"Pierangelo Masarati" ando@sys-net.it 11/19/06 10:21 AM >>>
Hello All,
I configured OpenLDAP-2.3.29 with the following options.
./configure --with-threads=posix --with-tls=openssl --enable-dynamic --with-cyrus-sasl --enable-modules--enable-ldbm=mod --enable-crypt --enable-lmpasswd --enable-ldap=mod --enable-meta=mod --enable-rewrite --enable-null=mod --enable-monitor=mod --enable-accesslog --enable-denyop --enable-dyngroup --enable-dynlist --enable-lastmod --enable-ppolicy --enable-proxycache --enable-refint --enable-retcode --enable-rwm --enable-syncprov --enable-translucent --enable-unique --enable-valsort --enable-aci --enable-bdb=mod --enable-hdb=mod --enable-ldbm-api=berkeley --enable-spasswd --enable-wrappers --prefix=/usr/local/encap/openldap
My slapd.conf is:
include /usr/local/encap/openldap/etc/openldap/schema/core.schema include /usr/local/encap/openldap/etc/openldap/schema/cosine.schema include /usr/local/encap/openldap/etc/openldap/schema/inetorgperson.schema include /usr/local/encap/openldap/etc/openldap/schema/openldap.schema include
/usr/local/encap/openldap/etc/openldap/schema/nis.schema
include /usr/local/encap/openldap/etc/openldap/schema/samba3.schema include /usr/local/encap/openldap/etc/openldap/schema/ppolicy.schema
allow bind_anon_dn
pidfile /usr/local/encap/openldap/var/run/slapd.pid argsfile /usr/local/encap/openldap/var/run/slapd.args
database bdb suffix "dc=my-domain,dc=com" rootdn "cn=Manager,dc=my-domain,dc=com"
rootpw secret
directory /usr/local/encap/openldap/var/openldap-data
index objectClass eq
overlay ppolicy ppolicy_default "cn=Standard Policy,ou=Policies,dc=my-domain,dc=com" ppolicy_use_lockout
access to attrs=userpassword by self write by * auth
access to * by self write by * read
loglevel -1
########################################################################
Now when I try to do this:
prakash@linux:~> ldapsearch -H ldap://localhost -D "cn=Manager,dc=my-domain,dc=com" -x -W -b "dc=my-domain,dc=com" -e ppolicy "cn=Manager" Enter LDAP Password:
I get the proper result.
# extended LDIF # # LDAPv3 # base <dc=my-domain,dc=com> with scope subtree # filter: cn=Manager # requesting: ALL #
# Manager, my-domain.com dn: cn=Manager,dc=my-domain,dc=com objectClass: organizationalRole cn: Manager description: LDAP Directory Manager
# search result search: 2 result: 0 Success
# numResponses: 2 # numEntries: 1
But in the server logs, I see,
Nov 18 09:55:31 linux slapd[11135]: => get_ctrls: oid="1.3.6.1.4.1.42.2.27.8.5.1" (noncritical) Nov 18 09:55:31 linux slapd[11135]: <= get_ctrls: n=1 rc=0 err="" Nov 18 09:55:31 linux slapd[11135]: attrs: Nov 18 09:55:31 linux slapd[11135]: Nov 18 09:55:31 linux slapd[11135]: conn=0 op=1 SRCH base="dc=my-domain,dc=com" scope=2 deref=0 filter="(cn=manager)" Nov 18 09:55:31 linux slapd[11135]: slap_global_control: unavailable control: 1.3.6.1.4.1.42.2.27.8.5.1
Is this the reason, why I am not able to get my ppolicy controls to work? How do I make this control available?
That message is only telling you that ppolicy is not recognized as a global control; in fact, it's only supported within the naming context you configured the ppolicy overlay for. As a consequence, handling of that control is deferred. You're simply logging at a too verbose level, and erroneously interpreting the resulting logs. The control does nothing in the operation above likely because there's nothing to do (i.e. you didn't provide an incorrect password multiple times, and your password is not about to expire, or simply because you auth'ed as the rootdn).
Did you read the man page and the draft that control is about? What are you expecting it to do, otherwise?
p.
Hello,
Thanks for the reply. Makes sense. Actually my issue was initially getting ppolicy overlay to work. Should I open a new thread on that or should I use this thread for that too?
Prakash