Control: tags -1 + patch

Hi Ryan,

On Fri, 2021-06-04 at 11:19 -0700, Ryan Tandy wrote:
> Hi. The attached patch updates the test slapd config to support
> OpenLDAP 2.5 in addition to 2.4.

Thanks for the patch. I've applied it in the upstream repo and I plan to
make a new release soon.

> However the test_pamcmds script fails with the new version. The login
> with the correct password fails, the issue seems to be (from
> nslcd.log):
>
> nslcd: [a88611] <authc="vsefcovic"> DEBUG: got LDAP_CONTROL_PASSWORDPOLICYRESPONSE (Password must be changed)
> nslcd: [a88611] <authc="vsefcovic"> DEBUG: myldap_search(base="cn=Veronica Sefcovic+uid=vsefcovic,ou=lotsofpeople,dc=test,dc=tld", filter="(objectClass=*)")
> nslcd: [a88611] <authc="vsefcovic"> ldap_result() failed: Insufficient access: Operations are restricted to bind/unbind/abandon/StartTLS/modify password
>
> Still looking into it, not sure why the new ppolicy wants the
> password changed after it was just reset earlier.

Do you know at which step this failed in the test_pamcmds test?

In general I found ppolicy controls during authentication to be somewhat
confusing, especially when a password was about to expire or needed to be
changed. This heavily depends on the LDAP server implementation but it
could be that the bind operation succeeds (with ppolicy control messages)
but the search that is done afterwards fails (e.g. because the connection
can only be used to change the password).

By default nslcd does a search operation to check whether the bind
operation was actually successful (there are LDAP servers that, for some
bind operations, do not return a proper error but do not have a working
session afterwards). This can be configured with the pam_authc_search
option.

Kind regards,

-- 
arthur - art...@arthurdejong.org - https://arthurdejong.org/
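The failure pattern Arthur describes (bind accepted with a ppolicy control, then the post-bind verification search denied) can be picked out of nslcd debug output by correlating lines on the request id. The following is an added example, not code from the thread or from nss-pam-ldapd; the log lines are constructed to mirror the ones quoted above, and the function and variable names are mine.

```python
import re
from collections import defaultdict

# Constructed nslcd log lines modelled on those quoted in the bug report;
# the second session is a made-up healthy login for contrast.
SAMPLE_LOG = """\
nslcd: [a88611] <authc="vsefcovic"> DEBUG: got LDAP_CONTROL_PASSWORDPOLICYRESPONSE (Password must be changed)
nslcd: [a88611] <authc="vsefcovic"> DEBUG: myldap_search(base="cn=Veronica Sefcovic+uid=vsefcovic,ou=lotsofpeople,dc=test,dc=tld", filter="(objectClass=*)")
nslcd: [a88611] <authc="vsefcovic"> ldap_result() failed: Insufficient access: Operations are restricted to bind/unbind/abandon/StartTLS/modify password
nslcd: [0b3c2e] <authc="arthur"> DEBUG: myldap_search(base="uid=arthur,ou=people,dc=test,dc=tld", filter="(objectClass=*)")
nslcd: [0b3c2e] <authc="arthur"> DEBUG: ldap_result(): end of results
"""

# nslcd prefixes each line with a request id and, for PAM authc, the user.
LINE_RE = re.compile(r'^nslcd: \[(?P<sid>[0-9a-f]+)\] <authc="(?P<user>[^"]*)"> (?P<msg>.*)$')
PPOLICY_RE = re.compile(r'LDAP_CONTROL_PASSWORDPOLICYRESPONSE \((.*)\)')

def classify_authc_sessions(log_text):
    """Group authc lines per request id and record whether the bind carried a
    ppolicy control and whether the follow-up verification search was denied."""
    sessions = defaultdict(lambda: {"user": None, "ppolicy": None, "search_denied": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an authc line (or not nslcd at all)
        s = sessions[m["sid"]]
        s["user"] = m["user"]
        pp = PPOLICY_RE.search(m["msg"])
        if pp:
            s["ppolicy"] = pp.group(1)
        if m["msg"].startswith("ldap_result() failed: Insufficient access"):
            s["search_denied"] = True
    return dict(sessions)

def bind_ok_but_search_denied(sessions):
    """Request ids where the server accepted the bind (ppolicy control seen) but
    refused the search nslcd runs afterwards: the password was right, the
    session is restricted to changing it. Candidates for pam_authc_search tuning."""
    return sorted(sid for sid, s in sessions.items() if s["ppolicy"] and s["search_denied"])
```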