https://bugs.openldap.org/show_bug.cgi?id=9740
Issue ID: 9740
Summary: olcPPolicyCheckModule not working in 2.6.0
Product: OpenLDAP
Version: 2.6.0
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: overlays
Assignee: bugs(a)openldap.org
Reporter: david.coutadeur(a)gmail.com
Target Milestone: ---
Following:
https://bugs.openldap.org/show_bug.cgi?id=9666, we must now use the
olcPPolicyCheckModule directive in the overlay configuration, instead of the
pwdCheckModule in the password policy.
I have 3 remarks:
1/ it's a pity we can't define the chosen module in the corresponding ppolicy.
It prevents having multiple extension to password policies (one for each
policy)
2/ it does not seem to work. (ie the extended module is not launched). See
below for my config and data.
3/ the slapo-ppolicy is quite unclear about the configuration. For example, I
can read:
( 1.3.6.1.4.1.4754.2.99.1
NAME 'pwdPolicyChecker'
AUXILIARY
SUP top
MAY ( pwdCheckModule $ pwdCheckModuleArg $ pwdUseCheckModule ) )
Does pwdCheckModule and pwdUseCheckModule still have sense?
Here is my configuration:
dn: olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: {0}ppolicy
olcPPolicyDefault: cn=default,ou=ppolicies,dc=my-domain,dc=com
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: FALSE
olcPPolicyForwardUpdates: FALSE
olcPPolicyDisableWrite: FALSE
olcPPolicySendNetscapeControls: FALSE
olcPPolicyCheckModule: /usr/local/openldap/libexec/openldap/ppm.so
Here are my data:
dn: cn=default,ou=ppolicies,dc=my-domain,dc=com
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
objectClass: organizationalRole
cn: default
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdMaxAge: 7776000
pwdInHistory: 5
pwdLockout: TRUE
pwdMaxFailure: 5
pwdFailureCountInterval: 86400
pwdMinLength: 8
pwdMaxLength: 30
pwdExpireWarning: 432000
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdMaxIdle: 31536000
pwdCheckModuleArg:
bWluUXVhbGl0eSAzCmNoZWNrUkROIDAKZm9yYmlkZGVuQ2hhcnMKbWF4Q29uc2VjdXRpdmVQZXJDbGFzcyAwCnVzZUNyYWNrbGliIDAKY3JhY2tsaWJEaWN0IC92YXIvY2FjaGUvY3JhY2tsaWIvY3JhY2tsaWJfZGljdApjbGFzcy11cHBlckNhc2UgQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVogMCAxCmNsYXNzLWxvd2VyQ2FzZSBhYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5eiAwIDEKY2xhc3MtZGlnaXQgMDEyMzQ1Njc4OSAwIDEKY2xhc3Mtc3BlY2lhbCA8Piw/Oy46LyHCp8O5JSrCtV7CqCTCo8KyJsOpfiIjJ3soWy18w6hgX1zDp17DoEApXcKwPX0rIDAgMQ==
dn: uid=jack.oneill,ou=people,dc=my-domain,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: Jack O Neill
givenName: Jack
mail: jack.oneill(a)my-example.com
sn: O Neill
uid: jack.oneill
userPassword:
{ARGON2}$argon2id$v=19$m=65536,t=2,p=1$LiSaGIqce9o2C6T8d2BOfg$BpPpokTfKY9/X7/jkvG1SXBcsNnm95UbTGSstc2aHKk
--
You are receiving this mail because:
You are on the CC list for the issue.