openldap-software April 2007

openldap-software@openldap.org

90 participants
96 discussions

ppolicy pwdreset problem
by aleem bagwan 27 Apr '07

27 Apr '07

Hi, I m using openldap-2.3.4 version with ppolicy enabled. I have a problem with the reset feature. If i set pwdReset and pwdMustChange attribute for a user, say testuser, I can see that it works as expected using ldapsearch command ie it never allows u to login & asks u to modify the password. Now for the problem: At the client side(say PHP), If i bind to the server using testuser and resetted password, i m allowed to log in..How is that possible...it should not work that way..right..It should emulate ldapsearch..am i right? So the basic question is: Does ldap check the password restrictions(especially pwdreset,as my other restrictions like account locked etc....r getting checked) at bind time? If yes..then why the above problem... thanks. --------------------------------- Ahhh...imagining that irresistible "new car" smell? Check outnew cars at Yahoo! Autos.

2 1

LDAP authenticaton against PAM how-to
by manu＠netbsd.org 27 Apr '07

27 Apr '07

Hi I banged my head on OpenLDAP -> SASL -> PAM for two days. The status of the documentation is really horrible. Until someone eventually fix that, here is for future reference what I had to do (the NetBSD system parts are out of topic, but I added them for the sake of completeness) Configuration: NetBSD-3.1 OpenLDAP-2.3.27 from NetBSD's pkgsrc Cyrus-SASL-2.1.22 from NetBSD's pkgsrc 1) Install the software 1.1 Fix pkgsrc a bug In /usr/pkgsrc/databases/openlda-server/options.mk, change --with-spasswd into --enable-spasswd 1.2 Install the following packages: Set build options for pkgsrc: in /etc/mk.conf: PKG_RCD_SCRIPTS=YES PKG_OPTIONS.openldap-client+=sasl PKG_OPTIONS.openldap-server+=sasl PKG_OPTIONS.cyrus-saslauthd+=pam 1.3 Install the following packages: database/openldap security/cyrus-sasl security/saslauthd security/cy2-plain 1.4 Fix another pkgsrc bug: cd /usr/pkgsrc/database/openldap-server/ cd work/openldap-2.3.27/libraries/libldap_r make && make install 2) Configure PAM Create /etc/pam.ldap and populate it with your PAM configuration 3) Configure SASL 3.1 Enable saslauthd, by adding this to /etc/rc.conf: saslauthd=YES saslauthd_flags="-a pam 3.2 Then start it: /etc/rc.d/saslauthd start 3.3 Configure the SASL library for slapd, by creating /usr/pkg/lib/sasl2/slapd.conf, with the following content: pwcheck_method: saslauthd saslauthd_path: /var/run/saslauthd/mux 3.4 Check SASL functionnality testsaslauthd -s ldap -u login -p password Make sure a wrong password really fails... 4) Configure OpenLDAP (the nasty part) 4.1 Enable PLAIN mechanism (disabled by default) in /usr/pkg/etc/openldap/slapd.conf, by adding: sasl-secprops none You don't need sasl-regex or authz-regex. 4.2 Enable TLS: Generate TLS certificate, and add certificate, key and CA to /usr/pkg/etc/openldap/slapd.conf: TLSCertificateFile /etc/openssl/certs/botin.crt TLSCertificateKeyFile /etc/openssl/private/botin.key TLSCACertificateFile /etc/openssl/certs/ca.crt 4.3 Populate the directory, make sure that user cn=jdoe,dc=example,dc=net has this: userPassword: {SASL}jdoe 4.4 Enable slapd, by adding to /etc/rc.conf: slapd=YES 4.5 Start slapd: /etc/rc.d/slapd start 4.6 Check that slapd will accept PLAIN SASL authentication: ldapsearch -x -b "" -s base supportedSASLMechanisms You should get: supportedSASLMechanisms: PLAIN 4.7 Configure the LDAP client, in /usr/pkg/etc/openldap/ldap.conf: BASE dc=example,dc=net TLS_CACERT /etc/openssl/certs/ca.crt SASL_MECH PLAIN SASL_SECPROPS none 4.8 Check that the whole thing works: ldapsearch -x -WZD cn=jdoe,dc=example,dc=net Don't forget to make sure a wrong password fails... NB1: saslauthd logs in /var/log/authlog, the error messages are useful NB2: slapd logs in /var/log/slapd.conf, the error messages are usually meaningless, especially for ACL and SASL troubles. NB3: Make sure your DN is right. I spent a lot of time running tests with an invalid DN (ie: dc=jdoe instead of cn=jdoe) -- Emmanuel Dreyfus http://hcpnet.free.fr/pubz manu(a)netbsd.org

13 30

re: cn=config howto?
by Wai Phang 27 Apr '07

27 Apr '07

Hi Dieter, I am using the sample config from the Configuring Slapd section. Here's what's inside. # BDB definition for example.net dn: olcDatabase=bdb,cn=config objectClass: olcDatabaseConfig objectClass: olcBdbConfig olcDatabase: bdb olcSuffix: "dc=example,dc=net" olcDbDirectory: /usr/local/var/openldap-data-net olcRootDN: "cn=Manager,dc=example,dc=com" olcDbIndex: objectClass eq olcAccess: to * by users read Thank you. -- Est Solaris Oth Mithas

