12:41 p.m.
https://bugs.openldap.org/show_bug.cgi?id=9813
Issue ID: 9813
Summary: Incompatibility between remoteauth and ppolicy
overlays
Product: OpenLDAP
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: overlays
Assignee: bugs(a)openldap.org
Reporter: thierry.pubellier(a)paris.fr
Target Milestone: ---
Hi,
We are planning to use OpenLDAP as a proxy for some users in our Active
Directory servers, using remoteauth overlay.
We want this OpenLDAP instance to also implement an account lockout policy,
preventing the lockout on our internal Active Directory servers.
But there seems to be an incompatibility between remoteauth and ppolicy
overlays : remoteauth won't remote authenticate a user if local userPassword
attribute exists, while ppolicy overlay needs this attribute.
Could there be a configuration parameter in ppolicy to allow lockout
checks/modifications (which seemed to be the default behavior of OpenLDAP
before ITS#7089) ?
I can provide a patch if allowed.
Thanks by advance,
Best regards,
Thierry
--
You are receiving this mail because:
You are on the CC list for the issue.
8:55 a.m.
New subject: [Issue 9813] Incompatibility between remoteauth and ppolicy overlays
https://bugs.openldap.org/show_bug.cgi?id=9813
Ondřej Kuzník <ondra(a)mistotebe.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
See Also| |https://bugs.openldap.org/s
| |how_bug.cgi?id=7089
Severity|normal |enhancement
--- Comment #1 from Ondřej Kuzník <ondra(a)mistotebe.net> ---
Hi Thierry,
yes, this seems like an unsupported combination of features. If you were to put
this in, now that ITS#9343 has been merged (staged for 2.7), it might be
possible to make a distinction between a default policy and one that was
applied explicitly through a rule or pwdPolicySubentry.
--
You are receiving this mail because:
You are on the CC list for the issue.
2:21 p.m.
New subject: [Issue 9813] Incompatibility between remoteauth and ppolicy overlays
https://bugs.openldap.org/show_bug.cgi?id=9813
--- Comment #2 from Thierry PUBELLIER <thierry.pubellier(a)paris.fr> ---
(In reply to Ondřej Kuzník from comment #1)
Hi Thierry,
yes, this seems like an unsupported combination of features. If you were to
put this in, now that ITS#9343 has been merged (staged for 2.7), it might be
possible to make a distinction between a default policy and one that was
applied explicitly through a rule or pwdPolicySubentry.
Hi Ondřej,
Thanks for your answer.
Combining remoteauth and ppolicy with this new feature from ITS#9343 may be a
real plus for security and protection of internal directories, providing
lockout capabilities.
It's really easier to configure and use than the almost equivalent solution
with saslauthd, and allows to have multiple remote domains simply.
If you estimate this an interesting feature, I already have a fully functional
patch that declares a new configuration option (ppolicy_always_check), which
makes ppolicy always checks for lockout.
May I submit it ?
Best regards,
Thierry
--
You are receiving this mail because:
You are on the CC list for the issue.
8:53 a.m.
New subject: [Issue 9813] Incompatibility between remoteauth and ppolicy overlays
https://bugs.openldap.org/show_bug.cgi?id=9813
Howard Chu <hyc(a)openldap.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|UNCONFIRMED |CONFIRMED
Keywords|needs_review |
Target Milestone|--- |2.7.0
Ever confirmed|0 |1
--
You are receiving this mail because:
You are on the CC list for the issue.
5:23 a.m.
New subject: [Issue 9813] Incompatibility between remoteauth and ppolicy overlays
https://bugs.openldap.org/show_bug.cgi?id=9813
--- Comment #3 from Ondřej Kuzník <ondra(a)mistotebe.net> ---
Hi Thierry, have you tested the code that's in master to check whether it
actually covers your usecase?
--
You are receiving this mail because:
You are on the CC list for the issue.
3:19 a.m.
New subject: [Issue 9813] Incompatibility between remoteauth and ppolicy overlays
https://bugs.openldap.org/show_bug.cgi?id=9813
Ondřej Kuzník <ondra(a)mistotebe.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
See Also| |https://bugs.openldap.org/s
| |how_bug.cgi?id=9343
--
You are receiving this mail because:
You are on the CC list for the issue.
90
days inactive
623
days old
5 comments
1 participants
participants (1)
-
openldap-its@openldap.org