21.12.2016, 23:34, "Matthieu Cerda" <[email protected]>:
> Hello folks,

Hello,

The "deleted access denied by read" error has been fixed in the next OpenLDAP version, I remember. I think it was from that slapo-ppolicy and has been fixed in the 2.4.11 version.

http://www.openldap.org/devel/cvsweb.cgi/Attic/CHANGES

Regards,

--
Ozgur Karatas
m: [email protected]
w: http://www.openldap.org
f: https://www.facebook.com/openldap
t: https://www.twitter.com/openldaporg
i: irc.freenode.net #openldap

> I just stumbled upon a (maybe not) surprising technical issue with my
> OpenLDAP setup: ppolicy seems unable to update pwdAccountLockedTime on
> my users.
>
> Setup:
>
> * OpenLDAP 2.4.40(+dfsg-1+deb8u2) on Debian jessie
>
> * Password policy and ACLs:
>
> ---8<---
> dn: cn=default,ou=policies,dc=company,dc=com
> objectClass: top
> objectClass: person
> objectClass: pwdPolicy
> cn: passwordDefault
> cn: default
> pwdAttribute: userPassword
> sn: passwordDefault
> pwdAllowUserChange: TRUE
> pwdCheckQuality: 0
> pwdExpireWarning: 0
> pwdFailureCountInterval: 0
> pwdGraceAuthNLimit: 0
> pwdInHistory: 3
> pwdLockout: TRUE
> pwdLockoutDuration: 300
> pwdMaxAge: 0
> pwdMaxFailure: 3
> pwdMinAge: 0
> pwdMinLength: 8
> pwdMustChange: FALSE
> pwdSafeModify: FALSE
> ---8<---
>
> ---8<---
> access to attrs=userPassword,shadowLastChange
>     by dn="uid=mcerda,ou=people,dc=company,dc=com" write
>     by self write
>     by anonymous auth
>     by * none
>
> access to dn.base="" by * read
>
> access to *
>     by dn="uid=mcerda,ou=people,dc=company,dc=com" write
>     by users read
>     by * none
> ---8<---
>
> * pwdFailureTime gets updated on each failed login attempt on users
> until pwdMaxFailure is reached (3)
>
> * Testing for account locking is done both by observing the appearance in
> the user object and using '-e ppolicy' on ldapsearch (ppolicy_use_lockout is
> enabled)
>
> Every time a user reaches the pwdMaxFailure count, the debug log (level
> 65535) gives:
>
> ---8<---
> 585947a5 => mdb_entry_get: found entry: "cn=default,ou=policies,dc=company,dc=com"
> 585947a5 mdb_entry_get: rc=0
> 585947a5 mdb_modify: uid=fbar,ou=people,dc=company,dc=com
> 585947a5 slap_queue_csn: queueing 0x65696ef4bce0 20161220150053.705334Z#000000#000#000000
> 585947a5 mdb_dn2entry("uid=fbar,ou=people,dc=company,dc=com")
> 585947a5 => mdb_dn2id("uid=fbar,ou=people,dc=company,dc=com")
> 585947a5 <= mdb_dn2id: got id=0x9
> 585947a5 => mdb_entry_decode:
> 585947a5 <= mdb_entry_decode
> 585947a5 mdb_modify_internal: 0x00000009: uid=fbar,ou=people,dc=company,dc=com
> 585947a5 => access_allowed: result not in cache (pwdAccountLockedTime)
> 585947a5 => access_allowed: delete access to "uid=fbar,ou=people,dc=company,dc=com" "pwdAccountLockedTime" requested
> 585947a5 => dn: [2]
> 585947a5 => acl_get: [3] attr pwdAccountLockedTime
> 585947a5 => acl_mask: access to entry "uid=fbar,ou=people,dc=company,dc=com", attr "pwdAccountLockedTime" requested
> 585947a5 => acl_mask: to all values by "", (=0)
> 585947a5 <= check a_dn_pat: uid=mcerda,ou=people,dc=company,dc=com
> 585947a5 <= check a_dn_pat: users
> 585947a5 <= check a_dn_pat: anonymous
> 585947a5 <= acl_mask: [3] applying read(=rscxd) (stop)
> 585947a5 <= acl_mask: [3] mask: read(=rscxd)
> 585947a5 => slap_access_allowed: delete access denied by read(=rscxd)
> 585947a5 => access_allowed: no more rules
> 585947a5 mdb_modify: modify failed (50)
> 585947a5 send_ldap_result: conn=1000 op=0 p=3
> 585947a5 send_ldap_result: err=50 matched="" text=""
> 585947a5 slap_graduate_commit_csn: removing 0x6569601047f0 20161220150053.705334Z#000000#000#000000
> 585947a5 send_ldap_response: msgid=1 tag=97 err=49
> ---8<---
>
> I can't see a reason why the update gets denied. Setting the global ACL
> to:
>
> ---8<---
> access to *
>     by dn="uid=mcerda,ou=people,dc=company,dc=com" write
>     by * write
> ---8<---
>
> fixes the issue (but I obviously do not want an open bar slapd).
>
> The documentation (http://www.openldap.org/doc/admin24/overlays.html)
> advises nothing about ACLs.
>
> Is this an issue or a misconfiguration?
>
> Thanks in advance,
> --
> Matthieu Cerda
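The denial in the quoted trace is easy to miss inside a level-65535 dump. As an added illustration (not code from the thread or from OpenLDAP), this small Python helper pairs each "access_allowed ... requested" line with the verdict that follows it and reports which ACL clause and which identity produced a denial, flagging attributes that slapo-ppolicy maintains on its own; the sample log lines are constructed from the trace above, and the list of ppolicy operational attributes is an assumption.

```python
import re

# Matches the request line that opens one ACL evaluation in a slapd debug trace.
REQUEST_RE = re.compile(r'access_allowed: (\w+) access to "([^"]+)" "([^"]+)" requested')
# Identity the evaluation runs as; an empty DN means anonymous (or an internal op).
BY_RE = re.compile(r'acl_mask: to all values by "([^"]*)"')
# Which ACL clause matched and what access level it granted.
ACL_IDX_RE = re.compile(r'acl_mask: \[(\d+)\] applying (\w+)')
DENIED_RE = re.compile(r'slap_access_allowed: (\w+) access denied by (\w+)')

# Assumed list of operational attributes slapo-ppolicy writes on its own behalf.
PPOLICY_ATTRS = {"pwdaccountlockedtime", "pwdfailuretime", "pwdchangedtime",
                 "pwdhistory", "pwdgraceusetime", "pwdreset"}


def find_acl_denials(lines):
    """Return one dict per denied request: dn, attr, access, identity, acl, granted."""
    denials, pending = [], None
    for line in lines:
        m = REQUEST_RE.search(line)
        if m:
            pending = {"access": m.group(1), "dn": m.group(2), "attr": m.group(3),
                       "identity": None, "acl": None, "granted": None}
            continue
        if pending is None:
            continue
        if (m := BY_RE.search(line)):
            pending["identity"] = m.group(1) or "anonymous"
        elif (m := ACL_IDX_RE.search(line)):
            pending["acl"], pending["granted"] = int(m.group(1)), m.group(2)
        elif (m := DENIED_RE.search(line)) and m.group(1) == pending["access"]:
            pending["ppolicy_internal"] = pending["attr"].lower() in PPOLICY_ATTRS
            denials.append(pending)
            pending = None
    return denials


# Constructed sample, reduced from the trace quoted in the thread.
SAMPLE_LOG = """\
585947a5 => access_allowed: result not in cache (pwdAccountLockedTime)
585947a5 => access_allowed: delete access to "uid=fbar,ou=people,dc=company,dc=com" "pwdAccountLockedTime" requested
585947a5 => acl_get: [3] attr pwdAccountLockedTime
585947a5 => acl_mask: to all values by "", (=0)
585947a5 <= acl_mask: [3] applying read(=rscxd) (stop)
585947a5 => slap_access_allowed: delete access denied by read(=rscxd)
585947a5 mdb_modify: modify failed (50)
"""

if __name__ == "__main__":
    for d in find_acl_denials(SAMPLE_LOG.splitlines()):
        print(f'ACL #{d["acl"]} granted {d["granted"]} to {d["identity"]} on {d["dn"]} '
              f'{d["attr"]}; {d["access"]} denied'
              + (" (ppolicy operational attribute)" if d["ppolicy_internal"] else ""))
```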
