Achilleas Mantzios wrote:
> On 10/07/2014 11:56, Howard Chu wrote:
>> Achilleas Mantzios wrote:
>>> Hello list,
>>> I have managed successfully to set up a fully functional openldap server on FreeBSD.
>>> So far, I had success with: ppolicy, ACLs, legacy SQL exposed as LDAP, SASL authentication.
>>> My only problem thus far is combining SASL with ppolicy. When binding with classic simple
>>> authentication using -D dn, then ppolicy overlay has the expected effect.
>>> However, when using SASL (SASL/SCRAM-SHA-1) with -U, while it works correctly converting uid to DN
>>> with authz-regexp, it does not seem to look for ppolicy (default or derived from pwdPolicySubentry).
>>> Moreover, enforced violations of ppolicy (e.g. failed attempted authentications >= pwdMaxFailure)
>>> when done via SASL seem to have no effect on ppolicy attributes, e.g. pwdAccountLockedTime,
>>> while they work fine when binding with simple authentication.
>>>
>>> Is there any way to overcome this? Or is ppolicy honored only via simple DN binds?
>>
>> ppolicy is only honored by Simple Binds. There was some discussion, a long time ago,
>> about how to make SASL use/recognize LDAP password policy, but it never went anywhere.
>>
> Thank you, I am sure there are reasons for this, if you don't bother, you might give
> some pointers to this discussion?

https://www.google.ie/?gws_rd=ssl#q=site:www.openldap.org+sasl+ppolicy
http://www.openldap.org/lists/openldap-software/200704/msg00298.html
http://www.openldap.org/lists/ietf-ldapext/200512/msg00001.html

> Also, is there any non-programmatic workaround for this?

Don't know, but I haven't looked either.
It can be done if someone writes the code and gets it approved by both the
SASL and LDAP spec folks. Patches welcome.
--
-- Howard Chu
CTO, Symas Corp.
http://www.symas.com
Director, Highland Sun
http://highlandsun.com/hyc/
Chief Architect, OpenLDAP
http://www.openldap.org/project/
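An added example, not from this thread or from OpenLDAP's own tooling: a small POSIX shell probe that checks, on a dedicated test account you administer, whether failed simple binds and failed SASL binds are actually recorded in the ppolicy operational attributes (pwdFailureTime, pwdAccountLockedTime), so the gap described above can be confirmed on your own server rather than assumed. The server URI, test DN/uid and admin credentials are assumed arguments; the helper names (failure_count, lock_state, read_state, ppolicy_probe) are hypothetical.

```shell
#!/bin/sh
# Added example: audit which bind kinds ppolicy actually counts.
# Run only against a test account you own; all arguments are assumed values.

# Count pwdFailureTime values in the LDIF text passed as $1.
failure_count() {
    printf '%s\n' "$1" | grep -c '^pwdFailureTime:' || true
}

# Print "locked" if the LDIF in $1 carries pwdAccountLockedTime, else "open".
lock_state() {
    if printf '%s\n' "$1" | grep -q '^pwdAccountLockedTime:'; then
        echo locked
    else
        echo open
    fi
}

# Read the ppolicy state of entry $2 from server $1, binding as admin $3 / $4.
read_state() {
    ldapsearch -LLL -x -H "$1" -D "$3" -w "$4" -b "$2" -s base \
        pwdFailureTime pwdAccountLockedTime
}

# $1 URI  $2 test DN  $3 test uid  $4 admin DN  $5 admin password  $6 attempts
# For each bind kind, issue $6 deliberately failing binds and report how many
# pwdFailureTime values ppolicy added and whether the account is now locked.
ppolicy_probe() {
    uri=$1 dn=$2 uid=$3 admin=$4 adminpw=$5 n=${6:-3}
    for kind in simple sasl; do
        before=$(failure_count "$(read_state "$uri" "$dn" "$admin" "$adminpw")")
        i=0
        while [ "$i" -lt "$n" ]; do
            if [ "$kind" = simple ]; then
                ldapwhoami -x -H "$uri" -D "$dn" -w wrong-password >/dev/null 2>&1 || true
            else
                ldapwhoami -H "$uri" -Y SCRAM-SHA-1 -U "$uid" -w wrong-password >/dev/null 2>&1 || true
            fi
            i=$((i + 1))
        done
        state=$(read_state "$uri" "$dn" "$admin" "$adminpw")
        after=$(failure_count "$state")
        echo "$kind: $n failed binds, $((after - before)) recorded, account $(lock_state "$state")"
    done
}

# Usage: sh probe.sh ldap://host 'uid=test,dc=example,dc=com' test 'cn=admin,dc=example,dc=com' adminpw 3
if [ "$#" -ge 5 ]; then ppolicy_probe "$@"; fi
```

On a server behaving as the thread describes, the simple line reports every attempt and the sasl line reports none, which is the evidence to bring to a lockout or monitoring review.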