OpenLDAP
Viewing Incoming/8208

From: robert.brooks@reporo.com
Subject: ppolicy supportedControl not visible in root DSE

Date: Wed, 29 Jul 2015 18:04:30 +0000
From: robert.brooks@reporo.com
To: openldap-its@OpenLDAP.org
Subject: ppolicy supportedControl not visible in root DSE
Full_Name: Robert Brooks
Version: openldap-2.4.41
OS: Ubuntu 14.04
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (38.99.38.134)


Hi,

with ppolicy overlay loaded (and functioning) the following root DSE is:

structuralObjectClass: OpenLDAProotDSE
configContext: cn=config
namingContexts: dc=ldap,dc=example,dc=org
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.4203.1.10.1
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.826.0.1.3344810.2.3
supportedControl: 1.3.6.1.1.13.2
supportedControl: 1.3.6.1.1.13.1
supportedControl: 1.3.6.1.1.12
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedExtension: 1.3.6.1.1.8
supportedFeatures: 1.3.6.1.1.14
supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
supportedFeatures: 1.3.6.1.4.1.4203.1.5.2
supportedFeatures: 1.3.6.1.4.1.4203.1.5.3
supportedFeatures: 1.3.6.1.4.1.4203.1.5.4
supportedFeatures: 1.3.6.1.4.1.4203.1.5.5
supportedLDAPVersion: 3
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: CRAM-MD5
entryDN:
subschemaSubentry: cn=Subschema

I would expect to see output similar to...

http://docs.forgerock.org/en/opendj/2.6.0/dev-guide/index/chap-getting-directory-info.html#read-root-dse
specifically line 12 (and maybe line 40).

I believe this is why the following pam_ldap config:

# Search the root DSE for the password policy (works
# with Netscape Directory Server)
pam_lookup_policy yes

does not make pam_ldap interact with password policies when configured
against OpenLDAP.

Regards,

Rob

Followup 1

Subject: Re: (ITS#8208) ppolicy supportedControl not visible in root DSE
To: robert.brooks@reporo.com, openldap-its@OpenLDAP.org
From: Howard Chu <hyc@symas.com>
Date: Wed, 29 Jul 2015 19:27:12 +0100
robert.brooks@reporo.com wrote:
> Full_Name: Robert Brooks
> Version: openldap-2.4.41
> OS: Ubuntu 14.04
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (38.99.38.134)
>
>
> Hi,
>
> with ppolicy overlay loaded (and functioning) the following root DSE is:

> I believe this is why the following pam_ldap config:
>
> # Search the root DSE for the password policy (works
> # with Netscape Directory Server)
> pam_lookup_policy yes
>
> does not make pam_ldap interact with password policies when configured
> against OpenLDAP.

No. That controls compatibility with the obsolete/non-standard 
Netscape-specific password policy attributes.

But pam_ldap itself is also obsolete. Pretty sure Ubuntu ships with nslcd and 
nss-pam-ldapd now.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/



Followup 2

Date: Wed, 29 Jul 2015 20:29:20 +0200
From: Michael Ströder <michael@stroeder.com>
To: robert.brooks@reporo.com, openldap-its@OpenLDAP.org
Subject: Re: (ITS#8208) ppolicy supportedControl not visible in root DSE
robert.brooks@reporo.com wrote:
> with ppolicy overlay loaded (and functioning) the following root DSE is:
> [..]
> I would expect to see output similar to...
>
> http://docs.forgerock.org/en/opendj/2.6.0/dev-guide/index/chap-getting-directory-info.html#read-root-dse
> specifically line 12 (and maybe line 40).

It's a bit hard to follow line number references in a web page. :-/
But I guess you mean the OIDs coming from draft-vchu-ldap-pwd-policy [1].

Note that AFAIK OpenDJ supports old draft-vchu-ldap-pwd-policy which is very
outdated and not supported by LDAP servers without Netscape roots.

slapo-ppolicy implements draft-behera-ldap-password-policy [2].

> # Search the root DSE for the password policy (works
> # with Netscape Directory Server)
> pam_lookup_policy yes
>
> does not make pam_ldap interact with password policies when configured
> against OpenLDAP.

Using pam_ldap is NOT recommended nowadays for a bunch of reasons. Use
nss-pam-ldapd, sssd or OpenLDAP's slapo-nssov. AFAIK all of them support
draft-behera-ldap-password-policy.

But such usage discussion belongs on the openldap-technical mailing list and
not in the ITS.

Ciao, Michael.

[1] https://tools.ietf.org/html/draft-vchu-ldap-pwd-policy

[2] https://tools.ietf.org/html/draft-behera-ldap-password-policy





Followup 3

From: Côme Chilliet <come@opensides.be>
To: openldap-its@openldap.org
Cc: robert.brooks@reporo.com
Subject: Re: (ITS#8208) ppolicy supportedControl not visible in root DSE
Date: Thu, 14 Sep 2017 17:05:00 +0200
Hello,

I'm not sure I understand the outcome of the discussion here, why is 1.3.6.1.4.1.42.2.27.8.5.1 absent from the supportedControl returned by the rootDSE?
(1.3.6.1.4.1.42.2.27.8.5.1 being LDAP_CONTROL_PASSWORDPOLICYREQUEST)
This prevents clients from knowing that the server supports ppolicy.

Côme



Followup 4

Subject: Re: (ITS#8208) ppolicy supportedControl not visible in root DSE
To: come@opensides.be, openldap-its@OpenLDAP.org
From: Michael Ströder <michael@stroeder.com>
Date: Thu, 14 Sep 2017 21:50:46 +0200
come@opensides.be wrote:
> I'm not sure I understand the outcome of the discussion
> here, why is 1.3.6.1.4.1.42.2.27.8.5.1 absent from the
> supportedControl returned by the rootDSE?
> (1.3.6.1.4.1.42.2.27.8.5.1 being
> LDAP_CONTROL_PASSWORDPOLICYREQUEST) This prevents clients from
> knowing that the server supports ppolicy.

Frankly I can't imagine how to make it more clear than I already 
did. Please re-read my follow-up here:

https://www.openldap.org/its/index.cgi?findid=8208#followup2

Especially note that the original poster did *not* mention OID 
1.3.6.1.4.1.42.2.27.8.5.1 to be missing.
(It's present in all my OpenLDAP servers.)
The original poster asked for another outdated password policy 
mechanism.

Ciao, Michael.
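A small root DSE checker for the question raised in followups 3 and 4, added here as an example; it is not from the ITS, OpenLDAP or pam_ldap. It parses an LDIF root DSE dump (handling folded continuation lines and base64 values) and reports whether the draft-behera ppolicy control OID 1.3.6.1.4.1.42.2.27.8.5.1 is advertised in supportedControl; the sample dumps are a subset of the report's listing and a constructed variant with the OID present.

```python
import base64
from typing import Dict, List

# LDAP_CONTROL_PASSWORDPOLICYREQUEST (draft-behera), the OID asked about in followup 3.
PPOLICY_CONTROL_OID = "1.3.6.1.4.1.42.2.27.8.5.1"

def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Parse one LDIF entry (e.g. a root DSE dump) into attribute -> values.
    Handles folded continuation lines (leading space), comments and
    base64 values ("attr:: <b64>"), as a root DSE reader must."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]  # join a folded continuation line
        else:
            unfolded.append(raw)
    attrs: Dict[str, List[str]] = {}
    for line in unfolded:
        if not line.strip() or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):  # "attr:: base64"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs

def advertises_ppolicy(root_dse_ldif: str) -> bool:
    """True if the root DSE lists the ppolicy request control in supportedControl."""
    return PPOLICY_CONTROL_OID in parse_ldif_entry(root_dse_ldif).get("supportedControl", [])

# Subset of the root DSE pasted in the original report (no ppolicy control OID).
REPORTED_ROOT_DSE = """\
structuralObjectClass: OpenLDAProotDSE
namingContexts: dc=ldap,dc=example,dc=org
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.4203.1.10.1
entryDN:
"""

# Constructed variant that advertises the control, folded across two lines as LDIF allows.
WITH_PPOLICY = REPORTED_ROOT_DSE + "supportedControl: 1.3.6.1.4.1.42.2.27.\n 8.5.1\n"

if __name__ == "__main__":
    print("reported:", advertises_ppolicy(REPORTED_ROOT_DSE))  # False
    print("constructed:", advertises_ppolicy(WITH_PPOLICY))  # True
```

A plain grep for the full OID would miss the folded value in the constructed dump; unfolding first is what makes the check reliable against real ldapsearch output.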


© Copyright 2013, OpenLDAP Foundation, info@OpenLDAP.org