21.12.2016, 23:34, "Matthieu Cerda" kegeruneku+openldap@ironflake.org:
Hello folks,
Hello,
The "delete access denied by read" error has been fixed in the next OpenLDAP version, I remember. I think it came from slapo-ppolicy and has been fixed in the 2.4.11 version.
http://www.openldap.org/devel/cvsweb.cgi/Attic/CHANGES
Regards,
-- Ozgur Karatas
m: mueddib@openldap.org
w: http://www.openldap.org
f: https://www.facebook.com/openldap
t: https://www.twitter.com/openldaporg
i: irc.freenode.net #openldap
I just stumbled upon a (maybe not) surprising technical issue with my OpenLDAP setup: ppolicy seems unable to update pwdAccountLockedTime on my users.
Setup:
OpenLDAP 2.4.40(+dfsg-1+deb8u2) on Debian jessie
Password policy and ACLs:
---8<---
dn: cn=default,ou=policies,dc=company,dc=com
objectClass: top
objectClass: person
objectClass: pwdPolicy
cn: passwordDefault
cn: default
pwdAttribute: userPassword
sn: passwordDefault
pwdAllowUserChange: TRUE
pwdCheckQuality: 0
pwdExpireWarning: 0
pwdFailureCountInterval: 0
pwdGraceAuthNLimit: 0
pwdInHistory: 3
pwdLockout: TRUE
pwdLockoutDuration: 300
pwdMaxAge: 0
pwdMaxFailure: 3
pwdMinAge: 0
pwdMinLength: 8
pwdMustChange: FALSE
pwdSafeModify: FALSE
---8<---
---8<---
access to attrs=userPassword,shadowLastChange
    by dn="uid=mcerda,ou=people,dc=company,dc=com" write
    by self write
    by anonymous auth
    by * none
access to dn.base=""
    by * read
access to *
    by dn="uid=mcerda,ou=people,dc=company,dc=com" write
    by users read
    by * none
---8<---
- pwdFailureTime gets updated on each failed login attempt on users until pwdMaxFailure is reached (3)
- Testing for account locking is done both by observing its appearance in the user object and by using '-e ppolicy' on ldapsearch (ppolicy_use_lockout is enabled)
Every time a user reaches the pwdMaxFailure count, the debug log (level 65535) gives:
---8<---
585947a5 => mdb_entry_get: found entry: "cn=default,ou=policies,dc=company,dc=com"
585947a5 mdb_entry_get: rc=0
585947a5 mdb_modify: uid=fbar,ou=people,dc=company,dc=com
585947a5 slap_queue_csn: queueing 0x65696ef4bce0 20161220150053.705334Z#000000#000#000000
585947a5 mdb_dn2entry("uid=fbar,ou=people,dc=company,dc=com")
585947a5 => mdb_dn2id("uid=fbar,ou=people,dc=company,dc=com")
585947a5 <= mdb_dn2id: got id=0x9
585947a5 => mdb_entry_decode:
585947a5 <= mdb_entry_decode
585947a5 mdb_modify_internal: 0x00000009: uid=fbar,ou=people,dc=company,dc=com
585947a5 => access_allowed: result not in cache (pwdAccountLockedTime)
585947a5 => access_allowed: delete access to "uid=fbar,ou=people,dc=company,dc=com" "pwdAccountLockedTime" requested
585947a5 => dn: [2]
585947a5 => acl_get: [3] attr pwdAccountLockedTime
585947a5 => acl_mask: access to entry "uid=fbar,ou=people,dc=company,dc=com", attr "pwdAccountLockedTime" requested
585947a5 => acl_mask: to all values by "", (=0)
585947a5 <= check a_dn_pat: uid=mcerda,ou=people,dc=company,dc=com
585947a5 <= check a_dn_pat: users
585947a5 <= check a_dn_pat: anonymous
585947a5 <= acl_mask: [3] applying read(=rscxd) (stop)
585947a5 <= acl_mask: [3] mask: read(=rscxd)
585947a5 => slap_access_allowed: delete access denied by read(=rscxd)
585947a5 => access_allowed: no more rules
585947a5 mdb_modify: modify failed (50)
585947a5 send_ldap_result: conn=1000 op=0 p=3
585947a5 send_ldap_result: err=50 matched="" text=""
585947a5 slap_graduate_commit_csn: removing 0x6569601047f0 20161220150053.705334Z#000000#000#000000
585947a5 send_ldap_response: msgid=1 tag=97 err=49
---8<---
I can't see a reason why the update gets denied. Setting the global ACL to:
---8<---
access to *
    by dn="uid=mcerda,ou=people,dc=company,dc=com" write
    by * write
---8<---
fixes the issue (but I obviously do not want an open-bar slapd).
The documentation (http://www.openldap.org/doc/admin24/overlays.html) advises nothing about ACLs.
Is this an issue or a misconfiguration?
Thanks in advance,
Matthieu Cerda
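The debug trace above contains everything needed to triage an ACL denial: the requested privilege, the target entry and attribute, the identity the request was evaluated as, the rule that matched and the privilege it granted. The following Python helper, added here as an illustration and not part of the thread or of OpenLDAP, extracts those fields from slapd ACL trace lines and checks them against the privilege ordering slapd uses (none < disclose < auth < compare < search < read < write < manage, where add and delete on attribute values require at least write). The sample lines are a constructed subset of the trace posted above; the privilege-letter parsing assumes the `priv(=letters)` notation shown in that trace.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# slapd privilege levels, lowest to highest; each level implies the lower ones.
ACCESS_LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# Value-level add/delete are sub-privileges of write.
REQUIRED_LEVEL = {"add": "write", "delete": "write"}

# Regexes for the trace lines slapd emits at ACL debug level (hypothetical
# patterns derived only from the lines shown in the post).
RE_REQUEST = re.compile(r'access_allowed: (\w+) access to "([^"]+)" "([^"]+)" requested')
RE_IDENTITY = re.compile(r'acl_mask: to all values by "([^"]*)"')
RE_APPLY = re.compile(r'acl_mask: \[(\d+)\] applying (\w+)\(=([a-z0]+)\)')
RE_DENIED = re.compile(r'slap_access_allowed: (\w+) access denied by (\w+)')
RE_RESULT = re.compile(r'send_ldap_result: err=(\d+)')


@dataclass
class AclDecision:
    requested: Optional[str] = None   # privilege asked for (e.g. "delete")
    dn: Optional[str] = None          # target entry
    attr: Optional[str] = None        # target attribute
    identity: Optional[str] = None    # bind DN the check ran as; "" means anonymous
    rule_index: Optional[int] = None  # index of the ACL clause that stopped evaluation
    granted: Optional[str] = None     # privilege that clause granted
    denied: bool = False
    result_code: Optional[int] = None # LDAP result code sent to the client


def level_satisfies(granted: str, requested: str) -> bool:
    """True if the granted privilege level covers the requested one."""
    need = REQUIRED_LEVEL.get(requested, requested)
    return ACCESS_LEVELS.index(granted) >= ACCESS_LEVELS.index(need)


def parse_acl_trace(lines: Iterable[str]) -> AclDecision:
    """Collect the ACL decision fields from a slapd debug trace."""
    d = AclDecision()
    for line in lines:
        if m := RE_REQUEST.search(line):
            d.requested, d.dn, d.attr = m.groups()
        elif m := RE_IDENTITY.search(line):
            d.identity = m.group(1)
        elif m := RE_APPLY.search(line):
            d.rule_index, d.granted = int(m.group(1)), m.group(2)
        elif m := RE_DENIED.search(line):
            d.denied = True
        elif m := RE_RESULT.search(line):
            d.result_code = int(m.group(1))
    return d


def explain(d: AclDecision) -> str:
    """One-line human summary of why the operation was denied or allowed."""
    who = "anonymous (empty DN)" if d.identity == "" else d.identity
    verdict = "denied" if d.denied else "allowed"
    return (f"{d.requested} on {d.attr} of {d.dn} evaluated as {who}: "
            f"rule [{d.rule_index}] granted {d.granted}, so the operation was {verdict}")


# Constructed sample: a subset of the trace from the post, one entry per line.
SAMPLE_TRACE = [
    '585947a5 => access_allowed: delete access to "uid=fbar,ou=people,dc=company,dc=com" "pwdAccountLockedTime" requested',
    '585947a5 => acl_get: [3] attr pwdAccountLockedTime',
    '585947a5 => acl_mask: to all values by "", (=0)',
    '585947a5 <= acl_mask: [3] applying read(=rscxd) (stop)',
    '585947a5 => slap_access_allowed: delete access denied by read(=rscxd)',
    '585947a5 mdb_modify: modify failed (50)',
    '585947a5 send_ldap_result: err=50 matched="" text=""',
]

if __name__ == "__main__":
    decision = parse_acl_trace(SAMPLE_TRACE)
    print(explain(decision))
    print("read covers delete?", level_satisfies(decision.granted, decision.requested))
```

Run against the sample, the summary shows that the internal modify was evaluated as the anonymous identity and stopped at rule [3] with only read granted, which is why a value delete fails with result code 50 (insufficientAccessRights). That identity field is the first thing to look at when an overlay's internal update is refused by an ACL.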