Hi,

I just added the password policy overlay to our OpenLDAP servers (2.4.21). It works fine in general: I can change a password as a user, and it is replicated correctly between provider and consumer.

But since I added the password policy I see a strange behaviour:

- I do an ldapsearch on the provider and type in a wrong password for the binding user; then I get "ldap_bind: Invalid credentials (49)", as expected.
- If I do the same on the consumer (wrong password for the bind), ldapsearch returns search results without complaining about the wrong password. It just adds a pwdFailureTime attribute on the provider and consumer. But I would also expect a "ldap_bind: Invalid credentials (49)" error here?

Thanks for any ideas!
/chris
Hi, you have to add to your ppolicy overlay configuration the directive that forwards the operational attributes related to ppolicy to the master server, so that these attributes are synchronized on all your servers.

ppolicy_forward_updates has been available since version 2.4.18.

Regards, Marco

--
It is not the one who never falls who is strong, but the one who, having fallen, has the strength to get back up. (Jim Morrison)
"ppolicy_forward_updates" won't affect the primary issue of:

- wrong password --> got ldapsearch results: "...(type in wrong password for binding) ldapsearch get me search results..."

Also, it seems he already has that set up: "it just adds a pwdFailureTime attribute on the provider and consumer"

I have nothing to add (having chased this issue myself unsuccessfully) except to clarify what the original poster wrote.

This is the third time we've heard of the issue.

Christian:

- What OS/version are you using?
- What version of PAM is installed?
- What does your slapd.conf look like on your consumer (don't make the noob mistake I did of posting real domain, rootdn and rootpw info)?
- chris
Chris Jacobs, Systems Administrator Apollo Group | Apollo Marketing | Aptimus 2001 6th Ave Ste 3200 | Seattle, WA 98121 phone: 206.441.9100 x1245 | mobile: 206.601.3256 | fax: 206.441.9661 email: chris.jacobs@apollogrp.edu
________________________________ This message is private and confidential. If you have received it in error, please notify the sender and remove it from your system.
You're right, I apologize for reading the original request too fast. It seemed similar to a problem I had months ago, and I replied accordingly. Sorry.

Marco
Oh, I'm not bothered. I'm not touchy or impatient. I've done it myself. :)
- chris
I tested ppolicy_forward_updates just before I got the first reply from Marco, and it seemed to solve my problem, however. Now I'm already out of the office and enjoying the weekend, but I will test again on Monday and get back with the results.

/chris
Now I have tested this and came to the following conclusion:

ppolicy_forward TRUE on the consumer: everything is synced well. ldapsearch on the consumer with a wrong bind password gets search results; not so on the provider, where I get "ldap_bind: Invalid credentials (49)".

ppolicy_forward FALSE on the consumer: ldapsearch with a wrong password results in invalid credentials on both machines. I'm wondering that pwdHistory is synced well, however... pwdFailureTime is only synced from provider to consumer. If a failed authentication takes place on the consumer, then pwdFailureTime is added only on the consumer locally, which is a problem if I want to use lockout.

Any ideas?
/chris
Not I...
On Monday, 5 July 2010 08:35:02 Christian Bösch wrote:
Now I have tested this and came to the following conclusion:

ppolicy_forward TRUE on the consumer: everything is synced well. ldapsearch on the consumer with a wrong bind password gets search results; not so on the provider, where I get "ldap_bind: Invalid credentials (49)".
So, the new feature does not seem to work correctly. Has someone filed an ITS?
ppolicy_forward FALSE on the consumer: ldapsearch with a wrong password results in invalid credentials on both machines. I'm wondering that pwdHistory is synced well, however...
pwdHistory can only be updated on the provider, so this is not a concern.
pwdFailureTime is only synced from provider to consumer. If a failed authentication takes place on the consumer, then pwdFailureTime is added only on the consumer locally, which is a problem if I want to use lockout.
This is the same as the behaviour prior to this feature. There are workarounds.
Regards, Buchan
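For readers who land on this thread looking for the setup Marco's ppolicy_forward_updates pointer and Buchan's "there are workarounds" remark both refer to, here is a consumer-side slapd.conf fragment written as an added example for this page. It is not Christian's configuration and not something posted to the list; hostnames, DNs, credentials, schema paths, the module path and the policy entry name are all placeholders. It follows slapo-ppolicy(5), which says ppolicy_forward_updates is only useful on a consumer and requires updateref and the chain overlay to be configured, plus syncrepl with attrs="*,+" so the operational pwd* attributes written on the provider replicate back down.

```conf
# Consumer slapd.conf fragment, OpenLDAP 2.4.18 or later.
# Added example for this thread; not the poster's file. All names below
# (example.com hosts, DNs, passwords, paths) are assumed placeholders.

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/ppolicy.schema

modulepath      /usr/lib/openldap
moduleload      back_hdb.la
moduleload      back_ldap.la
moduleload      ppolicy.la

# Chain overlay on the frontend (declared before any "database" line).
# Writes a consumer must not apply locally are chased to the provider
# instead of being answered with a referral. With ppolicy_forward_updates
# below, the modify that records a failed bind (pwdFailureTime, and
# pwdAccountLockedTime once the threshold is hit) takes this path.
overlay         chain
chain-uri       "ldap://provider.example.com"
chain-idassert-bind bindmethod=simple
                binddn="cn=replicator,dc=example,dc=com"
                credentials="replicator-secret"
                mode=self
chain-return-error TRUE

database        hdb
suffix          "dc=example,dc=com"
rootdn          "cn=admin,dc=example,dc=com"
directory       /var/lib/ldap

# Password policy on the consumer. Without ppolicy_forward_updates the
# failure is recorded only in this consumer's local database, which is
# the behaviour Christian describes for the FALSE case above.
overlay         ppolicy
ppolicy_default "cn=default,ou=policies,dc=example,dc=com"
ppolicy_forward_updates

# Replicate user attributes and operational attributes ("+"), so the
# pwd* state the provider ends up holding is visible on this consumer.
syncrepl        rid=001
                provider=ldap://provider.example.com
                type=refreshAndPersist
                retry="60 +"
                searchbase="dc=example,dc=com"
                attrs="*,+"
                schemachecking=off
                bindmethod=simple
                binddn="cn=replicator,dc=example,dc=com"
                credentials="replicator-secret"

# Referral target for any other write that reaches the consumer.
updateref       ldap://provider.example.com
```

Two caveats a practitioner would want. First, the chain bind uses identity assertion, so the provider must allow cn=replicator to assume the forwarded identity (authz-policy and authzTo on the provider side, not shown) and that identity must be allowed to write the pwd* operational attributes there; if it is not, chain-return-error TRUE makes the failure visible rather than silently dropping the update. Second, do not assume the bind result from the configuration: verify it the way Christian did, with an ldapsearch against the consumer using a deliberately wrong bind password and checking that the exit status is 49, then reading pwdFailureTime on the provider as rootdn with the attribute named explicitly (operational attributes are not returned by default). The thread reports that on 2.4.21 the consumer answered a wrong-password bind with search results once forwarding was enabled, which is the point Buchan suggests raising as an ITS, so the exit-status check is the only reliable evidence that the setup is doing what the manual page describes.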
openldap-technical@openldap.org