Hello.
I'd like to know if the "Account Usability Control" (oid=1.3.6.1.4.1.42.2.27.9.5.8) is supported by OpenLDAP.
I ran:
--($:~)-- ldapsearch -h winds06 -p 389 -b '' -s base '(objectClass=*)' supportedControl
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectClass=*)
# requesting: supportedControl
#

#
dn:
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.4203.1.10.1
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.826.0.1.334810.2.3
supportedControl: 1.2.826.0.1.3344810.2.3
supportedControl: 1.3.6.1.1.13.2
supportedControl: 1.3.6.1.1.13.1
supportedControl: 1.3.6.1.1.12

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
According to this, the required control isn't listed. Is this just because of a misconfiguration of my OpenLDAP 2.3.35 server? Some other server implements that, but I'd rather like to use OpenLDAP instead of this other server, as OpenLDAP is available for more platforms.
One source of information I found is at http://www.willeke.com:9080/wikildap/Wiki.jsp?page=DefinitionAccountUsabilit... Because of the non-standard port of this server, I'm copying the information:
The account usability control provides a pair of request and response controls that can be used to determine whether a user account may be used for authenticating to the server.
The request control has an OID of 1.3.6.1.4.1.42.2.27.9.5.8 and does not include a value. It should only be included in search request messages.
The corresponding response control has an OID of 1.3.6.1.4.1.42.2.27.9.5.8 (the same as the request control), and it will be included in any search result entry messages for a search request that includes the account usability request control.
The value for the account usability response control will be encoded as follows:
ACCOUNT_USABLE_RESPONSE ::= CHOICE {
    is_available          [0] INTEGER, -- Seconds before expiration --
    is_not_available      [1] MORE_INFO }

MORE_INFO ::= SEQUENCE {
    inactive              [0] BOOLEAN DEFAULT FALSE,
    reset                 [1] BOOLEAN DEFAULT FALSE,
    expired               [2] BOOLEAN DEFAULT FALSE,
    remaining_grace       [3] INTEGER OPTIONAL,
    seconds_before_unlock [4] INTEGER OPTIONAL }
If the user account is available, then the control will include the number of seconds until the user's password expires, or -1 if password expiration is not enabled. If the user's account is not available, then the control will provide the reason it is unavailable.
This control is required to get passwordless logins to work.
Thanks a lot,
Alexander
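Two things a practitioner would want to automate from the message above: checking whether a root DSE advertises a given control OID, and encoding/decoding the control value described by the ASN.1. The Python below is an added example written for this thread, not code from OpenLDAP, Sun or the wiki page quoted. It assumes IMPLICIT context-specific tagging of the CHOICE and MORE_INFO members (tag 0x80 for is_available, constructed tag 0xA1 for is_not_available, 0x80 to 0x84 for the MORE_INFO fields); the thread does not state the tagging mode, so that is an assumption. The root DSE text is constructed from the ldapsearch output shown above.

```python
"""Account Usability response control: root-DSE check plus a BER codec.
Hypothetical helper written for this thread (not OpenLDAP/Sun code).
Assumption: IMPLICIT context-specific tags for the ASN.1 above."""
from dataclasses import dataclass
from typing import Optional, Set

ACCOUNT_USABILITY_OID = "1.3.6.1.4.1.42.2.27.9.5.8"

# Constructed sample: the supportedControl values from the root DSE output in the post.
SAMPLE_ROOT_DSE = """dn:
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.4203.1.10.1
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.3.6.1.1.12
"""

def advertised_controls(root_dse_ldif: str) -> Set[str]:
    """Collect the OIDs listed on 'supportedControl:' lines of a root DSE entry."""
    return {line.split(":", 1)[1].strip()
            for line in root_dse_ldif.splitlines()
            if line.startswith("supportedControl:")}

def server_advertises(root_dse_ldif: str, oid: str) -> bool:
    return oid in advertised_controls(root_dse_ldif)

# ---- minimal BER helpers (definite-length form only) ----
def _ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _ber_int_body(v: int) -> bytes:
    """Two's-complement INTEGER contents, minimal number of octets."""
    n = 1
    while not -(1 << (8 * n - 1)) <= v < (1 << (8 * n - 1)):
        n += 1
    return v.to_bytes(n, "big", signed=True)

def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(body)) + body

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, contents, next_pos); rejects truncated encodings."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:end], end

@dataclass
class AccountUsability:
    available: bool
    seconds_before_expiration: Optional[int] = None  # -1 means no expiration
    inactive: bool = False
    reset: bool = False
    expired: bool = False
    remaining_grace: Optional[int] = None
    seconds_before_unlock: Optional[int] = None

def encode(u: AccountUsability) -> bytes:
    """is_available -> [0] INTEGER; otherwise [1] MORE_INFO (DEFAULT FALSE fields omitted)."""
    if u.available:
        return _tlv(0x80, _ber_int_body(u.seconds_before_expiration))
    parts = b""
    if u.inactive:
        parts += _tlv(0x80, b"\xff")
    if u.reset:
        parts += _tlv(0x81, b"\xff")
    if u.expired:
        parts += _tlv(0x82, b"\xff")
    if u.remaining_grace is not None:
        parts += _tlv(0x83, _ber_int_body(u.remaining_grace))
    if u.seconds_before_unlock is not None:
        parts += _tlv(0x84, _ber_int_body(u.seconds_before_unlock))
    return _tlv(0xA1, parts)

def decode(value: bytes) -> AccountUsability:
    tag, body, end = _read_tlv(value, 0)
    if end != len(value):
        raise ValueError("trailing bytes after control value")
    if tag == 0x80:
        return AccountUsability(True, int.from_bytes(body, "big", signed=True))
    if tag != 0xA1:
        raise ValueError(f"unexpected CHOICE tag 0x{tag:02x}")
    u, pos = AccountUsability(False), 0
    while pos < len(body):
        t, v, pos = _read_tlv(body, pos)
        if t == 0x80:   u.inactive = v != b"\x00"       # BER: any non-zero octet is TRUE
        elif t == 0x81: u.reset = v != b"\x00"
        elif t == 0x82: u.expired = v != b"\x00"
        elif t == 0x83: u.remaining_grace = int.from_bytes(v, "big", signed=True)
        elif t == 0x84: u.seconds_before_unlock = int.from_bytes(v, "big", signed=True)
        else:
            raise ValueError(f"unknown MORE_INFO tag 0x{t:02x}")
    return u

if __name__ == "__main__":
    print("advertised:", server_advertises(SAMPLE_ROOT_DSE, ACCOUNT_USABILITY_OID))
    print(decode(encode(AccountUsability(False, expired=True, remaining_grace=2))))
```

A client should only send the request control after the root DSE check passes; a server that does not advertise the OID may reject the search outright if the control is marked critical, or silently ignore it otherwise, and the decoder treats any trailing or unknown tags as an error rather than guessing.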
Alexander Skwar wrote:
Hello.
I'd like to know if the "Account Usability Control" (oid=1.3.6.1.4.1.42.2.27.9.5.8) is supported by OpenLDAP.
I'm not aware of any support for that control. Note that the control you mention seems to be part of a vendor-specific (Sun) password policy. OpenLDAP supports password policy based on <draft-behera-ldap-password-policy>.
If you really need that control, I suggest you consider implementing support for the whole policy it is part of, assuming it is documented appropriately. This could possibly be implemented along the lines of slapo-ppolicy(5) as a run-time loadable custom module (an overlay, in OpenLDAP's nomenclature).
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------
openldap-software@openldap.org