Hi All
Using : Ubuntu 22.04 slapd 2.5.14+dfsg-0ubuntu0.22.04.1 amd64
policy:

    # module{0}, config
    dn: cn=module{0},cn=config
    objectClass: olcModuleList
    cn: module{0}
    olcModulePath: /usr/lib/ldap
    olcModuleLoad: {0}back_mdb
    olcModuleLoad: {1}memberof
    olcModuleLoad: {2}refint
    olcModuleLoad: {3}ppolicy

    # {2}ppolicy, {1}mdb, config
    dn: olcOverlay={2}ppolicy,olcDatabase={1}mdb,cn=config
    objectClass: olcOverlayConfig
    objectClass: olcPPolicyConfig
    olcOverlay: {2}ppolicy
    olcPPolicyDefault: cn=default_policies,ou=policies,dc=contatogs,dc=com,dc=br
    olcPPolicyHashCleartext: TRUE
    olcPPolicyUseLockout: FALSE
    olcPPolicyForwardUpdates: FALSE

    # contatogs-ppolicy, Policies, contatogs.com.br
    dn: cn=contatogs-ppolicy,ou=Policies,dc=contatogs,dc=com,dc=br
    objectClass: top
    objectClass: person
    objectClass: pwdPolicy
    cn: contatogs-ppolicy
    sn: policies
    pwdAttribute: userPassword
    pwdMinAge: 0
    pwdInHistory: 6
    pwdCheckQuality: 2
    pwdMinLength: 8
    pwdLockout: TRUE
    pwdLockoutDuration: 1800
    pwdMaxFailure: 3
    pwdFailureCountInterval: 1800
    pwdAllowUserChange: TRUE
    pwdMaxRecordedFailure: 3
Using a simple ldapsearch with correct user and password works fine. xxx is the correct password

    root@zeus:/usr/lib/python3/dist-packages# ldapsearch -xLLLZZD uid=pauloric,ou=users,dc=contatogs,dc=com,dc=br -w xxx |wc -l
    10725

Using wrong password : (yyy)

    root@zeus:/usr/lib/python3/dist-packages# ldapsearch -xLLLZZD uid=pauloric,ou=users,dc=contatogs,dc=com,dc=br -w yyy |wc -l
    ldap_bind: Invalid credentials (49)
    0
So far so good but if I insert :

    pwdMaxDelay: 40
    pwdMinDelay: 4

test with correct password is ok ( xxx)

    root@zeus:/usr/lib/python3/dist-packages# ldapsearch -xLLLZZD uid=pauloric,ou=users,dc=contatogs,dc=com,dc=br -w xxx |wc -l
    10725

But if I test with a wrong password ( yyy) I got:

    root@zeus:/usr/lib/python3/dist-packages# ldapsearch -xLLLZZD uid=pauloric,ou=users,dc=contatogs,dc=com,dc=br -w yyy |wc -l
    ldap_result: Can't contact LDAP server (-1)
    0
my openldap stopped working... Active: inactive (dead)

    root@zeus:/usr/lib/python3/dist-packages# systemctl status -l slapd
    ○ slapd.service - LSB: OpenLDAP standalone server (Lightweight Director>
         Loaded: loaded (/etc/init.d/slapd; generated)
        Drop-In: /usr/lib/systemd/system/slapd.service.d
                 └─slapd-remain-after-exit.conf
         Active: inactive (dead) since Tue 2023-04-04 14:44:49 -03; 20s ago
           Docs: man:systemd-sysv-generator(8)
        Process: 986673 ExecStart=/etc/init.d/slapd start (code=exited, sta>
        Process: 986688 ExecStop=/etc/init.d/slapd stop (code=exited, statu>
            CPU: 47ms

    Apr 04 14:44:46 zeus slapd[986679]: auxpropfunc error invalid parameter>
    Apr 04 14:44:46 zeus slapd[986679]: _sasl_plugin_load failed on sasl_au>
    Apr 04 14:44:46 zeus slapd[986679]: ldapdb_canonuser_plug_init() failed>
    Apr 04 14:44:46 zeus slapd[986679]: _sasl_plugin_load failed on sasl_ca>
    Apr 04 14:44:46 zeus slapd[986680]: slapd starting
    Apr 04 14:44:46 zeus slapd[986673]: ...done.
    Apr 04 14:44:46 zeus systemd[1]: Started LSB: OpenLDAP standalone serve>
    Apr 04 14:44:49 zeus slapd[986688]: * Stopping OpenLDAP slapd
    Apr 04 14:44:49 zeus slapd[986688]: ...done.
    Apr 04 14:44:49 zeus systemd[1]: slapd.service: Deactivated successfull
What am I doing wrong????
Cheers
Same settings, same problem. I got the following error:

--------------------
    Apr 05 17:26:09 ldap-pp01 slapd[1773]: conn=1000 op=1 BIND dn="cn=karl klammer,ou=users,dc=example,dc=net" method=128
    Apr 05 17:26:09 ldap-pp01 slapd[1773]: slap_get_csn: conn=1000 op=1 generated new csn=20230405152609.438542Z#000000#000#000000 manage=1
    Apr 05 17:26:09 ldap-pp01 slapd[1773]: slap_queue_csn: queueing 0x7fb95c019210 20230405152609.438542Z#000000#000#000000
    Apr 05 17:26:09 ldap-pp01 slapd[1773]: slapd: schema_check.c:89: entry_schema_check: Assertion `a->a_vals[0].bv_val != NULL' failed.
    Apr 05 17:26:09 ldap-pp01 systemd[1]: symas-openldap-server.service: Main process exited, code=killed, status=6/ABRT
    Apr 05 17:26:09 ldap-pp01 systemd[1]: symas-openldap-server.service: Failed with result 'signal'.
--------------------

As soon as I remove pwdMaxDelay and pwdMinDelay slapd will not crash when a user tries the wrong password.

The problem seems to be pwdMaxDelay, setting pwdMinDelay alone then everything is ok.
On Tue, Apr 04, 2023 at 02:49:01PM -0300, Paulo Ricardo Bruck wrote:
> So far so good but if I insert :
> pwdMaxDelay: 40
> pwdMinDelay: 4
>
> But if I test with a wrong password ( yyy) I got:
> root@zeus:/usr/lib/python3/dist-packages# ldapsearch -xLLLZZD uid=pauloric,ou=users,dc=contatogs,dc=com,dc=br -w yyy |wc -l
> ldap_result: Can't contact LDAP server (-1)
> 0
>
> my openldap stopped working... Active: inactive (dead)
>
> What am I doing wrong????
Hi Paulo, you aren't doing anything wrong, this is ITS#10028 which will be fixed in 2.5.15.
Regards,
openldap-technical@openldap.org
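
An added example, not part of the thread or of OpenLDAP: a shell audit for the condition reported above, listing password-policy entries that set pwdMaxDelay when the slapd version is a 2.5 release before 2.5.15. The function names, the AFFECTED: prefix and the sample LDIF are assumptions made for the example; release series other than 2.5 are not classified because the thread does not cover them.

```shell
# Added example (not from the thread): list pwdPolicy entries that set pwdMaxDelay
# on a slapd older than 2.5.15, the release the thread names as fixing ITS#10028.

# True only for 2.5.N with N < 15; other release series are deliberately not flagged.
affected_version() {
    v=$(printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    [ -n "$v" ] || return 1
    major=${v%%.*}; rest=${v#*.}; minor=${rest%%.*}; patch=${rest#*.}
    [ "$major" -eq 2 ] && [ "$minor" -eq 5 ] && [ "$patch" -lt 15 ]
}

# LDIF on stdin -> DN of each entry with pwdMaxDelay (unfolds lines, ignores case).
policies_with_maxdelay() {
    awk '
        function emit() { if (hit && dn != "") print dn; dn = ""; hit = 0 }
        function handle(l,   low) {
            low = tolower(l)
            if (low ~ /^dn::?[ \t]*/) { sub(/^[^:]*::?[ \t]*/, "", l); dn = l }
            else if (low ~ /^pwdmaxdelay:/) hit = 1
        }
        /^ / { line = line substr($0, 2); next }      # folded continuation line
        { if (line != "") handle(line); line = $0 }   # previous logical line is complete
        /^$/ { emit() }                               # blank line ends an entry
        END  { if (line != "") handle(line); emit() }
    '
}

# audit_ppolicy VERSION < policies.ldif ; prints nothing for an unaffected version.
audit_ppolicy() {
    affected_version "$1" || return 0
    policies_with_maxdelay | sed 's/^/AFFECTED: /'
}

# Constructed sample: the thread's policy DN (folded on purpose) with the two delay
# attributes, plus a hypothetical entry that uses pwdMinDelay alone.
sample_ldif() {
    cat <<'EOF'
dn: cn=contatogs-ppolicy,ou=Policies,
 dc=contatogs,dc=com,dc=br
objectClass: pwdPolicy
pwdMaxDelay: 40
pwdMinDelay: 4

dn: cn=mindelay-only,ou=Policies,dc=contatogs,dc=com,dc=br
objectClass: pwdPolicy
pwdMinDelay: 4
EOF
}
sample_ldif | audit_ppolicy "2.5.14+dfsg-0ubuntu0.22.04.1"
```

Feed audit_ppolicy an LDIF export of the policy subtree on stdin and the installed slapd package version as its argument.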