Hi!
I just discovered a problem (reading "man slapo-ppolicy" in old 2.4 OpenLDAP): It seems one can configure a "default policy", but it cannot be queried. At least https://serverfault.com/a/644658/407952 suggests that, and after reading "man slapo-ppolicy" I did not find something different. Why isn't there some "olc" attribute for it?
So far we did not set the default policy, but assigned one to each user. However I wanted to write a utility that would evaluate the changes if a default password policy were added. For obvious reasons I don't want to hard-code the policy name into the utility, and the utility may run on any server, not just LDAP-Servers to query them.
However digging in the configs, I found in dn: olcOverlay={2}ppolicy,olcDatabase={1}hdb,cn=config the attribute "olcPPolicyDefault", wondering why it isn't documented. So far, so good, but how would an ACL allowing to read that attribute look like? It seems I cannot specify that specific attribute within the olcPPolicyConfig object class within the corresponding cn=config subtree: I can allow access to the attribute name globally, or to all attributes of the object class, and "attrstyle" can only be used for a specific value.
So how should I allow access to that attribute for my special user running the utility?
Kind regards, Ulrich
Windl, Ulrich wrote:
Hi!
I just discovered a problem (reading man slapo-ppolicy in old 2.4 OpenLDAP):
It seems one can configure a default policy, but it cannot be queried.
At least https://serverfault.com/a/644658/407952 suggests that, and after reading man slapo-ppolicy I did not find something different.
Why isn't there some olc attribute for it?
There is, of course.
So far we did not set the default policy, but assigned one to each user.
However I wanted to write a utility that would evaluate the changes if a default password policy were added.
For obvious reasons I don't want to hard-code the policy name into the utility, and the utility may run on any server, not just LDAP-Servers to query them.
However digging in the configs, I found in dn: olcOverlay={2}ppolicy,olcDatabase={1}hdb,cn=config the attribute olcPPolicyDefault, wondering why it isn't documented.
As with all config schema, it is self-documenting.
olcAttributeTypes: ( OLcfgOvAt:12.1 NAME 'olcPPolicyDefault' DESC 'DN of a pwd Policy object for uncustomized objects' EQUALITY distinguishedNameMatch SYNTAX OMsDN SINGLE-VALUE )
Hi!
Next step: After finding the attribute name olcPPolicyDefault I tried to set up an ACL, but my first attempt ended in
ldap_modify: Other (e.g., implementation specific) error (80) additional info: <olcAccess> handler exited with 1
So I'm unsure: is it possible to define an ACL that grants access to one database (i.e. "config") for an object on another database (e.g. some user)?
What I tried to add was olcAccess: {1}to filter=&(objectClass=olcPPolicyConfig)(olcPPolicyDefault=*) attrs=olcPPolicyDefault by dn.exact="uid=PP-Checker,ou=system,dc=context" read by * break
(it's the first time I tried an LDAP filter in an ACL, because I did not find a better way to restrict the ACL to the intended entries)
So any advice is welcome!
Kind regards, Ulrich
From: Windl, Ulrich u.windl@ukr.de Sent: Monday, July 1, 2024 10:46 AM To: openldap-technical openldap-technical@openldap.org Subject: [EXT] Querying the default password policy
What I had forgotten to add:
This is the first ACL that tried to assign right to an object in one database to an object in another database for me. So:
* Is it possible at all?
* If it's possible, do I have to place the ACL in the database where the subject (WHO) is, or where the object (WHAT) is?
From: Windl, Ulrich Sent: Thursday, July 4, 2024 8:46 AM To: 'Windl, Ulrich' u.windl@ukr.de; openldap-technical openldap-technical@openldap.org Subject: RE: Querying the default password policy
--On Thursday, July 4, 2024 7:46 AM +0000 "Windl, Ulrich" u.windl@ukr.de wrote:
olcAccess: {1}to filter=&(objectClass=olcPPolicyConfig)(olcPPolicyDefault=*) attrs=olcPPolicyDefault by dn.exact="uid=PP-Checker,ou=system,dc=context" read by * break
"&(objectClass=olcPPolicyConfig)(olcPPolicyDefault=*)" is not a valid filter.
--Quanah
-----Original Message----- From: Quanah Gibson-Mount quanah@fast-mail.org Sent: Thursday, July 4, 2024 9:41 PM To: Windl, Ulrich u.windl@ukr.de; openldap-technical openldap-technical@openldap.org Subject: [EXT] RE: Querying the default password policy
--On Thursday, July 4, 2024 7:46 AM +0000 "Windl, Ulrich" u.windl@ukr.de wrote:
olcAccess: {1}to filter=&(objectClass=olcPPolicyConfig)(olcPPolicyDefault=*) attrs=olcPPolicyDefault by dn.exact="uid=PP-Checker,ou=system,dc=context" read by * break
"&(objectClass=olcPPolicyConfig)(olcPPolicyDefault=*)" is not a valid filter.
[Windl, Ulrich] So it needs an extra pair of parentheses around? Is that really the only problem? Maybe the problem is that the Perl API accepts such, but maybe it adds an extra pair of parentheses around. Finally: Couldn't "Other (e.g., implementation specific) error (80)" be improved to say "bad filter syntax" or similar?
OK, the surrounding pair of parentheses made slapd accept the ACL.
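A corrected version of the ACL discussed in this thread, added here as an illustration; it is not taken from any of the messages above. It assumes an OpenLDAP 2.4 cn=config setup in which the config database is olcDatabase={0}config and the utility binds as uid=PP-Checker,ou=system,dc=context (the DN used above); the DN of the ppolicy overlay entry is deliberately not hard-coded. Two points from the thread are folded in: the filter needs its outer parentheses to be a valid RFC 4515 filter, and the ACL belongs in the database that holds the target entries (cn=config), while the "by" clause may name a DN stored in any other database. The bind itself is authorized by the ACLs of the database that holds the uid=PP-Checker entry, not by anything in cn=config.

```ldif
# Added example, not from the thread. Grants the checker account read access
# to olcPPolicyDefault on whichever ppolicy overlay entries carry it.
# Assumed site specifics: config database olcDatabase={0}config, bind DN
# uid=PP-Checker,ou=system,dc=context. Apply as the config rootdn.
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcAccess
# A subtree search with base cn=config first needs "search" access to the
# "entry" pseudo-attribute of the base object, otherwise slapd never
# descends into the tree. Explicit {0}/{1} indices put these two rules in
# front of any olcAccess values already present; both end in "by * break",
# so existing rules still apply afterwards.
olcAccess: {0}to dn.base="cn=config" attrs=entry
  by dn.exact="uid=PP-Checker,ou=system,dc=context" search
  by * break
# The filter is now a complete filter (outer parentheses present).
# "entry" must be readable for the overlay entry to be returned at all,
# "objectClass" must be searchable so the search filter
# (objectClass=olcPPolicyConfig) can be evaluated on the entry, and "read"
# on olcPPolicyDefault returns the value. Entries without olcPPolicyDefault
# do not match this rule and stay invisible to the checker.
olcAccess: {1}to filter=(&(objectClass=olcPPolicyConfig)(olcPPolicyDefault=*))
  attrs=entry,objectClass,olcPPolicyDefault
  by dn.exact="uid=PP-Checker,ou=system,dc=context" read
  by * break
-
```

After loading this with ldapmodify as the config rootdn, the utility can query any server the same way without knowing the overlay DN: ldapsearch -LLL -x -H ldap://server -D "uid=PP-Checker,ou=system,dc=context" -W -b cn=config "(objectClass=olcPPolicyConfig)" olcPPolicyDefault. An empty result then means no default policy is configured, since entries whose olcPPolicyDefault is unset never match the ACL filter. Other identities fall through both rules to the implicit "access to * by * none" at the end of the list, so this does not widen access to cn=config, and the rootdn is not subject to ACLs at all. The one disclosure to accept is that the returned DN reveals the name of the database the overlay is stacked on (olcDatabase={1}hdb in the thread).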