Re: Re: password policy on FDS 1.0.2 - doesn't seem to work?

pkime at Shopzilla.com (Philip Kime) · Sun, 12 Nov 2006 11:51:29 -0800

> The server enforces the policy internally, and (at least in theory)
all the code paths
> that modify passwords should be calling the same policy checking
function. So
> ldappasswd, ldapmodify and the GUI should see exactly the same policy.
If you turn up
> the logging level you might see more interesting output (in the errors
log, not the
> access log, which is always quite terse).

I put "heavy logging on" but I can't see anything to do with password
policies (below is the trace from one ldappaswd update operation which
should have failed due to password policy). I also looked at the funtion
traces and there are calls to get the DNs of the policy object but no
errors or anything to say they were applied.

[12/Nov/2006:11:45:03 -0800] - do_extended: oid
(1.3.6.1.4.1.1466.20037-startTLS)
[12/Nov/2006:11:45:03 -0800] - mapping tree selected backend : userRoot
[12/Nov/2006:11:45:03 -0800] - mapping tree selected backend : userRoot
[12/Nov/2006:11:45:03 -0800] - mapping tree release backend : userRoot
[12/Nov/2006:11:45:03 -0800] - mapping tree selected backend : userRoot
[12/Nov/2006:11:45:03 -0800] - mapping tree release backend : userRoot
[12/Nov/2006:11:45:03 -0800] - mapping tree selected backend : userRoot
[12/Nov/2006:11:45:03 -0800] - mapping tree release backend : userRoot
[12/Nov/2006:11:45:03 -0800] - mapping tree selected backend : userRoot
[12/Nov/2006:11:45:03 -0800] - mapping tree release backend : userRoot
[12/Nov/2006:11:45:03 -0800] - mapping tree selected backend : userRoot
[12/Nov/2006:11:45:03 -0800] - mapping tree release backend : userRoot
[12/Nov/2006:11:45:03 -0800] - mapping tree selected backend : userRoot
[12/Nov/2006:11:45:03 -0800] - mapping tree release backend : userRoot
[12/Nov/2006:11:45:03 -0800] - mapping tree selected backend : userRoot
[12/Nov/2006:11:45:03 -0800] - mapping tree release backend : userRoot
[12/Nov/2006:11:45:03 -0800] - do_extended: oid
(1.3.6.1.4.1.4203.1.11.1-passwd_modify_extop)
[12/Nov/2006:11:45:03 -0800] - mapping tree selected backend : userRoot
[12/Nov/2006:11:45:03 -0800] - mapping tree release backend : userRoot
[12/Nov/2006:11:45:03 -0800] - mapping tree selected backend : userRoot
[12/Nov/2006:11:45:03 -0800] - mapping tree release backend : userRoot
[12/Nov/2006:11:45:03 -0800] - mapping tree selected backend : userRoot
[12/Nov/2006:11:45:03 -0800] -    replace: userpassword
[12/Nov/2006:11:45:03 -0800] - removing entire attribute userpassword
[12/Nov/2006:11:45:03 -0800] -    userpassword:
{SSHA}W4FdKGuc/MmN3w8f98UgmtyMaWH0Hn1GMM/LhA==
[12/Nov/2006:11:45:03 -0800] -    -
[12/Nov/2006:11:45:03 -0800] -    replace: modifiersname
[12/Nov/2006:11:45:03 -0800] - removing entire attribute modifiersname
[12/Nov/2006:11:45:03 -0800] -    modifiersname:
cn=server,cn=plugins,cn=config
[12/Nov/2006:11:45:03 -0800] -    -
[12/Nov/2006:11:45:03 -0800] -    replace: modifytimestamp
