Attribute mappings for account status and password policy attributes


Nikunj Verma

Jun 20, 2023, 5:58:19 AM
to pwm-general
Hello,

We are migrating from NetIQ directory to an OpenLDAP directory. There are 2 issues we are facing:

  • We would like to use the password policies defined in LDAP and not replicate them in PWM. It appears that the attributes defined in our LDAP password policy are not the same as those of NetIQ directory and hence PWM is not able to understand the password policy defined in LDAP. Is it possible to change the default mappings of the attributes which are read from LDAP password policy to enforce the password policy restrictions?
  • There is a similar issue while reading the user attributes (especially the account/password status attributes). For example: in NetIQ the attribute defined for account is loginDisabled while in our new directory, this is not the case and the account status (enabled/disabled) is defined using some operational attributes. As a result, PWM shows incorrect account and password status in the helpdesk module. Is there a way to define the attribute mappings for these attributes as well?
Thanks in advance for your help.


Jason Rivard

Jun 20, 2023, 9:30:43 PM
to pwm-general
The LDAP vendor type is auto-detected and account/pw status attributes are mapped accordingly by the LDAPChai library. There have been updates in the last few years of PWM/LDAPChai for improved OpenLDAP support. Are you using a modern version of PWM? Also, do you have the setting 'Default Settings ⇨ LDAP Vendor Default Settings' set to OpenLDAP?

Additionally, I would recommend not using your old PwmConfiguration.xml file, and starting a new config. Open the old file in a text editor and reconfigure (or copy/paste) individual settings while evaluating if they are still appropriate for your new environment.

Nikunj Verma

Jun 23, 2023, 11:15:49 AM
to pwm-general
Thanks for your answer Jason.

I have tried below options:
  • Currently, I am using version v2.0.3 b.
  • In this version, I tried using the current configuration
  • I tried removing the current PWMConfiguration.XML and doing a completely fresh configuration
  • I tried changing the LDAP vendor to OpenLDAP and Other
  • I downloaded the latest version v2.0.6 baaefbe7 and tried all the above
With none of the above options is PWM able to correctly read the attributes and status mentioned in my initial post. Is there anything else I can test or manually configure?

Thanks in advance.

jason.e...@gmail.com

Jun 24, 2023, 3:05:13 PM
to pwm-general
OpenLDAP doesn't have a standard or default login status for enable/disable. It would be easier to just create a new virtual attribute or rename your current one to loginDisabled. It would be a bit much to try and guess all the different names people use for that in OpenLDAP.

What attributes are for password policy? You can see the attribute names pwm expects below,

Jason Rivard

Jun 26, 2023, 12:53:00 PM
to pwm-general
Thanks Jason,

I've been looking into this as well, and I was mistaken about the recent updates: those were for FreeIPA, not OpenLDAP, so the OpenLDAP implementation is still missing OpenLDAP-specific account/password status checks. I'll be doing some work with OpenLDAP and PWM soon myself, so hopefully I'll be able to improve this or find a way to make it configurable in a practical way. There is a password modify LDAP extended request handler for OpenLDAP, and a password policy reader, but the policy reader seems to expect a local file, so I think it only works if it's running on the same machine as OpenLDAP, so I doubt it's very practical. As a workaround you can just have PWM use local policy only and define the policy in PWM.

For reference the OpenLDAP user handler is here:
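As an added example (not code from PWM, LDAPChai or anyone in this thread), the following Python shows what the two workarounds suggested above amount to in practice: mapping the NetIQ-style loginDisabled flag that PWM expects, and otherwise deriving the account/password status a helpdesk view needs from the OpenLDAP ppolicy overlay's operational attributes (pwdAccountLockedTime, pwdReset, pwdChangedTime), with the expiry and lockout windows read from the pwdPolicy entry in the directory rather than from a local slapd config file. The user and policy entries are constructed sample data; the dict-of-lists shape stands in for whatever an LDAP client library returns.

```python
"""Derive account/password status from OpenLDAP ppolicy attributes.

Example added to this thread; not part of PWM or LDAPChai. Entries are
represented as dicts of attribute name -> list of string values, which is
the shape most LDAP client libraries return.
"""

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Sentinel value defined by the ppolicy draft: pwdAccountLockedTime set to
# this means the account was locked permanently by an administrator.
PERMANENT_LOCK = "000001010000Z"


def parse_generalized_time(value: str) -> datetime:
    """Parse an LDAP GeneralizedTime string such as 20230601120000Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


@dataclass
class PasswordPolicy:
    """Subset of pwdPolicy attributes needed for status derivation."""
    pwd_max_age: int = 0           # seconds; 0 means passwords never expire
    pwd_lockout_duration: int = 0  # seconds; 0 means locked until reset


def policy_from_entry(attrs: dict) -> PasswordPolicy:
    """Map a pwdPolicy entry read from LDAP to a PasswordPolicy."""
    def first_int(name: str) -> int:
        values = attrs.get(name)
        return int(values[0]) if values else 0
    return PasswordPolicy(
        pwd_max_age=first_int("pwdMaxAge"),
        pwd_lockout_duration=first_int("pwdLockoutDuration"),
    )


def account_status(attrs: dict, policy: PasswordPolicy, now: datetime) -> dict:
    """Return disabled/locked/must_change/expired flags for a user entry.

    A NetIQ-style loginDisabled attribute (what PWM expects by default, or
    an OpenLDAP virtual attribute mapped to that name) is honoured first;
    the ppolicy operational attributes are used as the fallback.
    """
    status = {"disabled": False, "locked": False, "must_change": False, "expired": False}

    login_disabled = attrs.get("loginDisabled", [])
    if login_disabled and login_disabled[0].upper() == "TRUE":
        status["disabled"] = True

    locked = attrs.get("pwdAccountLockedTime", [])
    if locked:
        if locked[0] == PERMANENT_LOCK:
            status["disabled"] = True          # administrative lock
        elif policy.pwd_lockout_duration == 0:
            status["locked"] = True            # locked until an admin resets it
        else:
            lock_until = parse_generalized_time(locked[0]) + timedelta(
                seconds=policy.pwd_lockout_duration)
            status["locked"] = now < lock_until  # temporary lockout still active?

    reset = attrs.get("pwdReset", [])
    status["must_change"] = bool(reset) and reset[0].upper() == "TRUE"

    changed = attrs.get("pwdChangedTime", [])
    if changed and policy.pwd_max_age > 0:
        expires = parse_generalized_time(changed[0]) + timedelta(seconds=policy.pwd_max_age)
        status["expired"] = now >= expires

    return status


# Constructed sample data: a 90-day max age and a 15-minute lockout.
SAMPLE_POLICY_ENTRY = {"pwdMaxAge": ["7776000"], "pwdLockoutDuration": ["900"]}
SAMPLE_NOW = datetime(2023, 6, 20, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_USERS = {
    "expired-user": {"pwdChangedTime": ["20230101000000Z"]},
    "locked-user": {"pwdChangedTime": ["20230601000000Z"],
                    "pwdAccountLockedTime": ["20230620115500Z"]},
    "admin-locked-user": {"pwdAccountLockedTime": [PERMANENT_LOCK]},
    "netiq-style-user": {"loginDisabled": ["TRUE"]},
    "reset-user": {"pwdChangedTime": ["20230615000000Z"], "pwdReset": ["TRUE"]},
}


def demo() -> dict:
    """Evaluate every sample user against the sample policy."""
    policy = policy_from_entry(SAMPLE_POLICY_ENTRY)
    return {name: account_status(attrs, policy, SAMPLE_NOW)
            for name, attrs in SAMPLE_USERS.items()}


if __name__ == "__main__":
    for name, flags in demo().items():
        print(f"{name:20s} {flags}")
```

The only directory-specific piece is the attribute names in account_status; if a deployment exposes its own status attribute, pointing that one function at it (or publishing a virtual loginDisabled attribute, as suggested above) is the whole mapping.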

Nikunj Verma

Jul 3, 2023, 3:52:05 AM
to pwm-general
Hello,

Thanks a lot for your answers. I understand that the current version is not capable of handling these requests correctly as it did with NetIQ.
I am looking into the code and trying some quick modifications.

Thanks