hello:
I am currently evaluating the OpenLDAP version 2.4.58. I was told by someone that it does support the password expired control but I don't see that it is working. As per the RFC, the server should send this control as a part of response but it doesn't. I do see that the server returns the password policy state control that has expired and warning information. However, I am interested in the password expired control since I am looking to support an existing implementation that leverages that control. Can someone tell me how to configure openldap to return that control?
--On Tuesday, June 29, 2021 6:34 PM -0500 cst labs labscst@gmail.com wrote:
hello:
I am currently evaluating the OpenLDAP version 2.4.58. I was told by someone that it does support the password expired control but I don't see that it is working. As per the RFC, the server should send this control as a part of response but it doesn't. I do see that the server returns the password policy state control that has expired and warning information. However, I am interested in the password expired control since I am looking to support an existing implementation that leverages that control. Can someone tell me how to configure openldap to return that control?
I suggest reading the slapo-ppolicy(5) man page, which clearly documents how to enable that control.
Regards, Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
Hello,
Just some points you have to do to start working with password expiration:
- load the ppolicy overlay and configure it on your database
- define a policy that enables password expiration (by setting its pwdMaxAge attribute)
- make sure to apply this policy to your test user (it must be the default one of your database or applied using the user's pwdPolicySubentry attribute)
- change your test user's password to set its initial pwdChangedTime attribute

After this initial configuration, you will be able to retrieve the user's password status on login if:
- you use an LDAP v3 connection
- you send a PasswordPolicyRequest control on the user bind
- you handle the PasswordPolicyResponse control returned by the server

You could use the following Python script, which handles the connection against an LDAP server with ppolicy enabled and displays the bind result with PasswordPolicyResponse control details if available:
https://gitlab.easter-eggs.com/-/snippets/23
Note: make sure to use Python 3 and python-ldap >= 3.3.0 for full details. On Debian testing, you can easily pin the python3-ldap package from experimental (https://packages.debian.org/experimental/amd64/python3-ldap/download). On Debian stable, you could use this package: http://apt.easter-eggs.com/debian/pool/main/p/python-ldap/python3-ldap_3.3.1...).
Regards,
On 06/07/2021 at 17:14, Quanah Gibson-Mount wrote:
I suggest reading the slapo-ppolicy(5) man page, which clearly documents how to enable that control.
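As an added example that is not from this thread or from the linked snippet: a stdlib-only Python decoder for the value of the PasswordPolicyResponse control (OID 1.3.6.1.4.1.42.2.27.8.5.1) that slapd's ppolicy overlay returns on a bind when the client sent the PasswordPolicyRequest control, covering the warning (time before expiration, grace logins) and error (e.g. passwordExpired) cases the steps above refer to. The sample byte strings are constructed for the example, not captured from a server.

```python
# Added example: decode the BER value of the LDAP PasswordPolicyResponse control
# (draft-behera-ldap-password-policy). python-ldap's ppolicy module does the same
# with pyasn1; this version needs only the standard library.
PPOLICY_CONTROL_OID = "1.3.6.1.4.1.42.2.27.8.5.1"

ERROR_NAMES = {
    0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
    3: "passwordModNotAllowed", 4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality", 6: "passwordTooShort",
    7: "passwordTooYoung", 8: "passwordInHistory",
}
WARNING_TAGS = {0x80: "timeBeforeExpiration", 0x81: "graceAuthNsRemaining"}

def _read_tlv(buf, pos):
    """Read one BER tag/length/value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length: low 7 bits = octet count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:end], end

def decode_ppolicy_response(value):
    """Return {'warning': (kind, n) | None, 'error': name | None} for a control value."""
    tag, body, end = _read_tlv(value, 0)
    if tag != 0x30 or end != len(value):    # outer element must be one SEQUENCE
        raise ValueError("expected a single SEQUENCE")
    result, pos = {"warning": None, "error": None}, 0
    while pos < len(body):
        tag, inner, pos = _read_tlv(body, pos)
        if tag == 0xA0:                     # warning [0] CHOICE, explicit constructed tag
            wtag, wval, _ = _read_tlv(inner, 0)
            if wtag not in WARNING_TAGS:
                raise ValueError("unknown warning tag 0x%02x" % wtag)
            result["warning"] = (WARNING_TAGS[wtag], int.from_bytes(wval, "big", signed=True))
        elif tag == 0x81:                   # error [1] ENUMERATED, implicit primitive tag
            result["error"] = ERROR_NAMES.get(inner[0], "unknown(%d)" % inner[0])
        else:
            raise ValueError("unexpected tag 0x%02x" % tag)
    return result

if __name__ == "__main__":
    # Constructed sample values: expired password; 3600 s before expiration; 2 grace logins left.
    for sample in (b"\x30\x03\x81\x01\x00", b"\x30\x06\xa0\x04\x80\x02\x0e\x10",
                   b"\x30\x05\xa0\x03\x81\x01\x02"):
        print(sample.hex(), "->", decode_ppolicy_response(sample))
```

In a real client the bytes come from the control in the bind response whose OID matches PPOLICY_CONTROL_OID; an "error" of passwordExpired on an otherwise failed bind is the state the thread's original question is about.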
openldap-technical@openldap.org