[Bug 9156] latest ppolicy draft support

2020-04-14 Thread openldap-its
https://bugs.openldap.org/show_bug.cgi?id=9156

--- Comment #10 from Ondřej Kuzník  ---
On Thu, Apr 09, 2020 at 02:41:54PM +, openldap-...@openldap.org wrote:
> The problem was that I was using old lastbind overlay, which in some way was
> in conflict with current lastbind.
> If I understand correctly, the current lastbind is now completely included
> into OpenLDAP 2.5?

No, features you might want to configure lastbind with do not (yet) have
an equivalent in the core implementation, so I haven't removed it from
2.5 yet.

> It is very important to me, because as a maintainer of OpenLDAP-LTB, we would
> have to warn people that the configuration parameters have changed (overlay
> lastbind -> lastbind on) and that the overlay won't be provided any more.
> 
> 
>> - pwdStartTime, pwdEndTime: OK, but there is no special ppolicy code
>> returned, and if I read correctly the draft
>> (https://tools.ietf.org/html/draft-behera-ldap-password-policy-10#section-7.1),
>> an "accountLocked" extended error code should be triggered.
> 
> I was simply missing the ppolicy_use_lockout parameter.
> One remark though: the reason of locking is not very explicit.
> I understand that many companies/organizations will consider it is a good
> thing to hide this information for security reasons. For the others, maybe we
> could have some sort of level?
> Configuration example:
> lockout_message_description [none|minimal|verbose]

The message is output by the client, the only information provided is
the ppolicy response control:
https://tools.ietf.org/html/draft-behera-ldap-password-policy-10#section-6.2

(or rather
https://git.openldap.org/openldap/openldap/-/blob/master/doc/drafts/draft-behera-ldap-password-policy-xx.xml#L1112)

Providing any more information would need to be integrated into the
draft as well.

> In the specification the extended error code could simply stay as it is:
> "(1)Account locked", but we could add a more precise description in case the
> verbose mode is enabled: "(1)Account locked (account unused for a too long
> time)"

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug 9156] latest ppolicy draft support

2020-04-09 Thread openldap-its
https://bugs.openldap.org/show_bug.cgi?id=9156

--- Comment #9 from David Coutadeur  ---

Hello,

Thanks Ondřej for your answer to my test results.
Here are some updates!



> - pwdLastSuccess, pwdMaxIdle: KO: the user is able to authenticate after the
> pwdMaxIdle delay. Also, the pwdLastSuccess is never written (see
> https://tools.ietf.org/html/draft-behera-ldap-password-policy-10#section-5.3.11).
> For information, I have enabled lastbind. The slapo-ppolicy man page does not
> mention pwdLastSuccess by the way. 

I finally succeeded in making it work.
Thanks for pointing test022-ppolicy, it was helpful.
The problem was that I was using old lastbind overlay, which in some way was in
conflict with current lastbind.
If I understand correctly, the current lastbind is now completely included into
OpenLDAP 2.5?
It is very important to me, because as a maintainer of OpenLDAP-LTB, we would
have to warn people that the configuration parameters have changed (overlay
lastbind -> lastbind on) and that the overlay won't be provided any more.


> - pwdStartTime, pwdEndTime: OK, but there is no special ppolicy code returned,
> and if I read correctly the draft
> (https://tools.ietf.org/html/draft-behera-ldap-password-policy-10#section-7.1),
> an "accountLocked" extended error code should be triggered.

I was simply missing the ppolicy_use_lockout parameter.
One remark though: the reason of locking is not very explicit.
I understand that many companies/organizations will consider it is a good thing
to hide this information for security reasons. For the others, maybe we could
have some sort of level?
Configuration example:
lockout_message_description [none|minimal|verbose]

In the specification the extended error code could simply stay as it is:
"(1)Account locked", but we could add a more precise description in case the
verbose mode is enabled: "(1)Account locked (account unused for a too long
time)"

Regards,

David


[Bug 9156] latest ppolicy draft support

2020-04-02 Thread openldap-its
https://bugs.openldap.org/show_bug.cgi?id=9156

--- Comment #8 from Quanah Gibson-Mount  ---
(In reply to Ondřej Kuzník from comment #5)

> 
> Hi David,
> could you show a configuration when this happens? I cannot reproduce
> either issue on master.
> 
> I will update the manpage to mention pwdLastSuccess is used.
> 
> > - pwdStartTime, pwdEndTime: OK, but there is no special ppolicy code
> > returned, and if I read correctly the draft
> > (https://tools.ietf.org/html/draft-behera-ldap-password-policy-10#section-7.1),
> > an "accountLocked" extended error code should be triggered.
> 
> Again, can't seem to be able to reproduce that and test022-ppolicy
> passes for me.

Hi David,

Can you provide the requested info? Thanks!


[Bug 9156] latest ppolicy draft support

2020-04-02 Thread openldap-its
https://bugs.openldap.org/show_bug.cgi?id=9156

Quanah Gibson-Mount  changed:

   What       Removed     Added
   CC                     qua...@openldap.org

--- Comment #7 from Quanah Gibson-Mount  ---
*** Bug 8935 has been marked as a duplicate of this bug. ***


[Bug 9156] latest ppolicy draft support

2020-04-02 Thread openldap-its
https://bugs.openldap.org/show_bug.cgi?id=9156

Ondřej Kuzník  changed:

   What       Removed     Added
   CC                     guillomovi...@gmail.com

--- Comment #6 from Ondřej Kuzník  ---
*** Bug 6084 has been marked as a duplicate of this bug. ***


[Bug 9156] latest ppolicy draft support

2020-04-02 Thread openldap-its
https://bugs.openldap.org/show_bug.cgi?id=9156

Ondřej Kuzník  changed:

   What       Removed     Added
   See Also               https://bugs.openldap.org/show_bug.cgi?id=8935


[Bug 9156] latest ppolicy draft support

2020-03-30 Thread openldap-its
https://bugs.openldap.org/show_bug.cgi?id=9156

--- Comment #5 from Ondřej Kuzník  ---
On Fri, Mar 27, 2020 at 05:02:02PM +, openldap-...@openldap.org wrote:
> Hello,
> 
> Here are the things I have basically tested:
> 
> - pwdLastSuccess, pwdMaxIdle: KO: the user is able to authenticate after the
> pwdMaxIdle delay. Also, the pwdLastSuccess is never written (see
> https://tools.ietf.org/html/draft-behera-ldap-password-policy-10#section-5.3.11).
> For information, I have enabled lastbind. The slapo-ppolicy man page does not
> mention pwdLastSuccess by the way. 

Hi David,
could you show a configuration when this happens? I cannot reproduce
either issue on master.

I will update the manpage to mention pwdLastSuccess is used.

> - pwdStartTime, pwdEndTime: OK, but there is no special ppolicy code returned,
> and if I read correctly the draft
> (https://tools.ietf.org/html/draft-behera-ldap-password-policy-10#section-7.1),
> an "accountLocked" extended error code should be triggered.

Again, can't seem to be able to reproduce that and test022-ppolicy
passes for me.


[Bug 9156] latest ppolicy draft support

2020-03-27 Thread openldap-its
https://bugs.openldap.org/show_bug.cgi?id=9156

--- Comment #4 from Ryan Tandy  ---
(In reply to David Coutadeur from comment #3)
> For information, I had to fix a typo before it compiles: the manpage of
> pbkdf2 overlay was not correctly written:
> in contrib/slapd-modules/passwd/pbkdf2/Makefile:
> ```
> MANPAGES = slapd-pw-pbkdf2.5
> ```
> should be:
> ```
> MANPAGES = slapo-pw-pbkdf2.5
> ```

That's https://bugs.openldap.org/show_bug.cgi?id=8837


[Bug 9156] latest ppolicy draft support

2020-03-27 Thread openldap-its
https://bugs.openldap.org/show_bug.cgi?id=9156

--- Comment #3 from David Coutadeur  ---

Hello,

I have made some new tests on OpenLDAP master branch.
For information, I had to fix a typo before it compiles: the manpage of pbkdf2
overlay was not correctly written:
in contrib/slapd-modules/passwd/pbkdf2/Makefile:
```
MANPAGES = slapd-pw-pbkdf2.5
```
should be:
```
MANPAGES = slapo-pw-pbkdf2.5
```

Here are the things I have basically tested:

- pwdMaxLength: OK

- pwdLastSuccess, pwdMaxIdle: KO: the user is able to authenticate after the
pwdMaxIdle delay. Also, the pwdLastSuccess is never written (see
https://tools.ietf.org/html/draft-behera-ldap-password-policy-10#section-5.3.11).
For information, I have enabled lastbind. The slapo-ppolicy man page does not
mention pwdLastSuccess by the way. 

- pwdStartTime, pwdEndTime: OK, but there is no special ppolicy code returned,
and if I read correctly the draft
(https://tools.ietf.org/html/draft-behera-ldap-password-policy-10#section-7.1),
an "accountLocked" extended error code should be triggered.

- basic integration with ppm, and in particular the pwdCheckModuleArg
(https://github.com/ltb-project/ppm): OK (but will need some adaptation of the
check_password signature: https://github.com/ltb-project/ppm/issues/20)


Regards,

David

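The checks David lists above (pwdStartTime/pwdEndTime, pwdMaxIdle measured from pwdLastSuccess) and the effect of ppolicy_use_lockout on what a failed Bind reveals, as an added example written for this thread: it is a model of the draft semantics as I read them, not OpenLDAP's ppolicy.c, and it assumes an entry without pwdLastSuccess is simply not idle-checked. The entry values are constructed.

```python
from datetime import datetime, timedelta, timezone

# ppolicy response control error value for accountLocked (draft section 6.2)
ACCOUNT_LOCKED = 1


def parse_gt(value):
    """Parse an LDAP GeneralizedTime such as 20200327170202Z into a UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def lock_reason(entry, now):
    """Return why the entry counts as locked at `now`, or None if it is usable.

    `entry` maps attribute name -> string value; pwdMaxIdle is folded in from
    the policy entry for simplicity. Assumption (not taken from the draft): an
    entry without pwdLastSuccess is not subject to the idle check.
    """
    if "pwdStartTime" in entry and now < parse_gt(entry["pwdStartTime"]):
        return "account not yet usable (before pwdStartTime)"
    if "pwdEndTime" in entry and now >= parse_gt(entry["pwdEndTime"]):
        return "account no longer usable (after pwdEndTime)"
    max_idle = entry.get("pwdMaxIdle")
    if max_idle and "pwdLastSuccess" in entry:
        idle = now - parse_gt(entry["pwdLastSuccess"])
        if idle > timedelta(seconds=int(max_idle)):
            return "account unused for longer than pwdMaxIdle"
    return None


def bind_outcome(entry, now, use_lockout):
    """Model what a Bind against a locked entry reveals to the client.

    Returns (resultCode, ppolicy error value or None, local reason). The reason
    only exists server-side: the response control has no field for it, so the
    client sees at most the accountLocked value, and only when
    ppolicy_use_lockout is set.
    """
    reason = lock_reason(entry, now)
    if reason is None:
        return ("success", None, None)
    if use_lockout:
        return ("invalidCredentials", ACCOUNT_LOCKED, reason)
    return ("invalidCredentials", None, reason)


if __name__ == "__main__":
    # Constructed sample: last successful bind on 2020-03-20, one day of idle allowed.
    now = parse_gt("20200327170202Z")
    sample = {"pwdLastSuccess": "20200320000000Z", "pwdMaxIdle": "86400"}
    print(bind_outcome(sample, now, use_lockout=False))
    print(bind_outcome(sample, now, use_lockout=True))
```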

[Bug 9156] latest ppolicy draft support

2020-03-27 Thread openldap-its
https://bugs.openldap.org/show_bug.cgi?id=9156

--- Comment #2 from David Coutadeur  ---
Hello,

Just for traceability, I have made some tests about this feature some time ago,
when it was available only at
https://github.com/mistotebe/openldap/tree/ppolicy10

I have basically tested these at 2020-01-20:
- pwdMaxLength
- pwdLastSuccess, pwdMaxIdle
- pwdStartTime, pwdEndTime
- basic integration with ppm (https://github.com/ltb-project/ppm)

I am planning to test again on RE25 branch of OpenLDAP soon.

David


[Bug 9156] latest ppolicy draft support

2020-03-25 Thread openldap-its
https://bugs.openldap.org/show_bug.cgi?id=9156

Ondřej Kuzník  changed:

   What       Removed     Added
   See Also               https://bugs.openldap.org/show_bug.cgi?id=7697


[Bug 9156] latest ppolicy draft support

2020-03-23 Thread openldap-its
https://bugs.openldap.org/show_bug.cgi?id=9156

Ondřej Kuzník  changed:

   What         Removed       Added
   Resolution   ---           TEST
   Status       UNCONFIRMED   RESOLVED

--- Comment #1 from Ondřej Kuzník  ---
Already in master.


[Bug 9156] latest ppolicy draft support

2020-03-23 Thread openldap-its
https://bugs.openldap.org/show_bug.cgi?id=9156

Ondřej Kuzník  changed:

   What       Removed     Added
   See Also               https://bugs.openldap.org/show_bug.cgi?id=7055


[Bug 9156] latest ppolicy draft support

2020-03-21 Thread openldap-its
https://bugs.openldap.org/show_bug.cgi?id=9156

Quanah Gibson-Mount  changed:

   What       Removed     Added
   See Also               https://bugs.openldap.org/show_bug.cgi?id=7832


[Bug 9156] latest ppolicy draft support

2020-03-19 Thread openldap-its
https://bugs.openldap.org/show_bug.cgi?id=9156

Quanah Gibson-Mount  changed:

   What       Removed     Added
   See Also               https://bugs.openldap.org/show_bug.cgi?id=7084


[Bug 9156] latest ppolicy draft support

2020-03-19 Thread openldap-its
https://bugs.openldap.org/show_bug.cgi?id=9156

Quanah Gibson-Mount  changed:

   What               Removed     Added
   Target Milestone   ---         2.5.0


[Bug 9156] latest ppolicy draft support

2020-03-19 Thread openldap-its
https://bugs.openldap.org/show_bug.cgi?id=9156

Quanah Gibson-Mount  changed:

   What       Removed     Added
   See Also               https://bugs.openldap.org/show_bug.cgi?id=6830


[Bug 9156] latest ppolicy draft support

2020-03-13 Thread openldap-its
https://bugs.openldap.org/show_bug.cgi?id=9156

Quanah Gibson-Mount  changed:

   What        Removed     Added
   Component   slapd       overlays
   CC                      openldap-bugs@openldap.org
