Full_Name: Jarbas Peixoto Junior
Version: 2.4.11 / 2.4.17 / 2.4.20
OS: Gnu/Linux Debian
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (200.152.34.143)
Possible bug in Overlay pPolicy
I have OpenLDAP installed via the Debian Lenny package, functioning normally.
Aiming to test the Debian Squeeze version, I installed the slapd package
(2.4.17-2.1) on the test machine with the same setup as Debian Lenny (2.4.11).
However, when testing the ppolicy overlay I noticed that an authentication
with a wrong password runs through all objects in the LDAP database, causing a
"delay" that does not exist in the Lenny version.
Below is some information that may be useful in detecting the problem:
File: slapd.conf
moduleload ppolicy
overlay ppolicy
ppolicy_default "cn=default,ou=LdapPassword,ou=Politicas,ou=Builtin,dc=previdencia,dc=gov,dc=br"
ppolicy_use_lockout
====================
ldapsearch -LLL -x -H ldap://squeeze -b ou=LdapPassword,ou=Politicas,ou=Builtin,dc=previdencia,dc=gov,dc=br '(cn=default)'
dn: cn=default,ou=LdapPassword,ou=Politicas,ou=Builtin,dc=previdencia,dc=gov,dc=br
objectClass: top
objectClass: device
objectClass: pwdPolicy
pwdAttribute: userPassword
description:: UG9sw610aWNhIGRlIFNlbmhhIERlZmF1bHQgcGFyYSB0b2RvcyB1c3XDoXJpb3M=
pwdAllowUserChange: TRUE
pwdFailureCountInterval: 3600
pwdGraceAuthNLimit: 5
pwdInHistory: 0
pwdLockoutDuration: 60
pwdMaxAge: 7776000
pwdMinAge: 0
pwdMinLength: 6
pwdSafeModify: FALSE
pwdCheckQuality: 1
pwdExpireWarning: 600
cn: default
pwdMustChange: FALSE
pwdMaxFailure: 10
pwdLockout: FALSE
date ; ldapsearch -LLL -x -H ldap://squeeze -b ou=usuarios,dc=previdencia,dc=gov,dc=br -D uid=jarbas.peixoto,ou=pessoas,ou=usuarios,dc=previdencia,dc=gov,dc=br -w wrong-password '(uid=jarbas.peixoto)' cn mail pwdFailureTime pwdAccountLockedTime modifyTimeStamp ; date
Qua Dez 2 16:14:56 AMST 2009
ldap_bind: Invalid credentials (49)
Qua Dez 2 16:15:36 AMST 2009
grep 'access_allowed: search access to' /var/log/debug | wc -l
83714
The question is: why does it access all entries in LDAP?
Don't know. This would have to be the result of a search operation, but there
is no search code in ppolicy.c. Since ppolicy cannot be the culprit, we'll
need to see the rest of your config to track down the issue.
--
-- Howard Chu
CTO, Symas Corp.
http://www.symas.com
Director, Highland Sun
http://highlandsun.com/hyc/
Chief Architect, OpenLDAP
http://www.openldap.org/project/