I'm running 2.3.39 and using ppolicy to enforce our password policy. Got an LDIF file:
dn: cn=npg2810,ou=policies,dc=nasascience,dc=nasa,dc=gov cn: npg2810 objectClass: top objectClass: pwdPolicy objectClass: organizationalRole objectClass: pwdPolicyChecker description: OpenLDAP ppolicy to implement NPG2810-like restrictions pwdAttribute: userPassword
When I try to slapadd it, I get an error indicating it doesn't like "userPassword":
sudo sbin/slapadd -l ldifs/6_policies.ldif str2entry: invalid value for attributeType pwdAttribute #0 (syntax 1.3.6.1.4.1.1466.115.121.1.38) slapadd: could not parse entry (line=51)
The ppolicy.schema file says:
#5.2.1 pwdAttribute # # This holds the name of the attribute to which the password policy is # applied. For example, the password policy may be applied to the # userPassword attribute.
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.1 NAME 'pwdAttribute' EQUALITY objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
And my slapd.conf includes ppolicy.schema in addition to core.schema, cosine.schema, and inetorgperson.schema.
Oddly, replacing the "userPassword" value with a random number, like "42" or "3.14159" causes no error.
I cannot find userPassword defined in any of the schemas, tho it is commented out in core.schema. If I uncomment it from core.schema it complains that it's a dupe:
sbin/slapadd -l ldifs/6_policies.ldif schema/core.schema: line 244: Duplicate attributeType: "2.5.4.35" slapadd: bad configuration file!
What am I missing? Thanks.
Chris Shenton chris.shenton@nasa.gov writes:
I'm running 2.3.39 and using ppolicy to enforce our password policy. Got an LDIF file:
dn: cn=npg2810,ou=policies,dc=nasascience,dc=nasa,dc=gov cn: npg2810 objectClass: top objectClass: pwdPolicy objectClass: organizationalRole objectClass: pwdPolicyChecker description: OpenLDAP ppolicy to implement NPG2810-like restrictions pwdAttribute: userPassword
pwdAttribute value should contain the OID of attribute type userpassword, which is 2.5.4.35
-Dieter
Dieter Kluenter skrev, on 23-02-2008 09:11:
I'm running 2.3.39 and using ppolicy to enforce our password policy. Got an LDIF file:
dn: cn=npg2810,ou=policies,dc=nasascience,dc=nasa,dc=gov cn: npg2810 objectClass: top objectClass: pwdPolicy objectClass: organizationalRole objectClass: pwdPolicyChecker description: OpenLDAP ppolicy to implement NPG2810-like restrictions pwdAttribute: userPassword
pwdAttribute value should contain the OID of attribute type userpassword, which is 2.5.4.35
Well, it works (now, it didn't the first time) with userPassword on my (production) rigs, too. Both should work, but if I (now) put the OID value into the ldif, it magically gets transformed into the string userPassword.
Best,
--Tonni
On Feb 23, 2008, at 3:11 AM, Dieter Kluenter wrote:
Chris Shenton chris.shenton@nasa.gov writes:
I'm running 2.3.39 and using ppolicy to enforce our password policy. Got an LDIF file:
dn: cn=npg2810,ou=policies,dc=nasascience,dc=nasa,dc=gov cn: npg2810 objectClass: top objectClass: pwdPolicy objectClass: organizationalRole objectClass: pwdPolicyChecker description: OpenLDAP ppolicy to implement NPG2810-like restrictions pwdAttribute: userPassword
pwdAttribute value should contain the OID of attribute type userpassword, which is 2.5.4.35
Thanks, that got me going. I could swear I used "userPassword" in a previous version of OpenLDAP.
Perhaps the docs and LDIF file should mention that you need to use the OID rather than the name? Both the man page for slapo-ppolicy and draft-behera-ldap-password- policy-xx.txt say "userPassword".
Thanks.
Can someone verify this is correct. I seem to be able to use pwdAttribute with the only acceptable value of userPassword.
Thanks sellers
On Feb 29, 2008, at 10:54 AM, Chris Shenton wrote:
On Feb 23, 2008, at 3:11 AM, Dieter Kluenter wrote:
Chris Shenton chris.shenton@nasa.gov writes:
I'm running 2.3.39 and using ppolicy to enforce our password policy. Got an LDIF file:
dn: cn=npg2810,ou=policies,dc=nasascience,dc=nasa,dc=gov cn: npg2810 objectClass: top objectClass: pwdPolicy objectClass: organizationalRole objectClass: pwdPolicyChecker description: OpenLDAP ppolicy to implement NPG2810-like restrictions pwdAttribute: userPassword
pwdAttribute value should contain the OID of attribute type userpassword, which is 2.5.4.35
Thanks, that got me going. I could swear I used "userPassword" in a previous version of OpenLDAP.
Perhaps the docs and LDIF file should mention that you need to use the OID rather than the name? Both the man page for slapo-ppolicy and draft-behera-ldap-password- policy-xx.txt say "userPassword".
Thanks.
______________________________________________ Chris G. Sellers | NITLE - Technology Team 734.661.2318 | chris.sellers@nitle.org AIM: imthewherd | GoogleTalk: cgseller@gmail.com
Hi,
Chris Shenton chris.shenton@nasa.gov writes:
On Feb 23, 2008, at 3:11 AM, Dieter Kluenter wrote:
Chris Shenton chris.shenton@nasa.gov writes:
I'm running 2.3.39 and using ppolicy to enforce our password policy. Got an LDIF file:
[...]
pwdAttribute: userPassword
pwdAttribute value should contain the OID of attribute type userpassword, which is 2.5.4.35
Thanks, that got me going. I could swear I used "userPassword" in a previous version of OpenLDAP.
