[Date Prev][Date Next] [Chronological] [Thread] [Top]

Password change problem after adding ppolicy

To: openldap-software@openldap.org
Subject: Password change problem after adding ppolicy
From: Simon Gao <gao@schrodinger.com>
Date: Mon, 11 Jun 2007 18:08:41 -0700
User-agent: Thunderbird 2.0.0.0 (X11/20070521)

Hi,

I am trying to make ppolicy work when chain overlay is also configured.

Password lockout works. But changing password stopped working after
adding ppolicy.  Here is part of log for changing password on a client
that binds to one consumer:

==============================================================================
Jun 11 17:20:18 ldap2 slapd[4090]: do_modify
Jun 11 17:20:18 ldap2 slapd[4090]: do_modify: dn
(uid=user1,ou=people,dc=example,dc=com)
Jun 11 17:20:18 ldap2 slapd[4090]: >>> dnPrettyNormal:
<uid=user1,ou=people,dc=example,dc=com>
Jun 11 17:20:18 ldap2 slapd[4090]: <<< dnPrettyNormal:
<uid=user1,ou=people,dc=example,dc=com>,
<uid=user1,ou=people,dc=example,dc=com>
Jun 11 17:20:18 ldap2 slapd[4090]: modifications:
Jun 11 17:20:18 ldap2 slapd[4090]:      replace: userPassword
Jun 11 17:20:18 ldap2 slapd[4090]:              one value, length 41
Jun 11 17:20:18 ldap2 slapd[4090]: conn=17 op=7 MOD
dn="uid=user1,ou=people,dc=example,dc=com"
Jun 11 17:20:18 ldap2 slapd[4090]: conn=17 op=7 MOD attr=userPassword
Jun 11 17:20:18 ldap2 slapd[4090]:
bdb_dn2entry("uid=user1,ou=people,dc=example,dc=com")
Jun 11 17:20:18 ldap2 slapd[4090]: send_ldap_result: conn=17 op=7 p=3
Jun 11 17:20:18 ldap2 slapd[4090]: send_ldap_result: err=10 matched=""
text=""
Jun 11 17:20:18 ldap2 slapd[4090]: send_ldap_result:
referral="ldaps://provider/uid=user1,ou=people,dc=example,dc=com"
Jun 11 17:20:18 ldap2 slapd[4090]: >>> dnPrettyNormal:
<uid=user1,ou=people,dc=example,dc=com>
Jun 11 17:20:18 ldap2 slapd[4090]: <<< dnPrettyNormal:
<uid=user1,ou=people,dc=example,dc=com>,
<uid=user1,ou=people,dc=example,dc=com>
Jun 11 17:20:18 ldap2 slapd[4090]: send_ldap_result: conn=17 op=7 p=3
Jun 11 17:20:18 ldap2 slapd[4090]: send_ldap_result: err=50 matched=""
text="Must supply old password to be changed as well as new one"
Jun 11 17:20:18 ldap2 slapd[4090]: send_ldap_result: conn=17 op=7 p=3
Jun 11 17:20:18 ldap2 slapd[4090]: send_ldap_result: err=10 matched=""
text=""
Jun 11 17:20:18 ldap2 slapd[4090]: send_ldap_result:
referral="ldaps://provider/uid=user1,ou=people,dc=example,dc=com"
Jun 11 17:20:18 ldap2 slapd[4090]: send_ldap_response: msgid=8 tag=103
err=10
Jun 11 17:20:18 ldap2 slapd[4090]: send_ldap_response:
ref="ldaps://provider/uid=user1,ou=people,dc=example,dc=com"
Jun 11 17:20:18 ldap2 slapd[4090]: conn=17 op=7 RESULT tag=103 err=10 text=
===============================================================================

Even though both old and new password were given, they seems not being
passed over to provider.

With chain overlay, how should I set up ppolicy so that real user's
password being passed along to provider properly?

My provider slapd.conf set up is:

.....
index nisMapName,nisMapEntry            eq,pres,sub
index entryCSN,entryUUID                eq

overlay ppolicy
ppolicy_default "cn=passwdpolicy,ou=policies,dc=example,dc=com"
ppolicy_use_lockout

overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

Simon

Follow-Ups:
- Re: Password change problem after adding ppolicy
  - From: Simon Gao <gao@schrodinger.com>
- Re: Password change problem after adding ppolicy
  - From: Pierangelo Masarati <ando@sys-net.it>

Prev by Date: Re: Does chain overlay support sasl binding?
Next by Date: Regarding backend database in openldap !!
Index(es):
- Chronological
- Thread