Bug#680049: [Pkg-openldap-devel] Bug#680049: Old version of ppolicy.schema included
--On Thursday, July 25, 2013 3:17 PM +1000 Brian May br...@microcomaustralia.com.au wrote:

> The original bug reporter said
>
>> The newer version included several added attributes (PWDCHANGEDTIME, PWDHISTORY, PWDFAILURETIME, PWDGRACEUSETIME) which are needed e.g. by GoSA.
>
> However if I look for these, they are commented out.

I would advise you take the time to read the ppolicy.c source file, which defines these attributes. This means any time the ppolicy module is loaded, they are present. If you don't find them in your server schema, then you've failed to correctly load the ppolicy module.

    } pwd_OpSchema[] = {
        { ( 1.3.6.1.4.1.42.2.27.8.1.16
            NAME ( 'pwdChangedTime' )
            DESC 'The time the password was last changed'
            EQUALITY generalizedTimeMatch
            ORDERING generalizedTimeOrderingMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
            SINGLE-VALUE
            NO-USER-MODIFICATION
            USAGE directoryOperation ),
          ad_pwdChangedTime },
        { ( 1.3.6.1.4.1.42.2.27.8.1.17
            NAME ( 'pwdAccountLockedTime' )
            DESC 'The time an user account was locked'
            EQUALITY generalizedTimeMatch
            ORDERING generalizedTimeOrderingMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
            SINGLE-VALUE
    #if 0
            /* Not until Relax control is released */
            NO-USER-MODIFICATION
    #endif
            USAGE directoryOperation ),
          ad_pwdAccountLockedTime },
        { ( 1.3.6.1.4.1.42.2.27.8.1.19
            NAME ( 'pwdFailureTime' )
            DESC 'The timestamps of the last consecutive authentication failures'
            EQUALITY generalizedTimeMatch
            ORDERING generalizedTimeOrderingMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
            NO-USER-MODIFICATION
            USAGE directoryOperation ),
          ad_pwdFailureTime },
        { ( 1.3.6.1.4.1.42.2.27.8.1.20
            NAME ( 'pwdHistory' )
            DESC 'The history of users passwords'
            EQUALITY octetStringMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
            NO-USER-MODIFICATION
            USAGE directoryOperation ),
          ad_pwdHistory },
        { ( 1.3.6.1.4.1.42.2.27.8.1.21
            NAME ( 'pwdGraceUseTime' )
            DESC 'The timestamps of the grace login once the password has expired'
            EQUALITY generalizedTimeMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
            NO-USER-MODIFICATION
            USAGE directoryOperation ),
          ad_pwdGraceUseTime },
        { ( 1.3.6.1.4.1.42.2.27.8.1.22
            NAME ( 'pwdReset' )
            DESC 'The indication that the password has been reset'
            EQUALITY booleanMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
            SINGLE-VALUE
            USAGE directoryOperation ),
          ad_pwdReset },
            NAME ( 'pwdPolicySubentry' )
            DESC 'The pwdPolicy subentry in effect for this object'
            EQUALITY distinguishedNameMatch
            SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
            SINGLE-VALUE
    #if 0
            /* Not until Relax control is released */
            NO-USER-MODIFICATION
    #endif
            USAGE directoryOperation ),
          ad_pwdPolicySubentry },
        { NULL, NULL }

--Quanah

--
Quanah Gibson-Mount
Lead Engineer
Zimbra, Inc
Zimbra :: the leader in open source messaging and collaboration

--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#680049: [Pkg-openldap-devel] Bug#680049: Old version of ppolicy.schema included
On 25 July 2013 16:25, Quanah Gibson-Mount qua...@zimbra.com wrote:

> --On Thursday, July 25, 2013 3:17 PM +1000 Brian May br...@microcomaustralia.com.au wrote:
>
>> The original bug reporter said
>>
>>> The newer version included several added attributes (PWDCHANGEDTIME, PWDHISTORY, PWDFAILURETIME, PWDGRACEUSETIME) which are needed e.g. by GoSA.
>>
>> However if I look for these, they are commented out.
>
> I would advise you take the time to read the ppolicy.c source file, which defines these attributes. This means any time the ppolicy module is loaded, they are present. If you don't find them in your server schema, then you've failed to correctly load the ppolicy module.

That isn't what Steve Langasek said in the bug report. Was he mistaken?

http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=10;att=0;bug=680049

So just to confirm, does this mean I don't need to manually load the ppolicy.ldif schema? i.e. all I need to do is load the ppolicy module, and the schema automatically appears, before I add any ppolicy configuration?

Not sure it is that simple, but I haven't tested it, so I can't say with certainty. Will run a test tomorrow.

Anyway, I realized I wasn't CCing the original bug submitter. So I am CCing Andreas Heinlein aheinl...@gmx.com here.

--
Brian May br...@microcomaustralia.com.au
Bug#680049: [Pkg-openldap-devel] Bug#680049: Old version of ppolicy.schema included
--On Thursday, July 25, 2013 7:28 PM +1000 Brian May br...@microcomaustralia.com.au wrote:

> That isn't what Steve Langasek said in the bug report. Was he mistaken?
>
> http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=10;att=0;bug=680049
>
> So just to confirm, does this mean I don't need to manually load the ppolicy.ldif schema? i.e. all I need to do is load the ppolicy module, and the schema automatically appears, before I add any ppolicy configuration?
>
> Not sure it is that simple, but I haven't tested it, so I can't say with certainty. Will run a test tomorrow.
>
> Anyway, I realized I wasn't CCing the original bug submitter. So I am CCing Andreas Heinlein aheinl...@gmx.com here.
>
> --
> Brian May br...@microcomaustralia.com.au

For a stock openldap install, any attribute that is hard coded in ppolicy.c is available once the module is loaded. Whether or not one also requires the ppolicy.[schema|ldif] file depends entirely on whether or not they also need access to those attributes defined within them. If all you need are the hard-coded attributes, then you can skip loading the additional schema file.

--Quanah

--
Quanah Gibson-Mount
Lead Engineer
Zimbra, Inc
Zimbra :: the leader in open source messaging and collaboration
Bug#680049: [Pkg-openldap-devel] Bug#680049: Old version of ppolicy.schema included
On 26 July 2013 00:12, Quanah Gibson-Mount qua...@zimbra.com wrote:

> For a stock openldap install, any attribute that is hard coded in ppolicy.c is available once the module is loaded. Whether or not one also requires the ppolicy.[schema|ldif] file depends entirely on whether or not they also need access to those attributes defined within them. If all you need are the hard-coded attributes, then you can skip loading the additional schema file.

Ok, so it looks like the ppolicy module only adds certain attributes. ppolicy.ldif is still required to load the objectClass required for ppolicy.

I assume that there must be a good reason for splitting the ppolicy schema up between the schema file and the module like this.

Anyway, I may not be the bug submitter, however I think this bug can be closed. The attributes are there, just in the module not the schema file.

--
Brian May br...@microcomaustralia.com.au
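A way to verify the split described above on a running server, as an added example that is not part of the bug thread or the OpenLDAP project: it takes a dump of the cn=Subschema entry (as returned by ldapsearch), unfolds the LDIF continuation lines, and reports whether the operational attributes hard-coded in ppolicy.c are present (module loaded) and whether the pwdPolicy objectClass from ppolicy.ldif is present. The embedded dump is constructed for the example.

```python
import re
# ppolicy operational attributes hard-coded in ppolicy.c (OIDs as quoted in the thread)
MODULE_ATTRS = {"1.3.6.1.4.1.42.2.27.8.1.16": "pwdChangedTime",
                "1.3.6.1.4.1.42.2.27.8.1.17": "pwdAccountLockedTime",
                "1.3.6.1.4.1.42.2.27.8.1.19": "pwdFailureTime",
                "1.3.6.1.4.1.42.2.27.8.1.20": "pwdHistory",
                "1.3.6.1.4.1.42.2.27.8.1.21": "pwdGraceUseTime",
                "1.3.6.1.4.1.42.2.27.8.1.22": "pwdReset"}
POLICY_OC = "1.3.6.1.4.1.42.2.27.8.2.1"  # pwdPolicy objectClass: only in ppolicy.ldif/.schema

# Constructed cn=Subschema excerpt: module loaded, ppolicy.ldif not loaded. The second
# definition is LDIF-folded (leading space), the same wrap that garbled "in tegerMatch" above.
SAMPLE = """dn: cn=Subschema
attributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.2 NAME 'pwdMinAge' EQUALITY in
 tegerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.16 NAME 'pwdChangedTime' USAGE directoryOperation )
attributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.17 NAME 'pwdAccountLockedTime' USAGE directoryOperation )
attributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.19 NAME 'pwdFailureTime' USAGE directoryOperation )
attributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.20 NAME 'pwdHistory' USAGE directoryOperation )
attributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.21 NAME 'pwdGraceUseTime' USAGE directoryOperation )
attributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.22 NAME 'pwdReset' USAGE directoryOperation )
"""

DEF_RE = re.compile(r"^(attributeTypes|objectClasses):\s*\(\s*([\d.]+)\s+NAME\s+\(?\s*'([^']+)'")

def unfold_ldif(text):
    """Join LDIF continuation lines (a leading space marks a wrapped line); drop comments."""
    out = []
    for raw in text.splitlines():
        if raw.startswith(" ") and out:
            out[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            out.append(raw)
    return out

def parse_subschema(text):
    # Map OID -> (kind, name) for every attributeTypes/objectClasses definition.
    found = {}
    for line in unfold_ldif(text):
        m = DEF_RE.match(line)
        if m:
            found[m.group(2)] = (m.group(1), m.group(3))
    return found

def diagnose(text):
    # Missing module attributes mean the overlay is not loaded; a missing pwdPolicy
    # objectClass means ppolicy.ldif/ppolicy.schema was not loaded.
    found = parse_subschema(text)
    missing = sorted(n for oid, n in MODULE_ATTRS.items() if oid not in found)
    return {"module_loaded": not missing,
            "missing_module_attrs": missing,
            "pwdPolicy_objectclass": POLICY_OC in found}
```

On a live server, feed it the output of `ldapsearch -b cn=Subschema -s base attributeTypes objectClasses` instead of the constructed dump.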
Bug#680049: [Pkg-openldap-devel] Bug#680049: Old version of ppolicy.schema included
--On Wednesday, July 24, 2013 11:20 AM +1000 Brian May br...@microcomaustralia.com.au wrote:

> The file: servers/slapd/schema/ppolicy.ldif from the upstream sources also appears to be out-of-date too.

I'm not sure what you mean by this. I just checked the source repository for OpenLDAP, and ppolicy.ldif and ppolicy.schema have the same definitions.

--Quanah

--
Quanah Gibson-Mount
Lead Engineer
Zimbra, Inc
Zimbra :: the leader in open source messaging and collaboration
Bug#680049: [Pkg-openldap-devel] Bug#680049: Old version of ppolicy.schema included
On 25 July 2013 01:51, Quanah Gibson-Mount qua...@zimbra.com wrote:

> I'm not sure what you mean by this. I just checked the source repository for OpenLDAP, and ppolicy.ldif and ppolicy.schema have the same definitions.

I checked the latest stable release of OpenLDAP I could find.

Oh wait, the supplied ppolicy.schema does have these new definitions, but they are commented out. My bad.
Bug#680049: [Pkg-openldap-devel] Bug#680049: Old version of ppolicy.schema included
--On Thursday, July 25, 2013 9:19 AM +1000 Brian May br...@microcomaustralia.com.au wrote:

> I checked the latest stable release of OpenLDAP I could find.

Not exactly sure what you mean by this either. The source for OpenLDAP is far from hidden: http://www.openldap.org/software/download/

> Oh wait, the supplied ppolicy.schema does have these new definitions, but they are commented out. My bad.

No clue what you mean on this either. The definitions are not commented out in either file, and the definitions of all attributes/objectclass are identical.

    quanah@zre-ldap001:~/src/openldap/openldap-2-4/servers/slapd/schema$ cat ppolicy.ldif | grep -v ^#
    dn: cn=ppolicy,cn=schema,cn=config
    objectClass: olcSchemaConfig
    cn: ppolicy
    olcAttributeTypes: {0}( 1.3.6.1.4.1.42.2.27.8.1.1 NAME 'pwdAttribute' EQUALITY objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
    olcAttributeTypes: {1}( 1.3.6.1.4.1.42.2.27.8.1.2 NAME 'pwdMinAge' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
    olcAttributeTypes: {2}( 1.3.6.1.4.1.42.2.27.8.1.3 NAME 'pwdMaxAge' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
    olcAttributeTypes: {3}( 1.3.6.1.4.1.42.2.27.8.1.4 NAME 'pwdInHistory' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
    olcAttributeTypes: {4}( 1.3.6.1.4.1.42.2.27.8.1.5 NAME 'pwdCheckQuality' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
    olcAttributeTypes: {5}( 1.3.6.1.4.1.42.2.27.8.1.6 NAME 'pwdMinLength' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
    olcAttributeTypes: {6}( 1.3.6.1.4.1.42.2.27.8.1.7 NAME 'pwdExpireWarning' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
    olcAttributeTypes: {7}( 1.3.6.1.4.1.42.2.27.8.1.8 NAME 'pwdGraceAuthNLimit' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
    olcAttributeTypes: {8}( 1.3.6.1.4.1.42.2.27.8.1.9 NAME 'pwdLockout' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
    olcAttributeTypes: {9}( 1.3.6.1.4.1.42.2.27.8.1.10 NAME 'pwdLockoutDuration' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
    olcAttributeTypes: {10}( 1.3.6.1.4.1.42.2.27.8.1.11 NAME 'pwdMaxFailure' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
    olcAttributeTypes: {11}( 1.3.6.1.4.1.42.2.27.8.1.12 NAME 'pwdFailureCountInterval' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
    olcAttributeTypes: {12}( 1.3.6.1.4.1.42.2.27.8.1.13 NAME 'pwdMustChange' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
    olcAttributeTypes: {13}( 1.3.6.1.4.1.42.2.27.8.1.14 NAME 'pwdAllowUserChange' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
    olcAttributeTypes: {14}( 1.3.6.1.4.1.42.2.27.8.1.15 NAME 'pwdSafeModify' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
    olcAttributeTypes: {15}( 1.3.6.1.4.1.4754.1.99.1 NAME 'pwdCheckModule' DESC 'Loadable module that instantiates check_password() function' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
    olcObjectClasses: {0}( 1.3.6.1.4.1.4754.2.99.1 NAME 'pwdPolicyChecker' SUP top AUXILIARY MAY pwdCheckModule )
    olcObjectClasses: {1}( 1.3.6.1.4.1.42.2.27.8.2.1 NAME 'pwdPolicy' SUP top AUXILIARY MUST pwdAttribute MAY ( pwdMinAge $ pwdMaxAge $ pwdInHistory $ pwdCheckQuality $ pwdMinLength $ pwdExpireWarning $ pwdGraceAuthNLimit $ pwdLockout $ pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $ pwdMustChange $ pwdAllowUserChange $ pwdSafeModify ) )

    quanah@zre-ldap001:~/src/openldap/openldap-2-4/servers/slapd/schema$ clear;cat ppolicy.schema | grep -v ^#
    attributetype ( 1.3.6.1.4.1.42.2.27.8.1.1 NAME 'pwdAttribute' EQUALITY objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
    attributetype ( 1.3.6.1.4.1.42.2.27.8.1.2 NAME 'pwdMinAge' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
    attributetype ( 1.3.6.1.4.1.42.2.27.8.1.3 NAME 'pwdMaxAge' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
    attributetype ( 1.3.6.1.4.1.42.2.27.8.1.4 NAME 'pwdInHistory' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
    attributetype ( 1.3.6.1.4.1.42.2.27.8.1.5 NAME 'pwdCheckQuality' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
    attributetype ( 1.3.6.1.4.1.42.2.27.8.1.6 NAME 'pwdMinLength' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
    attributetype ( 1.3.6.1.4.1.42.2.27.8.1.7 NAME 'pwdExpireWarning' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
    attributetype ( 1.3.6.1.4.1.42.2.27.8.1.8 NAME 'pwdGraceAuthNLimit' EQUALITY integerMatch
Bug#680049: [Pkg-openldap-devel] Bug#680049: Old version of ppolicy.schema included
On 25 July 2013 15:08, Quanah Gibson-Mount qua...@zimbra.com wrote:

> --On Thursday, July 25, 2013 9:19 AM +1000 Brian May br...@microcomaustralia.com.au wrote:
>
>> I checked the latest stable release of OpenLDAP I could find.
>
> Not exactly sure what you mean by this either. The source for OpenLDAP is far from hidden: http://www.openldap.org/software/download/

You misunderstood. I never said it was hidden.

From this page I found: ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/openldap-2.4.35.tgz

This is the latest stable release I could find. I never said I couldn't find any stable releases.

>> Oh wait, the supplied ppolicy.schema does have these new definitions, but they are commented out. My bad.
>
> No clue what you mean on this either. The definitions are not commented out in either file, and the definitions of all attributes/objectclass are identical.

None of these are the new definitions. As discussed in this bug. The original bug reporter said

> The newer version included several added attributes (PWDCHANGEDTIME, PWDHISTORY, PWDFAILURETIME, PWDGRACEUSETIME) which are needed e.g. by GoSA.

However if I look for these, they are commented out. e.g. in openldap-2.4.35/servers/slapd/schema/ppolicy.schema

    # ( 1.3.6.1.4.1.42.2.27.8.1.20
    #    NAME 'pwdHistory'
    #    DESC 'The history of users passwords'
    #    EQUALITY octetStringMatch
    #    SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
    #    USAGE directoryOperation )

--
Brian May br...@microcomaustralia.com.au
Bug#680049: [Pkg-openldap-devel] Bug#680049: Old version of ppolicy.schema included
tags 680049 confirmed
thanks

On Tue, Jul 03, 2012 at 09:09:03AM +0200, Andreas Heinlein wrote:

> The file /etc/ldap/schema/ppolicy.schema included with the package is version 1.2.2.4 2007/01/02, while the version included with the official tarball of openldap-2.4.23 is 1.7.2.5 2010/04/13. Curiously, there is no ppolicy.schema at all in the .orig.tar.gz of the debian package.

Yes; this is because the original file, as included upstream, is partly covered by a license that is non-free, so the file has to be removed from the source package and manually re-imported into the debian diff with the copyrighted portions removed. Unfortunately it seems we've overlooked the fact that there've been upstream changes and are now out of sync.

> The newer version included several added attributes (PWDCHANGEDTIME, PWDHISTORY, PWDFAILURETIME, PWDGRACEUSETIME) which are needed e.g. by GoSA.

Ok. :/

Marking this bug confirmed so that we can hopefully get it fixed for wheezy.

--
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slanga...@ubuntu.com                                     vor...@debian.org