Perhaps the docs and LDIF file should mention that you need to use the OID rather than the name? Both the man page for slapo-ppolicy and draft-behera-ldap-password- policy-xx.txt say "userPassword".
The only reference I have at hand right now is my own documentation, but I could swear that the original information had been in some documentation, either man slapo-ppolicy, draft-behera-ldap-password-policy or in ppolicy.c. But someone with more detailed inside knowledge may comment on this issue and clarify.
-Dieter
Dieter Kluenter wrote:
Hi,
Chris Shentonchris.shenton@nasa.gov writes:
On Feb 23, 2008, at 3:11 AM, Dieter Kluenter wrote:
Chris Shentonchris.shenton@nasa.gov writes:
I'm running 2.3.39 and using ppolicy to enforce our password policy. Got an LDIF file:
[...]
pwdAttribute: userPassword
pwdAttribute value should contain the OID of attribute type userpassword, which is 2.5.4.35
Thanks, that got me going. I could swear I used "userPassword" in a previous version of OpenLDAP.
Yes. That is intended to work; the ppolicy overlay installs a handler to map attribute names to their OIDs so that the main slapd code will recognize them.
Perhaps the docs and LDIF file should mention that you need to use the OID rather than the name? Both the man page for slapo-ppolicy and draft-behera-ldap-password- policy-xx.txt say "userPassword".
The only reference I have at hand right now is my own documentation, but I could swear that the original information had been in some documentation, either man slapo-ppolicy, draft-behera-ldap-password-policy or in ppolicy.c. But someone with more detailed inside knowledge may comment on this issue and clarify.
Chris Shenton skrev, on 22-02-2008 23:53:
I'm running 2.3.39 and using ppolicy to enforce our password policy. Got an LDIF file:
I run ppolicy too at my sites.
dn: cn=npg2810,ou=policies,dc=nasascience,dc=nasa,dc=gov cn: npg2810 objectClass: top objectClass: pwdPolicy objectClass: organizationalRole objectClass: pwdPolicyChecker description: OpenLDAP ppolicy to implement NPG2810-like restrictions pwdAttribute: userPassword
When I try to slapadd it, I get an error indicating it doesn't like "userPassword":
sudo sbin/slapadd -l ldifs/6_policies.ldif str2entry: invalid value for attributeType pwdAttribute #0 (syntax 1.3.6.1.4.1.1466.115.121.1.38) slapadd: could not parse entry (line=51)
I had this on my FC6 test machine the first time I ever tried out ppolicy. But I'd run the tests in the build directory after building Buchan's srpm and all tests had passed, including test022-ppolicy. Running that test again populated $BUILD_DIR/{testdata,testrun} with data for that test and I noticed that the ldif used for the test used the OID 2.5.4.35 for userPassword, rather than the string. So I put that in my ldif and it worked.
If you notice, you also get 1.3.6.1.4.1.1466.115.121.1.38 for the syntax. According to my present OL 2.4.8 setup, using gq, the correct syntax is 1.3.6.1.4.1.1466.115.121.1.40{128} (with length).
I've never had it since, have no idea why it ever occurred in the first place.
The ppolicy.schema file says:
#5.2.1 pwdAttribute # # This holds the name of the attribute to which the password policy is # applied. For example, the password policy may be applied to the # userPassword attribute.
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.1 NAME 'pwdAttribute' EQUALITY objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
Ah. This is interesting, read on ...
And my slapd.conf includes ppolicy.schema in addition to core.schema, cosine.schema, and inetorgperson.schema.
Oddly, replacing the "userPassword" value with a random number, like "42" or "3.14159" causes no error.
I cannot find userPassword defined in any of the schemas, tho it is commented out in core.schema. If I uncomment it from core.schema it complains that it's a dupe:
sbin/slapadd -l ldifs/6_policies.ldif schema/core.schema: line 244: Duplicate attributeType: "2.5.4.35" slapadd: bad configuration file!
This is because it's built into slapd as a hard-coded entry in $BUILD_DIR/servers/slapd/schema_prep.c. There it is defined as:
{ "userPassword", "( 2.5.4.35 NAME 'userPassword' " "DESC 'RFC4519/2307: password of user' " "EQUALITY octetStringMatch " "SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} )"
Notice the syntax? How it differs from the schema definition?
What am I missing?
That would have to be 1: experience and 2: inventiveness.
FWIW I read draft-behera thoroughly and through the whole draft it stresses that user password MUST be a single value attribute, while the above stanza makes it into a multi-value attribute. In accord with the IETF definition. I filed an ITS about this to which Howard replied words to the effect of "Probably ...". I'd noticed that if a user had access to a GUI such as phpldapAdmin or gq he could give himself whatever extra passwords he wanted and all would work. That is not what I, as admin, want. So I now patch schema_prep.c for all my builds, thus:
{ "userPassword", "( 2.5.4.35 NAME 'userPassword' " "DESC 'RFC4519/2307 adapted for draft behera: password of user' " "EQUALITY octetStringMatch " "SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} SINGLE-VALUE )"
On the one hand IETF decrees that userPassword MUST be multi-value and on the other single-valued, go figure: "let not thy left hand know what thy right hand doeth".
Best,
--Tonni
openldap-software@openldap.org
-
Chris G. Sellers -
Chris Shenton -
Dieter Kluenter -
Howard Chu -
Tony Earnshaw