2 1

Replication failure after error fixed
by Dave Horsfall 27 Apr '07

27 Apr '07

OpenLDAP 2.3.32 (our policy is to run STABLE unless there's a bugfix we need). Most of our sites replicate direct to each other (SyncRepl; you need to know that data for a country is mastered in that country), except for one situation: A <-> B <-> C A and C are masters for their data, and B is a pure slave. For political reasons (i.e. it won't get fixed) A and C cannot replicate direct. Because a schema change was not made on B, some updated data on A did not get through. All well and good, we fix the schema on B, and wait for the update (we use refreshAndPersist). Except it never happened. Blowing away the slave on B caused it to update (of course), except it still never reached C, until it in turn was repopulated. Am I looking at a replication bug? It seems to me that once the schema was fixed, the replication should have happened. Or am I not understanding how SyncRepl works? -- Dave Horsfall DTM VK2KFU daveh(a)ci.com.au Ph: +61 2 9552-5509 (d) -5500 (sw) Corinthian Eng'ng P/L, Ste 54 Jones Bay Whf, 26-32 Pirrama Rd, Pyrmont 2009, AU

3 8

Password policy replication problem
by D.Igbe＠westminster.ac.uk 26 Apr '07

26 Apr '07

Please can someone help--I have setup password policy using ppolicy overlay and account replication using slurpd.All is working except that when an account is locked on the master openldap server, it does not get replicated to the slaves. In other words, a locked account is denied access on the master sever but the user can stll logon on the slaves.Any help would be really appreciated. Thanks Damian

1 0

dirtyread in backhdb
by Johan Jönemo 26 Apr '07

26 Apr '07

I am trying out an application with lots of directory modifcation with a hdb backend. I have put in the directive "dirtyread" in the conf file under the hdb database. I had the impression that this would enable me to read and write to the directory at the same time. This doesn't seem to be the case however. It seems that writes wait for all reads. Is this correct? Is there something else I could do? The occasional error or inconsistency is acceptable. Johan Jönemo

1 0

slapd becoming mysteriously slow
by Johan Jönemo 26 Apr '07

26 Apr '07

I have made a test package to see if people understanding openLDAP better than I do can reproduce and possibly explain the strange behavior I have been plagued by. I run an application that updates a directory more or less continuously and it runs at a reasonable speed. Often this can last for hours. Then everything slows down drastically (by more than a factor 10) in one instant (i e it doesn't slow down gradually). I think that slapd spends long times in some kind of waiting state. I base this on the fact that I can induce the behaviour regardless of which of a large number of methods I have tried on the "client" side, i e the application updating the directory. I have tried calling the ldap client tools from shell scripts and using the API with perl bindings and so on. The WCHAN seem to be the same most of the time that te application is slow. Unfortunately I wasn't able to make any sense of this numerical information (I'm not too familiar with kernels and such). I have got this behaviour with different versions of openLDAP I have tried (the newest being 2.3.32). Different Berkley db packages in the range 4.3-4.5 didn't seem to matter. The instructions for the package can be found at: http://www.hep.lu.se/staff/jonemo/README.txt And the test package itself at: http://www.hep.lu.se/staff/jonemo/cached-dryrun.tar.bz2 It does a none intrusive set-up in order to set some paths but it doesn't copy anything to outside its own directory. It starts an instance of the local slapd on a non-standard port using its own configuration and schema. I would be very interested if anyone would try out this package and see if they can explain the behavior (or reproduce it at all, as the case may be). Thanks in advance Johan Jönemo

3 2

Ppolicy DIGEST-MD5 ignore expired password
by Jiri Netolicky 25 Apr '07

25 Apr '07

Have a nice day. I have to implement password policy in our OpenLdap. During testing futures of ppolicy module I found that they ignore expired password when I authenticate user by SASL DIGEST-MD5. When I try on exprired account: ldapwhoami -xD "cn=Kokos Velky,ou=TestUsers,ou=People,o=Ceske drahy,c=CZ" the answer is: ldap_bind: Invalid credentials (49) and in slapd log: ppolicy_bind: Entry cn=Kokos Velky,ou=TestUsers,ou=People,o=Ceske drahy,c=CZ has an expired password: 0 grace logins But when I try ldapwhoami -Y DIGEST-MD5 -U kokos1 the answer is SASL/DIGEST-MD5 authentication started SASL username: kokos1 SASL SSF: 128 SASL installing layers dn:cn=kokos velky,ou=testusers,ou=people,o=ceske drahy,c=cz Result: Success (0) In slapd.conf I have sasl-regexp uid=(.*),cn=digest-md5,cn=auth "ldap:///o=Ceske drahy,c=CZ??sub?(&(uid=$1)(|(objectClass=inetOrgPerson) (objectClass=applicationProcess)))" What I am doing wrong? Many thanks for advice. Jiri Netolicky

2 3

Sort ldap results
by Martin Hochreiter 25 Apr '07

25 Apr '07

How can I generally sort ldap querys by any attribute? (I don't mean queries via ldapsearch command, I mean force the server to sort a special tree by e.g. gecos) lg Martin

3 2

Re: cn=config howto?
by Wai Phang 25 Apr '07

25 Apr '07

Hi there, I have managed to setup the system with cn=config. However, when I try to add in a new database, i get this error. ldapadd -vx -D "cn=config" -W -f x.ldif ldap_initialize( <DEFAULT> ) Enter LDAP Password: add objectClass: olcDatabaseConfig olcBdbConfig add olcDatabase: bdb add olcSuffix: "dc=example,dc=net" add olcDbDirectory: /usr/local/var/openldap-data-net add olcRootDN: "cn=Manager,dc=example,dc=com" add olcDbIndex: objectClass eq add olcAccess: to * by users read adding new entry "olcDatabase=bdb,cn=config" modify complete ldap_add: Invalid syntax (21) additional info: olcSuffix: value #0 invalid per syntax Anyone know what i did wrongly? Thanks in Advance -- Est Solaris Oth Mithas

2 1

← Newer
1
2
3
4
5
6
7
8
9
10
Older →

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software April 2007