[12/Nov/2006:11:45:03 -0800] - removing entire attribute modifytimestamp
[12/Nov/2006:11:45:03 -0800] -    modifytimestamp: 20061112194503Z
[12/Nov/2006:11:45:03 -0800] -    -
[12/Nov/2006:11:45:03 -0800] - mapping tree selected backend : userRoot
[12/Nov/2006:11:45:03 -0800] -    replace: passwordgraceusertime
[12/Nov/2006:11:45:03 -0800] - removing entire attribute
passwordgraceusertime
[12/Nov/2006:11:45:03 -0800] -    passwordgraceusertime: 0
[12/Nov/2006:11:45:03 -0800] -    -
[12/Nov/2006:11:45:03 -0800] -    replace: modifiersname
[12/Nov/2006:11:45:03 -0800] - removing entire attribute modifiersname
[12/Nov/2006:11:45:03 -0800] -    modifiersname:
cn=server,cn=plugins,cn=config
[12/Nov/2006:11:45:03 -0800] -    -
[12/Nov/2006:11:45:03 -0800] -    replace: modifytimestamp
[12/Nov/2006:11:45:03 -0800] - removing entire attribute modifytimestamp
[12/Nov/2006:11:45:03 -0800] -    modifytimestamp: 20061112194503Z
[12/Nov/2006:11:45:03 -0800] -    -
[12/Nov/2006:11:45:03 -0800] - mapping tree selected backend :
frontend-internal
[12/Nov/2006:11:45:03 -0800] - mapping tree selected backend :
frontend-internal
[12/Nov/2006:11:45:03 -0800] - mapping tree release backend :
frontend-internal
[12/Nov/2006:11:45:03 -0800] - mapping tree selected backend :
frontend-internal
[12/Nov/2006:11:45:03 -0800] - mapping tree release backend :
frontend-internal
[12/Nov/2006:11:45:03 -0800] - mapping tree selected backend :
frontend-internal
[12/Nov/2006:11:45:03 -0800] - mapping tree release backend :
frontend-internal
[12/Nov/2006:11:45:03 -0800] - mapping tree selected backend :
frontend-internal
[12/Nov/2006:11:45:03 -0800] - mapping tree release backend :
frontend-internal
[12/Nov/2006:11:45:03 -0800] - SRCH base="" scope=0 deref=0 sizelimit=0
timelimit=600 attrsonly=0 filter="(objectClass=*)"
attrs="supportedControl supportedExtension"
[12/Nov/2006:11:45:03 -0800] - mapping tree selected backend :
frontend-internal
[12/Nov/2006:11:45:03 -0800] - mapping tree release backend :
frontend-internal
[12/Nov/2006:11:45:03 -0800] - mapping tree selected backend :
frontend-internal
[12/Nov/2006:11:45:03 -0800] - mapping tree release backend :
frontend-internal
[12/Nov/2006:11:45:03 -0800] - mapping tree selected backend :
frontend-internal
[12/Nov/2006:11:45:03 -0800] - mapping tree release backend :
frontend-internal
[12/Nov/2006:11:45:03 -0800] - mapping tree selected backend :
frontend-internal
[12/Nov/2006:11:45:03 -0800] - mapping tree release backend :
frontend-internal
[12/Nov/2006:11:45:03 -0800] - mapping tree release backend :
frontend-internal
[12/Nov/2006:11:45:03 -0800] - mapping tree release backend :
frontend-internal
[12/Nov/2006:11:45:03 -0800] - SRCH base="" scope=0 deref=0 sizelimit=0
timelimit=600 attrsonly=0 filter="(objectClass=*)"
attrs="supportedControl supportedExtension"
[12/Nov/2006:11:45:03 -0800] - mapping tree selected backend :
frontend-internal
[12/Nov/2006:11:45:03 -0800] - mapping tree release backend :
frontend-internal
[12/Nov/2006:11:45:03 -0800] - mapping tree selected backend :
frontend-internal
