https://bugs.openldap.org/show_bug.cgi?id=9740
--- Comment #1 from Ondřej Kuzník ondra@mistotebe.net ---
On Fri, Nov 05, 2021 at 11:51:51AM +0000, openldap-its@openldap.org wrote:
> Following: https://bugs.openldap.org/show_bug.cgi?id=9666, we must now use the olcPPolicyCheckModule directive in the overlay configuration, instead of the pwdCheckModule in the password policy.
> I have 3 remarks:
> 1/ it's a pity we can't define the chosen module in the corresponding ppolicy. It prevents having multiple extensions to password policies (one for each policy).
Hi David, the problem is you have to load/unload it every time you run a password change, and that has been causing issues. You can use the same implementation and pass policy-specific configuration in pwdCheckModuleArg.
What is your use case where you'd need different modules in the same server?
> 2/ it does not seem to work (i.e. the extended module is not launched). See below for my config and data.
Just checking you are actually building with --enable-modules?
> 3/ the slapo-ppolicy is quite unclear about the configuration. For example, I can read:
> ( 1.3.6.1.4.1.4754.2.99.1 NAME 'pwdPolicyChecker' AUXILIARY SUP top MAY ( pwdCheckModule $ pwdCheckModuleArg $ pwdUseCheckModule ) )
> Do pwdCheckModule and pwdUseCheckModule still make sense?
pwdCheckModule is preserved for backwards compatibility and using it provokes a warning in the logs to let the admin know it is actually ignored.
pwdUseCheckModule is new and allows the policy admin to decide whether the module is to be used in this particular policy or not.
Regards,
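
A migration check for the change discussed in this comment, added here as an example; it is not part of the original thread and not OpenLDAP code. It reads an LDIF export and reports policies whose password checker will not run. The DNs, the module name `example_check.so` and the `pwdCheckModuleArg` value are constructed, and it assumes a policy without `pwdUseCheckModule: TRUE` does not invoke the module.

```python
# Added example (not OpenLDAP code); DNs, module name and arg are constructed.
SAMPLE_LDIF = """\
dn: olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcPPolicyConfig
olcPPolicyCheckModule: example_check.so

dn: cn=legacy,ou=policies,dc=example,dc=com
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
pwdAttribute: userPassword
pwdCheckModule: example_check.so

dn: cn=strict,ou=policies,dc=example,dc=com
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
pwdAttribute: userPassword
pwdUseCheckModule: TRUE
pwdCheckModuleArg: minlen=14
"""

def parse_ldif(text):
    """Minimal reader: no folded lines or base64 ('::') values; names lower-cased."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def audit(text):
    """Return (dn, finding) pairs for policies whose checker will not run."""
    entries = parse_ldif(text)
    overlay_module = any("olcppolicycheckmodule" in e for e in entries)
    findings = []
    for e in entries:
        if "pwdpolicy" not in {c.lower() for c in e.get("objectclass", [])}:
            continue
        dn = e["dn"][0]
        enabled = [v.upper() for v in e.get("pwdusecheckmodule", [])] == ["TRUE"]
        if "pwdcheckmodule" in e:  # legacy attribute, ignored with a log warning
            findings.append((dn, "pwdCheckModule set but ignored"))
        if not enabled:
            findings.append((dn, "pwdUseCheckModule not TRUE"))
        elif not overlay_module:
            findings.append((dn, "no olcPPolicyCheckModule on overlay"))
    return findings
```

Run `audit()` over an export that contains both the `cn=config` overlay entry and the policy subtree; with only one of the two, the overlay finding is not meaningful.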