Bug#680049: [Pkg-openldap-devel] Bug#680049: Old version of ppolicy.schema included

2013-07-25 Thread Quanah Gibson-Mount
--On Thursday, July 25, 2013 3:17 PM +1000 Brian May
br...@microcomaustralia.com.au wrote:

> The original bug reporter said "The newer version included several added
> attributes (PWDCHANGEDTIME, PWDHISTORY, PWDFAILURETIME, PWDGRACEUSETIME)
> which are needed e.g. by GoSA."
>
> However if I look for these, they are commented out.


I would advise you take the time to read the ppolicy.c source file, which 
defines these attributes.  This means any time the ppolicy module is 
loaded, they are present.  If you don't find them in your server schema, 
then you've failed to correctly load the ppolicy module.


} pwd_OpSchema[] = {
    {   "( 1.3.6.1.4.1.42.2.27.8.1.16 "
        "NAME ( 'pwdChangedTime' ) "
        "DESC 'The time the password was last changed' "
        "EQUALITY generalizedTimeMatch "
        "ORDERING generalizedTimeOrderingMatch "
        "SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 "
        "SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )",
        &ad_pwdChangedTime },
    {   "( 1.3.6.1.4.1.42.2.27.8.1.17 "
        "NAME ( 'pwdAccountLockedTime' ) "
        "DESC 'The time an user account was locked' "
        "EQUALITY generalizedTimeMatch "
        "ORDERING generalizedTimeOrderingMatch "
        "SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 "
        "SINGLE-VALUE "
#if 0
        /* Not until Relax control is released */
        "NO-USER-MODIFICATION "
#endif
        "USAGE directoryOperation )",
        &ad_pwdAccountLockedTime },
    {   "( 1.3.6.1.4.1.42.2.27.8.1.19 "
        "NAME ( 'pwdFailureTime' ) "
        "DESC 'The timestamps of the last consecutive authentication failures' "
        "EQUALITY generalizedTimeMatch "
        "ORDERING generalizedTimeOrderingMatch "
        "SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 "
        "NO-USER-MODIFICATION USAGE directoryOperation )",
        &ad_pwdFailureTime },
    {   "( 1.3.6.1.4.1.42.2.27.8.1.20 "
        "NAME ( 'pwdHistory' ) "
        "DESC 'The history of users passwords' "
        "EQUALITY octetStringMatch "
        "SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 "
        "NO-USER-MODIFICATION USAGE directoryOperation )",
        &ad_pwdHistory },
    {   "( 1.3.6.1.4.1.42.2.27.8.1.21 "
        "NAME ( 'pwdGraceUseTime' ) "
        "DESC 'The timestamps of the grace login once the password has expired' "
        "EQUALITY generalizedTimeMatch "
        "SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 "
        "NO-USER-MODIFICATION USAGE directoryOperation )",
        &ad_pwdGraceUseTime },
    {   "( 1.3.6.1.4.1.42.2.27.8.1.22 "
        "NAME ( 'pwdReset' ) "
        "DESC 'The indication that the password has been reset' "
        "EQUALITY booleanMatch "
        "SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 "
        "SINGLE-VALUE USAGE directoryOperation )",
        &ad_pwdReset },
    {   /* the OID line of this entry is missing from the pasted excerpt */
        "NAME ( 'pwdPolicySubentry' ) "
        "DESC 'The pwdPolicy subentry in effect for this object' "
        "EQUALITY distinguishedNameMatch "
        "SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 "
        "SINGLE-VALUE "
#if 0
        /* Not until Relax control is released */
        "NO-USER-MODIFICATION "
#endif
        "USAGE directoryOperation )",
        &ad_pwdPolicySubentry },
    { NULL, NULL }
};


--Quanah



--

Quanah Gibson-Mount
Lead Engineer
Zimbra, Inc

Zimbra ::  the leader in open source messaging and collaboration


--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#680049: [Pkg-openldap-devel] Bug#680049: Old version of ppolicy.schema included

2013-07-25 Thread Brian May
On 25 July 2013 16:25, Quanah Gibson-Mount qua...@zimbra.com wrote:

> --On Thursday, July 25, 2013 3:17 PM +1000 Brian May
> br...@microcomaustralia.com.au wrote:
>
>> The original bug reporter said "The newer version included several added
>> attributes (PWDCHANGEDTIME, PWDHISTORY, PWDFAILURETIME, PWDGRACEUSETIME)
>> which are needed e.g. by GoSA."
>>
>> However if I look for these, they are commented out.
>
> I would advise you take the time to read the ppolicy.c source file, which
> defines these attributes.  This means any time the ppolicy module is
> loaded, they are present.  If you don't find them in your server schema,
> then you've failed to correctly load the ppolicy module.


That isn't what Steve Langasek said in the bug report. Was he mistaken?
http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=10;att=0;bug=680049

So just to confirm, does this mean I don't need to manually load the
ppolicy.ldif schema? i.e. all I need to do is load the ppolicy module, and
the schema automatically appear, before I add any ppolicy configuration?
Not sure it is that simple, but I haven't tested it, so I can't say for
certainty. Will run a test tomorrow.

Anyway, I realized I wasn't CCing the original bug submitter. So I am
CCing Andreas Heinlein aheinl...@gmx.com here.
-- 
Brian May br...@microcomaustralia.com.au


Bug#680049: [Pkg-openldap-devel] Bug#680049: Old version of ppolicy.schema included

2013-07-25 Thread Quanah Gibson-Mount
--On Thursday, July 25, 2013 7:28 PM +1000 Brian May
br...@microcomaustralia.com.au wrote:

> That isn't what Steve Langasek said in the bug report. Was he mistaken?
> http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=10;att=0;bug=680049
>
> So just to confirm, does this mean I don't need to manually load the
> ppolicy.ldif schema? i.e. all I need to do is load the ppolicy module,
> and the schema automatically appear, before I add any ppolicy
> configuration? Not sure it is that simple, but I haven't tested it, so I
> can't say for certainty. Will run a test tomorrow.
>
> Anyway, I realized I wasn't CCing the original bug submitter. So I am
> CCing Andreas Heinlein aheinl...@gmx.com here.


For a stock openldap install, any attribute that is hard coded in ppolicy.c 
is available once the module is loaded.  Whether or not one also requires 
the ppolicy.[schema|ldif] file depends entirely on whether or not they also 
need access to those attributes defined within them.  If all you need are 
the hard-coded attributes, then you can skip loading the additional schema 
file.


--Quanah






Bug#680049: [Pkg-openldap-devel] Bug#680049: Old version of ppolicy.schema included

2013-07-25 Thread Brian May
On 26 July 2013 00:12, Quanah Gibson-Mount qua...@zimbra.com wrote:

> For a stock openldap install, any attribute that is hard coded in
> ppolicy.c is available once the module is loaded.  Whether or not one also
> requires the ppolicy.[schema|ldif] file depends entirely on whether or not
> they also need access to those attributes defined within them.  If all you
> need are the hard-coded attributes, then you can skip loading the
> additional schema file.


Ok, so it looks like the ppolicy module only adds certain attributes.
ppolicy.ldif is still required to load the objectClass required for ppolicy.

I assume that there must be a good reason for splitting the ppolicy schema
up between the schema file and the module like this.

Anyway, I may not be the bug submitter, however I think this bug can be
closed. The attributes are there, just in the module not the schema file.
-- 
Brian May br...@microcomaustralia.com.au
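
The test Brian describes (load the module, then see which ppolicy names the server's schema actually carries, and whether ppolicy.ldif is still needed for the objectClass) can be scripted. The following is an added example written for this thread; it is not code from OpenLDAP, the Debian package, or any participant. It parses RFC 4512-style attributeType and objectClass descriptions as returned by a base search on cn=subschema (or in the olc* form quoted above), unfolds the LDIF line wrapping seen in the thread, and reports which attributes the overlay provides, whether the pwdPolicy objectClass is present, and which attributes that class references without any loaded schema defining them, which is exactly how an out-of-date ppolicy.schema would show up. The SAMPLE_* strings are constructed, not captured from a real server; the OID given for pwdPolicySubentry in the sample is an assumption, since the pasted ppolicy.c excerpt lost that line.

```python
import re

# Operational attributes hard-coded in ppolicy.c; they exist as soon as the
# ppolicy overlay module is loaded (the names quoted in this thread).
OVERLAY_ATTRS = {"pwdChangedTime", "pwdAccountLockedTime", "pwdFailureTime",
                 "pwdHistory", "pwdGraceUseTime", "pwdReset", "pwdPolicySubentry"}

def unfold_ldif(text):
    """Join LDIF continuation lines (leading space) back onto their line."""
    out = []
    for raw in text.splitlines():
        if raw.startswith(" ") and out:
            out[-1] += raw[1:]
        elif raw.strip():
            out.append(raw)
    return out

def _names(desc):
    """NAME 'x' or NAME ( 'x' 'y' ) from an RFC 4512 schema description."""
    m = re.search(r"\bNAME\s+(?:'([^']+)'|\(([^)]*)\))", desc)
    if not m:
        return []
    return [m.group(1)] if m.group(1) else re.findall(r"'([^']+)'", m.group(2))

def _oid_list(desc, keyword):
    """Operand of MUST/MAY: a single name or ( a $ b $ c )."""
    m = re.search(r"\b%s\s+(?:\(([^)]*)\)|([\w-]+))" % keyword, desc)
    if not m:
        return []
    return [s.strip() for s in m.group(1).split("$")] if m.group(1) else [m.group(2)]

def load_subschema(ldif_text):
    """Parse attributeTypes/objectClasses (subschema) or olc* (cn=config) values."""
    attrs, classes = {}, {}
    for line in unfold_ldif(ldif_text):
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key = key.strip().lower()
        value = re.sub(r"^\{\d+\}", "", value.strip())  # drop olc {n} ordering prefix
        if key in ("attributetypes", "olcattributetypes"):
            for n in _names(value):
                attrs[n] = {"operational": "USAGE directoryOperation" in value,
                            "no_user_mod": "NO-USER-MODIFICATION" in value}
        elif key in ("objectclasses", "olcobjectclasses"):
            for n in _names(value):
                classes[n] = {"must": _oid_list(value, "MUST"),
                              "may": _oid_list(value, "MAY")}
    return attrs, classes

def check_ppolicy(ldif_text):
    """Report what the overlay provides, what the schema file provides, and
    whether the two are consistent."""
    attrs, classes = load_subschema(ldif_text)
    present = set(attrs)
    policy = classes.get("pwdPolicy")
    referenced = policy["must"] + policy["may"] if policy else []
    return {
        "overlay_loaded": OVERLAY_ATTRS <= present,
        "missing_overlay_attrs": sorted(OVERLAY_ATTRS - present),
        # The overlay defines these as operational; a user-attribute definition
        # of the same name (old ppolicy.schema with them uncommented) conflicts.
        "overlay_attrs_not_operational": sorted(
            n for n in OVERLAY_ATTRS & present if not attrs[n]["operational"]),
        "pwdPolicy_class_present": policy is not None,
        # Names pwdPolicy references that no loaded schema defines.
        "pwdPolicy_undefined_attrs": sorted(a for a in referenced if a not in present),
    }

# Constructed subschema excerpt (not a capture from a real server): the
# ppolicy module is loaded, ppolicy.ldif is not. Folded like ldapsearch output.
SAMPLE_OVERLAY_ONLY = """\
dn: cn=Subschema
attributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.16 NAME ( 'pwdChangedTime' ) DESC 'T
 he time the password was last changed' EQUALITY generalizedTimeMatch SYNTAX 1
 .3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE NO-USER-MODIFICATION USAGE director
 yOperation )
attributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.17 NAME ( 'pwdAccountLockedTime' ) S
 YNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE USAGE directoryOperation )
attributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.19 NAME ( 'pwdFailureTime' ) SYNTAX
  1.3.6.1.4.1.1466.115.121.1.24 NO-USER-MODIFICATION USAGE directoryOperation )
attributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.20 NAME ( 'pwdHistory' ) SYNTAX 1.3.
 6.1.4.1.1466.115.121.1.40 NO-USER-MODIFICATION USAGE directoryOperation )
attributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.21 NAME ( 'pwdGraceUseTime' ) SYNTAX
  1.3.6.1.4.1.1466.115.121.1.24 NO-USER-MODIFICATION USAGE directoryOperation )
attributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.22 NAME ( 'pwdReset' ) SYNTAX 1.3.6.
 1.4.1.1466.115.121.1.7 SINGLE-VALUE USAGE directoryOperation )
attributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.23 NAME ( 'pwdPolicySubentry' ) SYNT
 AX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE USAGE directoryOperation )
"""

# Constructed cn=config fragment in the olc* form the thread shows, with only a
# few of the attributes pwdPolicy allows, to show how an out-of-sync file reports.
SAMPLE_PARTIAL_PPOLICY_LDIF = """\
dn: cn=ppolicy,cn=schema,cn=config
olcAttributeTypes: {0}( 1.3.6.1.4.1.42.2.27.8.1.1 NAME 'pwdAttribute' EQUALITY
  objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
olcAttributeTypes: {1}( 1.3.6.1.4.1.42.2.27.8.1.3 NAME 'pwdMaxAge' EQUALITY in
 tegerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {2}( 1.3.6.1.4.1.42.2.27.8.1.11 NAME 'pwdMaxFailure' EQUALI
 TY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcObjectClasses: {0}( 1.3.6.1.4.1.42.2.27.8.2.1 NAME 'pwdPolicy' SUP top AUXI
 LIARY MUST pwdAttribute MAY ( pwdMaxAge $ pwdMaxFailure $ pwdLockout ) )
"""
```

Against a live server, feed check_ppolicy() the output of a standard subschema query such as `ldapsearch -x -H ldap://host -b cn=subschema -s base '(objectClass=subschema)' attributeTypes objectClasses` (the command is ordinary OpenLDAP client usage, not something from the thread). On the constructed overlay-only sample the report says the overlay is loaded but pwdPolicy is absent; with the partial cn=config fragment appended, pwdPolicy appears and pwdLockout is reported as referenced but undefined. The no_user_mod flag records the point of the `#if 0` blocks in the ppolicy.c excerpt: pwdAccountLockedTime and pwdPolicySubentry are left writable, which is what lets an administrator clear a lockout by deleting pwdAccountLockedTime, whereas the other overlay attributes reject ordinary client writes.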


Bug#680049: [Pkg-openldap-devel] Bug#680049: Old version of ppolicy.schema included

2013-07-24 Thread Quanah Gibson-Mount
--On Wednesday, July 24, 2013 11:20 AM +1000 Brian May
br...@microcomaustralia.com.au wrote:

> The file:
>
> servers/slapd/schema/ppolicy.ldif
>
> from the upstream sources also appears to be out-of-date too.


I'm not sure what you mean by this.  I just checked the source repository
for OpenLDAP, and ppolicy.ldif and ppolicy.schema have the same definitions.


--Quanah






Bug#680049: [Pkg-openldap-devel] Bug#680049: Old version of ppolicy.schema included

2013-07-24 Thread Brian May
On 25 July 2013 01:51, Quanah Gibson-Mount qua...@zimbra.com wrote:

> I'm not sure what you mean by this.  I just checked the source repository
> for OpenLDAP, and ppolicy.ldif and ppolicy.schema have the same definitions.


I checked the latest stable release of OpenLDAP I could find.

Oh wait, the supplied ppolicy.schema does have these new definitions, but
they are commented out. My bad.


Bug#680049: [Pkg-openldap-devel] Bug#680049: Old version of ppolicy.schema included

2013-07-24 Thread Quanah Gibson-Mount
--On Thursday, July 25, 2013 9:19 AM +1000 Brian May
br...@microcomaustralia.com.au wrote:

> I checked the latest stable release of OpenLDAP I could find.

Not exactly sure what you mean by this either.  The source for OpenLDAP is
far from hidden:

http://www.openldap.org/software/download/

> Oh wait, the supplied ppolicy.schema does have these new definitions, but
> they are commented out. My bad.


No clue what you mean on this either.  The definitions are not commented 
out in either file, and the definitions of all attributes/objectclass are 
identical.


quanah@zre-ldap001:~/src/openldap/openldap-2-4/servers/slapd/schema$ cat ppolicy.ldif | grep -v ^#

dn: cn=ppolicy,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: ppolicy
olcAttributeTypes: {0}( 1.3.6.1.4.1.42.2.27.8.1.1 NAME 'pwdAttribute' EQUALITY objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
olcAttributeTypes: {1}( 1.3.6.1.4.1.42.2.27.8.1.2 NAME 'pwdMinAge' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {2}( 1.3.6.1.4.1.42.2.27.8.1.3 NAME 'pwdMaxAge' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {3}( 1.3.6.1.4.1.42.2.27.8.1.4 NAME 'pwdInHistory' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {4}( 1.3.6.1.4.1.42.2.27.8.1.5 NAME 'pwdCheckQuality' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {5}( 1.3.6.1.4.1.42.2.27.8.1.6 NAME 'pwdMinLength' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {6}( 1.3.6.1.4.1.42.2.27.8.1.7 NAME 'pwdExpireWarning' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {7}( 1.3.6.1.4.1.42.2.27.8.1.8 NAME 'pwdGraceAuthNLimit' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {8}( 1.3.6.1.4.1.42.2.27.8.1.9 NAME 'pwdLockout' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: {9}( 1.3.6.1.4.1.42.2.27.8.1.10 NAME 'pwdLockoutDuration' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {10}( 1.3.6.1.4.1.42.2.27.8.1.11 NAME 'pwdMaxFailure' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {11}( 1.3.6.1.4.1.42.2.27.8.1.12 NAME 'pwdFailureCountInterval' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {12}( 1.3.6.1.4.1.42.2.27.8.1.13 NAME 'pwdMustChange' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: {13}( 1.3.6.1.4.1.42.2.27.8.1.14 NAME 'pwdAllowUserChange' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: {14}( 1.3.6.1.4.1.42.2.27.8.1.15 NAME 'pwdSafeModify' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: {15}( 1.3.6.1.4.1.4754.1.99.1 NAME 'pwdCheckModule' DESC 'Loadable module that instantiates check_password() function' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcObjectClasses: {0}( 1.3.6.1.4.1.4754.2.99.1 NAME 'pwdPolicyChecker' SUP top AUXILIARY MAY pwdCheckModule )
olcObjectClasses: {1}( 1.3.6.1.4.1.42.2.27.8.2.1 NAME 'pwdPolicy' SUP top AUXILIARY MUST pwdAttribute MAY ( pwdMinAge $ pwdMaxAge $ pwdInHistory $ pwdCheckQuality $ pwdMinLength $ pwdExpireWarning $ pwdGraceAuthNLimit $ pwdLockout $ pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $ pwdMustChange $ pwdAllowUserChange $ pwdSafeModify ) )


quanah@zre-ldap001:~/src/openldap/openldap-2-4/servers/slapd/schema$ 
clear;cat ppolicy.schema | grep -v ^#

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.1
 NAME 'pwdAttribute'
 EQUALITY objectIdentifierMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )


attributetype ( 1.3.6.1.4.1.42.2.27.8.1.2
 NAME 'pwdMinAge'
 EQUALITY integerMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
 SINGLE-VALUE )


attributetype ( 1.3.6.1.4.1.42.2.27.8.1.3
 NAME 'pwdMaxAge'
 EQUALITY integerMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
 SINGLE-VALUE )


attributetype ( 1.3.6.1.4.1.42.2.27.8.1.4
 NAME 'pwdInHistory'
 EQUALITY integerMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
 SINGLE-VALUE )


attributetype ( 1.3.6.1.4.1.42.2.27.8.1.5
 NAME 'pwdCheckQuality'
 EQUALITY integerMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
 SINGLE-VALUE )


attributetype ( 1.3.6.1.4.1.42.2.27.8.1.6
 NAME 'pwdMinLength'
 EQUALITY integerMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
 SINGLE-VALUE )


attributetype ( 1.3.6.1.4.1.42.2.27.8.1.7
 NAME 'pwdExpireWarning'
 EQUALITY integerMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
 SINGLE-VALUE )


attributetype ( 1.3.6.1.4.1.42.2.27.8.1.8
 NAME 'pwdGraceAuthNLimit'
 EQUALITY integerMatch
 

Bug#680049: [Pkg-openldap-devel] Bug#680049: Old version of ppolicy.schema included

2013-07-24 Thread Brian May
On 25 July 2013 15:08, Quanah Gibson-Mount qua...@zimbra.com wrote:

> --On Thursday, July 25, 2013 9:19 AM +1000 Brian May
> br...@microcomaustralia.com.au wrote:
>
>> I checked the latest stable release of OpenLDAP I could find.
>
> Not exactly sure what you mean by this either.  The source for OpenLDAP is
> far from hidden:
>
> http://www.openldap.org/software/download/


You misunderstood. I never said it was hidden. From this page I found:

ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/openldap-2.4.35.tgz

This is the latest stable release I could find. I never said I couldn't
find any stable releases.



>> Oh wait, the supplied ppolicy.schema does have these new definitions, but
>> they are commented out. My bad.
>
> No clue what you mean on this either.  The definitions are not commented
> out in either file, and the definitions of all attributes/objectclass are
> identical.


None of these are the new definitions. As discussed in this bug.

The original bug reporter said The newer version included several added
attributes (PWDCHANGEDTIME, PWDHISTORY, PWDFAILURETIME, PWDGRACEUSETIME)
which are needed e.g. by GoSA.

However if I look for these, they are commented out.

e.g. in openldap-2.4.35/servers/slapd/schema/ppolicy.schema

#  ( 1.3.6.1.4.1.42.2.27.8.1.20
#  NAME 'pwdHistory'
#  DESC 'The history of user's passwords'
#  EQUALITY octetStringMatch
#  SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
#  USAGE directoryOperation )

-- 
Brian May br...@microcomaustralia.com.au


Bug#680049: [Pkg-openldap-devel] Bug#680049: Old version of ppolicy.schema included

2012-07-03 Thread Steve Langasek
tags 680049 confirmed
thanks

On Tue, Jul 03, 2012 at 09:09:03AM +0200, Andreas Heinlein wrote:
 The file /etc/ldap/schema/ppolicy.schema included with the package
 is version 1.2.2.4 2007/01/02, while the version included with the
 official tarball of openldap-2.4.23 is 1.7.2.5 2010/04/13.
 Curiously, there is no ppolicy.schema at all in the .orig.tar.gz of
 the debian package.

Yes; this is because the original file, as included upstream, is partly
covered by a license that is non-free, so the file has to be removed from
the source package and manually re-imported into the debian diff with the
copyrighted portions removed.  Unfortunately it seems we've overlooked the
fact that there've been upstream changes and are now out of sync.

 The newer version included several added attributes (PWDCHANGEDTIME,
 PWDHISTORY, PWDFAILURETIME, PWDGRACEUSETIME) which are needed e.g.
 by GoSA.

Ok. :/  Marking this bug confirmed so that we can hopefully get it fixed for
wheezy.

-- 
Steve Langasek   Give me a lever long enough and a Free OS
Debian Developer   to set it on, and I can move the world.
Ubuntu Developerhttp://www.debian.org/
slanga...@ubuntu.com vor...@debian.org

