[Date Prev][Date Next] [Chronological] [Thread] [Top]

Ppolicy DIGEST-MD5 ignore expired password

To: openldap-software@openldap.org
Subject: Ppolicy DIGEST-MD5 ignore expired password
From: "Jiri Netolicky" <netolish@gmail.com>
Date: Wed, 25 Apr 2007 16:26:46 +0200
Content-disposition: inline

Have a nice day.

I have to implement password policy in our OpenLdap. During testing futures
of ppolicy module I found that they ignore expired password when I authenticate
user by SASL DIGEST-MD5.
When I try on exprired account:

ldapwhoami -xD "cn=Kokos Velky,ou=TestUsers,ou=People,o=Ceske drahy,c=CZ"

the answer is: ldap_bind: Invalid credentials (49)
and in slapd log:

ppolicy_bind: Entry cn=Kokos Velky,ou=TestUsers,ou=People,o=Ceske
drahy,c=CZ has an expired password: 0 grace logins

But when I try

ldapwhoami -Y DIGEST-MD5 -U kokos1

the answer is
SASL/DIGEST-MD5 authentication started
SASL username: kokos1
SASL SSF: 128
SASL installing layers
dn:cn=kokos velky,ou=testusers,ou=people,o=ceske drahy,c=cz
Result: Success (0)

In slapd.conf I have

sasl-regexp
       uid=(.*),cn=digest-md5,cn=auth
       "ldap:///o=Ceske drahy,c=CZ??sub?(&(uid=$1)(|(objectClass=inetOrgPerson)
(objectClass=applicationProcess)))"

What I am doing wrong?

Many thanks for advice.
Jiri Netolicky

Follow-Ups:
- Re: Ppolicy DIGEST-MD5 ignore expired password
  - From: Howard Chu <hyc@symas.com>

Prev by Date: segmentation fault using the refint overlay
Next by Date: Re: Ppolicy DIGEST-MD5 ignore expired password
Index(es):
- Chronological
- Thread