pwdCheckQuality
by Andy Loughran
Hi,
I'm trying to set up pwdCheckQuality in ppolicy and have noticed that it needs an extra script to run. The only quality check I want to happen is that it checks that the password is alphanumeric. Does anyone have an example tip on where to put the module script and possibly even an example of their pwdCheckQuality script if they use one?
Regards,
--------
Andy Loughran
www.zrmt.com
m: 07921076319
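One way to write such a module, as an added example that is not code from this thread or from the OpenLDAP project: a C shared object exposing the check_password() symbol that the ppolicy overlay looks up. The "alphanumeric" rule (at least one letter and one digit) and the MIN_LEN of 8 are assumptions about the intended policy, and the opaque Entry declaration stands in for slap.h.

```c
/* Added example (not from the thread): a minimal pwdCheckModule for ppolicy.
 * slapd loads the shared object whose full path is in the policy entry's
 * pwdCheckModule attribute and calls check_password() with the cleartext
 * password when pwdCheckQuality is 1 or 2; a password the client sends
 * already hashed is never seen by the module.  A real module includes slap.h
 * from the slapd source tree; the forward declaration of Entry below stands
 * in so this file compiles on its own. */
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

#define LDAP_SUCCESS              0x00   /* values as in ldap.h */
#define LDAP_CONSTRAINT_VIOLATION 0x13
#define MIN_LEN 8                        /* assumed minimum; adjust to policy */

typedef struct Entry Entry;              /* opaque here; slap.h defines it */

/* "Alphanumeric" is taken to mean: at least one letter and one digit (other
 * characters allowed) and at least MIN_LEN characters.  Returns 1 if ok. */
int password_is_alphanumeric(const char *pw)
{
    int has_alpha = 0, has_digit = 0;
    size_t i;
    if (pw == NULL)
        return 0;
    for (i = 0; pw[i] != '\0'; i++) {
        unsigned char c = (unsigned char)pw[i];
        if (isalpha(c))
            has_alpha = 1;
        else if (isdigit(c))
            has_digit = 1;
    }
    return i >= MIN_LEN && has_alpha && has_digit;
}

/* The symbol ppolicy resolves with lt_dlsym("check_password").  Return
 * LDAP_SUCCESS to accept; otherwise set *ppErrStr to a malloc'd message
 * (slapd frees it and sends it to the client) and return an error code. */
int check_password(char *pPasswd, char **ppErrStr, Entry *pEntry)
{
    static const char msg[] = "Password must be at least 8 characters long "
                              "and contain at least one letter and one digit";
    (void)pEntry;                        /* the user's entry; unused here */
    if (password_is_alphanumeric(pPasswd))
        return LDAP_SUCCESS;
    if (ppErrStr != NULL && (*ppErrStr = malloc(sizeof msg)) != NULL)
        memcpy(*ppErrStr, msg, sizeof msg);
    return LDAP_CONSTRAINT_VIOLATION;
}
```

Build it with `gcc -shared -fPIC -o check_password.so check_password.c`, point pwdCheckModule at the installed .so, and set pwdCheckQuality to 2 so a password slapd cannot check (because it arrived pre-hashed) is rejected rather than silently accepted.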
Net-LDAPapi 3.0.0 released
by Quanah Gibson-Mount
Net-LDAPapi 3.0.0 has been released, and is available from CPAN at
<http://search.cpan.org/~mishikal/Net-LDAPapi-3.0.0/> or from SourceForge
at <http://sourceforge.net/projects/net-ldapapi>.
Future releases will be announced on the net-ldapapi-announce list hosted
by sourceforge, so please subscribe to that if this perl module interests
you. In addition, there is now a developers list and a general software
list hosted at sourceforge. Subscribe if interested. ;)
Changes for Net-LDAPapi 3.0.0:
This release now supports the LDAP v3 API as found in OpenLDAP. It has
been geared towards continuing to support the Mozilla SDK, but no major
testing of this support has occurred. Feel free to provide feedback and/or
contribute as desired.
LDAP v3 support means that Net-LDAPapi now supports the use of controls,
startTLS, etc.
In addition, Net-LDAPapi has support for being an OpenLDAP delta-syncrepl
client, which then allows one to write programs that can act on changes
that occur on the master.
Many, many thanks to Dmitri Priimak at Stanford University for his hard
work in updating Net-LDAPapi to use the LDAP v3 API, as I was rather busy
integrating into my new job. ;)
Regards,
Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
using openldap as a translation layer.
by S James S Stapleton
Can I use open-ldap as a translation layer for queries with a ldap client
with minimal configuration potential?
Right now the client (which cannot be trivially modified), can use LDAP
authentication, sort-of. What it does, is it takes your user name, and
assigns it to the 'uid' attribute, and then tacks on whatever string is in
the config to form a distinguished name. For example, if I used 'stapleton'
as my username and the config had 'ou=People,dc=domain,dc=tld', it would
query for 'uid=stapleton,ou=People,dc=domain,dc=tld'. Unfortunately, people's
usernames are everything before the '@' sign in their email, and this is not
their uid. The uid is a number that is used nowhere else. The standard
process that we use is to take their user name and perform an ldap query to
get the uid from the email, and then use the uid to verify if the user is
correct.
Example:
ldap://server:389/uid=441068,ou=People,dc=mydomain,dc=tld
pulls up my information
Now, if I want to get my uid, I'd do this:
ldap://server:389/ou=People,dc=mydomain,dc=tld?uid?sub?(mail=stapleton@mydomain.tld)
The client, as described, cannot do that; if a user attempts to use what they
expect their user name to be, it will send:
uid=stapleton,ou=People,dc=mydomain,dc=tld
or
uid=stapleton@mydomain.tld,ou=People,dc=mydomain,dc=tld
Neither of which will authenticate. Is there a way to make OpenLDAP provide
a middle layer to handle this?
Thank you,
-Jim Stapleton
OpenLDAP Client testing - reg.
by Aviator LDap
Hi Friends,
I was going through the test scripts available in the scripts directory and
found that most of the scripts are relevant with testing the OpenLDAP
server. I would like to test the OpenLDAP clients such as libldap and
liblber, as I have rewritten some modules in them. Could anybody suggest
how to proceed with my requirement?
regards,
dinesh V
ldapadd.c - reg.
by Aviator LDap
Hi Friends,
The client/tools of OpenLDAP 2.3.33 contains tools for ldapsearch, modify,
delete, etc. I need the same kind of tool for ldapadd. Do I need to write
the code from scratch, or is it available as any framework?
Thanks in advance,
regards,
dinesh V
Can only ldapsearch localhost but NOT the actual server name
by Kelly Choo
Hi
I'm running openldap-2.3.35 on HPUX 11.11
and I can ldapsearch localhost
ldapsearch -H ldap://localhost/ -b dc=math,dc=uvic,dc=ca -x
# extended LDIF
#
# LDAPv3
# base <dc=math,dc=uvic,dc=ca> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# math.uvic.ca
dn: dc=math,dc=uvic,dc=ca
dc: math
objectClass: dcObject
objectClass: organizationalUnit
ou: Mathematics and Statistics
but not when I use the actual server name chief.math.uvic.ca
ldapsearch -H ldap://chief.math.uvic.ca/ -b dc=math,dc=uvic,dc=ca -x
I get
ldap_result: Can't contact LDAP server (-1)
The same happens if I use the IP address instead of chief.math.uvic.ca
Here is the debug output:
ldapsearch -H ldap://chief.math.uvic.ca/ -b dc=math,dc=uvic,dc=ca -x -d -1
ldap_create
ldap_url_parse_ext(ldap://chief.math.uvic.ca/)
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP chief.math.uvic.ca:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 142.104.7.18:389
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_dump: buf=0x40022460 ptr=0x40022460 end=0x4002246e len=14
0000: 30 0c 02 01 01 60 07 02 01 03 04 00 80 00 0....`........
ber_scanf fmt ({i) ber:
ber_dump: buf=0x40022460 ptr=0x40022465 end=0x4002246e len=9
0000: 60 07 02 01 03 04 00 80 00 `........
ber_flush: 14 bytes to sd 3
0000: 30 0c 02 01 01 60 07 02 01 03 04 00 80 00 0....`........
ldap_write: want=14, written=14
0000: 30 0c 02 01 01 60 07 02 01 03 04 00 80 00 0....`........
ldap_result ld 40022270 msgid 1
ldap_chkResponseList ld 40022270 msgid 1 all 1
ldap_chkResponseList returns ld 40022270 NULL
wait4msg ld 40022270 msgid 1 (infinite timeout)
wait4msg continue ld 40022270 msgid 1 all 1
** ld 40022270 Connections:
* host: chief.math.uvic.ca port: 389 (default)
refcnt: 2 status: Connected
last used: Wed Jul 11 15:35:19 2007
** ld 40022270 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
** ld 40022270 Response Queue:
Empty
ldap_chkResponseList ld 40022270 msgid 1 all 1
ldap_chkResponseList returns ld 40022270 NULL
ldap_int_select
read1msg: ld 40022270 msgid 1 all 1
ber_get_next
ldap_read: want=8 error=Connection reset by peer
ber_get_next failed.
ldap_perror
ldap_result: Can't contact LDAP server (-1)
I'm not sure what it means and I tried this with the firewall disabled as
well. Any help would be much appreciated.
Thanks in advance
Mr. Kelly Choo,
System Administrator - Department of Mathematics and Statistics
University of Victoria
PO Box 3045 STN CSC PHONE: (250) 472-4927
Victoria BC V8W 3P4 FAX: (250) 721-8962 http://www.math.uvic.ca
ldap_result takes time to indicate that there are no more results.
by Dmitri Priimak
Hi All.
I have a question about ldap_result. I use openldap-2.3.32. It is my
understanding that this function (ldap_result) is used in a loop until no
more results are coming from the servers. Am I right about it? The problem
I have is that the last time it is called it hangs there for a while and
finally returns a null LDAPMessage and a -1 return value. I am talking here
about 10-15 seconds. Is it normal that it takes that long? I would expect it
to be pretty much instantaneous.
--
Dmitri Priimak
multiple password policies
by Dieter Kluenter
Hi,
I am using the ppolicy overlay to control password policy. Now I would like
to define 3 different policies as policyDN.
In slapd.conf one can only define a defaultDN; how can a policyDN be
declared in an entry? Or is editing the operational attribute
pwdPolicySubentry with the relax control the only way?
-Dieter
--
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:8EF7B6C6
ldap_simple_bind_s error codes
by Anoob Backer
Hi All,
Is there any way to find out the exact error message in case of bind failure
using any of the OpenLDAP calls?
What I would like to achieve by this is to know exactly why the bind failed:
either due to password expiry, account locked, account disabled, user
not found, etc.
After googling a bit I found a solution:
1. http://forum.java.sun.com/thread.jspa?messageID=4227692 ==> says to use
ldap_get_option() to get the error string and then parse and extract the
error codes. To my understanding this is an extended error message.
Is it reliable to depend on the error messages?
Thanks in advance
becks
ACL I just don't get it...
by Christoph Lipp
Hi all,
I've got the following problem:
We've defined a location objectClass with a multi-value attribute
"itAdmin". Underneath the locations we have all our users. On the user
object we have an attribute called "distinctMail". Now all itAdmins, defined
on the location above the user, should have write access to this user
attribute. But I don't know how to set the correct acl settings in
slapd.conf... any hints?
I'm using openLDAP 2.2.6 on a SuSE 9.1 box.
Thanks in advance!
Christoph