Issue 8208 - ppolicy supportedControl not visible in root DSE
Summary: ppolicy supportedControl not visible in root DSE
Status: VERIFIED FIXED
Alias: None
Product: OpenLDAP
Classification: Unclassified
Component: slapd
Version: unspecified
Hardware: All All
Importance: --- normal
Target Milestone: ---
Assignee: OpenLDAP project
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-07-29 18:04 UTC by robert.brooks@reporo.com
Modified: 2017-09-14 19:50 UTC

Description robert.brooks@reporo.com 2015-07-29 18:04:30 UTC
Full_Name: Robert Brooks
Version: openldap-2.4.41
OS: Ubuntu 14.04
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (38.99.38.134)


Hi,

with the ppolicy overlay loaded (and functioning), the root DSE is the following:

structuralObjectClass: OpenLDAProotDSE
configContext: cn=config
namingContexts: dc=ldap,dc=example,dc=org
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.4203.1.10.1
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.826.0.1.3344810.2.3
supportedControl: 1.3.6.1.1.13.2
supportedControl: 1.3.6.1.1.13.1
supportedControl: 1.3.6.1.1.12
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedExtension: 1.3.6.1.1.8
supportedFeatures: 1.3.6.1.1.14
supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
supportedFeatures: 1.3.6.1.4.1.4203.1.5.2
supportedFeatures: 1.3.6.1.4.1.4203.1.5.3
supportedFeatures: 1.3.6.1.4.1.4203.1.5.4
supportedFeatures: 1.3.6.1.4.1.4203.1.5.5
supportedLDAPVersion: 3
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: CRAM-MD5
entryDN:
subschemaSubentry: cn=Subschema

I would expect to see output similar to...

http://docs.forgerock.org/en/opendj/2.6.0/dev-guide/index/chap-getting-directory-info.html#read-root-dse
specifically line 12 (and maybe line 40).

I believe this is why the following pam_ldap config:

# Search the root DSE for the password policy (works
# with Netscape Directory Server)
pam_lookup_policy yes

does not make pam_ldap interact with password policies when they are
configured in OpenLDAP.

Regards,

Rob
Comment 1 Howard Chu 2015-07-29 18:27:12 UTC
robert.brooks@reporo.com wrote:
> Full_Name: Robert Brooks
> Version: openldap-2.4.41
> OS: Ubuntu 14.04
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (38.99.38.134)
>
>
> Hi,
>
> with the ppolicy overlay loaded (and functioning), the root DSE is the following:

> I believe this is why the following pam_ldap config:
>
> # Search the root DSE for the password policy (works
> # with Netscape Directory Server)
> pam_lookup_policy yes
>
> does not make pam_ldap interact with password policies when they are
> configured in OpenLDAP.

No. That controls compatibility with the obsolete/non-standard 
Netscape-specific password policy attributes.

But pam_ldap itself is also obsolete. Pretty sure Ubuntu ships with nslcd and 
nss-pam-ldapd now.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/

Comment 2 Michael Ströder 2015-07-29 18:29:20 UTC
robert.brooks@reporo.com wrote:
> with the ppolicy overlay loaded (and functioning), the root DSE is the following:
> [..]
> I would expect to see output similar to...
> 
> http://docs.forgerock.org/en/opendj/2.6.0/dev-guide/index/chap-getting-directory-info.html#read-root-dse
> specifically line 12 (and maybe line 40).

It's a bit hard to follow line number references in a web page. :-/
But I guess you mean the OIDs coming from draft-vchu-ldap-pwd-policy [1].

Note that AFAIK OpenDJ supports the old draft-vchu-ldap-pwd-policy, which is very
outdated and not supported by LDAP servers without Netscape roots.

slapo-ppolicy implements draft-behera-ldap-password-policy [2].

> # Search the root DSE for the password policy (works
> # with Netscape Directory Server)
> pam_lookup_policy yes
> 
> does not make pam_ldap interact with password policies when they are
> configured in OpenLDAP.

Using pam_ldap is NOT recommended nowadays for a bunch of reasons. Use
nss-pam-ldapd, sssd or OpenLDAP's slapo-nssov. AFAIK all of them support
draft-behera-ldap-password-policy.

But such usage discussion belongs on the openldap-technical mailing list and
not in the ITS.

Ciao, Michael.

[1] https://tools.ietf.org/html/draft-vchu-ldap-pwd-policy

[2] https://tools.ietf.org/html/draft-behera-ldap-password-policy

Comment 3 Howard Chu 2015-10-25 08:50:11 UTC
changed state Open to Closed
Comment 4 come@opensides.be 2017-09-14 15:05:00 UTC
Hello,

I'm not sure I understand the outcome of the discussion here. Why is 1.3.6.1.4.1.42.2.27.8.5.1 absent from the supportedControl returned by the rootDSE?
(1.3.6.1.4.1.42.2.27.8.5.1 being LDAP_CONTROL_PASSWORDPOLICYREQUEST)
This prevents clients from knowing that the server supports ppolicy.

Côme

Comment 5 Michael Ströder 2017-09-14 19:50:46 UTC
come@opensides.be wrote:
> I'm not sure I understand the outcome of the discussion
> here. Why is 1.3.6.1.4.1.42.2.27.8.5.1 absent from the
> supportedControl returned by the rootDSE?
> (1.3.6.1.4.1.42.2.27.8.5.1 being
> LDAP_CONTROL_PASSWORDPOLICYREQUEST) This prevents clients
> from knowing that the server supports ppolicy.

Frankly I can't imagine how to make it more clear than I already 
did. Please re-read my follow-up here:

https://www.openldap.org/its/index.cgi?findid=8208#followup2

Especially note that the original poster did *not* mention OID 
1.3.6.1.4.1.42.2.27.8.5.1 to be missing.
(It's present in all my OpenLDAP servers.)
The original poster asked for another outdated password policy 
mechanism.

Ciao, Michael.
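As an added example (not part of this ITS thread and not OpenLDAP project code), here is a stdlib-only Python check for the question raised in comments 4 and 5: parse an ldapsearch dump of the root DSE and report whether the draft-behera password policy request control, OID 1.3.6.1.4.1.42.2.27.8.5.1, is among the supportedControl values. The sample root DSE is a constructed copy of the supportedControl values pasted in the original report; the second sample adds the ppolicy OID to show the positive case.

```python
import base64
from collections import defaultdict

# Password policy request control from draft-behera-ldap-password-policy
# (LDAP_CONTROL_PASSWORDPOLICYREQUEST in OpenLDAP's ldap.h).
PPOLICY_CONTROL_OID = "1.3.6.1.4.1.42.2.27.8.5.1"


def parse_root_dse(text):
    """Parse ldapsearch 'attr: value' output into {lowercase_attr: [values]}.
    Handles 'attr:: <base64>' values and leading-space continuation lines."""
    attrs = defaultdict(list)
    last = None  # attribute a continuation line would extend
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue  # blank line or ldapsearch comment
        if raw.startswith(" ") and last is not None:  # LDIF folded line
            attrs[last][-1] += raw[1:]
            continue
        name, sep, value = raw.partition(":")
        if not sep:
            continue  # not an attribute line
        name = name.strip().lower()  # LDAP attribute names are case-insensitive
        if value.startswith(":"):  # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        attrs[name].append(value)
        last = name
    return dict(attrs)


def advertises_ppolicy(attrs):
    """True if the parsed root DSE lists the ppolicy request control."""
    return PPOLICY_CONTROL_OID in attrs.get("supportedcontrol", [])


# Constructed sample: the supportedControl values pasted in the original report.
REPORTED_ROOT_DSE = """\
namingContexts: dc=ldap,dc=example,dc=org
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.4203.1.10.1
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.826.0.1.3344810.2.3
supportedControl: 1.3.6.1.1.13.2
supportedControl: 1.3.6.1.1.13.1
supportedControl: 1.3.6.1.1.12
supportedLDAPVersion: 3
"""
# Constructed sample: the same server once it advertises the ppolicy control.
PPOLICY_ROOT_DSE = REPORTED_ROOT_DSE + f"supportedControl: {PPOLICY_CONTROL_OID}\n"
```

Feed it the output of `ldapsearch -x -s base -b "" '+'` against a live server to see which case applies; a server that lacks the OID will not have clients such as nss-pam-ldapd or sssd sending the ppolicy request control.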