On 10/07/2014 11:56, Howard Chu wrote:
> Achilleas Mantzios wrote:
>> Hello list,
>> I have managed successfully to set up a fully functional openldap server on FreeBSD.
>> So far, I had success with: ppolicy, ACLs, legacy SQL exposed as LDAP, SASL authentication.
>> My only problem thus far is combining SASL with ppolicy. When binding with classic simple
>> authentication using -D dn, then the ppolicy overlay has the expected effect.
>> However when using SASL (SASL/SCRAM-SHA-1) with -U, while it works correctly converting uid to DN
>> with authz-regexp, it does not seem to look for ppolicy (default or derived from pwdPolicySubentry).
>> Moreover, enforced violations of ppolicy (e.g. failed attempted authentications >= pwdMaxFailure)
>> when done via SASL seem to have no effect on ppolicy attributes, e.g. pwdAccountLockedTime,
>> while they work fine when binding with simple authentication.
>>
>> Is there any way to overcome this? Or is ppolicy honored only via simple DN binds?
> ppolicy is only honored by Simple Binds. There was some discussion, a long time ago,
> about how to make SASL use/recognize LDAP password policy, but it never went anywhere.
Thank you. I am sure there are reasons for this; if it is not too much bother, could you give
some pointers to this discussion?
Also, is there any non-programmatic workaround for this?
--
Achilleas Mantzios
Head of IT DEV
IT DEPT
Dynacom Tankers Mgmt
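For readers following the thread, here is a slapd.conf fragment showing the two pieces the poster combined: the ppolicy overlay with a default policy, and an authz-regexp that maps a SASL authentication identity to an entry DN. This is an illustration added for this page, not configuration from the thread's author or the OpenLDAP project; the suffix dc=example,dc=com, the policy DN, the ou=people container and the no-realm SASL identity form uid=<authcid>,cn=<mech>,cn=auth are assumptions.

```conf
# Added illustration: slapd.conf fragment, not taken from the thread.
# Suffix, policy DN and container names below are placeholders.

# The password policy overlay is a dynamic module on most builds.
moduleload ppolicy.la

database mdb
suffix "dc=example,dc=com"
rootdn "cn=admin,dc=example,dc=com"
directory /var/db/openldap-data

# Enable ppolicy on this database and name the policy applied to
# entries that carry no pwdPolicySubentry attribute of their own.
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=example,dc=com"

# Map a SASL authcid (assumed form: uid=alice,cn=SCRAM-SHA-1,cn=auth)
# to the user's DN by searching ou=people on uid. This mapping only
# resolves the identity; per the reply above, ppolicy state such as
# pwdFailureTime and pwdAccountLockedTime is updated on Simple Binds only.
authz-regexp
    uid=([^,]*),cn=[^,]*,cn=auth
    ldap:///ou=people,dc=example,dc=com??sub?(uid=$1)
```

The referenced policy is an entry with objectClass pwdPolicy (an auxiliary class, so it needs a structural class as well) whose pwdMaxFailure and pwdLockout attributes set the lockout threshold. To confirm which bind path is actually enforced, read the operational attributes pwdFailureTime and pwdAccountLockedTime on a test user's entry after a deliberate failed bind: with the behaviour described in the reply, they change after a failed -D simple bind and stay untouched after a failed -U SASL bind, which is worth knowing when lockout alerts are driven off those attributes.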