
I have a configuration problem with a new OpenLDAP server. I successfully set the password policy on the server and set up the overlay settings too; it works well. My only problem is that the password controls do not work. When I try with an external application I only get Invalid Credentials (49) when somebody locks himself out or his password has expired. I set olcPPolicyUseLockout: TRUE in the ppolicy config but everything is the same; I get the same error message.

Any idea how I can get more details?

System Details:

OS: RedHat 7

LDAP packages: openldap-2.4.40-13.el7.x86_64 openldap-servers-2.4.40-13.el7.x86_64 openldap-clients-2.4.40-13.el7.x86_64 compat-openldap-2.3.43-5.el7.x86_64 openldap-devel-2.4.40-13.el7.x86_64

Loaded Modules

dn: cn=schema,cn=config

dn: cn={0}core,cn=schema,cn=config

dn: cn={1}cosine,cn=schema,cn=config

dn: cn={2}nis,cn=schema,cn=config

dn: cn={3}inetorgperson,cn=schema,cn=config

dn: cn={4}aviva,cn=schema,cn=config

dn: cn={5}ppolicy,cn=schema,cn=config

dn: olcOverlay={0}ppolicy,olcDatabase={2}hdb,cn=config
objectClass: olcPPolicyConfig
olcOverlay: {0}ppolicy
olcPPolicyDefault: cn=ppolicy,ou=Policies,dc=test,dc=co,dc=com
olcPPolicyUseLockout: TRUE
olcPPolicyForwardUpdates: FALSE

Supported controls:
1.2.826.0.1.3344810.2.3 - Matched Values - Control - RFC3876
1.2.840.113556.1.4.319 - LDAP Simple Paged Results - Control - RFC2696
1.3.6.1.1.12 - Assertion - Control - RFC4528
1.3.6.1.1.13.1 - LDAP Pre-read - Control - RFC4527
1.3.6.1.1.13.2 - LDAP Post-read - Control - RFC4527
1.3.6.1.4.1.4203.1.10.1 - Subentries - Control - RFC3672
2.16.840.1.113730.3.4.18 - Proxy Authorization Control - Control - RFC6171
2.16.840.1.113730.3.4.2 - ManageDsaIT - Control - RFC3296

Supported extensions:
1.3.6.1.1.8 - Cancel Operation - Extension - RFC3909
1.3.6.1.4.1.1466.20037 - StartTLS - Extension - RFC4511-RFC4513
1.3.6.1.4.1.4203.1.11.1 - Modify Password - Extension - RFC3062
1.3.6.1.4.1.4203.1.11.3 - Who am I - Extension - RFC4532

Supported features:
1.3.6.1.1.14 - Modify-Increment - Feature - RFC4525
1.3.6.1.4.1.4203.1.5.1 - All Op Attrs - Feature - RFC3673
1.3.6.1.4.1.4203.1.5.2 - OC AD Lists - Feature - RFC4529
1.3.6.1.4.1.4203.1.5.3 - True/False filters - Feature - RFC4526
1.3.6.1.4.1.4203.1.5.4 - Language Tag Options - Feature - RFC3866
1.3.6.1.4.1.4203.1.5.5 - language Range Options - Feature - RFC3866

The password policy control is missing from the control list:
1.3.6.1.4.1.42.2.27.8.5.1 - Password policy - Control - IETF DRAFT behera-ldap-password-policy

Is it possible to add this control?

CsharpJoe
  • I'm not too sure about that, but it seems to me that because ppolicy is still a draft, the control is not advertised by the directory. Can you try a bind with the control to see if it still works? – Esteban May 19 '17 at 13:09
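Added example (written for this page; not code from the question, the answer, or the OpenLDAP project): Esteban's suggestion of binding with the control is the right check, because the ppolicy overlay only attaches the password policy response control to a bind result when the client included the password policy request control in the BindRequest. A client that binds without it sees nothing but Invalid Credentials (49), whether the account is locked, the password has expired, or the password is simply wrong. With the OpenLDAP client tools the check is a bind such as `ldapwhoami -x -H ldap://host -D "<user dn>" -W -e ppolicy`. The Python below does the same two pieces of work without an LDAP library: it BER-encodes the request control (controlType 1.3.6.1.4.1.42.2.27.8.5.1, no controlValue) as a client would add it to the bind, and it decodes the PasswordPolicyResponseValue that comes back. The sample byte strings are constructed for illustration, not captured from the asker's server.

```python
"""Encode the behera password-policy request control and decode the response
control value.  Added example, pure Python; sample wire bytes are constructed."""

PPOLICY_CONTROL_OID = "1.3.6.1.4.1.42.2.27.8.5.1"  # draft-behera-ldap-password-policy

# PasswordPolicyResponseValue.error ENUMERATED values from the draft
PPOLICY_ERRORS = {
    0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
    3: "passwordModNotAllowed", 4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality", 6: "passwordTooShort",
    7: "passwordTooYoung", 8: "passwordInHistory",
}


def _encode_oid(oid: str) -> bytes:
    """BER content octets of an OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in oid.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def _ber_tlv(data: bytes, pos: int):
    """Parse one BER TLV at pos (lengths up to 4 octets); return (tag, value, end)."""
    if pos >= len(data):
        raise ValueError("truncated BER: expected a tag")
    tag = data[pos]
    pos += 1
    first = data[pos]
    pos += 1
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(data):
            raise ValueError("unsupported or truncated BER length")
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    if pos + length > len(data):
        raise ValueError("truncated BER: value shorter than its length")
    return tag, data[pos:pos + length], pos + length


def encode_ppolicy_request_control(critical: bool = False) -> bytes:
    """BER of Control { controlType, criticality } with no controlValue.
    This is what a client must add to the BindRequest to get a ppolicy
    response control back instead of a bare result code 49."""
    oid = _encode_oid(PPOLICY_CONTROL_OID)
    body = bytes([0x04, len(oid)]) + oid            # OCTET STRING controlType
    if critical:
        body += b"\x01\x01\xff"                     # BOOLEAN criticality TRUE
    return bytes([0x30, len(body)]) + body          # SEQUENCE


def decode_ppolicy_response(value: bytes) -> dict:
    """Decode PasswordPolicyResponseValue ::= SEQUENCE {
         warning [0] CHOICE { timeBeforeExpiration [0] INTEGER,
                              graceAuthNsRemaining [1] INTEGER } OPTIONAL,
         error   [1] ENUMERATED OPTIONAL }
    Returns {'warning': (name, int) or None, 'error': name or None}."""
    result = {"warning": None, "error": None}
    tag, seq, end = _ber_tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("response value is not a single SEQUENCE")
    pos = 0
    while pos < len(seq):
        tag, inner, pos = _ber_tlv(seq, pos)
        if tag == 0xA0:                              # warning [0], constructed
            wtag, wval, wend = _ber_tlv(inner, 0)
            if wend != len(inner) or wtag not in (0x80, 0x81) or not wval:
                raise ValueError("malformed warning CHOICE")
            name = "timeBeforeExpiration" if wtag == 0x80 else "graceAuthNsRemaining"
            result["warning"] = (name, int.from_bytes(wval, "big"))
        elif tag == 0x81 and inner:                  # error [1], ENUMERATED
            code = int.from_bytes(inner, "big")
            result["error"] = PPOLICY_ERRORS.get(code, f"unknown({code})")
        else:
            raise ValueError(f"unexpected tag 0x{tag:02x} in PasswordPolicyResponseValue")
    return result


def explain_bind_failure(result_code: int, response_controls: dict) -> str:
    """Turn a bind result plus the response controls (OID -> raw controlValue,
    as a client library hands them back) into the reason the application needs."""
    value = response_controls.get(PPOLICY_CONTROL_OID)
    if value is None:
        # No control at all: the request control was not sent, or ppolicy
        # does not apply to this entry.  Code 49 alone is all the client has.
        return f"result {result_code}: no password policy control in response"
    decoded = decode_ppolicy_response(value)
    parts = [f"result {result_code}"]
    if decoded["error"]:
        parts.append(f"ppolicy error={decoded['error']}")
    if decoded["warning"]:
        parts.append(f"ppolicy warning={decoded['warning'][0]}:{decoded['warning'][1]}")
    return ", ".join(parts)


# Constructed sample response control values (hypothetical, not from the asker's server)
SAMPLE_ACCOUNT_LOCKED = bytes.fromhex("30 03 81 01 01")          # error=accountLocked
SAMPLE_EXPIRES_SOON = bytes.fromhex("30 06 a0 04 80 02 0e 10")   # timeBeforeExpiration=3600
SAMPLE_GRACE_LEFT = bytes.fromhex("30 08 a0 03 81 01 02 81 01 00")  # 2 grace binds, expired

if __name__ == "__main__":
    print(encode_ppolicy_request_control().hex(" "))
    print(explain_bind_failure(49, {}))
    print(explain_bind_failure(49, {PPOLICY_CONTROL_OID: SAMPLE_ACCOUNT_LOCKED}))
    print(explain_bind_failure(0, {PPOLICY_CONTROL_OID: SAMPLE_EXPIRES_SOON}))
```

The first line of the bind failure output is the situation in the question: an application that never sends the request control gets result 49 and nothing else, so it cannot tell a locked account from a typo. The control not appearing under supportedControl in the rootDSE does not by itself mean the overlay is inactive; sending the request control on a bind against a locked test account is the authoritative check.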

1 Answer


It looks like maybe you haven't actually loaded the policy module. Try running this LDIF via ldapmodify:

dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy.la
Stephen
  • I have already added the ppolicy module:
    modifying entry "cn=module{0},cn=config"
    ldap_modify: Type or value exists (20)
    additional info: modify/add: olcModuleLoad: value #0 already exists
    Any idea? – CsharpJoe May 22 '17 at 15:21