2.4.47:
    Fixed slapo-ppolicy with multi-provider replication (ITS#8927)

2.4.48:
    Fixed slapo-ppolicy behavior when pwdInHistory is changed (ITS#8349)

2.4.49:
    Fixed slapo-ppolicy when used with slapauth (ITS#8629)
    Fixed slapo-ppolicy to add a missed normalised copy of pwdChangedTime (ITS#9126)

2.4.50:
    Fixed slapo-ppolicy callback (ITS#9171)

2.4.51:
    Added slapo-ppolicy implement Netscape password policy controls (ITS#9279)
    Fixed slapo-ppolicy to expose the ppolicy control (ITS#9285)
    Fixed slapo-ppolicy race condition for pwdFailureTime (ITS#9302)
    Fixed slapo-ppolicy so it can only exist once per DB (ITS#9309)

2.4.53:
    Fixed slapo-ppolicy race condition for pwdFailureTime (ITS#9302,ITS#9334)

I'd note again, Symas provides free drop-in replacement builds for CentOS/RHEL 7 that are current:

<https://repo.symas.com/sofl/rhel7/>

You will want to reload the database to account for the 2.4.49 fix for ITS#9126 (it requires a reload of the db via slapcat/slapadd to fix the internal normalization of pwdChangedTime).

So, I've cloned two of the production machines, slapcat'ed the DB, updated to Symas' 2.4.57 and slapadd'ed the DB. Queries work, replication does work,…

The problem persists. If I try to restrict one of the pwd* attributes using

access to attrs=<pwdAttribute>
        by * none

then slaptest will fail with

601ef16b /etc/openldap/acl.conf: line 93: unknown attr "<pwdAttribute>" in to clause
601ef16b <access clause> ::= access to <what> [ by <who> [ <access> ] [ <control> ] ]+
[…]

slaptest: bad configuration file!

#### password / ppolicy relevant parts in the configuration file ####

include         /etc/openldap/schema/ppolicy.schema
include         /etc/openldap/acl.conf

modulepath      /usr/lib64/openldap
moduleload      ppolicy.la
moduleload      smbk5pwd.la

password-hash {CRYPT}
password-crypt-salt-format "$6$%.16s"

overlay smbk5pwd
smbk5pwd-enable samba

overlay                ppolicy
ppolicy_default        "cn=default,ou=Policies,dc=example,dc=com"
ppolicy_use_lockout
######################################################################

### policy related entries ###
1199 ou=Policies,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Policies

1200 cn=default,ou=Policies,dc=example,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
cn: default
pwdAttribute: userPassword
pwdMinAge: 0
pwdMaxAge: 0
pwdInHistory: 3
pwdCheckQuality: 2
pwdMinLength: 8
pwdExpireWarning: 1814400
pwdGraceAuthNLimit: 3
pwdLockout: TRUE
pwdLockoutDuration: 600
pwdMaxFailure: 5
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
pwdCheckModule: /usr/lib64/openldap/check_password.so
################################################

Regards,

        Uwe
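One detail in the slapd.conf fragment above is worth a closer look: /etc/openldap/acl.conf is included before `moduleload ppolicy.la`. In OpenLDAP 2.4 the ppolicy overlay registers its operational attribute types (pwdChangedTime, pwdAccountLockedTime, pwdFailureTime, pwdHistory, pwdGraceUseTime, pwdReset, pwdPolicySubentry) itself when the module is loaded; ppolicy.schema only carries the pwdPolicy object class and the policy attributes such as pwdMaxAge. An ACL that names one of the module-registered attributes can therefore only be parsed after the moduleload line, and slaptest reports "unknown attr" when it meets it earlier. The script below is an added example written for this page, not part of OpenLDAP or of the thread: it walks a slapd.conf and its include files in the order slapd reads them and flags such ACLs. The function names, the constructed SAMPLE_FILES (which mirror the include order shown above) and the assumption that an included file missing from the dict is a schema file are all mine.

```python
import re
from typing import Dict, Iterator, List, Tuple

# Operational attribute types that slapo-ppolicy in OpenLDAP 2.4 registers
# itself when ppolicy.la is loaded.  ppolicy.schema only defines the pwdPolicy
# object class and its policy attributes (pwdMaxAge, pwdLockout, ...), so an
# ACL naming one of these is only parseable after the moduleload directive.
PPOLICY_OPERATIONAL_ATTRS = {
    "pwdchangedtime", "pwdaccountlockedtime", "pwdfailuretime",
    "pwdhistory", "pwdgraceusetime", "pwdreset", "pwdpolicysubentry",
}

ACL_ATTRS = re.compile(r"^\s*access\s+to\s+.*?\battrs=(\S+)", re.IGNORECASE)
INCLUDE = re.compile(r"^\s*include\s+(\S+)", re.IGNORECASE)
MODULELOAD = re.compile(r"^\s*moduleload\s+(\S+)", re.IGNORECASE)


def logical_lines(text: str) -> Iterator[Tuple[int, str]]:
    """Join slapd.conf continuation lines (leading whitespace) onto the
    directive they belong to, keeping the directive's first line number."""
    start, buf = 0, None
    for n, raw in enumerate(text.splitlines(), 1):
        if raw[:1] in (" ", "\t") and buf is not None:
            buf += " " + raw.strip()
            continue
        if buf is not None:
            yield start, buf
        start, buf = n, raw
    if buf is not None:
        yield start, buf


def parse_order(files: Dict[str, str], name: str, seen=()) -> Iterator[Tuple[str, int, str]]:
    """Yield (file, line, directive) in the order slapd reads them, descending
    into includes present in `files`; absent ones (schema files) are skipped."""
    if name in seen:
        raise ValueError(f"include loop via {name}")
    if name not in files:
        return
    for lineno, line in logical_lines(files[name]):
        m = INCLUDE.match(line)
        if m:
            yield from parse_order(files, m.group(1), seen + (name,))
        else:
            yield name, lineno, line


def check_ppolicy_acl_order(files: Dict[str, str], top: str = "slapd.conf") -> List[str]:
    """Report ACLs naming ppolicy operational attributes that are parsed
    before moduleload ppolicy.la has registered them (slaptest: unknown attr)."""
    problems, ppolicy_loaded = [], False
    for fname, lineno, line in parse_order(files, top):
        m = MODULELOAD.match(line)
        if m and m.group(1).rsplit("/", 1)[-1].startswith("ppolicy"):
            ppolicy_loaded = True
            continue
        m = ACL_ATTRS.match(line)
        if not m or ppolicy_loaded:
            continue
        for attr in m.group(1).split(","):
            if attr.split(";")[0].lower() in PPOLICY_OPERATIONAL_ATTRS:
                problems.append(f'{fname}: line {lineno}: attr "{attr}" used in '
                                f'to clause before moduleload ppolicy.la')
    return problems


# Constructed sample (not a real config): acl.conf is included before
# ppolicy.la is loaded, as in the fragment quoted in the thread.
SAMPLE_FILES = {
    "slapd.conf": (
        "include         /etc/openldap/schema/ppolicy.schema\n"
        "include         acl.conf\n"
        "\n"
        "modulepath      /usr/lib64/openldap\n"
        "moduleload      ppolicy.la\n"
        "\n"
        "overlay         ppolicy\n"
        "ppolicy_default \"cn=default,ou=Policies,dc=example,dc=com\"\n"
    ),
    "acl.conf": (
        "access to attrs=pwdMaxAge\n"          # defined by ppolicy.schema: fine
        "        by * read\n"
        "access to attrs=pwdFailureTime,pwdAccountLockedTime\n"  # module-registered
        "        by * none\n"
    ),
}


def reordered(files: Dict[str, str]) -> Dict[str, str]:
    """Same config with the acl.conf include moved after moduleload."""
    lines = files["slapd.conf"].splitlines()
    inc = next(l for l in lines if l.split() == ["include", "acl.conf"])
    lines.remove(inc)
    i = next(i for i, l in enumerate(lines) if l.startswith("moduleload"))
    lines.insert(i + 1, inc)
    return {**files, "slapd.conf": "\n".join(lines) + "\n"}


if __name__ == "__main__":
    for p in check_ppolicy_acl_order(SAMPLE_FILES):
        print(p)
    print("after reorder:", check_ppolicy_acl_order(reordered(SAMPLE_FILES)))
```

Run against the sample it reports the two module-registered attributes on line 3 of acl.conf and nothing once the include is moved below `moduleload ppolicy.la`; the same reordering (or placing the pwd* ACLs in the database section after the overlay) is what I would try on the real acl.conf before looking elsewhere.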

Regards,
Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