[12/Nov/2006:11:45:03 -0800] - mapping tree release backend :
frontend-internal
[12/Nov/2006:11:45:03 -0800] - mapping tree selected backend :
frontend-internal
[12/Nov/2006:11:45:03 -0800] - mapping tree release backend :
frontend-internal
[12/Nov/2006:11:45:03 -0800] - mapping tree selected backend :
frontend-internal
[12/Nov/2006:11:45:03 -0800] - mapping tree release backend :
frontend-internal
[12/Nov/2006:11:45:03 -0800] - mapping tree release backend :
frontend-internal
[12/Nov/2006:11:45:03 -0800] - mapping tree release backend :
frontend-internal
[12/Nov/2006:11:45:04 -0800] - do_extended: oid
(2.16.840.1.113730.3.5.3-Netscape Replication Start Session)
[12/Nov/2006:11:45:04 -0800] - mapping tree selected backend :
frontend-internal
[12/Nov/2006:11:45:04 -0800] - mapping tree release backend :
frontend-internal
[12/Nov/2006:11:45:04 -0800] - mapping tree selected backend :
frontend-internal
[12/Nov/2006:11:45:04 -0800] - mapping tree release backend :
frontend-internal
[12/Nov/2006:11:45:04 -0800] - mapping tree selected backend :
frontend-internal
[12/Nov/2006:11:45:04 -0800] - mapping tree release backend :
frontend-internal
[12/Nov/2006:11:45:04 -0800] - do_extended: oid
(2.16.840.1.113730.3.5.5-Netscape Replication End Session)
[12/Nov/2006:11:45:04 -0800] - mapping tree selected backend : userRoot
[12/Nov/2006:11:45:04 -0800] -    indextype: "eq" indexmask: 0x2
[12/Nov/2006:11:45:04 -0800] -    nsds50ruv: {replicageneration}
44a5cc86000000010000
[12/Nov/2006:11:45:04 -0800] -    nsds50ruv: {replica 1
ldap://hqldap01.blah.com:389} 44a5ce65000000010000 45577d66000100010000
[12/Nov/2006:11:45:04 -0800] -    nsds50ruv: {replica 2
ldap://ldap001.bo1.blah.hou:389} 44a5f47e000000020000
4553f30e000000020000
[12/Nov/2006:11:45:04 -0800] -    replace: nsds50ruv
[12/Nov/2006:11:45:04 -0800] -    -
[12/Nov/2006:11:45:04 -0800] -    nsruvReplicaLastModified: {replica 1
ldap://hqldap01.blah.com:389} 455779bf
[12/Nov/2006:11:45:04 -0800] -    nsruvReplicaLastModified: {replica 2
ldap://ldap001.bo1.blah.hou:389} 4553ef67
[12/Nov/2006:11:45:04 -0800] -    replace: nsruvReplicaLastModified
[12/Nov/2006:11:45:04 -0800] -    -
[12/Nov/2006:11:45:11 -0800] - do_modify: dn (cn=config)
[12/Nov/2006:11:45:11 -0800] - modifications:
[12/Nov/2006:11:45:11 -0800] - 	replace: nsslapd-errorlog-level
[12/Nov/2006:11:45:11 -0800] - mapping tree selected backend :
frontend-internal
[12/Nov/2006:11:45:11 -0800] - mapping tree selected backend :
frontend-internal
[12/Nov/2006:11:45:11 -0800] - mapping tree release backend :
frontend-internal
[12/Nov/2006:11:45:11 -0800] -    nsslapd-errorlog-level: 0
[12/Nov/2006:11:45:11 -0800] -    replace: nsslapd-errorlog-level
[12/Nov/2006:11:45:11 -0800] -    -
[12/Nov/2006:11:45:11 -0800] -    modifiersname: cn=directory manager
[12/Nov/2006:11:45:11 -0800] -    replace: modifiersname
[12/Nov/2006:11:45:11 -0800] -    -
[12/Nov/2006:11:45:11 -0800] -    modifytimestamp: 20061112194511Z
[12/Nov/2006:11:45:11 -0800] -    replace: modifytimestamp
[12/Nov/2006:11:45:11 -0800] -    -