Achilleas Mantzios wrote:
On 10/07/2014 11:56, Howard Chu wrote:
> Achilleas Mantzios wrote:
>> Hello list,
>> I have managed successfully to set up a fully functional openldap server on
>> So far, I had success with : ppolicy, ACLs, legacy SQL exposed as LDAP, SASL
>> My only problem thus far is combining SASL with ppolicy. When binding with
>> authentication using -D dn, then ppolicy overlay has the expected effect.
>> However when using SASL (SASL/SCRAM-SHA-1) with -U, while it works correctly
>> converting uid to DN
>> with authz-regexp, it does not seem to look for ppolicy (default or derived from
>> Moreover, enforced violations of ppolicy (e.g. failed attempted authentications
>> when done via SASL seem to have no effect on ppolicy attributes, e.g.
>> while they work fine when binding with simple authentication.
>> Is there any way to overcome this? Or is ppolicy honored only via simple DN
> ppolicy is only honored by Simple Binds. There was some discussion, a long time ago,
> about how to make SASL use/recognize LDAP password policy, but it never went anywhere.
> Thank you, I am sure there are reasons for this; if you don't mind, could you give
> some pointers to this discussion?
> Also, is there any non-programmatic workaround for this?
Don't know, but I haven't looked either.
It can be done if someone writes the code and gets it approved by both the
SASL and LDAP spec folks. Patches welcome.
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
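The practical consequence of the answer above is that a server may be enforcing lockout and failure accounting for simple binds while SASL binds of the same accounts go uncounted. An added example (not code from this thread or from OpenLDAP) that a defender could use to see which accounts authenticate through each path: it parses slapd `stats`-level log lines, treating `method=128` as a simple bind and `method=163` followed by a `BIND dn=... mech=...` line as a completed SASL bind, and skips the intermediate `err=14` (saslBindInProgress) results of multi-step mechanisms such as SCRAM. The log lines are constructed for this example; the regexes assume that log layout.

```python
"""Summarise slapd stats-log BIND operations by authentication method.

Added example, not from the original thread. Assumes the slapd 'stats'
log layout: simple binds log 'BIND dn="..." method=128'; SASL binds log
'BIND dn="" method=163' and, on success, a 'BIND dn="..." mech=...' line.
"""
import re
from collections import defaultdict

# Constructed sample of slapd stats output (not taken from the thread).
# conn=1003: simple bind, wrong password (err=49)
# conn=1004: SCRAM-SHA-1 bind, two SASL steps, success
# conn=1005: SCRAM-SHA-1 bind, two SASL steps, wrong password
# conn=1006: simple bind, success
SAMPLE_LOG = """\
conn=1003 op=0 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128
conn=1003 op=0 RESULT tag=97 err=49 text=
conn=1004 op=0 BIND dn="" method=163
conn=1004 op=0 RESULT tag=97 err=14 text=SASL(0): successful result:
conn=1004 op=1 BIND dn="" method=163
conn=1004 op=1 BIND authcid="alice" authzid="alice"
conn=1004 op=1 BIND dn="uid=alice,ou=people,dc=example,dc=com" mech=SCRAM-SHA-1 sasl_ssf=128 ssf=256
conn=1004 op=1 RESULT tag=97 err=0 text=
conn=1005 op=0 BIND dn="" method=163
conn=1005 op=0 RESULT tag=97 err=14 text=SASL(0): successful result:
conn=1005 op=1 BIND dn="" method=163
conn=1005 op=1 RESULT tag=97 err=49 text=SASL(-13): authentication failure: Password verification failed
conn=1006 op=0 BIND dn="uid=bob,ou=people,dc=example,dc=com" method=128
conn=1006 op=0 RESULT tag=97 err=0 text=
"""

BIND_SIMPLE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=128')
BIND_SASL_START = re.compile(r'conn=(\d+) op=(\d+) BIND dn="" method=163')
BIND_SASL_DONE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]+)" mech=(\S+)')
RESULT = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)')

SASL_BIND_IN_PROGRESS = 14  # LDAP resultCode for a multi-step SASL bind


def summarise_binds(log_text):
    """Return (per-DN counts, unattributed SASL failures).

    Per-DN counts separate simple binds (ppolicy-governed) from successful
    SASL binds (not ppolicy-governed, per the thread). Failed SASL binds
    never reach the DN-mapping step, so the stats log cannot tie them to
    an account; they are returned as a plain count.
    """
    ops = {}  # (conn, op) -> {"method", "dn", "mech", "err"}
    for line in log_text.splitlines():
        m = BIND_SIMPLE.search(line)
        if m:
            ops[(m[1], m[2])] = {"method": "simple", "dn": m[3], "mech": None, "err": None}
            continue
        m = BIND_SASL_START.search(line)
        if m:
            ops[(m[1], m[2])] = {"method": "sasl", "dn": None, "mech": None, "err": None}
            continue
        m = BIND_SASL_DONE.search(line)
        if m and (m[1], m[2]) in ops:
            ops[(m[1], m[2])].update(dn=m[3], mech=m[4])
            continue
        m = RESULT.search(line)
        if m and (m[1], m[2]) in ops:
            ops[(m[1], m[2])]["err"] = int(m[3])

    summary = defaultdict(lambda: {"simple_ok": 0, "simple_fail": 0, "sasl_ok": 0})
    unattributed_sasl_failures = 0
    for op in ops.values():
        if op["err"] == SASL_BIND_IN_PROGRESS:
            continue  # intermediate SASL step, not an outcome
        if op["method"] == "simple":
            key = "simple_ok" if op["err"] == 0 else "simple_fail"
            summary[op["dn"]][key] += 1
        elif op["dn"] is not None and op["err"] == 0:
            summary[op["dn"]]["sasl_ok"] += 1
        else:
            unattributed_sasl_failures += 1
    return dict(summary), unattributed_sasl_failures


if __name__ == "__main__":
    per_dn, sasl_failures = summarise_binds(SAMPLE_LOG)
    for dn, counts in sorted(per_dn.items()):
        print(dn, counts)
    print("SASL failures not attributable to a DN:", sasl_failures)
```

Accounts that show `sasl_ok` activity are authenticating through the path the thread says ppolicy does not govern, so their lockout and failure accounting has to be done elsewhere (for example at the SASL layer or from these logs), and the unattributed-failure count is the part of that picture the server log alone cannot assign to an account.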