Error when creating entry if default password policy is not directly in ou=ppolicies,dc=domain,dc=tld

Description

I work with an LDAP Directory where the default password policy is inside a department : cn=default,ou=ppolicies,o=worteks,dc=wsweet,dc=cloud

When creating an entry, FD search the default ppolicy in cn=default,ou=ppolicies,dc=wsweet,dc=cloud, but the entry does not exist, and the creation fails with this message:

Ppolicy "cn=default,ou=ppolicies,dc=wsweet,dc=cloud" could not be found in the LDAP! 

The result is the same if I manually set the correct policy trough the policy tab. Even with this, FD tries first to search the default password policy, I don't understand why.

Distribution Name and Version

Ubuntu 19.04

FusionDirectory Version

1.4-2~jenkinsbuild537

Plugin with the defect

fusiondirectory-plugin-ppolicy

Steps to Reproduce

1. Create default policy inside a department
2. Create a user

Expected behavior:

Entry created

Actual behavior:

Creation fails

Reproduces how often:

Always

Additional Information

OpenLDAP logs:

5ea70da0 conn=1050 op=0 BIND dn="cn=admin,dc=wsweet,dc=cloud" method=128
5ea70da0 conn=1050 op=0 BIND dn="cn=admin,dc=wsweet,dc=cloud" mech=SIMPLE ssf=0
5ea70da0 conn=1050 op=0 RESULT tag=97 err=0 text=
5ea70da0 conn=1050 op=1 SRCH base="dc=wsweet,dc=cloud" scope=2 deref=0 filter="(&(uid=ab)(|(objectClass=inetOrgPerson))(objectClass=inetOrgPerson))"
5ea70da0 conn=1050 op=1 SRCH attr=uid
5ea70da0 conn=1050 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
5ea70da0 conn=1050 op=2 do_search: invalid dn: "new"
5ea70da0 conn=1050 op=2 SEARCH RESULT tag=101 err=34 nentries=0 text=invalid DN
5ea70da0 conn=1050 op=3 SRCH base="cn=default,ou=ppolicies,dc=wsweet,dc=cloud" scope=0 deref=0 filter="(objectClass=*)"
5ea70da0 conn=1050 op=3 SRCH attr=pwdAllowUserChange pwdMinLength pwdMinAge pwdSafeModify pwdExpireWarning pwdMaxAge
5ea70da0 conn=1050 op=3 SEARCH RESULT tag=101 err=32 nentries=0 text=
5ea70da0 conn=1050 op=4 UNBIND
5ea70da0 conn=1050 fd=11 closed

added plugin-ppolicy label

assigned to @bmortier

assigned to @MCMic and unassigned @bmortier

changed milestone to %FusionDirectory 1.4

changed due date to May 05, 2020

@coudot Yeah, currently the default ppolicy is expected at the root, you can only specify the cn in fdPpolicyDefaultCn in the configuration.

We may change this to fdPpolicyDefaultDn instead?

This information is stored in olcPPolicyDefault in the overlay configuration in cn=config but FD cannot access this usually (because of LDAP acls). It seems ppolicy overlay does not make the information available elsewhere like root DSE or whatever.

added 30m of time spent at 2020-05-06

There is no need to autodetect the value from cn=config, but indeed ony to be able to put a DN for the default ppolicy in FD configuration

mentioned in commit b5ab9e92

added 1h 30m of time spent at 2020-05-06

added PJ1802-0188 label

mentioned in commit 333d61e8

Should be good, and FusionDirectory configuration will take care of the migration automatically (well, you will need to adapt the dn, but users which store the default ppolicy at ldap root won’t).

added To Be Tested label

assigned to @coudot and unassigned @MCMic