Hmm, module loaded. I'm not doing a moduleload of anything ppolicy related, simply setting the overlay ppolicy, the ppolicy_default, and ppolicy_use_lockout. What's the module to load as I don't find a ppolicy la file after compiling? Can you point me to a doc that explains the proper way to use this now?
On Mon, Jan 3, 2022, 10:41 AM Quanah Gibson-Mount quanah@symas.com wrote:
--On Monday, January 3, 2022 9:39 AM -0600 kevin martin ktmdms@gmail.com wrote:
In 2.4 I was still pulling in the schema. In 2.5 ppolicy is compiled as part of the code. Assuming it just works, how does one go about setting pwdAccountLockedTime for a user then? I can't add it as an attribute of the user so I'm not sure how it can be set.
If it has been moduleloaded into the slapd process, the ppolicy schema is known to slapd and available for use. If you are finding the attribute to not be defined it would suggest you've failed to load the module as required. I would note that you want to ensure you're running 2.5.8 or later (See ITS#9671).
--Quanah
--
Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com
--On Monday, January 3, 2022 11:45 AM -0600 kevin martin ktmdms@gmail.com wrote:
Hmm, module loaded. I'm not doing a moduleload of anything ppolicy related, simply setting the overlay ppolicy, the ppolicy_default, and ppolicy_use_lockout. What's the module to load as I don't find a ppolicy la file after compiling? Can you point me to a doc that explains the proper way to use this now?
Do the attributes show up in cn=subschema? If not, then the module is not loaded.
--Quanah
--
Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com
On 1/3/22 18:45, kevin martin wrote:
Hmm, module loaded. I'm not doing a moduleload of anything ppolicy related, simply setting the overlay ppolicy, the ppolicy_default, and ppolicy_use_lockout.
Does slapd -VVV list the ppolicy module as a statically linked module?
If yes, the subschema subentry should contain 'pwdAccountLockedTime'.
Ciao, Michael.
# /usr/local/libexec/slapd -VVV
@(#) $OpenLDAP: slapd 2.5.7 (Aug 27 2021 21:09:45) $
root@newldap0.mgt.ch3.bmi:/root/openldap-OPENLDAP_REL_ENG_2_5_7/servers/slapd
Included static overlays: accesslog ppolicy seqmod sssvlv syncprov
Included static backends: config ldif monitor mdb passwd relay
I'm not sure how exactly to browse the cn=subschema.
---
Regards,
Kevin Martin
--On Monday, January 3, 2022 2:21 PM -0600 kevin martin ktmdms@gmail.com wrote:
# /usr/local/libexec/slapd -VVV @(#) $OpenLDAP: slapd 2.5.7 (Aug 27 2021 21:09:45) $
As I stated previously, ensure you are on 2.5.9.
Regards, Quanah
--
Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com
So I did this:
ldapsearch -x -LLL -b cn=Subschema -s base '(objectClass=subschema)' +
which returns all kinds of stuff including pwdAccountLockedTime:
attributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.17 NAME 'pwdAccountLockedTime'
So it's there but I'm not sure how to set it for a user.
---
Regards,
Kevin Martin
Yes, I'm aware of the 2.5.9 comment. Is that why I can't use pwdAccountLockedTime or is it simply to get me to the latest patched version?
---
Regards,
Kevin Martin
On 1/3/22 21:39, kevin martin wrote:
Yes, I'm aware of the 2.5.9 comment.
So why are you still trying with 2.5.7? It was not just a comment. It was good advice.
Is that why I can't use pwdAccountLockedTime or is it simply to get me to the latest patched version?
You should really take *all* advice literally.
Basically Quanah referred to this ITS which is fixed in 2.5.9:
https://bugs.openldap.org/show_bug.cgi?id=9671
Ciao, Michael.
2.5.7 was what I had on hand over the Christmas break to upgrade to, I seldom go to a .0 release so 2.6 was out, and I didn't realize there was a 2.5.9. Now that I know, I'll download it and get it compiled. Can I assume that going from 7 to 9 won't require any changes to the slapd.conf or in the db?
openldap-technical@openldap.org
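The checks suggested in this thread (ppolicy among the static overlays in `slapd -VVV`, `pwdAccountLockedTime` in the subschema, and a slapd version at or past the 2.5.9 fix for ITS#9671) combined into one script. This is an added example, not code from any poster or from the OpenLDAP project; the function names and the `SAMPLE_*` inputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. SAMPLE_* values are constructed,
# modeled on the output quoted above; all function names are hypothetical.
SAMPLE_VVV='@(#) $OpenLDAP: slapd 2.5.7 (Aug 27 2021 21:09:45) $
Included static overlays: accesslog ppolicy seqmod sssvlv syncprov
Included static backends: config ldif monitor mdb passwd relay'
SAMPLE_SCHEMA="attributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.17 NAME 'pwdAccountLockedTime'"

slapd_version() {        # print the version number found in slapd -VVV text
    printf '%s\n' "$1" |
        sed -n 's/.*\$OpenLDAP: slapd \([0-9][0-9.]*\) .*/\1/p' | head -n 1
}

version_at_least() {     # version_at_least HAVE WANT (numeric, field by field)
    awk -v h="$1" -v w="$2" 'BEGIN {
        n = split(h, a, "."); m = split(w, b, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (a[i] + 0 > b[i] + 0) exit 0
            if (a[i] + 0 < b[i] + 0) exit 1
        }
        exit 0 }'
}

has_static_overlay() {   # works whether names share a line or sit one per line
    printf '%s\n' "$1" | tr -s ' \t' '\n\n' | awk -v want="$2" '
        $0 == "Included"    { in_ov = 0 }          # a new "Included ..." section starts
        $0 == "overlays:"   { in_ov = 1; next }
        in_ov && $0 == want { found = 1 }
        END { exit (found ? 0 : 1) }'
}

has_schema_attr() {      # has_schema_attr LDIF_TEXT ATTR
    printf '%s\n' "$1" |
        awk '/^ / { buf = buf substr($0, 2); next }   # unfold LDIF continuation lines
             { if (NR > 1) print buf; buf = $0 }
             END { print buf }' |
        grep -i '^attributeTypes:' | grep -q "NAME .*'$2'"
}

ppolicy_ready() {        # ppolicy_ready VVV_TEXT SCHEMA_TEXT
    v=$(slapd_version "$1")
    has_static_overlay "$1" ppolicy ||
        { echo "ppolicy is not a static overlay; it must be moduleloaded"; return 1; }
    has_schema_attr "$2" pwdAccountLockedTime ||
        { echo "pwdAccountLockedTime missing from subschema"; return 1; }
    version_at_least "$v" 2.5.9 ||
        { echo "slapd $v predates 2.5.9 (ITS#9671 fix)"; return 1; }
    echo "ok: slapd $v"
}

ppolicy_ready "$SAMPLE_VVV" "$SAMPLE_SCHEMA" || true
```

To run it against a live server, pass `"$(slapd -VVV 2>&1)"` and the output of the `ldapsearch` command shown in the thread as the two arguments.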