https://bugs.openldap.org/show_bug.cgi?id=9740
--- Comment #2 from David Coutadeur david.coutadeur@gmail.com ---
(In reply to Ondřej Kuzník from comment #1)

> On Fri, Nov 05, 2021 at 11:51:51AM +0000, openldap-its@openldap.org wrote:
>> Following: https://bugs.openldap.org/show_bug.cgi?id=9666, we must now use the olcPPolicyCheckModule directive in the overlay configuration, instead of the pwdCheckModule in the password policy.
>> I have 3 remarks:
>> 1/ It's a pity we can't define the chosen module in the corresponding ppolicy. It prevents having multiple extensions to password policies (one for each policy).
>
> Hi David, the problem is you have to load/unload it every time you run a password change, that has been causing issues. You can use the same implementation and pass policy-specific configuration in pwdCheckModuleArg.
>
> What is your use case where you'd need different modules in the same server?

No particular use case.
It's just that before ppm, the LTB project maintained another module named "check-password", and maybe it can help the transition to announce that OpenLDAP supports multiple modules at one time... But again, there is no real use case.

>> 2/ It does not seem to work (i.e. the extended module is not launched). See below for my config and data.
>
> Just checking you are actually building with --enable-modules?

Yes indeed.
If it can help:
./configure --prefix=${LDAPDIR} --libdir=${LDAPDIR}/${_LIB} --enable-modules=yes --enable-overlays=mod --enable-backends=mod --enable-dynamic=yes --with-tls=openssl --enable-debug --with-cyrus-sasl --enable-spasswd --enable-ppolicy=mod --enable-crypt --enable-slapi --enable-mdb=mod --enable-ldap=mod --enable-meta=mod --enable-sock=mod --enable-wrappers --enable-rlookups --enable-argon2=yes --enable-otp=mod --enable-balancer=mod --enable-sql=no --enable-ndb=no --enable-wt=no --enable-perl=no

>> 3/ slapo-ppolicy is quite unclear about the configuration. For example, I can read:
>> ( 1.3.6.1.4.1.4754.2.99.1 NAME 'pwdPolicyChecker' AUXILIARY SUP top MAY ( pwdCheckModule $ pwdCheckModuleArg $ pwdUseCheckModule ) )
>> Do pwdCheckModule and pwdUseCheckModule still make sense?
>
> pwdCheckModule is preserved for backwards compatibility and using it provokes a warning in the logs to let the admin know it is actually ignored.

Thanks for the clarification. Actually, I meant the documentation of slapo-ppolicy (man page); it could be nice to explain:
- what is deprecated
- what each attribute is made for

> pwdUseCheckModule is new and allows the policy admin to decide whether the module is to be used in this particular policy or not.

Regards,
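The thread describes a configuration layout that silently stops the check module from running: the module path still sits in pwdCheckModule on the policy entry (now ignored, with only a log warning), while the overlay lacks olcPPolicyCheckModule and the policy does not set pwdUseCheckModule. The following linter is an added example, not code from this ITS or from OpenLDAP; it reads a cn=config LDIF dump and reports exactly those mismatches. It assumes the attribute names given in the thread, the overlay objectClass olcPPolicyConfig, and treats an absent pwdUseCheckModule as "not enabled" (the thread does not state the default). The two LDIF samples are constructed, with placeholder paths.

```python
"""Lint a cn=config LDIF dump for the ppolicy check-module layout discussed above.

Added example, not part of the ITS thread or of OpenLDAP. Attribute names come from
the thread (olcPPolicyCheckModule on the overlay; pwdCheckModule, pwdCheckModuleArg,
pwdUseCheckModule on the policy); olcPPolicyConfig and the sample LDIF are assumptions.
"""
from typing import Dict, List, Optional

Entry = Dict[str, List[str]]

# Constructed sample: the pre-ITS#9666 layout. The module path is on the policy
# (ignored now) and nothing enables the module on the overlay or in the policy.
SAMPLE_BROKEN = """\
dn: olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: {0}ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=com

dn: cn=default,ou=policies,dc=example,dc=com
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
pwdAttribute: userPassword
pwdCheckModule: /PLACEHOLDER/path/to/ppm.so
pwdCheckModuleArg: /PLACEHOLDER/path/to/ppm.example
"""

# Constructed sample: the layout the thread describes as current. The module is
# loaded once on the overlay; the policy only opts in and carries its own argument.
SAMPLE_FIXED = """\
dn: olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: {0}ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=com
olcPPolicyCheckModule: /PLACEHOLDER/path/to/ppm.so

dn: cn=default,ou=policies,dc=example,dc=com
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
pwdAttribute: userPassword
pwdUseCheckModule: TRUE
pwdCheckModuleArg: /PLACEHOLDER/path/to/ppm.example
"""


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: folds continuation lines (leading space), drops comments,
    splits entries on blank lines. Attribute names are lower-cased for lookup."""
    entries: List[Entry] = []
    current: Entry = {}
    pending: Optional[str] = None

    def flush_attr() -> None:
        nonlocal pending
        if pending is not None:
            key, _, value = pending.partition(":")
            current.setdefault(key.strip().lower(), []).append(value.strip())
            pending = None

    for raw in text.splitlines() + [""]:      # trailing "" flushes the last entry
        if raw.startswith(" ") and pending is not None:
            pending += raw[1:]                # folded continuation of previous line
        elif raw == "":
            flush_attr()
            if current:
                entries.append(current)
                current = {}
        elif raw.startswith("#"):
            continue
        else:
            flush_attr()
            pending = raw
    return entries


def lint_ppolicy(entries: List[Entry]) -> List[str]:
    """Return one finding per policy-level misconfiguration of the check module."""
    findings: List[str] = []
    overlays = [e for e in entries
                if "olcppolicyconfig" in [c.lower() for c in e.get("objectclass", [])]]
    module_loaded = any("olcppolicycheckmodule" in e for e in overlays)

    for e in entries:
        if "pwdpolicy" not in [c.lower() for c in e.get("objectclass", [])]:
            continue
        dn = e.get("dn", ["<no dn>"])[0]
        # Absent pwdUseCheckModule is treated as not enabled (assumption).
        use = e.get("pwdusecheckmodule", ["FALSE"])[0].upper()
        if "pwdcheckmodule" in e:
            findings.append(f"{dn}: pwdCheckModule is ignored (kept for backwards "
                            "compatibility); set olcPPolicyCheckModule on the overlay")
        if use == "TRUE" and not module_loaded:
            findings.append(f"{dn}: pwdUseCheckModule is TRUE but no ppolicy overlay "
                            "sets olcPPolicyCheckModule; no module will run")
        if use != "TRUE" and ("pwdcheckmodulearg" in e or "pwdcheckmodule" in e):
            findings.append(f"{dn}: module configuration present but pwdUseCheckModule "
                            "is not TRUE; the module is not invoked for this policy")
    return findings


if __name__ == "__main__":
    for name, ldif in (("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED)):
        print(f"[{name}]")
        for line in lint_ppolicy(parse_ldif(ldif)) or ["ok"]:
            print("  " + line)
```

Run it against `slapcat -n 0` output together with the policy entries to see whether a "module not launched" symptom like the one in remark 2 is a layout problem before digging into module loading itself.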