Re: (ITS#8208) ppolicy supportedControl not visible in root DSE

Wednesday, 29 July 2015

robert.brooks(a)reporo.com wrote:
...
 with ppolicy overlay loaded (and functioning) the following root DSE
is= :
...
 [..]
 I would expect to see output similar to...
=20
 http://docs.forgerock.org/en/opendj/2.6.0/dev-guide/index/chap-getting-=
directory-info.html#read-root-dse
...
 D0D
 specifilllly line 12 (and maybe line 40). 
It's a bit hard to follow line number references in a web page. :-/
But I guess you mean the OIDs coming from draft-vchu-ldap-pwd-policy [1].=

Note that AFAIK OpenDJ supports old draft-vchu-ldap-pwd-policy which is v=
ery
outdated and not supported by LDAP servers without Netscape roots.

slapo-ppolicy implements draft-behera-ldap-password-policy [2].

...
 # Search the root DSE for the password policy (works
 # with Netscape Directory Server)
 pam_lookup_policy yes
=20
 does not make pam_ldap to interact with password policies against when
 configured in openldap. 
Using pam_ldap is NOT recommended nowadays for a bunch of reasons. Use
nss-pam-ldapd, sssd or OpenLDAP's slapo-nssov. AFAIK all of them support
draft-behera-ldap-password-policy.

But such usage discussion belong on the openldap-technical mailing list a=
nd
not in the ITS.

Ciao, Michael.

[1] https://tools.ietf.org/html/draft-vchu-ldap-pwd-policy

[2] https://tools.ietf.org/html/draft-behera-ldap-password-policy

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006