https://bugs.openldap.org/show_bug.cgi?id=9740

--- Comment #2 from David Coutadeur <[email protected]> ---
(In reply to Ondřej Kuzník from comment #1)
> On Fri, Nov 05, 2021 at 11:51:51AM +0000, [email protected] wrote:
> > Following: https://bugs.openldap.org/show_bug.cgi?id=9666, we must now use the
> > olcPPolicyCheckModule directive in the overlay configuration, instead of the
> > pwdCheckModule in the password policy.
> > 
> > I have 3 remarks:
> > 
> > 1/ it's a pity we can't define the chosen module in the corresponding ppolicy.
> > It prevents having multiple extensions to password policies (one for each
> > policy)
> 
> Hi David,
> the problem is you have to load/unload it every time you run a password
> change, that has been causing issues. You can use the same
> implementation and pass policy specific configuration in pwdCheckModuleArg.
> 
> What is your use case where you'd need different modules in the same
> server?

No particular use case.

It's just that before ppm, the LTB project maintained another module named
"check-password", and maybe it can help the transition to announce that
OpenLDAP supports multiple modules at one time... But again there is no real use
case.

> 
> > 2/ it does not seem to work. (ie the extended module is not launched). See
> > below for my config and data.
> 
> Just checking you are actually building with --enable-modules?

Yes indeed.

If it can help:

./configure --prefix=${LDAPDIR} --libdir=${LDAPDIR}/${_LIB} \
    --enable-modules=yes --enable-overlays=mod --enable-backends=mod \
    --enable-dynamic=yes --with-tls=openssl --enable-debug --with-cyrus-sasl \
    --enable-spasswd --enable-ppolicy=mod --enable-crypt --enable-slapi \
    --enable-mdb=mod --enable-ldap=mod --enable-meta=mod --enable-sock=mod \
    --enable-wrappers --enable-rlookups --enable-argon2=yes --enable-otp=mod \
    --enable-balancer=mod --enable-sql=no --enable-ndb=no --enable-wt=no \
    --enable-perl=no


> 
> > 3/ the slapo-ppolicy is quite unclear about the configuration. For example, I
> > can read:
> > 
> >            (  1.3.6.1.4.1.4754.2.99.1
> >                NAME 'pwdPolicyChecker'
> >                AUXILIARY
> >                SUP top
> >                MAY ( pwdCheckModule $ pwdCheckModuleArg $ pwdUseCheckModule ) )
> > 
> > Do pwdCheckModule and pwdUseCheckModule still make sense?
> 
> pwdCheckModule is preserved for backwards compatibility and using it
> provokes a warning in the logs to let the admin know it is actually
> ignored.

Thanks for the clarification.
Actually, I meant the documentation of slapo-ppolicy (man page).
It could be nice to explain:
- what is deprecated
- what each attribute is for

> 
> pwdUseCheckModule is new and allows the policy admin decide whether the
> module is to be used in this particular policy or not.




> 
> Regards,
