1:12 a.m.
Hello list,
I have managed successfully to setup a fully functional openldap server on FreeBSD.
So far, I had success with : ppolicy, ACLs, legacy SQL exposed as LDAP, SASL
authentication.
My only problem thus far is combining SASL with ppolicy. When binding with classic simple
authentication using -D dn, then ppolicy overlay has the expected effect.
However when using SASL (SASL/SCRAM-SHA-1) with -U, while it works correctly converting
uid to DN
with authz-regexp, it does not seem to look for ppolicy (default or derived from
pwdPolicySubentry).
Moreover, enforced violations of ppolicy (e.g. failed attempted authentications >=
pwdMaxFailure)
when done via SASL seem to have no effect on ppolicy attributes, e.g.
pwdAccountLockedTime,
while they work fine when binding with simple authentication.
Is there any way to overcome this? Or is ppolicy honored only via simple DN binds?
--
Achilleas Mantzios
Head of IT DEV
IT DEPT
Dynacom Tankers Mgmt
1:56 a.m.
Achilleas Mantzios wrote:
Hello list,
I have managed successfully to setup a fully functional openldap server on FreeBSD.
So far, I had success with : ppolicy, ACLs, legacy SQL exposed as LDAP, SASL
authentication.
My only problem thus far is combining SASL with ppolicy. When binding with classic
simple
authentication using -D dn, then ppolicy overlay has the expected effect.
However when using SASL (SASL/SCRAM-SHA-1) with -U, while it works correctly converting
uid to DN
with authz-regexp, it does not seem to look for ppolicy (default or derived from
pwdPolicySubentry).
Moreover, enforced violations of ppolicy (e.g. failed attempted authentications >=
pwdMaxFailure)
when done via SASL seem to have no effect on ppolicy attributes, e.g.
pwdAccountLockedTime,
while they work fine when binding with simple authentication.
Is there any way to overcome this? Or is ppolicy honored only via simple DN binds?
ppolicy is only honored by Simple Binds. There was some discussion, a long
time ago, about how to make SASL use/recognize LDAP password policy, but it
never went anywhere.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
2:57 a.m.
On 10/07/2014 11:56, Howard Chu wrote:
Achilleas Mantzios wrote:
> Hello list,
> I have managed successfully to setup a fully functional openldap server on FreeBSD.
> So far, I had success with : ppolicy, ACLs, legacy SQL exposed as LDAP, SASL
authentication.
> My only problem thus far is combining SASL with ppolicy. When binding with classic
simple
> authentication using -D dn, then ppolicy overlay has the expected effect.
> However when using SASL (SASL/SCRAM-SHA-1) with -U, while it works correctly
converting uid to DN
> with authz-regexp, it does not seem to look for ppolicy (default or derived from
pwdPolicySubentry).
> Moreover, enforced violations of ppolicy (e.g. failed attempted authentications >=
pwdMaxFailure)
> when done via SASL seem to have no effect on ppolicy attributes, e.g.
pwdAccountLockedTime,
> while they work fine when binding with simple authentication.
>
> Is there any way to overcome this? Or is ppolicy honored only via simple DN binds?
ppolicy is only honored by Simple Binds. There was some discussion, a long time ago,
about how to make SASL use/recognize LDAP password policy, but it never went anywhere.
Thank you, I am sure there are reasons for this, if you don't bother, you might give
some pointers to this discussion?
Also, is there any non-programmatic workaround for this?
--
Achilleas Mantzios
Head of IT DEV
IT DEPT
Dynacom Tankers Mgmt
3:25 a.m.
Achilleas Mantzios wrote:
On 10/07/2014 11:56, Howard Chu wrote:
> Achilleas Mantzios wrote:
>> Hello list,
>> I have managed successfully to setup a fully functional openldap server on
FreeBSD.
>> So far, I had success with : ppolicy, ACLs, legacy SQL exposed as LDAP, SASL
authentication.
>> My only problem thus far is combining SASL with ppolicy. When binding with
classic simple
>> authentication using -D dn, then ppolicy overlay has the expected effect.
>> However when using SASL (SASL/SCRAM-SHA-1) with -U, while it works correctly
converting uid to DN
>> with authz-regexp, it does not seem to look for ppolicy (default or derived from
pwdPolicySubentry).
>> Moreover, enforced violations of ppolicy (e.g. failed attempted authentications
>= pwdMaxFailure)
>> when done via SASL seem to have no effect on ppolicy attributes, e.g.
pwdAccountLockedTime,
>> while they work fine when binding with simple authentication.
>>
>> Is there any way to overcome this? Or is ppolicy honored only via simple DN
binds?
>
> ppolicy is only honored by Simple Binds. There was some discussion, a long time ago,
about how to make SASL use/recognize LDAP password policy, but it never went anywhere.
>
Thank you, I am sure there are reasons for this, if you don't bother, you might give
some pointers to this discussion?
https://www.google.ie/?gws_rd=ssl#q=site:www.openldap.org+sasl+ppolicy
http://www.openldap.org/lists/openldap-software/200704/msg00298.html
http://www.openldap.org/lists/ietf-ldapext/200512/msg00001.html
Also, is there any non-programmatic workaround for this?
Don't know, but I haven't looked either.
It can be done if someone writes the code and gets it approved by both the
SASL and LDAP spec folks. Patches welcome.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
3440
days inactive
3440
days old
openldap-technical@openldap.org
3 comments
2 participants
participants (2)
-
Achilleas Mantzios -
Howard Chu