Hello All,
I configured OpenLDAP-2.3.29 with the following options.
./configure --with-threads=posix --with-tls=openssl --enable-dynamic --with-cyrus-sasl \
  --enable-modules --enable-ldbm=mod --enable-crypt --enable-lmpasswd --enable-ldap=mod \
  --enable-meta=mod --enable-rewrite --enable-null=mod --enable-monitor=mod \
  --enable-accesslog --enable-denyop --enable-dyngroup --enable-dynlist --enable-lastmod \
  --enable-ppolicy --enable-proxycache --enable-refint --enable-retcode --enable-rwm \
  --enable-syncprov --enable-translucent --enable-unique --enable-valsort --enable-aci \
  --enable-bdb=mod --enable-hdb=mod --enable-ldbm-api=berkeley --enable-spasswd \
  --enable-wrappers --prefix=/usr/local/encap/openldap
My slapd.conf is:
include /usr/local/encap/openldap/etc/openldap/schema/core.schema
include /usr/local/encap/openldap/etc/openldap/schema/cosine.schema
include /usr/local/encap/openldap/etc/openldap/schema/inetorgperson.schema
include /usr/local/encap/openldap/etc/openldap/schema/openldap.schema
include /usr/local/encap/openldap/etc/openldap/schema/nis.schema
include /usr/local/encap/openldap/etc/openldap/schema/samba3.schema
include /usr/local/encap/openldap/etc/openldap/schema/ppolicy.schema
allow bind_anon_dn
pidfile /usr/local/encap/openldap/var/run/slapd.pid
argsfile /usr/local/encap/openldap/var/run/slapd.args
database bdb
suffix "dc=my-domain,dc=com"
rootdn "cn=Manager,dc=my-domain,dc=com"
rootpw secret
directory /usr/local/encap/openldap/var/openldap-data
index objectClass eq
overlay ppolicy
ppolicy_default "cn=Standard Policy,ou=Policies,dc=my-domain,dc=com"
ppolicy_use_lockout
access to attrs=userpassword by self write by * auth
access to * by self write by * read
loglevel -1
########################################################################
Now when I try to do this:
prakash@linux:~> ldapsearch -H ldap://localhost -D "cn=Manager,dc=my-domain,dc=com" -x -W -b "dc=my-domain,dc=com" -e ppolicy "cn=Manager"
Enter LDAP Password:
I get the proper result.
# extended LDIF
#
# LDAPv3
# base <dc=my-domain,dc=com> with scope subtree
# filter: cn=Manager
# requesting: ALL
#

# Manager, my-domain.com
dn: cn=Manager,dc=my-domain,dc=com
objectClass: organizationalRole
cn: Manager
description: LDAP Directory Manager

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
But in the server logs, I see,
Nov 18 09:55:31 linux slapd[11135]: => get_ctrls: oid="1.3.6.1.4.1.42.2.27.8.5.1" (noncritical)
Nov 18 09:55:31 linux slapd[11135]: <= get_ctrls: n=1 rc=0 err=""
Nov 18 09:55:31 linux slapd[11135]: attrs:
Nov 18 09:55:31 linux slapd[11135]:
Nov 18 09:55:31 linux slapd[11135]: conn=0 op=1 SRCH base="dc=my-domain,dc=com" scope=2 deref=0 filter="(cn=manager)"
Nov 18 09:55:31 linux slapd[11135]: slap_global_control: unavailable control: 1.3.6.1.4.1.42.2.27.8.5.1
Is this the reason, why I am not able to get my ppolicy controls to work? How do I make this control available?
That message is only telling you that ppolicy is not recognized as a global control; in fact, it's only supported within the naming context you configured the ppolicy overlay for. As a consequence, handling of that control is deferred. You're simply logging at too verbose a level, and erroneously interpreting the resulting logs. The control does nothing in the operation above likely because there's nothing to do (i.e. you didn't provide an incorrect password multiple times, and your password is not about to expire, or simply because you auth'ed as the rootdn).
Did you read the man page and the draft that control is about? What are you expecting it to do, otherwise?
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office: +39.02.23998309
Mobile: +39.333.4963172
Email: pierangelo.masarati@sys-net.it
------------------------------------------
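To make the reply concrete: the control with OID 1.3.6.1.4.1.42.2.27.8.5.1 is the Password Policy control from draft-behera-ldap-password-policy. The client sends it with an empty value (that is what `-e ppolicy` does), and the server only attaches a response control with the same OID when it has something to report: a warning (time before expiration, or grace authentications remaining) and/or an error (account locked, password expired, change required after reset, and so on). If neither applies, as in the rootdn bind above, there is nothing to decode. The decoder below is an added example, not code from the thread or from OpenLDAP; it implements the draft's ASN.1 (`PasswordPolicyResponseValue ::= SEQUENCE { warning [0] CHOICE { timeBeforeExpiration [0] INTEGER, graceAuthNsRemaining [1] INTEGER } OPTIONAL, error [1] ENUMERATED OPTIONAL }`) with standard BER tagging, and the sample byte strings are constructed by hand rather than captured from a server.

```python
"""Decode an LDAP Password Policy response control value (OID 1.3.6.1.4.1.42.2.27.8.5.1).

Added example, not part of the original thread or of OpenLDAP. The ASN.1 follows
draft-behera-ldap-password-policy; tag bytes are derived from it using ordinary BER
tagging rules (explicit [0] on the CHOICE -> 0xA0, implicit [0]/[1] INTEGER -> 0x80/0x81,
implicit [1] ENUMERATED -> 0x81).
"""

PPOLICY_OID = "1.3.6.1.4.1.42.2.27.8.5.1"

# error ENUMERATED values from the draft
PPOLICY_ERRORS = {
    0: "passwordExpired",
    1: "accountLocked",
    2: "changeAfterReset",
    3: "passwordModNotAllowed",
    4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality",
    6: "passwordTooShort",
    7: "passwordTooYoung",
    8: "passwordInHistory",
}


def _read_tlv(buf, pos):
    """Read one BER tag-length-value starting at buf[pos].

    Returns (tag, value_bytes, position_after_value). Only single-byte tags are
    handled, which is all this structure ever uses; lengths may be short or long form.
    """
    if pos + 2 > len(buf):
        raise ValueError("truncated BER: no tag/length at offset %d" % pos)
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER value at offset %d" % pos)
    return tag, buf[pos:pos + length], pos + length


def _decode_uint(value):
    """Decode a non-negative BER INTEGER/ENUMERATED content octet string."""
    if not value or value[0] & 0x80:
        raise ValueError("empty or negative INTEGER in ppolicy control")
    return int.from_bytes(value, "big")


def decode_ppolicy_response(control_value):
    """Return a dict with any of 'timeBeforeExpiration', 'graceAuthNsRemaining', 'error'.

    An empty dict means the server sent the control but had nothing to report.
    Malformed input raises ValueError rather than returning a partial result.
    """
    tag, body, end = _read_tlv(control_value, 0)
    if tag != 0x30 or end != len(control_value):
        raise ValueError("PasswordPolicyResponseValue must be a single SEQUENCE")
    result, pos = {}, 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag == 0xA0:  # warning [0] CHOICE, explicitly tagged (constructed)
            if "timeBeforeExpiration" in result or "graceAuthNsRemaining" in result:
                raise ValueError("duplicate warning element")
            wtag, wval, wend = _read_tlv(value, 0)
            if wend != len(value):
                raise ValueError("trailing bytes inside warning CHOICE")
            if wtag == 0x80:    # timeBeforeExpiration [0] INTEGER (seconds)
                result["timeBeforeExpiration"] = _decode_uint(wval)
            elif wtag == 0x81:  # graceAuthNsRemaining [1] INTEGER
                result["graceAuthNsRemaining"] = _decode_uint(wval)
            else:
                raise ValueError("unknown warning tag 0x%02x" % wtag)
        elif tag == 0x81:  # error [1] ENUMERATED, implicitly tagged (primitive)
            if "error" in result:
                raise ValueError("duplicate error element")
            code = _decode_uint(value)
            result["error"] = PPOLICY_ERRORS.get(code, "unknown(%d)" % code)
        else:
            raise ValueError("unexpected tag 0x%02x in PasswordPolicyResponseValue" % tag)
    return result


def is_malformed(control_value):
    """True if the bytes are not a valid PasswordPolicyResponseValue."""
    try:
        decode_ppolicy_response(control_value)
        return False
    except ValueError:
        return True


# Constructed sample control values (hand-encoded, not captured from a real server).
SAMPLES = {
    "nothing to report (empty SEQUENCE)":           bytes.fromhex("3000"),
    "password expires in 3600 s":                   bytes.fromhex("3006a00480020e10"),
    "account locked":                               bytes.fromhex("3003810101"),
    "2 grace binds left and change-after-reset":    bytes.fromhex("3008a003810102810102"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print("%-45s %s" % (label, decode_ppolicy_response(raw)))
```

With python-ldap the same value arrives as the `controlValue` of a response control whose `controlType` equals `PPOLICY_OID`, and python-ldap also ships its own `ldap.controls.ppolicy` decoder; the hand-written version above is only there to show, byte by byte, what the overlay is (or is not) sending back.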