Andreas Hasenack wrote:
> On Friday 11 August 2006 00:34, Prakash Velayutham wrote:
>
>> dn:
>> supportedControl: 1.3.6.1.4.1.4203.1.9.1.1
>> supportedControl: 2.16.840.1.113730.3.4.18
>> supportedControl: 2.16.840.1.113730.3.4.2
>> supportedControl: 1.3.6.1.4.1.4203.1.10.1
>> supportedControl: 1.2.840.113556.1.4.319
>> supportedControl: 1.2.826.0.1.334810.2.3
>> supportedControl: 1.3.6.1.1.13.2
>> supportedControl: 1.3.6.1.1.13.1
>> supportedControl: 1.3.6.1.1.12
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries: 1
>>
>> But the control for Password Policy is 1.3.6.1.4.1.42.2.27.8.2.1, but
>>
>
> I don't know these numbers by memory, so I'll trust you on that :)
>
>> that is not listed in my server's RootDSE for some reason. I am positive
>> that I compiled with --enable-ppolicy flag. For some reason, it does not
>> show up in the search.
>>
>
> You have to load the overlay:
> overlay ppolicy
>
> And possibly load the module if your openldap server has this built as a
> dynamic object:
> modulepath /usr/lib/openldap (you may need to change this)
> moduleload ppolicy.la
I had all of that in my slapd.conf except modulepath. No luck. What
should my modulepath be? I do not see a ppolicy.la file anywhere in my
install tree. What I am wondering is how I would see the
"ppolicy_bind: Setting warning for password expiry for cn=Prakash
Velayutham,ou=PI-users,dc=cchrf,dc=org = 85816 seconds" warning if my
ppolicy overlay were not working, right? So that part is working (please
correct me if I am wrong). The only thing is that the client side is not
getting the warning message even though the server is sending it. Do you
have this working in your LDAP setting with pam_ldap and SSH?
Inside pam_ldap.c code, I see a bunch of code (lines 2041 - 2052 in
pam_ldap-182) like this:
##########################################################################
  if (!strcmp ((*ctlp)->ldctl_oid, LDAP_CONTROL_PWEXPIRING))
    {
      /* copy the control value (bounded by bv_len, it is not NUL-terminated)
         and parse it as a decimal number of seconds until expiry */
      char seconds[32];
      snprintf (seconds, sizeof seconds, "%.*s",
                (int) (*ctlp)->ldctl_value.bv_len,
                (*ctlp)->ldctl_value.bv_val);
      session->info->password_expiration_time = atol (seconds);
    }
  else if (!strcmp ((*ctlp)->ldctl_oid, LDAP_CONTROL_PWEXPIRED))
    {
      /* only record the expiry error if no other policy error was set */
      if (session->info->policy_error == POLICY_ERROR_SUCCESS)
        session->info->policy_error = POLICY_ERROR_PASSWORD_EXPIRED;
##########################################################################
But both the LDAP_CONTROL_PWEXPIRING and LDAP_CONTROL_PWEXPIRED are not
defined in openldap's ldap.h file. So how exactly would this be
recognized by pam_ldap?
Also, could you give me your set of configure flags while building
openldap? I will try to replicate that in my setting to see if that
clears some things. When I give configure flags like
--enable-modules=yes --enable-overlays=yes --enable-ppolicy, where
should I expect the system to put the ppolicy.la module?
Thanks,
Prakash
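Added example, not from this thread, pam_ldap or OpenLDAP: a decoder for the Password Policy response control (OID 1.3.6.1.4.1.42.2.27.8.2.1) that a ppolicy-enabled slapd attaches to the Bind response, so a client can read the kind of 85816-second expiry warning the server logs above. It assumes the BER context tags OpenLDAP's ppolicy overlay emits (0xA0 for the warning choice, 0x80 time before expiration, 0x81 grace count inside it, 0x81 error at the top level) and uses hand-constructed sample bytes; the control-scanning loop mirrors the pam_ldap fragment quoted above.

```python
PPOLICY_RESPONSE_OID = "1.3.6.1.4.1.42.2.27.8.2.1"
PPOLICY_ERRORS = {0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
                  3: "passwordModNotAllowed", 4: "mustSupplyOldPassword",
                  5: "insufficientPasswordQuality", 6: "passwordTooShort",
                  7: "passwordTooYoung", 8: "passwordInHistory"}

def _read_tlv(buf, pos):
    """Return (tag, contents, next_pos) for the BER TLV starting at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated control value")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated control value")
    return tag, buf[pos:pos + length], pos + length

def decode_ppolicy_response(value):
    """Decode PasswordPolicyResponseValue; fields the server omitted stay None."""
    tag, body, _ = _read_tlv(value, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE, got tag 0x%02x" % tag)
    out = {"time_before_expiration": None, "grace_authns_remaining": None, "error": None}
    pos = 0
    while pos < len(body):
        tag, inner, pos = _read_tlv(body, pos)
        if tag == 0xA0:  # warning [0] CHOICE, constructed context tag (assumed, per ppolicy.c)
            wtag, wval, _ = _read_tlv(inner, 0)
            secs = int.from_bytes(wval, "big", signed=True)
            if wtag == 0x80:    # timeBeforeExpiration [0] INTEGER
                out["time_before_expiration"] = secs
            elif wtag == 0x81:  # graceAuthNsRemaining [1] INTEGER
                out["grace_authns_remaining"] = secs
            else:
                raise ValueError("unknown warning tag 0x%02x" % wtag)
        elif tag == 0x81:  # error [1] ENUMERATED
            code = int.from_bytes(inner, "big", signed=True)
            out["error"] = PPOLICY_ERRORS.get(code, "unknown(%d)" % code)
        else:
            raise ValueError("unexpected tag 0x%02x in response" % tag)
    return out

def ppolicy_from_controls(controls):
    """Like pam_ldap's loop over (*ctlp)->ldctl_oid: pick out the ppolicy control."""
    for oid, value in controls:  # controls: list of (oid, value_bytes)
        if oid == PPOLICY_RESPONSE_OID:
            return decode_ppolicy_response(value)
    return None

# constructed sample, BER-encoded by hand: the thread's 85816-second expiry warning
SAMPLE_CONTROLS = [(PPOLICY_RESPONSE_OID, bytes.fromhex("3007a0058003014f38"))]
```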