openldap-software August 2007

openldap-software@openldap.org

77 participants
93 discussions

access permissions
by Adam Williams 16 Aug '07

16 Aug '07

I'm reading through Chapter 6 of the Openldap Software 2.3 Admninistrator's Guide, but I'm a little confused on access permissions. I think my access permissions are wrong. I have 2 users loaded in openldap, adam and testuser. in slapd.conf I have: access to attrs=userPassword by self write by anonymous auth by dn.base="cn=Manager,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us" write by * none access to * by self write by dn.base="cn=Manager,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us" write by * read but adam can change testuser's password, and I want it so that a user can only change their password and not someone else's: [root@gomer ~]# su -l adam [adam@gomer ~]$ ldapmodify -D "uid=testuser,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us" -w xxxxxx -x -v -f changepasswd.ldif ldap_initialize( <DEFAULT> ) replace userPassword: {CRYPT}xxxxxxxxxxxx modifying entry "uid=testuser,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us" modify complete [root@gomer ~]# cat ~adam/changepasswd.ldif dn: uid=testuser,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us changetype: modify userPassword: {CRYPT}xxxxxxxxxxx And adam and testuser are different users: [root@gomer ~]# ldapsearch -D 'cn=Manager,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us' -b "uid=testuser,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us" -w xxxxxx -x # extended LDIF # # LDAPv3 # base <uid=testuser,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us> with scope subtree # filter: (objectclass=*) # requesting: ALL # # testuser, People, gomer.mdah.state.ms.us dn: uid=testuser,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us uid: testuser cn: test user telephoneNumber: xxxxxxx roomNumber: IS homePhone: xxxxxxxx givenName: test sn: user mail: testuser@dc=mdah,dc=state,dc=ms,dc=us objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson objectClass: posixAccount objectClass: top objectClass: shadowAccount shadowLastChange: 13705 shadowMax: 99999 shadowWarning: 7 loginShell: /bin/bash uidNumber: 501 gidNumber: 101 homeDirectory: /home/testuser gecos: test user,IS,xxxxxxx,xxxxxxxxx userPassword:: xxxxxxxxxxxxx # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 [root@gomer ~]# ldapsearch -D 'cn=Manager,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us' -b "uid=adam,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us" -w xxxxxxx -x # extended LDIF # # LDAPv3 # base <uid=adam,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us> with scope subtree # filter: (objectclass=*) # requesting: ALL # # adam, People, gomer.mdah.state.ms.us dn: uid=adam,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us uid: adam cn: adam williams telephoneNumber: xxxxxxxxxxxxx roomNumber: IS homePhone: xxxxxxxxxxx givenName: adam sn: williams objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson objectClass: posixAccount objectClass: top objectClass: shadowAccount userPassword:: xxxxxxxxxxxxxxxxx shadowLastChange: 13705 shadowMax: 99999 shadowWarning: 7 loginShell: /bin/bash uidNumber: 500 gidNumber: 100 homeDirectory: /home/adam gecos: adam williams,IS,xxxxxxx,xxxxxxx mail: awilliam(a)mdah.state.ms.us # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1

2 3

ldap_bind: Invalid credentials (49)
by Villem Alari 16 Aug '07

16 Aug '07

Hi! Now I get this error when I try to ldapadd -x -D "cn=admin,dc=test,dc=ekool,dc=ee" -W -f init.ldif. Regards, Villem Alari

2 2

Maximum size of the database.
by Sumith Narayanan 16 Aug '07

16 Aug '07

Hi Group, We have a coorporate openldap database in production which has more than 4 million entries. The slapd process serves three different physical dabases of sizes 4 GB , 12 GB and 24 GB respecievely. Earlier it was runnning in ldab backend and was crashing once in 3 -4 days. We upgraded to OpenLDAP 2.3.27 and BDB backend 4.4.20. Mac OS Tiger with 4GB RAM in the master and 8 GB ram in the slave. Now it crashes often may be couple of times in a day or sometimes once in 2 days. There is nothing much written in the log files but at times it shows out of memory exception. However , the search performance is still good. - What is the maximum size of the database that OpenLDAP can support ? - What is the maxmum number of dns it can hold ? - Is there any solution for the above problem ? Any help will be greatly appreciated. Thanks, Sumith.

4 5

dap_bind: Invalid DN syntax (34)
by Villem Alari 16 Aug '07

16 Aug '07

Hi! When I try to do this ldapadd -x -D "cn=admin,dc=<test>,dc=<ekool>,dc=<ee>" -W -f init.ldif I get this error: ldap_bind: Invalid DN syntax (34) additional info: invalid DN What's wrong? What have I done wrong? Regards, Villem Alari

3 2

information regarding rfc
by Arunachalam Parthasarathy 16 Aug '07

16 Aug '07

Hello all, Is openldap 2.3 , complying to RFC 4511. Please reply regarding the above.. Thanks in advance, Arunachalam. **************************************************************************** **************************** This e-mail and attachments contain confidential information from HUAWEI, which is intended only for the person or entity whose address is listed above. Any use of the information contained herein in any way (including, but not limited to, total or partial disclosure, reproduction, or dissemination) by persons other than the intended recipient's) is prohibited. If you receive this e-mail in error, please notify the sender by phone or email immediately and delete it!

