https://bugs.openldap.org/show_bug.cgi?id=9813
Issue ID: 9813 Summary: Incompatibility between remoteauth and ppolicy overlays Product: OpenLDAP Version: unspecified Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: overlays Assignee: bugs@openldap.org Reporter: thierry.pubellier@paris.fr Target Milestone: ---
Hi,
We are planning to use OpenLDAP as a proxy for some users in our Active Directory servers, using remoteauth overlay.
We want this OpenLDAP instance to also implement an account lockout policy, preventing the lockout on our internal Active Directory servers.
But there seems to be an incompatibility between remoteauth and ppolicy overlays : remoteauth won't remote authenticate a user if local userPassword attribute exists, while ppolicy overlay needs this attribute.
Could there be a configuration parameter in ppolicy to allow lockout checks/modifications (which seemed to be the default behavior of OpenLDAP before ITS#7089) ?
I can provide a patch if allowed.
Thanks by advance,
Best regards,
Thierry
https://bugs.openldap.org/show_bug.cgi?id=9813
Ondřej Kuzník ondra@mistotebe.net changed:
What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.openldap.org/s | |how_bug.cgi?id=7089 Severity|normal |enhancement
--- Comment #1 from Ondřej Kuzník ondra@mistotebe.net --- Hi Thierry, yes, this seems like an unsupported combination of features. If you were to put this in, now that ITS#9343 has been merged (staged for 2.7), it might be possible to make a distinction between a default policy and one that was applied explicitly through a rule or pwdPolicySubentry.
https://bugs.openldap.org/show_bug.cgi?id=9813
--- Comment #2 from Thierry PUBELLIER thierry.pubellier@paris.fr --- (In reply to Ondřej Kuzník from comment #1)
Hi Thierry, yes, this seems like an unsupported combination of features. If you were to put this in, now that ITS#9343 has been merged (staged for 2.7), it might be possible to make a distinction between a default policy and one that was applied explicitly through a rule or pwdPolicySubentry.
Hi Ondřej,
Thanks for your answer.
Combining remoteauth and ppolicy with this new feature from ITS#9343 may be a real plus for security and protection of internal directories, providing lockout capabilities.
It's really easier to configure and use than the almost equivalent solution with saslauthd, and allows to have multiple remote domains simply.
If you estimate this an interesting feature, I already have a fully functional patch that declares a new configuration option (ppolicy_always_check), which makes ppolicy always checks for lockout. May I submit it ?
Best regards,
Thierry
https://bugs.openldap.org/show_bug.cgi?id=9813
Howard Chu hyc@openldap.org changed:
What |Removed |Added ---------------------------------------------------------------------------- Status|UNCONFIRMED |CONFIRMED Keywords|needs_review | Target Milestone|--- |2.7.0 Ever confirmed|0 |1
https://bugs.openldap.org/show_bug.cgi?id=9813
Ondřej Kuzník ondra@mistotebe.net changed:
What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.openldap.org/s | |how_bug.cgi?id=9343
https://bugs.openldap.org/show_bug.cgi?id=9813
--- Comment #3 from Ondřej Kuzník ondra@mistotebe.net --- Hi Thierry, have you tested the code that's in master to check whether it actually covers your usecase?
-
openldap-its@openldap.org