Hi,
On Thursday 16 June 2011 14:09:43 Simo Sorce wrote:
> On Thu, 2011-06-16 at 11:32 +0200, Sumit Bose wrote:
> > Hi,
> >
> > by chance I realized that an OpenLDAP server does not list all
> > controls it can handle in the rootDSE attribute supportedControl.
> >
> > Especially LDAP_CONTROL_PASSWORDPOLICY is not listed. According to
> > the OpenLDAP developers this is because the related spec
> > (http://tools.ietf.org/html/draft-behera-ldap-password-policy-10) is
> > still a draft and not finalized
> > (http://www.openldap.org/lists/openldap-software/200606/msg00220.html).
> > Since sssd only uses controls which are in the supportedControl
> > list we will not be able to give the user expiration warnings or
> > information about grace logins for OpenLDAP servers with the
> > password policy overlay enabled.
> >
> > I'm not sure if we need to do anything about it but at least I think
> > it is good to be aware of.
> Maybe we can have an override option where we list the OIDs we know
> are supported even though they are not listed in rootDSE. It may be
> useful for testing and other purposes too.
Even though a list of OIDs might work, I find it somewhat inconvenient to
use. I'd prefer a separate config keyword for every control one wants to
enable/disable. If I grep'ed the sources correctly sssd currently
supports three different LDAP controls (deref, paged results and password
policy) so adding config keywords for each of those does seem to be too much
of a problem.

BTW, there is another problem with using the information from the
rootDSE. If the server (like OpenLDAP and AFAIK 389DS as well) supports
multiple backend databases, the supported controls might differ between
the configured databases. The rootDSE does not give any information about
which database supports which controls (and extensions). Additionally,
even if a specific control is returned in the rootDSE there might be good
reason not to use it (e.g. I don't see a good reason for using paged
results with OpenLDAP by default).
regards,
Ralf
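The decision logic discussed in the thread, as an added example that is not sssd's code: the client reads the rootDSE supportedControl list and then applies a per-control config keyword (auto / force on / force off), so a control the server leaves out of the rootDSE, such as the password policy control on OpenLDAP, can still be enabled deliberately. The config keyword names, the sample rootDSE entry and the helper functions are assumptions for illustration; the control OIDs are the well-known ones and do not appear in the thread.

```python
# Added example (not sssd code): decide which LDAP controls a client may use,
# combining the server's advertised supportedControl list with per-control
# config overrides. Names and the sample rootDSE below are constructed.
from typing import Dict, List, Optional

# Well-known control OIDs (assumed from public specs, not from the thread).
PASSWORD_POLICY = "1.3.6.1.4.1.42.2.27.8.5.1"   # draft-behera-ldap-password-policy
PAGED_RESULTS = "1.2.840.113556.1.4.319"        # RFC 2696
DEREF = "1.3.6.1.4.1.4203.666.5.16"             # OpenLDAP deref control

# Hypothetical config keyword -> control OID (one keyword per control).
CONTROLS: Dict[str, str] = {
    "ldap_use_ppolicy": PASSWORD_POLICY,
    "ldap_use_paged_results": PAGED_RESULTS,
    "ldap_use_deref": DEREF,
}

# Constructed rootDSE entry: OpenLDAP-style server that advertises paged
# results and deref but omits the password policy control.
ROOTDSE_LDIF = """\
dn:
objectClass: top
objectClass: OpenLDAProotDSE
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.3.6.1.4.1.4203.666.5.16
supportedLDAPVersion: 3
"""


def parse_supported_controls(ldif: str) -> List[str]:
    """Return the OIDs listed as supportedControl in a rootDSE LDIF entry."""
    oids: List[str] = []
    for line in ldif.splitlines():
        attr, sep, value = line.partition(":")
        if sep and attr.strip().lower() == "supportedcontrol":
            oids.append(value.strip())
    return oids


def decide_controls(advertised: List[str],
                    config: Dict[str, Optional[bool]]) -> Dict[str, bool]:
    """Per control: None/absent = use only if advertised (the current sssd
    behaviour), True = force on even if missing from rootDSE, False = never."""
    decision: Dict[str, bool] = {}
    for keyword, oid in CONTROLS.items():
        setting = config.get(keyword)
        decision[keyword] = (oid in advertised) if setting is None else setting
    return decision
```

With an empty config the result matches today's rootDSE-only behaviour; setting `ldap_use_ppolicy` to true turns the control on for an OpenLDAP server that does not advertise it, and `ldap_use_paged_results` set to false disables paging even though it is advertised.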