Have a nice day.
I have to implement a password policy in our OpenLDAP. During testing of the features of the ppolicy module I found that it ignores an expired password when I authenticate a user by SASL DIGEST-MD5. When I try on an expired account:
ldapwhoami -xD "cn=Kokos Velky,ou=TestUsers,ou=People,o=Ceske drahy,c=CZ"
the answer is: ldap_bind: Invalid credentials (49) and in slapd log:
ppolicy_bind: Entry cn=Kokos Velky,ou=TestUsers,ou=People,o=Ceske drahy,c=CZ has an expired password: 0 grace logins
But when I try
ldapwhoami -Y DIGEST-MD5 -U kokos1
the answer is:
SASL/DIGEST-MD5 authentication started
SASL username: kokos1
SASL SSF: 128
SASL installing layers
dn:cn=kokos velky,ou=testusers,ou=people,o=ceske drahy,c=cz
Result: Success (0)
In slapd.conf I have
sasl-regexp uid=(.*),cn=digest-md5,cn=auth "ldap:///o=Ceske drahy,c=CZ??sub?(&(uid=$1)(|(objectClass=inetOrgPerson) (objectClass=applicationProcess)))"
What I am doing wrong?
Many thanks for any advice.
Jiri Netolicky
Jiri Netolicky wrote:
Have a nice day.
I have to implement a password policy in our OpenLDAP. During testing of the features of the ppolicy module I found that it ignores an expired password when I authenticate a user by SASL DIGEST-MD5. When I try on an expired account:
Correct. Password policies as currently defined in LDAP only affect Simple Binds.
Jiri Netolicky wrote:
Have a nice day.
I have to implement a password policy in our OpenLDAP. During testing of the features of the ppolicy module I found that it ignores an expired password when I authenticate a user by SASL DIGEST-MD5. When I try on an expired account:
Correct. Password policies as currently defined in LDAP only affect Simple Binds.
Many thanks for the quick answer.
Do you plan to implement password policy for other authentication methods in the near future? If not, the only way for me is to disable SASL authentication and force bind authentication secured by SSL or TLS.
Jiri Netolicky wrote:
Jiri Netolicky wrote:
Have a nice day.
I have to implement a password policy in our OpenLDAP. During testing of the features of the ppolicy module I found that it ignores an expired password when I authenticate a user by SASL DIGEST-MD5. When I try on an expired account:
Correct. Password policies as currently defined in LDAP only affect Simple Binds.
Many thanks for the quick answer.
Do you plan to implement password policy for other authentication methods in the near future? If not, the only way for me is to disable SASL authentication and force bind authentication secured by SSL or TLS.
It is certainly desirable, but pushing the SASL specification is really outside the scope of LDAP. So yes, we are pushing for this, but have no idea how long it will take.
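An added example, not from this thread or from OpenLDAP's own code: a small Python model of the two paths discussed above, namely the sasl-regexp mapping of a DIGEST-MD5 identity to the search URL from the slapd.conf quoted earlier, and ppolicy's expiry test that only the Simple Bind path applies, plus an audit helper that lists accounts a Simple Bind would refuse while SASL DIGEST-MD5 still authenticates them. The entries, pwdMaxAge and clock are constructed; it assumes DIGEST-MD5 verifies against the entry's userPassword (slapd's auxprop lookup) rather than a separate sasldb.

```python
import re
from datetime import datetime, timedelta, timezone

# The sasl-regexp from the slapd.conf in the thread, split into its pattern and its URL template.
SASL_REGEXP = r"uid=(.*),cn=digest-md5,cn=auth"
SASL_URL = ("ldap:///o=Ceske drahy,c=CZ??sub?"
            "(&(uid=$1)(|(objectClass=inetOrgPerson)(objectClass=applicationProcess)))")

# Constructed sample entries (not real directory content); pwdChangedTime is LDAP GeneralizedTime.
ENTRIES = [
    {"dn": "cn=Kokos Velky,ou=TestUsers,ou=People,o=Ceske drahy,c=CZ", "uid": "kokos1",
     "userPassword": "constructed-secret", "pwdChangedTime": "20050101120000Z"},
    {"dn": "cn=Fresh User,ou=TestUsers,ou=People,o=Ceske drahy,c=CZ", "uid": "fresh1",
     "userPassword": "constructed-secret", "pwdChangedTime": "20050301120000Z"},
    {"dn": "cn=No Secret,ou=TestUsers,ou=People,o=Ceske drahy,c=CZ", "uid": "nosecret",
     "pwdChangedTime": "20050101120000Z"},
]
PWD_MAX_AGE = 30 * 24 * 3600                              # ppolicy pwdMaxAge in seconds (constructed)
NOW = datetime(2005, 3, 10, 12, 0, tzinfo=timezone.utc)  # fixed clock so results are reproducible


def sasl_authzid_to_url(sasl_user, mech="DIGEST-MD5"):
    """Model slapd's sasl-regexp step: build the SASL authorization DN and map it to the search URL."""
    authzid = f"uid={sasl_user},cn={mech.lower()},cn=auth"
    match = re.fullmatch(SASL_REGEXP, authzid)
    return SASL_URL.replace("$1", match.group(1)) if match else None


def password_expired(entry, pwd_max_age, now):
    """ppolicy's age test: pwdChangedTime + pwdMaxAge is already in the past (0 disables ageing)."""
    changed = datetime.strptime(entry["pwdChangedTime"], "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return pwd_max_age > 0 and changed + timedelta(seconds=pwd_max_age) <= now


def simple_bind_allowed(entry, pwd_max_age, now, grace_left=0):
    """ppolicy_bind's decision on a Simple Bind: refuse an expired password once no grace logins remain.
    Simplified: grace_left is passed in rather than derived from the entry's pwdGraceUseTime values."""
    return not password_expired(entry, pwd_max_age, now) or grace_left > 0


def audit_sasl_bypass(entries, pwd_max_age, now):
    """List uids a Simple Bind would refuse as expired that still carry a userPassword, the secret
    DIGEST-MD5 verifies against; ppolicy never sees those SASL binds (assumption: no separate sasldb)."""
    return sorted(e["uid"] for e in entries
                  if "userPassword" in e and not simple_bind_allowed(e, pwd_max_age, now))


if __name__ == "__main__":
    print("SASL lookup for kokos1:", sasl_authzid_to_url("kokos1"))
    print("expired but still SASL-authenticable:", audit_sasl_bypass(ENTRIES, PWD_MAX_AGE, NOW))
```

Accounts the audit reports are the ones to handle out of band (forced reset, or the move to Simple Bind over TLS mentioned above) until ppolicy covers SASL binds.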
openldap-software@openldap.org