Hello All,
I configured OpenLDAP-2.3.29 with the following options.
./configure --with-threads=posix --with-tls=openssl --enable-dynamic --with-cyrus-sasl --enable-modules --enable-ldbm=mod --enable-crypt --enable-lmpasswd --enable-ldap=mod --enable-meta=mod --enable-rewrite --enable-null=mod --enable-monitor=mod --enable-accesslog --enable-denyop --enable-dyngroup --enable-dynlist --enable-lastmod --enable-ppolicy --enable-proxycache --enable-refint --enable-retcode --enable-rwm --enable-syncprov --enable-translucent --enable-unique --enable-valsort --enable-aci --enable-bdb=mod --enable-hdb=mod --enable-ldbm-api=berkeley --enable-spasswd --enable-wrappers --prefix=/usr/local/encap/openldap
My slapd.conf is:
include /usr/local/encap/openldap/etc/openldap/schema/core.schema
include /usr/local/encap/openldap/etc/openldap/schema/cosine.schema
include /usr/local/encap/openldap/etc/openldap/schema/inetorgperson.schema
include /usr/local/encap/openldap/etc/openldap/schema/openldap.schema
include /usr/local/encap/openldap/etc/openldap/schema/nis.schema
include /usr/local/encap/openldap/etc/openldap/schema/samba3.schema
include /usr/local/encap/openldap/etc/openldap/schema/ppolicy.schema
allow bind_anon_dn
pidfile /usr/local/encap/openldap/var/run/slapd.pid
argsfile /usr/local/encap/openldap/var/run/slapd.args
database bdb
suffix "dc=my-domain,dc=com"
rootdn "cn=Manager,dc=my-domain,dc=com"
rootpw secret
directory /usr/local/encap/openldap/var/openldap-data
index objectClass eq
overlay ppolicy
ppolicy_default "cn=Standard Policy,ou=Policies,dc=my-domain,dc=com"
ppolicy_use_lockout
access to attrs=userpassword
by self write
by * auth
access to *
by self write
by * read
loglevel -1
########################################################################
Now when I try to do this:
prakash@linux:~> ldapsearch -H ldap://localhost -D "cn=Manager,dc=my-domain,dc=com" -x -W -b "dc=my-domain,dc=com" -e ppolicy "cn=Manager"
Enter LDAP Password:
I get the proper result.
# extended LDIF
#
# LDAPv3
# base <dc=my-domain,dc=com> with scope subtree
# filter: cn=Manager
# requesting: ALL
#
# Manager, my-domain.com
dn: cn=Manager,dc=my-domain,dc=com
objectClass: organizationalRole
cn: Manager
description: LDAP Directory Manager
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
But in the server logs, I see,
Nov 18 09:55:31 linux slapd[11135]: => get_ctrls: oid="1.3.6.1.4.1.42.2.27.8.5.1" (noncritical)
Nov 18 09:55:31 linux slapd[11135]: <= get_ctrls: n=1 rc=0 err=""
Nov 18 09:55:31 linux slapd[11135]: attrs:
Nov 18 09:55:31 linux slapd[11135]:
Nov 18 09:55:31 linux slapd[11135]: conn=0 op=1 SRCH base="dc=my-domain,dc=com" scope=2 deref=0 filter="(cn=manager)"
Nov 18 09:55:31 linux slapd[11135]: slap_global_control: unavailable control: 1.3.6.1.4.1.42.2.27.8.5.1
Is this the reason why I am not able to get my ppolicy controls to
work? How do I make this control available?
That message is only telling you that ppolicy is not recognized as a
global control; in fact, it's only supported within the naming context you
configured the ppolicy overlay for. As a consequence, handling of that
control is deferred. You're simply logging at too verbose a level, and
erroneously interpreting the resulting logs. The control does nothing in
the operation above likely because there's nothing to do (i.e. you didn't
provide an incorrect password multiple times, and your password is not
about to expire, or simply because you auth'ed as the rootdn).
Did you read the man page and the draft that control is about? What are
you expecting it to do, otherwise?
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office: +39.02.23998309
Mobile: +39.333.4963172
Email: pierangelo.masarati(a)sys-net.it
------------------------------------------