[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ppolicy overlay unable to set pwdAccountLockedTime on to-be-locked users due to ACLs

To: Matthieu Cerda <kegeruneku+openldap@ironflake.org>, "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Subject: Re: ppolicy overlay unable to set pwdAccountLockedTime on to-be-locked users due to ACLs
From: Ozgur Karatas <mueddib@openldap.org>
Date: Wed, 21 Dec 2016 23:44:15 +0200
Authentication-results: mxback4o.mail.yandex.net; dkim=pass header.i=@yandex.com.tr
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yandex.com.tr; s=mail; t=1482356655; bh=2JySBJPyXs11xov44tkNNuI3Mhlre/l0+5h4I7BN0bk=; h=From:To:In-Reply-To:References:Subject:Message-Id:Date; b=FTMnvOrE1UDCO0O3I6a9gM2ePnWDpzjyJ+mrv01NuIqKXjaxWIuue17no38S5CRUO hLadv5v8Ook5sn1JypWAD1quxMCy4e9mL0Pmw0sxackN31utYKIePHsbM/P7/6yLWt Pc9v3VRi8x2sXdyBWHjlrvpVrzPPlOaEZ3HPJga0=
Envelope-from: mueddib@yandex.com.tr
In-reply-to: <5e90d04befa90e72a414a447ab2995db@ironflake.org>
References: <5e90d04befa90e72a414a447ab2995db@ironflake.org>


21.12.2016, 23:34, "Matthieu Cerda" <kegeruneku+openldap@ironflake.org>:
> Hello folks,

Hello,

The "deleted access denied by read" error has been fixed to OpenLDAP next version, I remember.
I think it was from that slapo-ppolicy and has been fix in the 2.4.11 version.

http://www.openldap.org/devel/cvsweb.cgi/Attic/CHANGES

Regards,

--
Ozgur Karatas

m: mueddib@openldap.org

w: http://www.openldap.org
f: https://www.facebook.com/openldap
t: https://www.twitter.com/openldaporg
i: irc.freenode.net #openldap

> I just stumbled upon a (maybe not) surprising technical issue with my
> OpenLDAP setup: ppolicy seems unable to update pwdAccountLockedTime on
> my users.
>
> Setup:
>
> * OpenLDAP 2.4.40(+dfsg-1+deb8u2) on Debian jessie
>
> * Password policy and ACLs:
>
> ---8<---
> dn: cn=default,ou=policies,dc=company,dc=com
> objectClass: top
> objectClass: person
> objectClass: pwdPolicy
> cn: passwordDefault
> cn: default
> pwdAttribute: userPassword
> sn: passwordDefault
> pwdAllowUserChange: TRUE
> pwdCheckQuality: 0
> pwdExpireWarning: 0
> pwdFailureCountInterval: 0
> pwdGraceAuthNLimit: 0
> pwdInHistory: 3
> pwdLockout: TRUE
> pwdLockoutDuration: 300
> pwdMaxAge: 0
> pwdMaxFailure: 3
> pwdMinAge: 0
> pwdMinLength: 8
> pwdMustChange: FALSE
> pwdSafeModify: FALSE
> ---8<---
>
> ---8<---
> access to attrs=userPassword,shadowLastChange
>          by dn="uid=mcerda,ou=people,dc=company,dc=com" write
>          by self write
>          by anonymous auth
>          by * none
>
> access to dn.base="" by * read
>
> access to *
>          by dn="uid=mcerda,ou=people,dc=company,dc=com" write
>          by users read
>          by * none
> ---8<---
>
> * pwdFailureTime gets updated on each failed login attempt on users
> until pwdMaxFailure is reached (3)
>
> * Testing for account locking is done both by observing we appearance in
> user object and using '-e ppolicy' on ldapsearch (ppolicy_use_lockout is
> enabled)
>
> Everytime an user reaches pwdMaxFailure count, the debug log (level
> 65535) gives:
>
> ---8<---
> 585947a5 => mdb_entry_get: found entry:
> "cn=default,ou=policies,dc=company,dc=com"
> 585947a5 mdb_entry_get: rc=0
> 585947a5 mdb_modify: uid=fbar,ou=people,dc=company,dc=com
> 585947a5 slap_queue_csn: queueing 0x65696ef4bce0
> 20161220150053.705334Z#000000#000#000000
> 585947a5 mdb_dn2entry("uid=fbar,ou=people,dc=company,dc=com")
> 585947a5 => mdb_dn2id("uid=fbar,ou=people,dc=company,dc=com")
> 585947a5 <= mdb_dn2id: got id=0x9
> 585947a5 => mdb_entry_decode:
> 585947a5 <= mdb_entry_decode
> 585947a5 mdb_modify_internal: 0x00000009:
> uid=fbar,ou=people,dc=company,dc=com
> 585947a5 => access_allowed: result not in cache (pwdAccountLockedTime)
> 585947a5 => access_allowed: delete access to
> "uid=fbar,ou=people,dc=company,dc=com" "pwdAccountLockedTime" requested
> 585947a5 => dn: [2]
> 585947a5 => acl_get: [3] attr pwdAccountLockedTime
> 585947a5 => acl_mask: access to entry
> "uid=fbar,ou=people,dc=company,dc=com", attr "pwdAccountLockedTime"
> requested
> 585947a5 => acl_mask: to all values by "", (=0)
> 585947a5 <= check a_dn_pat: uid=mcerda,ou=people,dc=company,dc=com
> 585947a5 <= check a_dn_pat: users
> 585947a5 <= check a_dn_pat: anonymous
> 585947a5 <= acl_mask: [3] applying read(=rscxd) (stop)
> 585947a5 <= acl_mask: [3] mask: read(=rscxd)
> 585947a5 => slap_access_allowed: delete access denied by read(=rscxd)
> 585947a5 => access_allowed: no more rules
> 585947a5 mdb_modify: modify failed (50)
> 585947a5 send_ldap_result: conn=1000 op=0 p=3
> 585947a5 send_ldap_result: err=50 matched="" text=""
> 585947a5 slap_graduate_commit_csn: removing 0x6569601047f0
> 20161220150053.705334Z#000000#000#000000
> 585947a5 send_ldap_response: msgid=1 tag=97 err=49
> ---8<---
>
> I can't see a reason why the update gets denied. Setting the global ACL
> to:
>
> ---8<---
> access to *
>          by dn="uid=mcerda,ou=people,dc=company,dc=com" write
>          by * write
> ---8<---
>
> fixes the issue (but I obviously not want an open bar slapd).
>
> The documentation (http://www.openldap.org/doc/admin24/overlays.html)
> advises nothing about ACLs.
>
> Is this and issue or a misconfiguration ?
>
> Thanks in advance,
> --
> Matthieu Cerda

References:
- ppolicy overlay unable to set pwdAccountLockedTime on to-be-locked users due to ACLs
  - From: Matthieu Cerda <kegeruneku+openldap@ironflake.org>

Prev by Date: RE: PID File
Next by Date: memberOf overlay issues with 2.4.44 + ITS 8432 patch
Index(es):
- Chronological
- Thread