Hello!
I have two issues regarding ppolicy. I use Debian jessie backports (slapd 2.4.44).
1) I use "olcPPolicyHashCleartext: TRUE" so the clients send cleartext passwords and slapd hashes them before writing to the database, for security reasons (and so slapd can perform password quality checks). But I need exceptions to that. Indeed, for some reason I have to use EAP-MD5, and EAP-MD5 makes it mandatory to store cleartext passwords in LDAP. So I would like to find a way to use "olcPPolicyHashCleartext: TRUE" on some OUs, but not on others. Any way to do that?
Maybe setting up a second mdb database with a different ppolicy overlay configuration ("olcPPolicyHashCleartext: FALSE") and the same olcSuffix as the existing database? A search on the base DN would then need to cover the two databases.
2) syncrepl of (for example) pwdChangedTime. This attribute is not synced to my consumers, even though the schema is imported on the consumer, the module is configured and the overlay is also configured. Syncrepl for attributes not related to ppolicy works fine. Somehow ppolicy is working on the consumers though, since after a failed bind on the consumer I can see pwdFailureTime on this consumer. Any idea? (I tried slapd -d -1 but didn't find anything relevant; I can paste the results here if needed.)
Regards,
********* provider
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 fb6dde8c
dn: olcOverlay={1}ppolicy
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=ppolicies,dc=acme,dc=fr
olcPPolicyHashCleartext: TRUE
structuralObjectClass: olcPPolicyConfig
entryUUID: 3528350a-0f9a-1037-89da-e5a4ba1189f6
creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
createTimestamp: 20170807085738Z
entryCSN: 20170807085738.529346Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20170807085738Z
********* provider
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 295fad94
dn: cn=module{2}
objectClass: olcModuleList
cn: module{2}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}ppolicy.la
structuralObjectClass: olcModuleList
entryUUID: 6e4da4de-0a3e-1037-9174-b1e488f02d8a
creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
createTimestamp: 20170731131804Z
entryCSN: 20170731131804.891811Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20170731131804Z
********* consumer
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 4758a296
dn: olcOverlay={0}ppolicy
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=ppolicies,dc=acme,dc=fr
olcPPolicyHashCleartext: TRUE
structuralObjectClass: olcPPolicyConfig
entryUUID: e5a3785a-0d8c-1037-908e-d903a2095e18
creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
createTimestamp: 20170804181719Z
entryCSN: 20170804181719.336420Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20170804181719Z
********* consumer
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 d0060305
dn: cn=module{1}
objectClass: olcModuleList
cn: module{1}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}ppolicy.la
structuralObjectClass: olcModuleList
entryUUID: e560e800-0d8c-1037-908d-d903a2095e18
creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
createTimestamp: 20170804181718Z
entryCSN: 20170804181718.900179Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20170804181718Z
********* consumer
olcSyncrepl: {0}rid=2 provider=ldap://ldap-provider-dev.acme starttls=critical tls_reqcert=demand bindmethod=simple binddn="cn=replication,ou=Applications,dc=acme,dc=fr" credentials=xxx searchbase="dc=acme,dc=fr" schemachecking=off type=refreshAndPersist filter="(objectClass=*)" attrs="*" scope=sub retry="60 +"
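An added check for the second issue (example code, not part of the post or of OpenLDAP): it parses the consumer's olcSyncrepl value above and reports which ppolicy state attributes fall outside its attrs= list. Those attributes are operational (USAGE directoryOperation), and syncrepl selects operational attributes with "+" rather than "*"; the credentials value is the post's own placeholder, and the attribute list is assumed from the ppolicy schema.

```python
"""Report ppolicy state attributes that an olcSyncrepl attrs= list does not select."""
import shlex

# ppolicy state attributes (from the ppolicy schema); all are operational,
# so an attrs list of "*" alone does not request them from the provider.
PPOLICY_OPERATIONAL_ATTRS = {
    "pwdChangedTime", "pwdFailureTime", "pwdAccountLockedTime",
    "pwdGraceUseTime", "pwdHistory", "pwdReset", "pwdPolicySubentry",
}


def parse_syncrepl(value: str) -> dict:
    """Split an olcSyncrepl value ('{0}rid=2 provider=... attrs="*"') into a dict."""
    body = value.strip()
    if body.startswith("{"):           # drop the cn=config ordering prefix, e.g. {0}
        body = body[body.index("}") + 1:]
    cfg = {}
    for token in shlex.split(body):    # shlex honours the double quotes around values
        key, sep, val = token.partition("=")
        if sep:
            cfg[key] = val
    return cfg


def selected_attrs(cfg: dict) -> list:
    """The attrs= list; slapd's default when the keyword is absent is '*,+'."""
    return [a.strip() for a in cfg.get("attrs", "*,+").split(",") if a.strip()]


def replicates(cfg: dict, attr: str) -> bool:
    """True if the consumer asks the provider for `attr` (case-insensitive)."""
    sel = {a.lower() for a in selected_attrs(cfg)}
    if attr.lower() in sel:
        return True
    if attr.lower() in {a.lower() for a in PPOLICY_OPERATIONAL_ATTRS}:
        return "+" in sel              # operational attributes need '+'
    return "*" in sel                  # user attributes are covered by '*'


def missing_ppolicy_attrs(cfg: dict) -> set:
    """ppolicy state attributes this syncrepl configuration will never pull."""
    return {a for a in PPOLICY_OPERATIONAL_ATTRS if not replicates(cfg, a)}


# The consumer's olcSyncrepl value from the post (credentials already masked there).
CONSUMER_SYNCREPL = (
    '{0}rid=2 provider=ldap://ldap-provider-dev.acme starttls=critical '
    'tls_reqcert=demand bindmethod=simple '
    'binddn="cn=replication,ou=Applications,dc=acme,dc=fr" credentials=xxx '
    'searchbase="dc=acme,dc=fr" schemachecking=off type=refreshAndPersist '
    'filter="(objectClass=*)" attrs="*" scope=sub retry="60 +"'
)

if __name__ == "__main__":
    cfg = parse_syncrepl(CONSUMER_SYNCREPL)
    print("not replicated with attrs=\"*\":", sorted(missing_ppolicy_attrs(cfg)))
    print("not replicated with attrs=\"*,+\":",
          sorted(missing_ppolicy_attrs(dict(cfg, attrs="*,+"))))
```

Requesting the attributes is only half of it: the replication binddn also needs read access to them in the provider's ACLs, otherwise they are silently omitted from the search results.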