Using different clients to change passwords results in different stored password forms
by kadafax
Hi list,
As I don't know whether this behavior comes from my slapd itself, I'm not
giving too many details on it. Here is what's happening:
in slapd.conf I have 'password-hash {SSHA}', so I'm expecting that each
password attribute change results in a new SSHA-hashed password.
Our users can change their password in several ways, which all result in
different stored password hashes (cleartext (!), SHA, but not SSHA).
Is the hashing type specified on the client's side and not enforced
by the directory? Can someone give me some pointers to docs explaining
how the password change mechanism works in OpenLDAP?
kfx
16 years, 2 months
is_entry_objectclass("",*) no objectClass attribute
by Michael Ströder
Hi!
What do these messages (OpenLDAP 2.3.30) during startup mean?
These OIDs are object classes subentry, alias and referral.
Dec 7 10:46:07 nb2 slapd[5158]: is_entry_objectclass("", "2.5.17.0") no
objectClass attribute
Dec 7 10:46:07 nb2 slapd[5158]: is_entry_objectclass("", "2.5.6.1") no
objectClass attribute
Dec 7 10:46:07 nb2 slapd[5158]: is_entry_objectclass("",
"2.16.840.1.113730.3.2.6") no objectClass attribute
Ciao, Michael.
--
Michael Ströder
E-Mail: michael(a)stroeder.com
http://www.stroeder.com
16 years, 2 months
Using rewrite and map (slapo-rwm) to unify subordinate OpenLDAP with Active Directory
by Andrew Kay
Hi,
(Apologies if anybody has already received this, I sent the message
before subscribing to the list and later discovered that it may not be
relayed if I wasn't a subscriber.)
I am trying to configure OpenLDAP such that it acts as a subordinate
to an Active Directory server to allow applications to seamlessly
authenticate users against both directories via the OpenLDAP server
(some users will be in OpenLDAP, some in AD). The directory suffixes
are set up as follows, for example:
Active Directory dc=xyz, dc=com
OpenLDAP ou=Extranet, dc=xyz, dc=com (subordinate)
I have successfully configured OpenLDAP such that a query with a base
"dc=xyz, dc=com" will return results from both directories.
I now want to add a rewrite rule to entries from the AD directory such
that Microsoft object classes (user and group) are transformed into
inetOrgPerson and groupOfNames respectively. Also, I'd like the
SAMAccountName attribute to be mapped to an attribute named uid. I
followed the example of using the rwm overlay here:
http://www.openldap.org/lists/openldap-software/200510/msg00256.html
I was then able to perform a query on the uid attribute against the AD
directory, the entry was returned rewritten as an inetOrgPerson as I
had expected.
However, I am no longer able to perform a query on the uid attribute
against the subordinate OpenLDAP directory (base "ou=Extranet, dc=xyz,
dc=com") as, AFAIK, the rewrite rule is removing it from the query,
results or both.
Is it possible to only apply such rewrite rules to entries within the
AD directory, and leave entries stored in the OpenLDAP subordinate
directory untouched, or is there a better way to approach this
problem?
Andrew
16 years, 2 months
Re: Using rewrite and map (slapo-rwm) to unify subordinate OpenLDAP with Active Directory
by Gavin Henry
<quote who="Andrew Kay">
> Gavin,
>
> Thanks for your reply. Apologies for the delay in replying, I've been
> away from a computer for the past two days.
Did you see Howard's reply?
"You need to configure the rwm overlay so that it only applies to the
main DB. You do this by explicitly configuring the position of the glue
overlay, putting it above the rwm overlay:
database ldap
suffix dc=xyz,dc=com
...
overlay rwm
...
overlay glue
"
>
> The database portion of my configuration file is currently:
>
> database bdb
> suffix "ou=Extranet, ou=XYZ, dc=xyz, dc=com"
> subordinate
> rootdn "cn=Manager, ou=Extranet, ou=XYZ, dc=xyz, dc=com"
> rootpw secret
> directory /usr/local/var/openldap-data
> index objectClass eq
>
> database ldap
> suffix "ou=XYZ, dc=xyz, dc=com"
> uri "ldap://dc1"
>
> acl-bind
>         bindmethod=simple
>         binddn="cn=Andrew Kay, ou=Users, ou=XYZ, dc=xyz, dc=com"
>         credentials="secret"
>
> idassert-bind
>         bindmethod=simple
>         binddn="cn=Andrew Kay, ou=Users, ou=XYZ, dc=xyz, dc=com"
>         credentials="secret"
>         mode=none
>         authzId="dn:cn=Andrew Kay, ou=Users, ou=XYZ, dc=xyz, dc=com"
>
> idassert-authzFrom "dn.children:ou=XYZ, dc=xyz, dc=com"
>
> overlay rwm
> rwm-map objectclass inetOrgPerson user
> rwm-map objectclass groupOfNames group
> rwm-map attribute uid sAMAccountname
> rwm-map attribute cn name
> rwm-map attribute sn sn
> rwm-map attribute mail mail
> rwm-map attribute member member
> rwm-map attribute *
>
> If I run a query against a user from the AD portion of the directory:
>
> extranet:~# ldapsearch -x -D "cn=Manager, ou=Extranet, ou=XYZ, dc=xyz,
> dc=com" -W -b "ou=Users, ou=XYZ, dc=xyz, dc=com" "(cn=Andrew Kay)"
> ...
>
> # Andrew Kay, Users, XYZ, xyz.com
> dn: cn=Andrew Kay,ou=Users,ou=XYZ,dc=xyz,dc=com
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> sn: Kay
> cn: Andrew Kay
> uid: Andrew
> mail: andrew.kay(a)xyz.com
>
> ...
> extranet:~#
>
> The AD user is successfully mapped to an inetOrgPerson. If I run a
> query against a user from the OpenLDAP portion of the directory, where
> the user is already an inetOrgPerson:
>
> extranet:~# ldapsearch -x -D "cn=Manager, ou=Extranet, ou=XYZ, dc=xyz,
> dc=com" -W -b "ou=Extranet, ou=XYZ, dc=xyz, dc=com" "(cn=John Smith)"
> ...
>
> # John Smith, Users, Extranet, XYZ, xyz.com
> dn: cn=John Smith,ou=Users,ou=Extranet,ou=XYZ,dc=xyz,dc=com
> objectClass: inetOrgPerson
> sn: Smith
>
> ...
> extranet:~#
>
> The result is missing the uid field. If I comment out all rwm
> directives in the configuration and perform the same query (after
> restarting OpenLDAP), I get the following:
>
> extranet:~# ldapsearch -x -D "cn=Manager, ou=Extranet, ou=XYZ, dc=xyz,
> dc=com" -W -b "ou=Extranet, ou=XYZ, dc=xyz, dc=com" "(cn=John Smith)"
> ...
>
> # John Smith, Users, Extranet, XYZ, xyz.com
> dn: cn=John Smith,ou=Users,ou=Extranet,ou=XYZ,dc=xyz,dc=com
> objectClass: inetOrgPerson
> cn: John Smith
> sn: Smith
> uid: john.smith
> userPassword:: am9obi5zbWl0aA==
>
> ...
> extranet:~#
>
> If I query the AD portion of the directory I receive the unaltered
> user, with AD schema attributes such as SAMAccountName.
>
>
> Andrew
>
16 years, 2 months
identifying weak passwords
by Thierry Lacoste
I'm running OpenLDAP 2.3.24 on a production server.
As I was in a hurry and discovering LDAP when I installed it,
I didn't enforce any password policy.
Now I would like to identify weak passwords to warn their
users. What are my options?
Best regards,
Thierry.
16 years, 2 months
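Added example (not code from the list or from OpenLDAP) covering the two password threads above, the one about different stored hash forms and this one about identifying weak passwords. Background the posts do not state: slapd's password-hash directive only applies to the Password Modify extended operation (RFC 3062); a client that writes userPassword with an ordinary LDAP modify stores whatever it sends, cleartext included, unless something like slapo-ppolicy's ppolicy_hash_cleartext is in place. So the first thing to audit is what is actually stored. The script below parses a slapcat-style LDIF dump, classifies each userPassword by scheme, and checks it against a short list of known-weak candidates so the affected users can be warned. The three entries in SAMPLE_LDIF and the candidate list are constructed here; the first entry reuses the cleartext value visible in the rwm thread, the other two are hypothetical users.

```python
"""Audit userPassword values from an LDIF dump (e.g. slapcat output).

Constructed example, not code from OpenLDAP or from any poster on the list.
"""
import base64
import hashlib
import hmac
import re

SHA1_DIGEST_LEN = 20


def ssha_hash(password: str, salt: bytes) -> str:
    """OpenLDAP-style {SSHA}: base64(sha1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def sha_hash(password: str) -> str:
    """Unsalted {SHA}: base64(sha1(password)). Equal passwords give equal values."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def scheme_of(stored: str) -> str:
    """Return the RFC 2307 scheme tag in upper case, or CLEARTEXT if there is none."""
    m = re.match(r"\{([A-Za-z0-9_-]+)\}", stored)
    return m.group(1).upper() if m else "CLEARTEXT"


def verify(stored: str, candidate: str) -> bool:
    """Check a candidate against a stored value; handles cleartext, {SHA} and {SSHA}."""
    scheme = scheme_of(stored)
    cand = candidate.encode("utf-8")
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(stored.encode("utf-8"), cand)
    payload = base64.b64decode(stored[stored.index("}") + 1:])
    if scheme == "SSHA":
        # The salt is whatever follows the 20-byte SHA-1 digest (slapd uses 4 bytes).
        digest, salt = payload[:SHA1_DIGEST_LEN], payload[SHA1_DIGEST_LEN:]
        return hmac.compare_digest(hashlib.sha1(cand + salt).digest(), digest)
    if scheme == "SHA":
        return hmac.compare_digest(hashlib.sha1(cand).digest(), payload)
    return False  # {CRYPT}, {MD5}, ... are out of scope for this example


def _ldif_value(line: str) -> str:
    """Decode one LDIF attribute line; '::' marks a base64-encoded value."""
    _, rest = line.split(":", 1)
    if rest.startswith(":"):
        return base64.b64decode(rest[1:].strip()).decode("utf-8")
    return rest.strip()


def iter_passwords(ldif_text: str):
    """Yield (dn, userPassword) pairs, unfolding LDIF continuation lines first."""
    unfolded = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and unfolded:  # a leading space continues the previous line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    dn = None
    for line in unfolded:
        if line.lower().startswith("dn:"):
            dn = _ldif_value(line)
        elif line.lower().startswith("userpassword:") and dn is not None:
            yield dn, _ldif_value(line)


def audit(ldif_text: str, weak_candidates):
    """Return [(dn, scheme, reasons)] for every entry that carries a userPassword."""
    findings = []
    for dn, stored in iter_passwords(ldif_text):
        scheme = scheme_of(stored)
        reasons = []
        if scheme == "CLEARTEXT":
            reasons.append("stored in cleartext")
        elif scheme == "SHA":
            reasons.append("unsalted SHA: equal passwords share one hash")
        for cand in weak_candidates:
            if verify(stored, cand):
                reasons.append(f"matches weak candidate {cand!r}")
                break
        findings.append((dn, scheme, reasons))
    return findings


# Constructed sample dump. The first entry reuses the cleartext value shown in
# the rwm thread (am9obi5zbWl0aA== is base64 of "john.smith"); the other two
# are hypothetical users whose hashes are computed right here.
SAMPLE_LDIF = "\n".join([
    "dn: cn=John Smith,ou=Users,ou=Extranet,ou=XYZ,dc=xyz,dc=com",
    "objectClass: inetOrgPerson",
    "userPassword:: am9obi5zbWl0aA==",
    "",
    "dn: cn=alice,ou=People,dc=example,dc=com",
    "userPassword: " + sha_hash("password"),
    "",
    "dn: cn=bob,ou=People,dc=example,dc=com",
    "userPassword:: " + base64.b64encode(
        ssha_hash("Tr0ub4dor&3", b"\x01\x02\x03\x04").encode("ascii")).decode("ascii"),
    "",
])

WEAK_CANDIDATES = ["password", "123456", "john.smith"]  # constructed, keep your own list

if __name__ == "__main__":
    for dn, scheme, reasons in audit(SAMPLE_LDIF, WEAK_CANDIDATES):
        print(f"{scheme:9} {dn}: {'; '.join(reasons) or 'ok'}")
```

Run it against a real dump with slapcat -l dump.ldif and read the file into audit(); the scheme column alone tells you which client path wrote each entry (cleartext and {SHA} rows were not produced by the Password Modify operation with password-hash {SSHA} in force), and the candidate check is only as good as the list you feed it.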
schemacheck in slapd.conf
by Anant S Athavale
Dear List:
In version 2.0.x of OpenLDAP, I used to use schemacheck off in the
slapd.conf file. But in the newer version 2.3.x, this directive is
being ignored.
I want schemacheck to be disabled; how do I achieve this in the
current version?
Regards,
Anant Athavale,
16 years, 2 months
slapd running at 100% of the CPU?
by Mike
Slapd was fine this weekend, then yesterday it went to 100% of the CPU
and load average of 1.0+. No filesystems are full and I can find no
mention of an issue in /var/log/*. Where can I look next for what's going
on?
I had this happen a few weeks ago, but I thought it was due to a full
file system at the same time.
Mike
Red Hat Fedora Core 5 with all the latest patches
[mikee@host ~]$ rpm -qa | grep ldap
openldap-devel-2.3.19-4
ldapjdk-4.17-1jpp_3fc.1.1
openldap-clients-2.3.19-4
nss_ldap-249-1
python-ldap-2.0.6-5.2.1
cyrus-sasl-ldap-2.1.21-10
openldap-servers-2.3.19-4
smbldap-tools-0.9.2-3.fc5
openldap-2.3.19-4
mod_authz_ldap-0.26-6.2.1
16 years, 2 months
hi, question about slapd.d configuration changed on the fly
by cosmih
hi,
I use the latest version of OpenLDAP (2.3.30, compiled by hand) and I am trying to
implement a "slapd.d" configuration.
First I made my slapd.conf file and after that I started the LDAP server with the
"slapd -f slapd.conf -F slapd.d" command.
After that, in the slapd.d directory I have a cn=config.ldif file and a
directory cn=config .... In this directory I have olcDatabase={2}bdb.ldif
for my LDAP base.
On the second start of the LDAP server I used this command: "/path/to/slapd -F
/path/to/slapd.d".
If I modify some access rules in this file I must restart slapd to see
that these new access rules are used ....
How can I make these access rules be used on the fly? (From the administrator's
guide: The LDAP configuration engine allows all of slapd's configuration
options to be changed on the fly, generally without requiring a server
restart for the changes to take effect.)
thanks
16 years, 2 months
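An added example from the editor, not from the poster or the OpenLDAP project, showing the on-the-fly mechanism the administrator's guide is describing. A hand edit of olcDatabase={2}bdb.ldif is only read when slapd starts; what a running slapd does pick up is a modification sent over LDAP to the cn=config tree, and it then rewrites the .ldif file itself. The LDIF below replaces the complete olcAccess list of the {2}bdb database named in the post (the two rules are placeholders, and "replace" discards every existing olcAccess value, so always send the full list). It assumes the config database (olcDatabase={0}config) has an olcRootDN of cn=config and an olcRootPW set, which a slapd.conf converted without those lines will not have.

```ldif
# Added example, not the poster's configuration. Send with:
#   ldapmodify -x -H ldap://localhost -D cn=config -W -f acl.ldif
# The {n} prefixes fix the evaluation order of the olcAccess values.
dn: olcDatabase={2}bdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to * by * read
```

After the modify returns success the new rules are live immediately, and olcDatabase={2}bdb.ldif in slapd.d now contains them; read it back with ldapsearch -x -D cn=config -W -b olcDatabase={2}bdb,cn=config olcAccess rather than trusting the file on disk.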
Need some help on a specific ACL
by Rob Tanner
Hi,
I have most of this bloody long ACL working right, but I still need
anonymous access to any entry under the "ou=people,o=linfield.edu" base
DN for the purpose of authentication. I need to be able to search on
the UID in order to retrieve the full DN of the entry. None of my
trials have been successful. Can someone please help?
Thanks,
Rob
access to dn.one="ou=people,o=linfield.edu"
        attrs=userpassword
        by anonymous auth
access to dn.one="ou=people,o=linfield.edu"
        by dn="cn=Postfix,ou=Special Users,o=linfield.edu" read
        by group/linfieldGroupOfUniqueNames/uniqueMember="cn=ferpa administrators,ou=People,o=linfield.edu" read
access to dn.one="ou=people,o=linfield.edu"
        filter=(!(ou=student))
        by * read
access to dn.one="ou=people,o=linfield.edu"
        filter=(&(!(ferpaStatus=Private))(!(entryStatus=Inactive))(ou=student))
        by * read
access to dn.one="ou=people,o=linfield.edu"
        filter=(&(!(ou=Student))(!(entryStatus=Inactive)))
        by * read
access to dn.one="ou=people,o=linfield.edu"
        attrs=userPassword,maillocaladdress,useDefaultAlias,spamdisposition,checkForDirtyWords
        by self write
--
Rob Tanner
UNIX Services Manager
Linfield College, McMinnville OR
16 years, 2 months
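An added note and fragment from the editor, not the poster's configuration. The way slapd evaluates access directives explains why the trials fail: the first "access to" clause whose target matches the entry and attribute is the only one consulted, and when none of its "by" clauses matches the requester, access is denied at that point. In the posted ACL the second clause matches every attribute of every entry under ou=people and has no "by" clause for anonymous, so an anonymous search never reaches the later "by * read" rules. The same ordering keeps the final "by self write" on userPassword from ever being evaluated, because the first clause already claimed attrs=userpassword (attribute names match case-insensitively). The fragment below grants anonymous exactly the search needed for the bind lookup and is meant to sit before the Postfix/FERPA clause; "by * break" hands every other requester on to the clauses that follow, which stay as posted.

```text
# Added example (not the poster's ACL). Clauses are evaluated in order and the
# first "access to" clause whose target matches decides for that attribute.
access to dn.one="ou=people,o=linfield.edu" attrs=userPassword
        by self write
        by anonymous auth
        by * none

# "entry" is the pseudo-attribute that controls whether an entry may be
# returned at all; read on uid lets a (uid=...) filter match for the bind
# lookup, and read on entry lets the matching DN come back to the client.
access to dn.one="ou=people,o=linfield.edu" attrs=entry,uid
        by anonymous read
        by * break

# The existing Postfix / FERPA administrators / student-filter clauses follow.
```

Keep the self-write attributes other than userPassword in the last posted clause; only userPassword had to move up, because its first matching clause is the one that decides.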