Re: SASL not honoring slapo-ppolicy

On 10/07/2014 11:56, Howard Chu wrote: > Achilleas Mantzios wrote: >> Hello list, >> I have managed successfully to setup a fully functional openldap server on FreeBSD. >> So far, I had success with : ppolicy, ACLs, legacy SQL exposed as LDAP, SASL authentication. >> My only problem thus far is combining SASL with ppolicy. When binding with classic simple >> authentication using -D dn, then ppolicy overlay has the expected effect. >> However when using SASL (SASL/SCRAM-SHA-1) with -U, while it works correctly converting uid to DN >> with authz-regexp, it does not seem to look for ppolicy (default or derived from pwdPolicySubentry). >> Moreover, enforced violations of ppolicy (e.g. failed attempted authentications >= pwdMaxFailure) >> when done via SASL seem to have no effect on ppolicy attributes, e.g. pwdAccountLockedTime, >> while they work fine when binding with simple authentication. >> >> Is there any way to overcome this? Or is ppolicy honored only via simple DN binds? > > ppolicy is only honored by Simple Binds. There was some discussion, a long time ago, about how to make SASL use/recognize LDAP password policy, but it never went anywhere. > Thank you, I am sure there are reasons for this, if you don't bother, you might give some pointers to this discussion?

Also, is there any non-programmatic workaround for this?