Description of problem:

This is in the context of IPA.

I have an extended operation plugin that implements password policy using the kerberos password policy attributes. I wanted to add a Class of Service template so I could do per-group policy based on memberOf. So I created the CoS templates and verified that a user in the group had the right value.

The CoS looks like this:

dn: cn=Password Policy,cn=accounts,dc=example,dc=com
description: Password Policy based on group membership
objectClass: top
objectClass: ldapsubentry
objectClass: cosSuperDefinition
objectClass: cosClassicDefinition
cosTemplateDn: cn=cosTemplates,cn=accounts,dc=example,dc=com
cosAttribute: krbPwdPolicyReference
cosSpecifier: memberOf

dn: cn="cn=group1,cn=groups,cn=accounts,dc=example,dc=com", cn=cosTemplates,cn=accounts,dc=example,dc=com
objectClass: top
objectClass: cosTemplate
objectClass: extensibleobject
objectClass: krbContainer
krbPwdPolicyReference: cn="cn=group1,cn=groups,cn=accounts,dc=example,dc=com",
 cn=nsPwPolicyContainer,dc=example,dc=com
cosPriority: 1

And to be sure that the attr is there:

% ldapsearch -x -b "dc=example,dc=com" uid=tuser1 krbPwdPolicyReference
dn: uid=tuser1,cn=users,cn=accounts,dc=example,dc=com
krbPwdPolicyReference: cn="cn=group1,cn=groups,cn=accounts,dc=example,dc=com",
 cn=nsPwPolicyContainer,dc=example,dc=com

Ok. So in my extended op plugin I want to pull the right policy so I first look in the entry for the krbPwdPolicyReference attribute.

I'm getting the entry with slapi_search_internal_get_entry() and explicitly including the attribute in the attrlist. I've tried both with the attribute as operational and not.

It appears that CoS isn't getting fired off on internal searches.

Note that I also tried with nsAccountLock but we have a similar CoS template for that. I had the same results, no attribute returned.

Version-Release number of selected component (if applicable):

389-ds-base-1.2.1-1.fc11.i586