https://bugs.openldap.org/show_bug.cgi?id=9740
--- Comment #2 from David Coutadeur <[email protected]> ---
(In reply to Ondřej Kuzník from comment #1)
> On Fri, Nov 05, 2021 at 11:51:51AM +0000, [email protected] wrote:
> > Following: https://bugs.openldap.org/show_bug.cgi?id=9666, we must now use the
> > olcPPolicyCheckModule directive in the overlay configuration, instead of the
> > pwdCheckModule in the password policy.
> >
> > I have 3 remarks:
> >
> > 1/ it's a pity we can't define the chosen module in the corresponding ppolicy.
> > It prevents having multiple extensions to password policies (one for each policy)
>
> Hi David,
> the problem is you have to load/unload it every time you run a password
> change, that has been causing issues. You can use the same
> implementation and pass policy specific configuration in pwdCheckModuleArg.
>
> What is your use case where you'd need different modules in the same
> server?

No particular use case. It's just that before ppm, LTB project maintained another module named "check-password", and maybe it can help the transition to announce that OpenLDAP supports multiple modules at one time...
But again there is no real use case.

> > 2/ it does not seem to work. (ie the extended module is not launched). See
> > below for my config and data.
>
> Just checking you are actually building with --enable-modules?

Yes indeed. If it can help:

./configure --prefix=${LDAPDIR} --libdir=${LDAPDIR}/${_LIB} \
    --enable-modules=yes --enable-overlays=mod --enable-backends=mod \
    --enable-dynamic=yes --with-tls=openssl --enable-debug \
    --with-cyrus-sasl --enable-spasswd --enable-ppolicy=mod \
    --enable-crypt --enable-slapi --enable-mdb=mod --enable-ldap=mod \
    --enable-meta=mod --enable-sock=mod --enable-wrappers \
    --enable-rlookups --enable-argon2=yes --enable-otp=mod \
    --enable-balancer=mod --enable-sql=no --enable-ndb=no \
    --enable-wt=no --enable-perl=no

> > 3/ the slapo-ppolicy is quite unclear about the configuration.
> > For example, I can read:
> >
> > ( 1.3.6.1.4.1.4754.2.99.1
> >   NAME 'pwdPolicyChecker'
> >   AUXILIARY
> >   SUP top
> >   MAY ( pwdCheckModule $ pwdCheckModuleArg $ pwdUseCheckModule ) )
> >
> > Do pwdCheckModule and pwdUseCheckModule still make sense?
>
> pwdCheckModule is preserved for backwards compatibility and using it
> provokes a warning in the logs to let the admin know it is actually
> ignored.

Thanks for the clarification.
Actually, I meant the documentation of slapo-ppolicy (man page): it could be nice to explain:
- what is deprecated
- what each attribute is made for

> pwdUseCheckModule is new and allows the policy admin decide whether the
> module is to be used in this particular policy or not.
>
> Regards,
