Hello,
I have the ppolicy overlay correctly set up, but the ppolicy control 1.3.6.1.4.1.42.2.27.8.5.1 is not returned in supportedControl by OpenLDAP when querying the root DSE.
Is this a bug or a feature?
Is there something to do configuration-wise to fix this?
It is causing problems for PHP automated extension tests: the php-ldap module skips tests depending on whether associated controls are listed by the server or not, but ppolicy is never returned, so the ppolicy test cannot run.
Côme
On 7/7/20 2:38 PM, Côme Chilliet wrote:
> I have ppolicy overlay correctly set up, but the ppolicy control 1.3.6.1.4.1.42.2.27.8.5.1 is not returned in supportedControl by openldap when querying the root DSE.
My OpenLDAP server returns it.
Do you actually see any value of attribute 'supportedControl'?
If not, did you explicitly request the attribute 'supportedControl' when reading rootDSE, or use '+' in the attribute list?
> It is causing problems for PHP automated extension tests, the php-ldap module skips tests depending on whether associated controls are listed by the server or not, but ppolicy is never returned so the ppolicy test cannot run.
Hmm, this approach can fail because not every control or extension listed in the rootDSE is really handled.
In case of slapo-ppolicy the overlay is available in mainstream Linux distros anyway. On which platforms are you testing FusionDirectory?
Another approach is to try configuring an overlay via cn=config and skip the test if setting up the overlay failed. Of course your code for tweaking cn=config has to be 100% correct then.
Ciao, Michael.
On Tue, 7 Jul 2020 14:52:30 +0200, Michael Ströder michael@stroeder.com wrote:
> Do you actually see any value of attribute 'supportedControl'?
> If not, did you explicitly request the attribute 'supportedControl' when reading rootDSE or used '+' in the attribute list?
I use '+', and it does return supportedControl.
> > It is causing problems for PHP automated extension tests, the php-ldap module skips tests depending on whether associated controls are listed by the server or not, but ppolicy is never returned so the ppolicy test cannot run.
> Hmm, this approach can fail because not every control or extension listed in the rootDSE is really handled.
> In case of slapo-ppolicy the overlay is available in mainstream Linux distros anyway. On which platforms are you testing FusionDirectory?
Debian. Here is the setup for the automated test LDAP server: https://github.com/php/php-src/pull/5794/files#diff-49f45f40446e443fc480bb7d...
The author has the same problem as I do: https://github.com/php/php-src/pull/5794#issuecomment-652933484
So, maybe a problem specific to the Debian package or the OpenLDAP version in there?
Côme
On 7/7/20 3:11 PM, Côme Chilliet wrote:
> On Tue, 7 Jul 2020 14:52:30 +0200, Michael Ströder michael@stroeder.com wrote:
> > Do you actually see any value of attribute 'supportedControl'?
> > If not, did you explicitly request the attribute 'supportedControl' when reading rootDSE or used '+' in the attribute list?
> I use '+', and it does return supportedControl.
> > On which platforms are you testing FusionDirectory?
> Debian. Here is the setup for the automated test ldap server: https://github.com/php/php-src/pull/5794/files#diff-49f45f40446e443fc480bb7d...
> The author has the same problem as I do: https://github.com/php/php-src/pull/5794#issuecomment-652933484
Sorry, I won't wade through all this.
As said: Debian has slapo-ppolicy.
But you should simply check whether ldapsearch returns the attribute 'supportedControl' or whether possibly ACLs deny access. E.g. try first ldapsearch option -D <root-DN> to authenticate as rootdn for which no ACLs are applied.
Ciao, Michael.
--On Tuesday, July 7, 2020 3:38 PM +0200 Côme Chilliet come.chilliet@fusiondirectory.org wrote:
> Hello,
> I have ppolicy overlay correctly set up, but the ppolicy control 1.3.6.1.4.1.42.2.27.8.5.1 is not returned in supportedControl by openldap when querying the root DSE.
> Is this a bug or a feature?
This is due to a long-standing policy of not advertising controls when the RFC or other standard has not been finalized. See https://bugs.openldap.org/show_bug.cgi?id=9285. This will be changed for the 2.5 release series, and is currently under discussion to change for future 2.4.x releases.
Regards, Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
openldap-technical@openldap.org
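
The diagnosis worked through in this thread, as an added example that is not part of any message above: shell functions that separate the three cases discussed (control listed, supportedControl readable but the control absent, no supportedControl values returned at all). The function names, state labels and `$URI` are assumptions for illustration.

```shell
#!/bin/sh
# Added example; function names and state labels are hypothetical.
# OID of the ppolicy control as quoted in the thread.
PPOLICY_OID='1.3.6.1.4.1.42.2.27.8.5.1'

# rootdse_state OID
# Reads root DSE LDIF on stdin and prints one of:
#   advertised      supportedControl lists the OID
#   not-advertised  supportedControl has values, but not this OID
#   unreadable      no supportedControl values at all (attribute not
#                   requested, or ACLs deny access to it)
rootdse_state() {
    awk -v oid="$1" '
        # Attribute names are case-insensitive; compare the OID as a string
        # so that a longer OID sharing this prefix does not match.
        tolower($1) == "supportedcontrol:" {
            seen = 1
            if (($2 "") == (oid "")) found = 1
        }
        END {
            print (found ? "advertised" : (seen ? "not-advertised" : "unreadable"))
        }'
}

# ppolicy_test_action
# Maps the state to what a test harness should do next.
ppolicy_test_action() {
    case "$(rootdse_state "$PPOLICY_OID")" in
        advertised)     echo run ;;
        # Per the thread, the control is not advertised even when
        # slapo-ppolicy is configured, so absence alone is not a reason to skip.
        not-advertised) echo verify-overlay ;;
        *)              echo check-access ;;
    esac
}

# Typical use against a live server (URI is a placeholder):
#   ldapsearch -x -LLL -H "$URI" -s base -b "" '+' | ppolicy_test_action
```

For the `check-access` case, repeating the search with `-D <root-DN>` as suggested in the thread shows whether ACLs are hiding the attribute.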