
Cannot add a user because of error: Invalid syntax (pwdAttribute: value #0 invalid per syntax) #29

Open
mamiapatrick opened this issue Apr 20, 2020 · 10 comments

Comments

@mamiapatrick

Hello,
I installed Docker FusionDirectory 1.3 with openldap-fusiondirectory v2.4.49, but when I try to add a user I get a message that there is no default password policy. I tried to create the default password policy, but there is an error: pwdAttribute: value #0 invalid per syntax.

Does someone already have this issue?

@mjmucha

mjmucha commented Jun 23, 2020

I get a similar error with the current version (2.5.0) and a new container:

LDAP operation failed!

Object: cn=default,ou=ppolicies,dc=example,dc=com
Error: Invalid syntax - objectClass: pwdPolicy (objectClass: value #1 invalid per syntax, while operating on 'cn=default,ou=ppolicies,dc=example,dc=com' using LDAP server 'ldap://ldap:389') 

Please fix this! Currently I/we cannot use FusionDirectory!

@tiredofit
Owner

tiredofit commented Jun 23, 2020

I can't recreate this on my end, and have just deployed 3 installs in the past 2 weeks with 2.5.0.
Can you tell me if you have the Ppolicy overlay loaded?

This is related to the OpenLDAP container not the Fusiondirectory front end container. You can check by heading into the ldap container and typing slapcat -n0 and looking for the Ppolicy overlay.

@mjmucha

mjmucha commented Jun 23, 2020

I get the following output:

bash-5.0# slapcat -n0 | grep "Ppolicy"
olcAttributeTypes: {0}( 1.3.6.1.4.1.38414.45.1.1 NAME 'fdPpolicyRDN' DESC 'F
olcAttributeTypes: {1}( 1.3.6.1.4.1.38414.45.1.2 NAME 'fdPpolicyDefaultCn' D
olcObjectClasses: {0}( 1.3.6.1.4.1.38414.45.2.1 NAME 'fdPpolicyPluginConf' D
  cn ) MAY ( fdPpolicyRDN $ fdPpolicyDefaultCn) )

This is the setup of the OpenLDAP container:

  ldap:
    hostname: ldap.example.com
    #domainname: ldap.example.com
    image: tiredofit/openldap-fusiondirectory:latest
    container_name: ldap
    security_opt:
      - no-new-privileges:true
      - label:disable
    volumes:
      - backup:/data/backup:rw,z
      - data:/var/lib/openldap:rw,z
      - config:/etc/openldap/slapd.d:rw,z
      - /etc/nginx/certs/ldap.example.com:/assets/slapd/certs:z
    secrets:
      - LDAP_ADMIN_PASSWORD
      - LDAP_CONFIG_PASSWORD
      - LDAP_READONLY_PASSWORD
      - FUSION_ADMIN_PASSWORD
    environment:
      TIMEZONE: "Europe/Berlin"

      HOSTNAME: ldap.example.com
      BACKEND: mdb
      LOG_LEVEL: 256
      DOMAIN: example.com
      ADMIN_PASS_FILE: /run/secrets/LDAP_ADMIN_PASSWORD
      CONFIG_PASS_FILE: /run/secrets/LDAP_CONFIG_PASSWORD

      FUSIONDIRECTORY_ADMIN_USER: admin
      FUSIONDIRECTORY_ADMIN_PASS_FILE: /run/secrets/FUSION_ADMIN_PASSWORD
      ORGANIZATION: "Example Corp"

      BASE_DN: "dc=example,dc=com"
      ENABLE_READONLY_USER: "TRUE"
      READONLY_USER_USER: readonly
      READONLY_USER_PASS_FILE: /run/secrets/LDAP_READONLY_PASSWORD

      ENABLE_TLS: "TRUE"
      TLS_CRT_FILENAME: "cert.pem"
      TLS_KEY_FILENAME: "key.pem"
      TLS_CA_CRT_FILENAME: "fullchain.pem"
      TLS_ENFORCE: "FALSE"
      TLS_CIPHER_SUITE: SECURE256:+SECURE128:-VERS-TLS-ALL:+VERS-TLS1.2:-RSA:-DHE-DSS:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC
      TLS_VERIFY_CLIENT: try
      SSL_HELPER_PREFIX: ldap

      ENABLE_REPLICATION: "FALSE"
      REMOVE_CONFIG_AFTER_SETUP: "FALSE"

      ENABLE_ZABBIX: "FALSE"

      PLUGIN_ALIAS: "TRUE"
      PLUGIN_ARGONAUT: "FALSE"
      PLUGIN_AUDIT: "TRUE"
      PLUGIN_DSA: "TRUE"
      PLUGIN_LDAPDUMP: "TRUE"
      PLUGIN_LDAPMANAGER: "TRUE"
      PLUGIN_MAIL: "TRUE"
      PLUGIN_PERSONAL: "TRUE"
      PLUGIN_PPOLICY: "TRUE"
      PLUGIN_SSH: "TRUE"
      PLUGIN_SUDO: "FALSE"
      PLUGIN_SOGO: "FALSE"
      PLUGIN_SYSTEMS: "FALSE"
      PLUGIN_WEBSERVICE: "FALSE"
      #PLUGIN_GPG: "TRUE"
      PLUGIN_NEXTCLOUD: "TRUE"

      BACKUP_CONFIG_CRON_PERIOD: 0 4 * * *
      BACKUP_DATA_CRON_PERIOD: 0 4 * * *
      BACKUP_TTL: 15

      LETSENCRYPT_HOST: example.com
      LETSENCRYPT_EMAIL: webmaster@example.com
    networks:
      - nginx-proxy
      - ldap

The Ppolicy is enabled. Why is it missing?

@tiredofit
Owner

OK ppolicy is actually a tricky thing.
There are a few components to it all:

  1. The ppolicy overlay on the LDAP server
  2. The Fusiondirectory ppolicy Schema
  3. The ppolicy frontend on Fusion Directory which due to limitations in the PHP LDAP module finds a way to bypass ppolicy overlay.

It looks as if you have 2 and 3 installed but 1 is missing for some reason.
Try the following from inside the LDAP container to see if you can get the overlay installed.

/usr/bin/schema2ldif /etc/openldap/schema/ppolicy.schema > /etc/openldap/schema/ppolicy.ldif
ldapadd -c -Y EXTERNAL -Q -H ldapi:/// -f /etc/openldap/schema/ppolicy.ldif

@mjmucha

mjmucha commented Jun 23, 2020

I tried it, but sadly with no success :( Here is the console log:

bash-5.0# /usr/bin/schema2ldif /etc/openldap/schema/ppolicy.schema > /etc/openldap/schema/ppolicy.ldif
bash-5.0# ldapadd -c -Y EXTERNAL -Q -H ldapi:/// -f /etc/openldap/schema/ppolicy.ldif
adding new entry "cn=ppolicy,cn=schema,cn=config"

bash-5.0# slapcat -n0 | grep "Ppolicy"
olcAttributeTypes: {0}( 1.3.6.1.4.1.38414.45.1.1 NAME 'fdPpolicyRDN' DESC 'F
olcAttributeTypes: {1}( 1.3.6.1.4.1.38414.45.1.2 NAME 'fdPpolicyDefaultCn' D
olcObjectClasses: {0}( 1.3.6.1.4.1.38414.45.2.1 NAME 'fdPpolicyPluginConf' D
  cn ) MAY ( fdPpolicyRDN $ fdPpolicyDefaultCn) )

In FusionDirectory I now get a slightly different error than before:

LDAP operation failed!

Object: cn=default,dc=example,dc=com

Error: Invalid syntax (pwdAttribute: value #0 invalid per syntax, while operating on 'cn=default,dc=example,dc=com' using LDAP server 'ldap://ldap:389') 

This is the same error as in the opening of this issue.

@tiredofit
Owner

How bizarre. I'll have to look into detail on this one. The ppolicy stuff hasn't changed in this image for a few years now, but I wonder if something OpenLDAP version related has changed it. I'll see if I can recreate it. Will try tomorrow morning and see what I can find.

@mjmucha

mjmucha commented Jun 23, 2020

Thanks for looking into it!

@tiredofit
Owner

tiredofit commented Jun 24, 2020

Got it - I found a couple other issues in the image so need to work it out before I release a new tag. In the meantime:

  • Change to your backend, typically mdb
  • Change BASE_DN to your BASE_DN env var, i.e. dc=example,dc=com

cat <<EOF > /tmp/ppolicy-config.ldif
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: {0}ppolicy

dn: olcOverlay=ppolicy,olcDatabase={1}<BACKEND>,cn=config
changetype: add
objectClass: olcPPolicyConfig
objectClass: olcOverlayConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=ppolicies,<BASE_DN>
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: TRUE
EOF

cat <<EOF > /tmp/ppolicy-default.ldif
dn: cn=default,ou=ppolicies,<BASE_DN>
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdAllowUserChange: TRUE
pwdCheckQuality: 0
pwdExpireWarning: 0
pwdFailureCountInterval: 0
pwdInHistory: 0
pwdLockout: FALSE
pwdLockoutDuration: 0
pwdMaxAge: 0
pwdMaxFailure: 0
pwdMinLength: 0
pwdMustChange: FALSE
pwdSafeModify: FALSE
EOF

ldapadd -c -Y EXTERNAL -Q -H ldapi:/// -f /tmp/ppolicy-config.ldif 
ldapadd -c -Y EXTERNAL -Q -H ldapi:/// -f /tmp/ppolicy-default.ldif 
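As an added diagnostic for the three-component breakdown given earlier in this thread and for the ppolicy-config.ldif fix just above (example script, not part of tiredofit/openldap-fusiondirectory or of this thread): it unfolds `slapcat -n0` output and reports separately whether the ppolicy module, the pwdPolicy schema and the database overlay are present, which a plain `grep "Ppolicy"` cannot tell apart. The script name, the /tmp paths and the two LDIF fragments are constructed for the example.

```shell
#!/bin/sh
# Added diagnostic, not part of tiredofit/openldap-fusiondirectory: report which
# of the three ppolicy components is present in `slapcat -n0` output.
# In the container:  slapcat -n0 > /tmp/config.ldif && sh ppolicy_check.sh /tmp/config.ldif

# slapcat folds long values onto continuation lines starting with a space; join
# them first, otherwise grep only sees truncated lines (as happened in this thread).
unfold_ldif() {
    awk '/^ / { printf "%s", substr($0, 2); next }
         NR > 1 { printf "\n" } { printf "%s", $0 } END { printf "\n" }' "$1"
}

# Prints "module=X schema=X overlay=X", each X being present or MISSING.
check_ppolicy() {
    u=$(unfold_ldif "$1")
    module=MISSING; schema=MISSING; overlay=MISSING
    # 1. ppolicy module loaded into slapd (olcModuleLoad: {n}ppolicy or ppolicy.la)
    printf '%s\n' "$u" | grep -Eq '^olcModuleLoad: (\{[0-9]+\})?ppolicy(\.la)?$' && module=present
    # 2. ppolicy schema: the pwdPolicy objectClass, which is what defines pwdAttribute
    printf '%s\n' "$u" | grep -q "NAME 'pwdPolicy'" && schema=present
    # 3. overlay attached to a database (the part the ppolicy-config.ldif above adds)
    printf '%s\n' "$u" | grep -Eq '^olcOverlay: (\{[0-9]+\})?ppolicy$' && overlay=present
    echo "module=$module schema=$schema overlay=$overlay"
}

# Constructed fragment: only FusionDirectory's fdPpolicy schema, as reported above.
cat > /tmp/ppolicy_broken.ldif <<'EOF'
dn: cn=module{0},cn=config
olcModuleLoad: {0}back_mdb
olcObjectClasses: {0}( 1.3.6.1.4.1.38414.45.2.1 NAME 'fdPpolicyPluginConf' D
 ESC 'FusionDirectory ppolicy plugin configuration' SUP top AUXILIARY )
EOF
# Constructed fragment: state after the ppolicy-config.ldif fix from this thread.
cat > /tmp/ppolicy_fixed.ldif <<'EOF'
dn: cn=module{0},cn=config
olcModuleLoad: {0}back_mdb
olcModuleLoad: {1}ppolicy
olcObjectClasses: {0}( 1.3.6.1.4.1.42.2.27.8.2.1 NAME 'pwdPol
 icy' SUP top AUXILIARY MUST ( pwdAttribute ) )
dn: olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config
olcOverlay: {0}ppolicy
olcPPolicyDefault: cn=default,ou=ppolicies,dc=example,dc=com
EOF

# With a file argument, check it; otherwise show both constructed fragments.
if [ -n "${1:-}" ]; then check_ppolicy "$1"; else
    check_ppolicy /tmp/ppolicy_broken.ldif; check_ppolicy /tmp/ppolicy_fixed.ldif; fi
```

If `module` or `overlay` shows MISSING while `schema` is present, the server knows the pwdPolicy attributes but no database enforces them, which matches the state after the schema2ldif step earlier in this thread.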

@tiredofit
Owner

Fixed with release 7.0.0 of tiredofit/openldap-fusiondirectory.
Since you already have a working installation you can enter inside the ldap container and type fix-ppolicy. This should add the necessary bits for you.

@mjmucha

mjmucha commented Jun 30, 2020

For me it is now fixed with the version 7.0.2 :)
