https://bugs.openldap.org/show_bug.cgi?id=9740
--- Comment #2 from David Coutadeur <david.coutadeur(a)gmail.com> ---
(In reply to Ondřej Kuzník from comment #1)
On Fri, Nov 05, 2021 at 11:51:51AM +0000, openldap-its(a)openldap.org wrote:
> Following: https://bugs.openldap.org/show_bug.cgi?id=9666, we must now use the
> olcPPolicyCheckModule directive in the overlay configuration, instead of the
> pwdCheckModule in the password policy.
>
> I have 3 remarks:
>
> 1/ it's a pity we can't define the chosen module in the corresponding ppolicy.
> It prevents having multiple extensions to password policies (one for each
> policy)
Hi David,
the problem is you have to load/unload it every time you run a password
change, that has been causing issues. You can use the same
implementation and pass policy specific configuration in pwdCheckModuleArg.
What is your use case where you'd need different modules in the same
server?
No particular use case.
It's just that before ppm, the LTB project maintained another module named
"check-password", and maybe it can help the transition to announce that
OpenLDAP supports multiple modules at one time... But again there is no real use
case.
> 2/ it does not seem to work. (ie the extended module is not launched). See
> below for my config and data.
Just checking you are actually building with --enable-modules?
Yes indeed.
If it can help:
./configure --prefix=${LDAPDIR} --libdir=${LDAPDIR}/${_LIB} \
  --enable-modules=yes --enable-overlays=mod --enable-backends=mod \
  --enable-dynamic=yes --with-tls=openssl --enable-debug --with-cyrus-sasl \
  --enable-spasswd --enable-ppolicy=mod --enable-crypt --enable-slapi \
  --enable-mdb=mod --enable-ldap=mod --enable-meta=mod --enable-sock=mod \
  --enable-wrappers --enable-rlookups --enable-argon2=yes --enable-otp=mod \
  --enable-balancer=mod --enable-sql=no --enable-ndb=no --enable-wt=no \
  --enable-perl=no
> 3/ the slapo-ppolicy is quite unclear about the configuration. For example, I
> can read:
>
> ( 1.3.6.1.4.1.4754.2.99.1
> NAME 'pwdPolicyChecker'
> AUXILIARY
> SUP top
> MAY ( pwdCheckModule $ pwdCheckModuleArg $ pwdUseCheckModule ) )
>
> Do pwdCheckModule and pwdUseCheckModule still make sense?
pwdCheckModule is preserved for backwards compatibility and using it
provokes a warning in the logs to let the admin know it is actually
ignored.
Thanks for the clarification.
Actually, I meant the documentation of slapo-ppolicy (man page);
it could be nice to explain:
- what is deprecated
- what each attribute is made for
pwdUseCheckModule is new and allows the policy admin to decide whether the
module is to be used in this particular policy or not.
Regards,
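The following is an added example, not part of the original thread or of OpenLDAP: a small Python lint for an LDIF export that flags policies affected by the change discussed above (pwdCheckModule ignored, module now loaded via olcPPolicyCheckModule, per-policy opt-in via pwdUseCheckModule). The sample LDIF, the DNs and the function names are constructed, and the treatment of an absent pwdUseCheckModule as "not enabled" is an assumption.

```python
# Constructed sample: overlay without olcPPolicyCheckModule, two policies.
SAMPLE_LDIF = """\
dn: olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcPPolicyConfig
olcOverlay: {0}ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=com

dn: cn=default,ou=policies,dc=example,dc=com
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
pwdAttribute: userPassword
pwdCheckModule: ppm.so
pwdCheckModuleArg: minQuality 3

dn: cn=admins,ou=policies,dc=example,dc=com
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
pwdAttribute: userPassword
pwdUseCheckModule: TRUE
"""

def parse_ldif(text):
    # Minimal parser: blank-line separated entries, plain "attr: value" lines
    # only (no line continuations, no base64 values).
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if ": " in line and not line.startswith("#"):
                attr, value = line.split(": ", 1)
                entry.setdefault(attr.lower(), []).append(value.strip())
        if "dn" in entry:
            entries.append(entry)
    return entries

def audit(text):
    entries = parse_ldif(text)
    module_loaded = any("olcppolicycheckmodule" in e for e in entries)
    findings = []
    for e in entries:
        if "pwdpolicy" not in [v.lower() for v in e.get("objectclass", [])]:
            continue  # only password policy entries are checked
        dn = e["dn"][0]
        # Assumption: an absent pwdUseCheckModule means the module is not used.
        use = e.get("pwdusecheckmodule", ["FALSE"])[0].upper() == "TRUE"
        if "pwdcheckmodule" in e:
            findings.append((dn, "pwdCheckModule is set but ignored"))
            if not use:
                findings.append((dn, "pwdUseCheckModule is not TRUE"))
        if use and not module_loaded:
            findings.append((dn, "no olcPPolicyCheckModule on the overlay"))
    return findings
```

Each finding is a `(dn, message)` pair; an empty list means every policy that expects quality checking has the overlay-level module and the per-policy switch in place.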