf.org/html/draft-vchu-ldap-pwd-policy
[2] https://tools.ietf.org/html/draft-behera-ldap-password-policy
changed state Open to Closed
Hello,

I'm not sure I understand the outcome of the discussion here, why is
1.3.6.1.4.1.42.2.27.8.5.1 absent from the supportedControl returned by the
rootDSE? (1.3.6.1.4.1.42.2.27.8.5.1 being LDAP_CONTROL_PASSWORDPOLICYREQUEST)

This prevents clients from knowing that the server supports ppolicy.

Côme
come@opensides.be wrote:
> I'm not sure I understand the outcome of the discussion
> here, why is 1.3.6.1.4.1.42.2.27.8.5.1 absent from the
> supportedControl returned by the rootDSE?
> (1.3.6.1.4.1.42.2.27.8.5.1 being
> LDAP_CONTROL_PASSWORDPOLICYREQUEST) This prevents clients from
> knowing that the server supports ppolicy.

Frankly I can't imagine how to make it more clear than I already did.
Please re-read my follow-up here:

https://www.openldap.org/its/index.cgi?findid=8208#followup2

Especially note that the original poster did *not* mention OID
1.3.6.1.4.1.42.2.27.8.5.1 to be missing. (It's present in all my OpenLDAP
servers.) The original poster asked for another outdated password policy
mechanism.

Ciao, Michael.
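An added illustration of the check discussed in the last two follow-ups (this is example code, not from the ITS, OpenLDAP or any of the posters): a client learns whether a server offers draft-behera password policy by looking for 1.3.6.1.4.1.42.2.27.8.5.1 in the root DSE's supportedControl, while the Netscape-era draft-vchu mechanism is signalled by its expired/expiring response controls instead. The small LDIF parser, the two draft-vchu control OIDs and the trimmed sample root DSE are assumptions of the example.

```python
# Added example (not from the ITS or OpenLDAP): which password-policy mechanism
# does a root DSE, captured as LDIF, advertise?
import base64

# Request control from draft-behera-ldap-password-policy (slapo-ppolicy).
BEHERA_PPOLICY_CONTROL = "1.3.6.1.4.1.42.2.27.8.5.1"
# Response controls from draft-vchu-ldap-pwd-policy (Netscape heritage).
NETSCAPE_PWD_CONTROLS = {"2.16.840.1.113730.3.4.4": "password expired",
                         "2.16.840.1.113730.3.4.5": "password expiring"}

def parse_ldif_entry(text):
    """Parse one LDIF entry into {lowercased attribute: [values]}, unfolding
    continuation lines and decoding base64 ('attr:: ...') values."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]        # folded continuation line
        else:
            logical.append(raw)
    attrs = {}
    for line in logical:
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):         # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        attrs.setdefault(name.strip().lower(), []).append(value)
    return attrs

def password_policy_support(root_dse_ldif):
    """Which password-policy controls does supportedControl advertise?"""
    controls = set(parse_ldif_entry(root_dse_ldif).get("supportedcontrol", []))
    return {
        "behera_ppolicy": BEHERA_PPOLICY_CONTROL in controls,
        "netscape_controls": sorted(NETSCAPE_PWD_CONTROLS[o]
                                    for o in controls & set(NETSCAPE_PWD_CONTROLS)),
    }

# Constructed sample, trimmed from the root DSE in the original report.
REPORTED_ROOT_DSE = """\
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 1.3.6.1.4.1.4203.1.10.1
supportedLDAPVersion: 3
entryDN:
subschemaSubentry: cn=Subschema
"""
```

Run against the reported root DSE the result is `{'behera_ppolicy': False, 'netscape_controls': []}`; a server with slapo-ppolicy advertising the control flips the first flag to True.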