Hello Howard and Ozgur,
My answers are inlined in the following text.
I attached a copy of the slapd.conf if you would like to take a look.
Thanks for taking the time to answer my questions, it's appreciated. Have a nice day!
Howard Chu wrote:
Matthieu Cerda wrote:
Hello folks,
I just stumbled upon a (maybe not) surprising technical issue with my OpenLDAP setup: ppolicy seems unable to update pwdAccountLockedTime on my users.
(...)
The documentation (http://www.openldap.org/doc/admin24/overlays.html) advises nothing about ACLs.
That is not the documentation, that is only a guide. The manpages are the authoritative documentation.
Got it, I was misled by the '/doc' in the URL I guess.
Is this an issue or a misconfiguration?
Read the slapo-ppolicy(5) manpage.
(Note: the default password policy I use has pwdLockout: TRUE, pwdMaxFailure: 3 and pwdLockoutDuration:0)
The manpage says nothing about ACLs except: 'Note that some of the policies do not take effect when the operation is performed with the rootdn identity; all the operations, when performed with any other identity, may be subjected to constraints, like access control.'
To clarify, I'm obviously not testing the ppolicy on a rootdn (the database does not have any actually), it is a random user without any specific privilege (besides being allowed access to * with read rights when authenticated).
My current understanding of the ppolicy pwdLockout attribute is that when a user exceeds its pwdMaxFailure count while pwdLockout is TRUE, the overlay itself sets pwdAccountLockedTime internally according to the pwdLockoutDuration value, bypassing ACLs (in this case, my setup should work). If that is not the case, who needs write access to the attribute?
Do I need a rootdn set, even if I do not use it, for this to work properly maybe?
Thanks in advance,
Ozgur Karatas wrote:
Hello,
The "deleted access denied by read" error has been fixed in the next OpenLDAP version, I remember. I think it was from slapo-ppolicy and has been fixed in the 2.4.11 version.
Well this is a 2.4.40 OpenLDAP, it should be OK then?
---8<---
# slapd -V
@(#) $OpenLDAP: slapd (Jan 16 2016 23:00:08) $
root@chimera:/tmp/buildd/openldap-2.4.40+dfsg/debian/build/servers/slapd
---8<---
I also tried with LTB project's 2.4.44 release with the same results, so I doubt this is a known bug (or even a bug at all), I think my configuration is incorrect but I am currently incapable of seeing why.
Regards,
Ozgur Karatas
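An added slapd.conf fragment (not the attached file and not written by anyone in the thread) showing a database stanza in which the ppolicy overlay's lockout bookkeeping can be written. It assumes the overlay performs those internal modifies with the database's rootdn identity, so a database with no rootdn leaves them subject to the regular ACLs; the suffix, rootdn, group DN and policy DN are illustrative values.

```conf
# Added example, not the slapd.conf attached to this mail.
database        mdb
suffix          "dc=example,dc=com"

# Assumption: slapo-ppolicy records pwdFailureTime and pwdAccountLockedTime
# through an internal modify run as this database's rootdn. Without a rootdn
# that identity is empty and the write is checked against the ACLs below,
# which grant no regular identity write access to those attributes.
rootdn          "cn=admin,dc=example,dc=com"
rootpw          {SSHA}REPLACE-WITH-slappasswd-OUTPUT

overlay         ppolicy
ppolicy_default "cn=default,ou=policies,dc=example,dc=com"

# Users may change their own password; binding needs only auth access.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# Lockout state stays readable by the owner and an admin group so lockouts
# can be audited, but is never writable by an ordinary bound user.
access to attrs=pwdFailureTime,pwdAccountLockedTime,pwdChangedTime
        by self read
        by group.exact="cn=admins,dc=example,dc=com" read
        by * none

# Everything else: authenticated users read, anonymous gets nothing.
access to *
        by users read
        by * none
```

After a lockout, an administrator can confirm the overlay wrote the state by requesting operational attributes (the `+` attribute list) on the affected entry with ldapsearch.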