ppolicy issues - openldap-technical

8 Aug 2017


      Hello !
I have two issues regarding ppolicy. I use debian jessie backports
(slapd 2.4.44).
1) I use "olcPPolicyHashCleartext: TRUE" so the clients send cleartext
passwords and slapd hashes it before writing in database for security
reasons (and slapd can perform password quality checks). But I need
exceptions for that. Indeed for some reason I have to use EAP-MD5 and
EAP-MD5 makes it mandatory to store cleartext passwords in LDAP. So I
would like to find a way to use "olcPPolicyHashCleartext: TRUE" on some
OUs, but not on others. Any way to do that ?
Maybe setting up a second mdb database with a different ppolicy overlay
configuration ("olcPPolicyHashCleartext: FALSE") and the same olcSuffix
than the existing database ? A search on the base DN would then need to
cover the two databases.
2) syncrepl of (for example) pwdChangedTime. This attribute is not
synced to my consumers, even though the schema is imported on the
consumer, the module is configured and the overlay is also configured.
Syncrepl for attributes non related to ppolicy works fine. Somehow
ppolicy is working on the consumers though, since after a failed bindind
on the consumer I can see pwdFailureTime on this consumer. Any idea ? (I
tried slapd -d -1 but didn't find something relevant, I can paste the
resuslts here if needed)
Regards,
********* provider
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 fb6dde8c
dn: olcOverlay={1}ppolicy
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=ppolicies,dc=acme,dc=fr
olcPPolicyHashCleartext: TRUE
structuralObjectClass: olcPPolicyConfig
entryUUID: 3528350a-0f9a-1037-89da-e5a4ba1189f6
creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
createTimestamp: 20170807085738Z
entryCSN: 20170807085738.529346Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20170807085738Z
********* provider
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 295fad94
dn: cn=module{2}
objectClass: olcModuleList
cn: module{2}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}ppolicy.la
structuralObjectClass: olcModuleList
entryUUID: 6e4da4de-0a3e-1037-9174-b1e488f02d8a
creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
createTimestamp: 20170731131804Z
entryCSN: 20170731131804.891811Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20170731131804Z
********* consumer
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 4758a296
dn: olcOverlay={0}ppolicy
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=ppolicies,dc=acme,dc=fr
olcPPolicyHashCleartext: TRUE
structuralObjectClass: olcPPolicyConfig
entryUUID: e5a3785a-0d8c-1037-908e-d903a2095e18
creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
createTimestamp: 20170804181719Z
entryCSN: 20170804181719.336420Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20170804181719Z
********* consumer
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 d0060305
dn: cn=module{1}
objectClass: olcModuleList
cn: module{1}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}ppolicy.la
structuralObjectClass: olcModuleList
entryUUID: e560e800-0d8c-1037-908d-d903a2095e18
creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
createTimestamp: 20170804181718Z
entryCSN: 20170804181718.900179Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20170804181718Z
********* consumer
olcSyncrepl: {0}rid=2 provider=ldap://ldap-provider-dev.acme
starttls=critical 
tls_reqcert=demand bindmethod=simple
binddn="cn=replication,ou=Applications
,dc=acme,dc=fr" credentials=xxx searchbase="dc=acme,dc=fr" schemache
cking=off type=refreshAndPersist filter="(objectClass=*)" attrs="*"
scope=s
ub retry="60 +"