[Date Prev][Date Next] [Chronological] [Thread] [Top]
Configuring Password Policy - Control not working

To: openldap-software@OpenLDAP.org
Subject: Configuring Password Policy - Control not working
From: "tj.murphy@virgin.net" <tj.murphy@virgin.net>
Date: Wed, 21 Jun 2006 15:39:57 +0000 (UTC)
Hi,

I've installed openldap-2.3.20 but password policy does not appear to be 
working as I expect.

I initially installed openldap with the following configuration
  ./configure -q --enable-syncprov=no --enable-ppolicy=yes --enable-accesslog=yes
--with-cyrus-sasl=yes

This I believe installed openldap with ppolicy overlay statically linked in.
I ran
  make depend
  make
  make test
and all tests worked ok, including the password policy test22 (from logs, 
it recognised ppolicy was available and didn't just skip the test)

I then installed openldap to the default location
  make install

I edited slapd.conf and added ppolicy overlay commands to the end of the file:
  overlay ppolicy
  ppolicy_default "cn=Standard Policy,ou=Policies,dc=example,dc=org"
and included the schema at the top underneath other schema includes
  include         /usr/local/etc/openldap/schema/ppolicy.schema

Using ldapadd and ldif, I added ppolicy entries

dn: ou=Policies, dc=example,dc=org
objectClass: top
objectClass: organizationalUnit
ou: Policies

dn: cn=Standard Policy, ou=Policies, dc=example,dc=org
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: Standard Policy
pwdAttribute: userPassword
pwdLockoutDuration: 0
pwdInHistory: 6
pwdCheckQuality: 2
pwdExpireWarning: 1000
pwdMaxAge: 30000
pwdMinLength: 5
pwdGraceAuthnLimit: 3
pwdAllowUserChange: TRUE
pwdMustChange: TRUE
pwdMaxFailure: 3
pwdFailureCountInterval: 0
pwdSafeModify: TRUE
pwdLockout: TRUE

I then ran openldap (note: have also configured TLS):
  /usr/local/libexec/slapd -h "ldap:/// ldaps:///" -d -1

but got the following warning:
  WARNING: No dynamic config support for overlay ppolicy.
  config_build_entry: "olcOverlay={0}ppolicy"

I checked if the password policy control was supported
ldapsearch -x -b "" -s base "" supportedFeatures supportedControl supportedExtension

and got something like:
  supportedControl: 1.3.6.1.4.1.4203.1.9.1.1
  supportedControl: 2.16.840.1.113730.3.4.18
  supportedControl: 2.16.840.1.113730.3.4.2
  supportedControl: 1.3.6.1.4.1.4203.1.10.1
  supportedControl: 1.2.840.113556.1.4.319
  supportedControl: 1.2.826.0.1.334810.2.3
  supportedControl: 1.2.826.0.1.3344810.2.3
  supportedControl: 1.3.6.1.1.13.2
  supportedControl: 1.3.6.1.1.13.1
  supportedControl: 1.3.6.1.1.12
  supportedExtension: 1.3.6.1.4.1.1466.20037
  supportedExtension: 1.3.6.1.4.1.4203.1.11.1
  supportedExtension: 1.3.6.1.4.1.4203.1.11.3
  supportedFeatures: 1.3.6.1.1.14
  supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
  supportedFeatures: 1.3.6.1.4.1.4203.1.5.2
  supportedFeatures: 1.3.6.1.4.1.4203.1.5.3
  supportedFeatures: 1.3.6.1.4.1.4203.1.5.4
  supportedFeatures: 1.3.6.1.4.1.4203.1.5.5

but it was missing password policy control 1.3.6.1.4.1.42.2.27.8.5.1

Can anyone help explain why this is the case? 

My custom client is not working, I think the missing control is causing my 
problems.

In an effort to figure out what was going on, I've seen people have entries in 
slapd.conf like this
modulepath    /usr/local/libexec/openldap
moduleload    ppolicy.la

So I tried to get this working (thought it might have something to do with 
dynamic support), however, I failed miserably to get /usr/local/libexec/openldap/ppolicy.
la to build.

  ./configure -q --with-cyrus-sasl=yes --enable-overlays=yes --enable-modules=yes 
--enable-dynamic=yes

or..

./configure -q --enable-syncprov=no --enable-ppolicy=yes --enable-accesslog=yes --
with-cyrus-sasl=yes --enable-overlays=yes  --enable-modules=yes --enable-
dynamic=yes

On investigation, I understand that password policy is not available as a 
dynamic module (http://www.openldap.org/faq/data/cache/362.html) , modules 
are only available to backends !?

My custom client provides request controls, setting the password policy control 
to be critical, i.e. must be supported by the server. This is an extract 
of the debug:

do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt (m}) ber:
=> get_ctrls
ber_scanf fmt ({m) ber:
ber_scanf fmt (b) ber:
=> get_ctrls: oid="1.3.6.1.4.1.42.2.27.8.5.1" (critical)
<= get_ctrls: n=1 rc=2 err="passwordPolicyRequest control invalid criticality"
send_ldap_result: conn=2 op=0 p=3
send_ldap_response: msgid=1 tag=97 err=2
ber_flush: 63 bytes to sd 14
do_bind: get_ctrls failed
connection_get(14): got connid=2
connection_read(14): checking for input on id=2
ber_get_next
TLS trace: SSL3 alert read:warning:close notify

The custom client receives error code 2, which I believe (from http://www.directory-
info.com/LDAP/LDAPErrorCodes.html) is:
2-> LDAP_PROTOCOL_ERROR: Indicates that the server has received an invalid
or malformed request from the client.

I would have expected error code 12 as the server didn't support the control:
12 -> LDAP_UNAVAILABLE_CRITICAL_EXTENSION: Indicates that the LDAP server 
was unable to satisfy a request because one or more critical extensions 
were not available. Either the server does not support the control or the 
control is not appropriate for the operation type.

If anyone can help or point me in a direction where I may be able to get to 
the bottom of this problem, I'd greatly appreciate it.

Thanks
Tony
Follow-Ups:
- Re: Configuring Password Policy - Control not working
  - From: Howard Chu <hyc@symas.com>
Prev by Date: kill ldap: -INT or -HUP
Next by Date: Re: kill ldap: -INT or -HUP
Index(es):
- Chronological
- Thread