https://bugs.openldap.org/show_bug.cgi?id=9656
--- Comment #6 from ktmdms@gmail.com ---
(In reply to David Coutadeur from comment #5)
"If for some reasons, any parameter is not found, it will be given its default value."
This is true for ppm parameters, not for password policy parameters. Especially, pwdCheckModule does not have default values.
When using ppm.so in OpenLDAP 2.4 the ppm.so, while included in the schema, didn't need the fully qualified pathname (I assume that the path was handled via the modulepath statement in the slapd.conf) and I don't know that that particular change is documented anywhere particularly succinctly.
I don't think ppolicy can guess any extension path... Neither in 2.4 nor in 2.5.
It worked as such in 2.4, doesn't work as such in 2.5. Don't know why but it did and is right now.
Either 1). slapd shouldn't start if these parameters are requirements when using ppolicy
These parameters can evolve while OpenLDAP is running. As I explained before, it is the responsibility of the admin to ensure the pwdCheckModule parameter is set accordingly.
Granted, my responsibility, but then it's your responsibility to make sure that changes from one version to the next are clearly documented so I know what I'm supposed to be doing. As I said, I didn't find the documentation particularly clear on this point.
2). slapd shouldn't crash and should give a warning that default values are being used and one should verify if those defaults are valid or simply warn that ppolicy won't be used as necessary settings have not been populated.
slapd can't know any requirement about a given extended module.
Essentially, what I'm reading here is "too bad, so sad, we're not going to make slapd handle this gracefully".