Re: Permission management with LDAP

2015-09-01 Thread Dieter Klünter
On Tue, 1 Sep 2015 06:21:34 +
"Fischer, Johannes" wrote:

> Hi again,
> 
> I did not get what I want to get.
> With the memberof overlay I get a structure like expected:
> User
>   -memberOfGroup
> groupOfPermission
>   - member
>   - permission
> Permission
>   -memberOfGroup
> 
> With every update of groupOfPermission the links to the User and
> Permission class are generated. So far so good
> 
> If I want to check if a user has some Permission, I still have to
> collect the memberOfGroup attributes from the Permission class. Then
> I am able to search for the corresponding link between user and
> permission, like
> (&(uid=$1)(memberOf=(Permission.getAll(memberOfGroup
> This works BUT it requires two interactions with the server. This is an
> all-time problem. Is there a better solution with some magic LDAP overlay?
> 
> PS. We want a mapping of permission to User; this way a fine-grained
> mapping of permissions to Groups to User is possible at every time.

you may test sets
http://www.openldap.org/faq/data/cache/1133.html

If you do have some spare time in November, you may attend LDAP
Conference 2015 at Edinburgh
http://ldapcon.org/2015/
Shawn McKinney's paper on Security Access Control Engine is quite
promising, and Michael Stroeder's paper on a users management system
may give you some insights to your tasks.

-Dieter

> 
> -Original Message-
> From: openldap-technical
> [mailto:openldap-technical-boun...@openldap.org] On behalf of
> Fischer, Johannes
> Sent: Friday, 28 August 2015 14:17
> To: Dieter Klünter
> Cc: openldap-technical@openldap.org
> Subject: AW: Permission management with LDAP
> 
> Hi,
> 
> I've tried your idea. It worked well with groupOfNames.
> Then I've tried to implement the memberof overlay for a user-specific
> objectClass:
> Dn: olcOverlay={1}
> objectClass: olcConfig
> objectClass: olcOverlayConfig
> objectClass: olcMemberOf
> olcOverlay: memberof
> olcMemberOfDangling: ignore
> olcMemberOfRefInt: TRUE
> olcMemberOfGroupOC: GroupOfPermissions
> olcMemberOfMemberAD: permissionMember
> olcMemberOfMemberOfAD: member
> 
> While adding the ldif, I get: unable to find group objectClass="GroupOfPermissions"
> The objectClass is available on the server and is a self-created objectClass.
> Do I have to include some paths to announce the objectClass?
> 
> Greetings John
> 
> 
> -Original Message-
> From: Dieter Klünter [mailto:die...@dkluenter.de]
> Sent: Friday, 28 August 2015 09:36
> To: Fischer, Johannes
> Cc: openldap-technical@openldap.org
> Subject: Re: Permission management with LDAP
> 
> On Fri, 28 Aug 2015 06:06:06 +
> "Fischer, Johannes" wrote:
> 
> > Hi again,
> > 
> > I didn't want to hijack a thread, so here is a second mail
> > with a completely different question.
> > 
> > If I have a structure like:
> > User
> > 
> > -  Role
> > Role
> > 
> > -  User
> > 
> > -  Permission
> > Permission
> > 
> > -  Role
> > 
> > Now I want to get the authorization for some permission, so I have
> > the information which user and which Permission. Now I need to
> > match the list. The way it already works: get all Roles for a
> > Permission; search the user for the Role; if found, authorization,
> > else no. Therefore I need at least two requests to the LDAP server.
> 
> For this sort of task I use slapo-memberof(5) and a proper filter.
> Something like (&(uid=$1)(memberOf=myGroup))
> 
> -Dieter
> 
> --
> Dieter Klünter | Systemberatung
> http://sys4.de
> GPG Key ID: E9ED159B
> 53°37'09,95"N
> 10°08'02,42"E



-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E



AW: Permission management with LDAP

2015-09-01 Thread Fischer, Johannes
Hi again,

I did not get what I want to get.
With the memberof overlay I get a structure like expected:
User
-memberOfGroup
groupOfPermission
- member
- permission
Permission
-memberOfGroup

With every update of groupOfPermission the links to the User and Permission 
class are generated. So far so good

If I want to check if a user has some Permission, I still have to collect the 
memberOfGroup attributes from the Permission class. Then I am able to search 
for the corresponding link between user and permission,
like (&(uid=$1)(memberOf=(Permission.getAll(memberOfGroup
This works BUT it requires two interactions with the server. This is an all-time 
problem. Is there a better solution with some magic LDAP overlay?

Greetings John

PS. We want a mapping of permission to User; this way a fine-grained mapping 
of permissions to Groups to User is possible at every time.


-Original Message-
From: openldap-technical [mailto:openldap-technical-boun...@openldap.org] On 
behalf of Fischer, Johannes
Sent: Friday, 28 August 2015 14:17
To: Dieter Klünter
Cc: openldap-technical@openldap.org
Subject: AW: Permission management with LDAP

Hi,

I've tried your idea. It worked well with groupOfNames.
Then I've tried to implement the memberof overlay for a user-specific 
objectClass:
Dn: olcOverlay={1}
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcMemberOf
olcOverlay: memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: GroupOfPermissions
olcMemberOfMemberAD: permissionMember
olcMemberOfMemberOfAD: member

While adding the ldif, I get: unable to find group objectClass="GroupOfPermissions"
The objectClass is available on the server and is a self-created objectClass.
Do I have to include some paths to announce the objectClass?

Greetings John


-Original Message-
From: Dieter Klünter [mailto:die...@dkluenter.de]
Sent: Friday, 28 August 2015 09:36
To: Fischer, Johannes
Cc: openldap-technical@openldap.org
Subject: Re: Permission management with LDAP

On Fri, 28 Aug 2015 06:06:06 +
"Fischer, Johannes" wrote:

> Hi again,
> 
> I didn't want to hijack a thread, so here is a second mail with a 
> completely different question.
> 
> If I have a structure like:
> User
> 
> -  Role
> Role
> 
> -  User
> 
> -  Permission
> Permission
> 
> -  Role
> 
> Now I want to get the authorization for some permission, so I have the 
> information which user and which Permission. Now I need to match the 
> list. The way it already works: get all Roles for a Permission;
> search the user for the Role; if found, authorization,
> else no. Therefore I need at least two requests to the LDAP server.

For this sort of task I use slapo-memberof(5) and a proper filter. 
Something like (&(uid=$1)(memberOf=myGroup))

-Dieter

--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E


AW: Permission management with LDAP

2015-09-01 Thread Fischer, Johannes
Hi Dieter,

It was a great idea to actually search for the objectClass on the server...
The objectClass 'groupOfPermisssions' was already in my documentation but not on the 
server...

Shame on me

Thanks a lot.

John
-Original Message-
From: openldap-technical [mailto:openldap-technical-boun...@openldap.org] On 
behalf of Dieter Klünter
Sent: Friday, 28 August 2015 15:24
To: openldap-technical@openldap.org
Subject: Re: Permission management with LDAP

On Fri, 28 Aug 2015 12:16:48 +
"Fischer, Johannes" wrote:

> Hi,
> 
> I've tried your idea. It worked well with groupOfNames.
> Then I've tried to implement the memberof overlay for a user-specific
> objectClass:
> Dn: olcOverlay={1}
> objectClass: olcConfig
> objectClass: olcOverlayConfig
> objectClass: olcMemberOf
> olcOverlay: memberof
> olcMemberOfDangling: ignore
> olcMemberOfRefInt: TRUE
> olcMemberOfGroupOC: GroupOfPermissions
> olcMemberOfMemberAD: permissionMember
> olcMemberOfMemberOfAD: member
> 
> While adding the ldif, I get: unable to find group objectClass="GroupOfPermissions"
> The objectClass is available on the server and is a self-created 
> objectClass. Do I have to include some paths to announce the objectClass?

[...]

Check whether groupOfPermissions is loaded at all:
ldapsearch -x -H ldap://localhost -b cn=subschema -s base + \
  | grep -A2 'groupOfPermisssions'

and what is the syntax of permissionmember and member?

-Dieter 

--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
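Dieter's check above greps the subschema for the objectClass name, and his follow-up question is what syntax permissionMember and member have. The Python below is an added example, not code from this thread or from OpenLDAP: it runs the same two checks offline against a constructed excerpt of `ldapsearch -b cn=subschema -s base +` output. It mirrors the validation slapo-memberof performs on its settings: the group objectClass must exist in the loaded schema (this is the "unable to find group objectClass" error John hit), and both the member and the memberOf attribute must resolve, through their SUP chain, to the DN or nameUID syntax. Lookups are case-insensitive, as LDAP names are, so a spelling difference such as the extra "s" in groupOfPermisssions is reported as a missing class rather than hidden. The well-known definitions carry their standard OIDs; permissionMember is a sample attribute with a placeholder OID, and groupOfPermissions is deliberately absent, as it was on John's server.

```python
import re
from typing import Dict, List, Optional, Tuple

# Syntaxes slapo-memberof accepts for its member and memberOf attributes (RFC 4517 OIDs).
DN_SYNTAX = "1.3.6.1.4.1.1466.115.121.1.12"        # Distinguished Name
NAME_UID_SYNTAX = "1.3.6.1.4.1.1466.115.121.1.34"  # Name and Optional UID
ACCEPTED_SYNTAXES = {DN_SYNTAX, NAME_UID_SYNTAX}

# Constructed excerpt of `ldapsearch -x -b cn=subschema -s base +` output.
# Standard OIDs for the well-known definitions; permissionMember is a sample
# attribute with a placeholder OID. groupOfPermissions is deliberately absent.
SAMPLE_SUBSCHEMA = """\
dn: cn=Subschema
attributeTypes: ( 2.5.4.41 NAME 'name' EQUALITY caseIgnoreMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributeTypes: ( 2.5.4.3 NAME ( 'cn' 'commonName' ) SUP name )
attributeTypes: ( 2.5.4.49 NAME 'distinguishedName' EQUALITY distinguishedNameMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
attributeTypes: ( 2.5.4.31 NAME 'member' DESC 'RFC2256: member of a group'
  SUP distinguishedName )
attributeTypes: ( 1.2.840.113556.1.2.102 NAME 'memberOf' EQUALITY distinguishedNameMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 USAGE dSAOperation NO-USER-MODIFICATION )
attributeTypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'permissionMember'
  DESC 'constructed sample, placeholder OID' SUP distinguishedName )
objectClasses: ( 2.5.6.9 NAME 'groupOfNames' SUP top STRUCTURAL MUST ( member $ cn )
  MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) )
"""

_NAME_RE = re.compile(r"NAME\s+(?:'([^']+)'|\(\s*((?:'[^']+'\s*)+)\))")

def _unfold(ldif: str) -> List[str]:
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines: List[str] = []
    for line in ldif.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines

def _names(definition: str) -> List[str]:
    """All names of a definition: NAME 'x' or NAME ( 'x' 'y' )."""
    m = _NAME_RE.search(definition)
    if not m:
        return []
    return [m.group(1)] if m.group(1) else re.findall(r"'([^']+)'", m.group(2))

def _keyword(definition: str, keyword: str) -> Optional[str]:
    """Single-token value following a schema keyword such as SUP, SYNTAX or EQUALITY."""
    m = re.search(r"\b" + keyword + r"\s+([^\s()]+)", definition)
    return m.group(1) if m else None

def parse_subschema(ldif: str) -> Tuple[Dict[str, dict], Dict[str, dict]]:
    """Index attributeTypes and objectClasses by lower-cased name (LDAP names are case-insensitive)."""
    attrs: Dict[str, dict] = {}
    ocs: Dict[str, dict] = {}
    for line in _unfold(ldif):
        key, _, value = line.partition(":")
        key = key.strip().lower()
        if key not in ("attributetypes", "objectclasses"):
            continue
        entry = {"sup": _keyword(value, "SUP"), "syntax": _keyword(value, "SYNTAX"),
                 "equality": _keyword(value, "EQUALITY")}
        target = attrs if key == "attributetypes" else ocs
        for name in _names(value):
            target[name.lower()] = entry
    return attrs, ocs

def resolve_syntax(attrs: Dict[str, dict], name: str, depth: int = 0) -> Optional[str]:
    """Follow the SUP chain until a SYNTAX is found (depth-limited against cycles)."""
    entry = attrs.get(name.lower())
    if entry is None or depth > 16:
        return None
    if entry["syntax"]:
        return entry["syntax"]
    return resolve_syntax(attrs, entry["sup"], depth + 1) if entry["sup"] else None

def check_memberof_config(attrs, ocs, group_oc: str, member_ad: str, memberof_ad: str) -> List[str]:
    """Mirror the checks slapo-memberof makes on its group-oc / member-ad / memberof-ad settings."""
    problems: List[str] = []
    if group_oc.lower() not in ocs:
        problems.append(f"olcMemberOfGroupOC: objectClass '{group_oc}' is not loaded in the subschema")
    for setting, ad in (("olcMemberOfMemberAD", member_ad), ("olcMemberOfMemberOfAD", memberof_ad)):
        if ad.lower() not in attrs:
            problems.append(f"{setting}: attribute '{ad}' is not loaded in the subschema")
            continue
        syntax = resolve_syntax(attrs, ad)
        if syntax not in ACCEPTED_SYNTAXES:
            problems.append(f"{setting}: attribute '{ad}' has syntax {syntax}, "
                            f"but DN ({DN_SYNTAX}) or nameUID ({NAME_UID_SYNTAX}) syntax is required")
    return problems

if __name__ == "__main__":
    attrs, ocs = parse_subschema(SAMPLE_SUBSCHEMA)
    # The settings from the olcOverlay={1} entry posted in the thread.
    report = check_memberof_config(attrs, ocs, "GroupOfPermissions", "permissionMember", "member")
    print("\n".join(report) if report else "memberof settings are consistent with the loaded schema")
```

To run it against a live server, replace SAMPLE_SUBSCHEMA with the output of the ldapsearch command Dieter gave (without the grep); the parser only needs the attributeTypes and objectClasses values and ignores everything else.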



AW: Send Success with first found entry

2015-09-01 Thread Fischer, Johannes
Hi Dieter,

I've tried it with a quite accurate filter request:
(&
(cn=aaa)
(objectClass=vfkUser)
)
Scope: singleLevel
Sizelimit: 1
Baseobject : cn=user, ...


The only result has been transferred from the server after 2ms, but the 
success packet still needs 2-3s.

Do I have to edit something on the server side?

Greetings John

PS. the cn's in the entry 'cn=user' are unique...


-Original Message-
From: openldap-technical [mailto:openldap-technical-boun...@openldap.org] On 
behalf of Dieter Klünter
Sent: Friday, 28 August 2015 09:46
To: openldap-technical@openldap.org
Subject: Re: Send Success with first found entry

On Fri, 28 Aug 2015 05:42:37 +
"Fischer, Johannes" wrote:

> Hi again,
> 
> more and more I get a feeling how all this works together. But often 
> you don't know what you actually need to look up...
> 
> I've looked on the LDAP server of the Institute to get a feeling how 
> the real IT guys managed their server... (It was a disaster from a 
> data protection perspective...) Some things were quite nice, for 
> example that the server sends a "success" with the first found entry in 
> a subtree.
> 
> On my openLDAP instance I receive an entry of a subtree after 20-30ms 
> but the success packet needs 200ms. For me this behavior is not clear 
> due to the fact that the entries in the directory need to be unique.
> 
> The Example:
> I'm using the Spring security framework and trigger a lookup with 
> "ldapTemplate.lookup("cn=" + _name + ",dc=users");". In 
> Wireshark I see a search request with the scope "baseObject" and the 
> filter "objectClass=*". After 33ms I receive a searchResEntry packet, 
> so the server found something and could also stop. But I think in the 
> background all the other entries in the subtree "dc=users" are looked 
> through as well. After 230ms the success packet arrives at my computer. 
> (see also Attachment)
> 
> My Question, is there a possibility to emit a success together with 
> the first found entry?

In fact, this depends on your filter design. The rate of hits decreases with 
the degree of accuracy.

-Dieter



--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E



Re: Send Success with first found entry

2015-09-01 Thread Dieter Klünter
On Tue, 1 Sep 2015 06:44:08 +
"Fischer, Johannes" wrote:

> Hi Dieter,
> 
> I've tried it with a quite accurate filter request:
> (&
> (cn=aaa)
> (objectClass=vfkUser)
> )
> Scope: singleLevel
> Sizelimit: 1
> Baseobject : cn=user, ...
> 
> 
> The only result has been transferred from the server after 2ms, but
> the success packet still needs 2-3s.
> 
> Do I have to edit something on the server side?
> 
> Greetings John
> 
> PS. the cn's in the entry 'cn=user' are unique...

This is rather strange, could you run slapd in debugging mode (-d-1) in
order to watch the internal process?

-Dieter


> 
> 
> -Original Message-
> From: openldap-technical
> [mailto:openldap-technical-boun...@openldap.org] On behalf of
> Dieter Klünter
> Sent: Friday, 28 August 2015 09:46
> To: openldap-technical@openldap.org
> Subject: Re: Send Success with first found entry
> 
> On Fri, 28 Aug 2015 05:42:37 +
> "Fischer, Johannes" wrote:
> 
> > Hi again,
> > 
> > more and more I get a feeling how all this works together. But often 
> > you don't know what you actually need to look up...
> > 
> > I've looked on the LDAP server of the Institute to get a feeling
> > how the real IT guys managed their server... (It was a disaster
> > from a data protection perspective...) Some things were quite nice,
> > for example that the server sends a "success" with the first found
> > entry in a subtree.
> > 
> > On my openLDAP instance I receive an entry of a subtree after
> > 20-30ms but the success packet needs 200ms. For me this behavior is
> > not clear due to the fact that the entries in the directory need
> > to be unique.
> > 
> > The Example:
> > I'm using the Spring security framework and trigger a lookup with 
> > "ldapTemplate.lookup("cn=" + _name + ",dc=users");". In 
> > Wireshark I see a search request with the scope "baseObject" and
> > the filter "objectClass=*". After 33ms I receive a searchResEntry
> > packet, so the server found something and could also stop. But I
> > think in the background all the other entries in the subtree
> > "dc=users" are looked through as well. After 230ms the success packet
> > arrives at my computer. (see also Attachment)
> > 
> > My Question, is there a possibility to emit a success together with 
> > the first found entry?
> 
> In fact, this depends on your filter design. The rate of hits
> decreases with the degree of accuracy.
> 
> -Dieter
> 
> 
> 
> --
> Dieter Klünter | Systemberatung
> http://sys4.de
> GPG Key ID: E9ED159B
> 53°37'09,95"N
> 10°08'02,42"E
> 



-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E



"olcSizeLimit: size.prtotal=disabled" ignored?

2015-09-01 Thread Igor Shmukler
Hello,

I am running OpenLDAP 2.4.31.
Tried to disable simple paged results - rfc 2696 with:
dn: cn=config
changetype: modify
replace: olcSizeLimit
olcSizeLimit: size.prtotal=disabled

The ldapmodify(1) does not complain, yet the change does not affect my server.

My goal is to have clients receive something like "Unavailable
Critical Extension" as a response.
Is what I am attempting to do expected to disable simple paged results
for all clients [and DITs]? Is it even possible? Am I going right
about disabling paging control?

Thank you,

Igor Shmukler



Re: "olcSizeLimit: size.prtotal=disabled" ignored?

2015-09-01 Thread Dieter Klünter
On Tue, 1 Sep 2015 13:21:51 +0300
Igor Shmukler wrote:

> Hello,
> 
> I am running OpenLDAP 2.4.31.
> Tried to disable simple paged results - rfc 2696 with:
> dn: cn=config
> changetype: modify
> replace: olcSizeLimit
> olcSizeLimit: size.prtotal=disabled
> 
> The ldapmodify(1) does not complain, yet the change does not affect
> my server.
> 
> My goal is to have clients receive something like "Unavailable
> Critical Extension" as a response.
> Is what I am attempting to do expected to disable simple paged results
> for all clients [and DITs]? Is it even possible? Am I going right
> about disabling paging control?

slapd silently ignores the control request, but sizelimit still comes
into effect.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E



SASL/EXTERNAL not available

2015-09-01 Thread Frank Crow
Hi,

I'm trying to configure OpenLDAP 2.4.23 (running on RHEL6.5) to use
client-side certificates via the SASL/EXTERNAL mechanism.   I have
successfully configured server-side certs with TLS and was wanting to
expand my configuration on the client-side.

If I set the TLSClientVerify to "allow" or "try" and attempt to use "-Y
EXTERNAL", I get the following message:

SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
  additional info: SASL (-4): no mechaism available:


If I do a search on the DSE, I get the following available methods:

dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: PLAIN


I know that other people are using this but nobody (here at work) knows why
my particular configuration is getting this error.   Can anyone help me
figure this out?


Thanks,

-- 
Frank Crow


LMDB: Robust mutexes

2015-09-01 Thread Kristian Amlie
Hey,

there was some discussion about robust mutexes in LMDB about a year ago,
and I was told there was a patchset being worked on. I'm just wondering
what's the state of this project now. Is it likely to be included in
upcoming releases?

I don't see it in the latest release 0.9.16, and the "robust" branch
hasn't moved for a while.

-- 
Kristian



Re: "olcSizeLimit: size.prtotal=disabled" ignored?

2015-09-01 Thread Igor Shmukler
Hello Dieter,

Thank you for replying.

> slapd silently ignores the control request, but sizelimit still comes into 
> effect.

Given that, as well as the other relevant information...

Is "olcSizeLimit: size.prtotal=disabled" not affecting the response
a bug in OpenLDAP 2.4.x, or did I incorrectly understand the
documentation? If it is a bug, should it be filed?
How would one go about disabling simple paged results [having the
OpenLDAP server respond with critical extension unavailable or
similar]? Is restricting access to the control with an ACL the way
to go?

Thank you,

Igor Shmukler



Unable to build LMDB on SUSE Linux: undefined reference to pthread_mutexattr_setrobust / pthread_mutex_consistent

2015-09-01 Thread Pallav Gupta
Hello,
I am trying to build LMDB libraries from source on SUSE Linux using gcc 4.7.2 
to try for an experimental project at work. I am getting some build errors. I 
see pthread.h and libpthread.{a/so} installed in /usr/include and /usr/lib64, 
respectively. But I do not see these functions in the header file or in the 
library. Maybe the pthread library version is old. I am not sure. I tried 
searching on the web, but I was not able to understand how to install a 
different version of the pthread library (it seems to come packaged with the 
OS?). I do not have admin rights so I would try installing in my local area.
Can someone please advise on things I can try to resolve this issue? Thank you 
for your time and help.
(P.S. I had built LMDB successfully on a Mac OS X machine (home computer) 
without any issues)
$ make
gcc -pthread -O2 -g -W -Wall -Wno-unused-parameter -Wbad-function-cast -Wuninitialized   -c mdb.c
mdb.c: In function ‘mdb_mutex_failed’:
mdb.c:9827:4: warning: implicit declaration of function ‘pthread_mutex_consistent’ [-Wimplicit-function-declaration]
gcc -pthread -O2 -g -W -Wall -Wno-unused-parameter -Wbad-function-cast -Wuninitialized   -c midl.c
ar rs liblmdb.a mdb.o midl.o
ar: creating liblmdb.a
gcc -pthread -O2 -g -W -Wall -Wno-unused-parameter -Wbad-function-cast -Wuninitialized  -fPIC  -c mdb.c -o mdb.lo
mdb.c: In function ‘mdb_mutex_failed’:
mdb.c:9827:4: warning: implicit declaration of function ‘pthread_mutex_consistent’ [-Wimplicit-function-declaration]
gcc -pthread -O2 -g -W -Wall -Wno-unused-parameter -Wbad-function-cast -Wuninitialized  -fPIC  -c midl.c -o midl.lo
gcc  -pthread -shared -o liblmdb.so mdb.lo midl.lo
gcc -pthread -O2 -g -W -Wall -Wno-unused-parameter -Wbad-function-cast -Wuninitialized   -c mdb_stat.c
gcc -pthread -O2 -g -W -Wall -Wno-unused-parameter -Wbad-function-cast -Wuninitialized   mdb_stat.o liblmdb.a  -o mdb_stat
liblmdb.a(mdb.o): In function `mdb_env_setup_locks':
/nfs/pdx/proj/dt/tctg03/pgupta6/lmdb-mdb.master/libraries/liblmdb/mdb.c:4642: undefined reference to `pthread_mutexattr_setrobust'
liblmdb.a(mdb.o): In function `mdb_mutex_failed':
/nfs/pdx/proj/dt/tctg03/pgupta6/lmdb-mdb.master/libraries/liblmdb/mdb.c:9827: undefined reference to `pthread_mutex_consistent'
collect2: error: ld returned 1 exit status
make: *** [mdb_stat] Error 1

My environment is as follows:
$ more /etc/SuSE-release
SUSE Linux Enterprise Server 11 (x86_64)
VERSION = 11
PATCHLEVEL = 2
$ uname -a
Linux 3.0.101-0.7.29.1.8482.4.PTF-default #1 SMP Tue May 5 16:00:34 UTC 2015 () x86_64 x86_64 x86_64 GNU/Linux

Problem with binary data inserted in octetstring attribute.

2015-09-01 Thread Armando Martins
Hi,

I'm trying to sync an Active Directory with an OpenLDAP, and for updating the
entries I use the objectsid binary attribute of the Active Directory as the
link attribute between the two directories.

I'm having an issue with the binary data inserted in an octetstring
attribute. There is no problem inserting the data into the attribute, but
when I request the attribute no entries are returned. However, when I
do the same request in Active Directory it returns me the right answer.

Here is my attribute specification in openldap :

attributetype ( 1.3.6.1.4.1.31631.1.1.2.1.1
NAME 'binarysid'
DESC 'binary object'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
 )

and here is the data inserted in this attribute :

binarysid:: AQUAAAUV77+9OzJ577+9Ve+/vVEdA2pm77+977+9AAA=

if i request my openldap with this filter :

filter="(&(objectClass=inetOrgPerson)(binarysid=\01\05\00\00\00\00\00\05\15\00\00\00\CE;2y\C5U\C2Q\1D\03jf\ED\FB\00\00))"

No answer is returned, but when I request the Active Directory with this
filter :

filter="(&(objectClass=user)(objectsid=\01\05\00\00\00\00\00\05\15\00\00\00\CE;2y\C5U\C2Q\1D\03jf\ED\FB\00\00))"

it returns me the right answer...

Do I have a problem with my attribute in OpenLDAP?

If someone could help me, I would really appreciate it.

Thanks

-- 
Armando Martins
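Two things are worth checking against the post above before looking anywhere else, and the Python below is an added example (not code from the thread or from OpenLDAP) that does the second of them offline with the exact values posted. First, the attributetype declares a SYNTAX but no EQUALITY matching rule; slapd cannot evaluate an equality assertion on an attribute that has no EQUALITY rule (the filter component is Undefined and the entry is never returned), so the schema definition needs `EQUALITY octetStringMatch` added. Second, decoding the base64 LDIF value that was stored does not give the 28 bytes of the SID in the filter: it is 32 bytes long and contains five EF BF BD sequences, the UTF-8 encoding of U+FFFD, exactly where the filter has the bytes CE, C5, C2, ED and FB. That pattern is the usual sign of a sync tool that decoded the binary SID as UTF-8 text, replaced the undecodable bytes, and re-encoded the result before writing it, so the stored value could not match even with a correct matching rule. The example also renders the binary SID in S-1-5-... form and builds an assertion that escapes every byte, which is valid for any octetString value.

```python
import base64
import re
import struct
from typing import Dict

# Both values are copied from the post above: the base64 value stored in OpenLDAP
# and the RFC 4515 assertion that matches the entry in Active Directory.
STORED_B64 = "AQUAAAUV77+9OzJ577+9Ve+/vVEdA2pm77+977+9AAA="
FILTER_ASSERTION = r"\01\05\00\00\00\00\00\05\15\00\00\00\CE;2y\C5U\C2Q\1D\03jf\ED\FB\00\00"

UTF8_REPLACEMENT = b"\xef\xbf\xbd"  # UTF-8 encoding of U+FFFD, left behind by lossy text decoding
_HEX_ESCAPE = re.compile(r"\\([0-9A-Fa-f]{2})")


def unescape_filter_value(assertion: str) -> bytes:
    """Decode an RFC 4515 assertion value: \\XX is one byte, every other character is literal."""
    out = bytearray()
    pos = 0
    for m in _HEX_ESCAPE.finditer(assertion):
        out += assertion[pos:m.start()].encode("latin-1")
        out.append(int(m.group(1), 16))
        pos = m.end()
    out += assertion[pos:].encode("latin-1")
    return bytes(out)


def escape_filter_value(raw: bytes) -> str:
    """Encode every byte as \\XX; valid for any octetString value and needs no special-casing."""
    return "".join(f"\\{b:02X}" for b in raw)


def sid_to_string(raw: bytes) -> str:
    """Render a binary SID: revision, sub-authority count, 48-bit big-endian authority,
    then 32-bit little-endian sub-authorities."""
    if len(raw) < 8:
        raise ValueError("SID shorter than its fixed header")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError(f"SID length {len(raw)} does not match sub-authority count {count}")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{count}I", raw[8:])
    return "S-" + "-".join(str(v) for v in (revision, authority, *subs))


def diagnose_stored_value(stored: bytes, expected: bytes) -> Dict[str, object]:
    """Compare the directory's value with the bytes the filter asserts and flag UTF-8 mangling."""
    return {
        "equal": stored == expected,
        "stored_len": len(stored),
        "expected_len": len(expected),
        "replacement_sequences": stored.count(UTF8_REPLACEMENT),
        "non_ascii_bytes_expected": sum(1 for b in expected if b >= 0x80),
    }


if __name__ == "__main__":
    expected = unescape_filter_value(FILTER_ASSERTION)
    stored = base64.b64decode(STORED_B64)
    print("SID in filter  :", sid_to_string(expected))
    print("diagnosis      :", diagnose_stored_value(stored, expected))
    print("safe assertion :", escape_filter_value(expected))
```

When `replacement_sequences` is non-zero the fix is on the writing side: the sync tool has to hand the attribute value to the LDAP client library as raw bytes (or as a base64 `::` value in LDIF) rather than as a decoded string.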


Re: RHEL7 OpenLDAP server is not enforcing password expirations

2015-09-01 Thread Real, Elizabeth (392K)
Dan,

I have RHEL5 ldap clients using pam_unix.so and pam_ldap.so directives and 
these do honor the ldap user password expiration, no issues at all.
The /var/log/secure file shows: error: PAM: User account has expired

However, the two RHEL7 ldap clients using the pam_unix.so and pam_sss.so 
directives do not even see/know that the user ldap password has expired. When I 
change the directive from pam_sss.so to pam_ldap.so, the client cannot 
communicate with the ldap server.

RHEL5 /ETC/PAM.D/system-auth file:
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=LINUX minlen=8 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok md5 shadow remember=24
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so


RHEL7 CLIENTS /ETC/PAM.D/:
password-auth file:
auth sufficient pam_sss.so use_first_pass
account [default=bad success=ok user_unknown=ignore] pam_sss.so
password sufficient pam_sss.so use_authtok
session optional pam_sss.so

system-auth file:
auth sufficient pam_sss.so use_first_pass
account [default=bad success=ok user_unknown=ignore] pam_sss.so
password sufficient pam_sss.so use_authtok
session optional pam_sss.so

Thank you,
Liz

From: Dan White
Date: Friday, August 28, 2015 at 7:13 AM
To: Elizabeth Real Chavez
Cc: openldap-technical@openldap.org
Subject: Re: RHEL7 OpenLDAP server is not enforcing password expirations

On 08/27/15 22:56 +, Real, Elizabeth (392K) wrote:
> I've done a lot or research and re-read the OpenLDAP configuration guides
> but I cannot get my OpenLDAP 2.39 server to not allow users with expired
> passwords to login to ldap enabled clients. What directive in the
> /etc/pam.d/ files controls the users password expiration attribute?
> pam_unix or pam_ldap?

That depends on your configuration. Consult the pam project's to determine
that:

http://www.linux-pam.org/

pam_ldap is a 3rd party product, so you'll need to consult its
documentation to see how expiration is handled, if at all. nssov, which is
distributed with OpenLDAP, explicitly supports it.

In the case you are using, or wish to use, pam_unix with an ldap nss
module, expiration might be represented as an attribute underneath the
user's DN. See its documentation for details.

> Setup:
> 
> Server: RHEL7 OS
> Software: OpenLdap 2.4.39 server using slapd service
> 
> Client: RHEL7 OS
> Software: enabled Ldap via authconfig, using sssd service

--
Dan White



RE: ppolicy and pwdGraceUseTime

2015-09-01 Thread Craig White
Thanks for the reply. I actually figured out the problem Friday but was tasked 
with getting all of the changes done for PCI compliance and didn't have time to 
mark this as solved.

The problem was that there were 2 ppolicy overlay entries - apparently someone 
created a ppolicy overlay in 2013 when it was set up but didn't load the module 
and I didn't detect the previous ppolicy overlay entry was there until I 
started looking things over with the error. I deleted one and then password 
changes worked - problem solved.

-Original Message-
From: openldap-technical [mailto:openldap-technical-boun...@openldap.org] On 
Behalf Of Abdelhamid Meddeb
Sent: Saturday, August 29, 2015 12:14 AM
To: openldap-technical@openldap.org
Subject: Re: ppolicy and pwdGraceUseTime

Hi,

I think you are confusing password expiration with account 
lockout.

If your account is locked after several failed attempts to bind, you 
cannot modify your passwords.

Cheers.

On 28/08/2015 18:37, Craig White wrote:
> Openldap 2.4.39
>
> Adding in policy in already running OpenLDAP installation. Mostly
> functional – I was locked out after failed password attempts as expected.
>
> Existing user with password beyond expiration is an issue. It is
> extended grace logins as expected but when I try to change the password,
> I get an error which appears to be  “error 16 – modify/delete:
> pwdGraceUseTime: no such attribute”
>

-- 
*Abdelhamid Meddeb*
http://www.meddeb.net
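Craig's root cause above was a second ppolicy overlay entry on the same database, plus a module that had never been loaded. The following Python is an added example, not anything posted in the thread or shipped with OpenLDAP: it reads a constructed `slapcat -n 0` excerpt that reproduces that situation and reports, per database, every overlay configured more than once, and every overlay for which no olcModuleLoad exists (which is only a problem when the overlay was built as a module rather than compiled into slapd, so treat that list as a prompt to check, not as an error). The database suffix, module path and ordering indexes in the sample are invented; the attribute and objectClass names are the real cn=config ones.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set

# Constructed `slapcat -n 0` excerpt reproducing the situation in the thread:
# one mdb database carrying two ppolicy overlay entries and one memberof
# overlay, and a module list that loads ppolicy only.
SAMPLE_CONFIG = """\
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb

dn: olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: {0}ppolicy

dn: olcOverlay={1}ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: {1}ppolicy

dn: olcOverlay={2}memberof,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcMemberOf
olcOverlay: {2}memberof

dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModuleLoad: {0}ppolicy.la
"""

Entry = Dict[str, List[str]]
_ORDER_INDEX = re.compile(r"^\{\d+\}")

def parse_ldif(text: str) -> List[Entry]:
    """Split LDIF into entries (blank-line separated) after joining continuation lines."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries: List[Entry] = []
    current: Entry = {}
    for line in lines + [""]:  # trailing sentinel flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip(), []).append(value.strip())
    return entries

def strip_order_index(value: str) -> str:
    """'{1}ppolicy' -> 'ppolicy'; the {n} prefix is cn=config ordering, not identity."""
    return _ORDER_INDEX.sub("", value)

def overlays_by_database(entries: List[Entry]) -> Dict[str, List[str]]:
    """Overlay names per database DN, in configuration order."""
    result: Dict[str, List[str]] = defaultdict(list)
    for entry in entries:
        if "olcOverlay" not in entry:
            continue
        # The overlay RDN is the first DN component; the remainder names the database.
        database_dn = entry["dn"][0].split(",", 1)[1]
        result[database_dn].append(strip_order_index(entry["olcOverlay"][0]).lower())
    return dict(result)

def duplicate_overlays(entries: List[Entry]) -> Dict[str, List[str]]:
    """Databases on which the same overlay is stacked more than once."""
    duplicates: Dict[str, List[str]] = {}
    for database_dn, names in overlays_by_database(entries).items():
        repeated = sorted({name for name in names if names.count(name) > 1})
        if repeated:
            duplicates[database_dn] = repeated
    return duplicates

def loaded_modules(entries: List[Entry]) -> Set[str]:
    """Module names from every olcModuleLoad value, without ordering index or file suffix."""
    modules: Set[str] = set()
    for entry in entries:
        for value in entry.get("olcModuleLoad", []):
            modules.add(re.sub(r"\.(la|so)$", "", strip_order_index(value)).lower())
    return modules

def overlays_without_module(entries: List[Entry]) -> Set[str]:
    """Configured overlays with no olcModuleLoad; harmless only if the overlay is compiled into slapd."""
    modules = loaded_modules(entries)
    return {name for names in overlays_by_database(entries).values()
            for name in names if name not in modules}

if __name__ == "__main__":
    config = parse_ldif(SAMPLE_CONFIG)
    print("duplicate overlays:", duplicate_overlays(config))
    print("overlays with no module load:", overlays_without_module(config))
```

The database DN is recovered by splitting the overlay DN at its first comma, which is fine for cn=config entries because overlay RDNs never contain escaped commas; the same shortcut would not be safe on arbitrary DNs.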