Attached is the configuration file of the OpenLDAP squeeze test server.
I made some changes to the file /etc/ldap/slapd.overlay.conf, which is included by /etc/ldap/slapd.conf, and discovered that the problem is with the rwm overlay, because when I comment out that overlay the problem does not appear.
If I keep the following rwm overlay entries, the problem happens again:

moduleload rwm
overlay rwm

Even with the other rwm overlay settings commented out, the problem continues.
Any ideas?
2009/12/2 Howard Chu hyc@symas.com:
jarbas.junior@gmail.com wrote:
Full_Name: Jarbas Peixoto Junior
Version: 2.4.11 / 2.4.17 / 2.4.20
OS: Gnu/Linux Debian
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (200.152.34.143)
Possible bug in Overlay pPolicy
I have OpenLDAP installed via the Debian Lenny package functioning normally.
Aiming to test the version from Debian Squeeze, on the test machine I installed the package slapd (2.4.17-2.1) with the same set of Debian Lenny (2.4.11).
However, when testing the ppolicy overlay I noticed that an authentication with a wrong password runs through all objects in the LDAP database, causing a "delay" that does not exist in the Lenny version.
Below is some information that may be useful in detecting the problem:
File: slapd.conf
====================
moduleload      ppolicy
overlay ppolicy
ppolicy_default "cn=default,ou=LdapPassword,ou=Politicas,ou=Builtin,dc=previdencia,dc=gov,dc=br"
ppolicy_use_lockout
====================

ldapsearch -LLL -x -H ldap://squeeze -b ou=LdapPassword,ou=Politicas,ou=Builtin,dc=previdencia,dc=gov,dc=br '(cn=default)'
dn: cn=default,ou=LdapPassword,ou=Politicas,ou=Builtin,dc=previdencia,dc=gov,d
 c=br
objectClass: top
objectClass: device
objectClass: pwdPolicy
pwdAttribute: userPassword
description:: UG9sw610aWNhIGRlIFNlbmhhIERlZmF1bHQgcGFyYSB0b2RvcyB1c3XDoXJpb3M=
pwdAllowUserChange: TRUE
pwdFailureCountInterval: 3600
pwdGraceAuthNLimit: 5
pwdInHistory: 0
pwdLockoutDuration: 60
pwdMaxAge: 7776000
pwdMinAge: 0
pwdMinLength: 6
pwdSafeModify: FALSE
pwdCheckQuality: 1
pwdExpireWarning: 600
cn: default
pwdMustChange: FALSE
pwdMaxFailure: 10
pwdLockout: FALSE

date ; ldapsearch -LLL -x -H ldap://squeeze -b ou=usuarios,dc=previdencia,dc=gov,dc=br -D uid=jarbas.peixoto,ou=pessoas,ou=usuarios,dc=previdencia,dc=gov,dc=br -w wrong-password '(uid=jarbas.peixoto)' cn mail pwdFailureTime pwdAccountLockedTime modifyTimeStamp ; date
Qua Dez  2 16:14:56 AMST 2009
ldap_bind: Invalid credentials (49)
Qua Dez  2 16:15:36 AMST 2009

grep 'access_allowed: search access to' /var/log/debug | wc -l
83714
The question is: why does it access all entries in LDAP?
Don't know. This would have to be the result of a search operation, but there is no search code in ppolicy.c. Since ppolicy cannot be the culprit, we'll need to see the rest of your config to track down the issue.
--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/