2.4.47: Fixed slapo-ppolicy with multi-provider replication (ITS#8927)
2.4.48: Fixed slapo-ppolicy behavior when pwdInHistory is changed (ITS#8349)
2.4.49: Fixed slapo-ppolicy when used with slapauth (ITS#8629)
        Fixed slapo-ppolicy to add a missed normalised copy of pwdChangedTime (ITS#9126)
2.4.50: Fixed slapo-ppolicy callback (ITS#9171)
2.4.51: Added slapo-ppolicy implement Netscape password policy controls (ITS#9279)
        Fixed slapo-ppolicy to expose the ppolicy control (ITS#9285)
        Fixed slapo-ppolicy race condition for pwdFailureTime (ITS#9302)
        Fixed slapo-ppolicy so it can only exist once per DB (ITS#9309)
2.4.53: Fixed slapo-ppolicy race condition for pwdFailureTime (ITS#9302,ITS#9334)
I'd note again, Symas provides free drop-in replacement builds for CentOS/RHEL 7 that are current:
https://repo.symas.com/sofl/rhel7/
You will want to reload the database to account for the 2.4.49 fix for ITS#9126 (it requires a reload of the db via slapcat/slapadd to fix the internal normalization of pwdChangedTime).
So, I've cloned two of the production machines, slapcat'ed the DB, updated to Symas' 2.4.57 and slapadd'ed the DB. Queries work, replication does work,…
The problem persists. If I try to restrict one of the pwd* attributes using
access to attrs=<pwdAttribute> by * none
then slaptest will fail with
601ef16b /etc/openldap/acl.conf: line 93: unknown attr "<pwdAttribute>" in to clause
601ef16b <access clause> ::= access to <what> [ by <who> [ <access> ] [ <control> ] ]+ […]
slaptest: bad configuration file!
#### password / ppolicy relevant parts in the configuration file ####
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/acl.conf

modulepath /usr/lib64/openldap
moduleload ppolicy.la
moduleload smbk5pwd.la

password-hash {CRYPT}
password-crypt-salt-format "$6$%.16s"

overlay smbk5pwd
smbk5pwd-enable samba

overlay ppolicy
ppolicy_default "cn=default,ou=Policies,dc=example,dc=com"
ppolicy_use_lockout
######################################################################
### policy related entries ###
dn: ou=Policies,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Policies

dn: cn=default,ou=Policies,dc=example,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
cn: default
pwdAttribute: userPassword
pwdMinAge: 0
pwdMaxAge: 0
pwdInHistory: 3
pwdCheckQuality: 2
pwdMinLength: 8
pwdExpireWarning: 1814400
pwdGraceAuthNLimit: 3
pwdLockout: TRUE
pwdLockoutDuration: 600
pwdMaxFailure: 5
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
pwdCheckModule: /usr/lib64/openldap/check_password.so
################################################
Regards,
Uwe
Regards, Quanah
--
Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com
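One thing worth checking against the ordering in the posted slapd.conf, added here as an illustration and not part of either message in the thread: in OpenLDAP 2.4 the policy-state attributes that slapd maintains on user entries (pwdChangedTime, pwdAccountLockedTime, pwdFailureTime, pwdHistory, pwdGraceUseTime, pwdReset, pwdPolicySubentry) are defined inside the ppolicy overlay and registered with the schema when ppolicy.la is loaded; ppolicy.schema only defines the pwdPolicy and pwdPolicyChecker object classes and their policy attributes (pwdMaxFailure, pwdLockout and so on). slaptest parses slapd.conf top to bottom and resolves the attribute names in an "access to attrs=..." clause at parse time, so an ACL naming one of the state attributes in a file that is included before "moduleload ppolicy.la" is rejected as an unknown attr. The fragment below uses pwdFailureTime as the assumed attribute behind the <pwdAttribute> placeholder and reuses the paths from the posted config; it contrasts the ordering that fails with one that loads the module first.

```conf
# Ordering that slaptest rejects: acl.conf is parsed while the ppolicy
# state attributes are still unknown, because ppolicy.la is loaded later.
include     /etc/openldap/schema/ppolicy.schema
include     /etc/openldap/acl.conf
modulepath  /usr/lib64/openldap
moduleload  ppolicy.la

# Ordering that parses: load the overlay module (which registers
# pwdFailureTime and the other state attributes) before the ACL file.
include     /etc/openldap/schema/ppolicy.schema
modulepath  /usr/lib64/openldap
moduleload  ppolicy.la
moduleload  smbk5pwd.la
include     /etc/openldap/acl.conf

# Assumed contents of /etc/openldap/acl.conf for this example.
# The state attributes are written by the overlay internally (and by the
# rootdn, which bypasses ACLs), so ordinary clients need no access to them.
access to attrs=pwdFailureTime,pwdAccountLockedTime,pwdHistory,pwdGraceUseTime
    by * none
```

After moving the include, rerun slaptest -f /etc/openldap/slapd.conf; if the ordering was the cause, the "unknown attr" line disappears without any change to the ACL itself. The policy definition attributes from ppolicy.schema (pwdMaxFailure, pwdLockout, ...) live on the policy entry, not on user entries, so restricting them is a separate ACL on cn=default,ou=Policies,... and does not depend on the module load order.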