3 3

/etc/ldap/ldap.conf file is ignored if i use SSL
by Stefan Riha 16 Aug '07

16 Aug '07

Hello I have installed a Debian etch server with OpenLDAP as ldap server. # slapd -VV @(#) $OpenLDAP: slapd 2.3.30 (Mar 9 2007 06:10:06) $ buildd@excelsior:/build/buildd/openldap2.3-2.3.30/debian/build/servers/slapd # ldapsearch -VV ldapsearch: @(#) $OpenLDAP: ldapsearch 2.3.30 (Mar 9 2007 06:09:26) $ buildd@excelsior:/build/buildd/openldap2.3-2.3.30/debian/build/clients/tools (LDAP library: OpenLDAP 20330) I have config my ldap server and client as followed. # ls -all /etc/default/slapd -rw-r--r-- 1 root root 162 2007-08-16 10:27 /etc/default/slapd # cat /etc/default/slapd SLAPD_CONF= SLAPD_USER="openldap" SLAPD_GROUP="openldap" SLAPD_PIDFILE= SLURPD_START=auto SLAPD_SERVICES="ldap://0.0.0.0:389/" SLAPD_OPTIONS="" SLURPD_OPTIONS="" # ls -all /etc/ldap/slapd.conf -rw------- 1 root root 1202 2007-08-16 10:41 /etc/ldap/slapd.conf # cat /etc/ldap/slapd.conf include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/nis.schema include /etc/ldap/schema/inetorgperson.schema include /etc/ldap/schema/samba.schema pidfile /var/run/slapd/slapd.pid argsfile /var/run/slapd/slapd.args loglevel 256 modulepath /usr/lib/ldap moduleload back_bdb sizelimit 500 tool-threads 1 backend bdb checkpoint 512 30 database bdb suffix "dc=riha,dc=home" rootdn "cn=Manager,dc=riha,dc=home" directory "/var/lib/ldap" dbconfig set_cachesize 0 2097152 0 dbconfig set_lk_max_objects 1500 dbconfig set_lk_max_locks 1500 dbconfig set_lk_max_lockers 1500 index objectClass eq lastmod on access to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=riha,dc=home" write by anonymous auth by self write by * none access to dn.base="" by * read access to * by dn="cn=Manager,dc=riha,dc=home" write by * read access to attrs=userPassword,sambaNTPassword,sambaLMPassword by self write by anonymous auth by * none rootpw {SSHA}xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx # ls -all ldap.conf -rw-r--r-- 1 root root 65 2007-08-16 11:00 ldap.conf # cat ldap.conf BASE dc=riha,dc=home URI ldap://0.0.0.0:389/ HOST 192.168.1.100 Everything work fine. # ldapsearch -x "(&(objectClass=posixAccount)(uid=stefan))" # extended LDIF # # LDAPv3 # base <> with scope subtree # filter: (&(objectClass=posixAccount)(uid=stefan)) # requesting: ALL # # stefan, Users, riha.home dn: uid=stefan,ou=Users,dc=riha,dc=home objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson objectClass: posixAccount objectClass: shadowAccount objectClass: sambaSamAccount cn: stefan sn: stefan givenName: stefan uid: stefan uidNumber: 1001 gidNumber: 513 homeDirectory: /home/stefan loginShell: /bin/bash gecos: System User sambaLogonTime: 0 sambaLogoffTime: 2147483647 sambaKickoffTime: 2147483647 sambaPwdCanChange: 0 displayName: System User sambaSID: S-1-5-21-1222799212-533558969-2148455424-3002 sambaPrimaryGroupSID: S-1-5-21-1222799212-533558969-2148455424-513 sambaLogonScript: logon.bat sambaProfilePath: \\samba\profiles\stefan sambaHomePath: \\samba\stefan sambaHomeDrive: H: sambaLMPassword: 618728E26F93449D613E9293942509F0 sambaAcctFlags: [U] sambaNTPassword: 48503E58AB7D0FC63BB5256C90D4C94C sambaPwdLastSet: 1186529591 sambaPwdMustChange: 1190417591 # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 Aug 16 11:16:44 pluto slapd[18138]: conn=0 fd=10 ACCEPT from IP=192.168.1.100:60615 (IP=0.0.0.0:389) Aug 16 11:16:44 pluto slapd[18138]: conn=0 op=0 BIND dn="" method=128 Aug 16 11:16:44 pluto slapd[18138]: conn=0 op=0 RESULT tag=97 err=0 text= Aug 16 11:16:44 pluto slapd[18138]: conn=0 op=1 SRCH base="dc=riha,dc=home" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=stefan))" Aug 16 11:16:44 pluto slapd[18138]: <= bdb_equality_candidates: (uid) index_param failed (18) Aug 16 11:16:45 pluto slapd[18138]: conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text= Aug 16 11:16:45 pluto slapd[18138]: conn=0 op=2 UNBIND Aug 16 11:16:45 pluto slapd[18138]: conn=0 fd=10 closed But now i want to use SSL to secure the connection. First i create a ssl cert. #openssl req -newkey rsa:2048 -x509 -nodes -out ldap-server.pem -keyout ldap-server.pem -days 730 # ls -all /etc/ldap/ldap-server.pem -rw-r----- 1 root openldap 3025 2007-08-11 21:59 /etc/ldap/ldap-server.pem I have modified the config for my ldap server and client as followed. # cat /etc/default/slapd SLAPD_CONF= SLAPD_USER="openldap" SLAPD_GROUP="openldap" SLAPD_PIDFILE= SLURPD_START=auto SLAPD_SERVICES="ldaps://0.0.0.0:636/" SLAPD_OPTIONS="" SLURPD_OPTIONS="" # cat /etc/ldap/slapd.conf include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/nis.schema include /etc/ldap/schema/inetorgperson.schema include /etc/ldap/schema/samba.schema pidfile /var/run/slapd/slapd.pid argsfile /var/run/slapd/slapd.args loglevel 256 modulepath /usr/lib/ldap moduleload back_bdb sizelimit 500 tool-threads 1 backend bdb checkpoint 512 30 database bdb suffix "dc=riha,dc=home" rootdn "cn=Manager,dc=riha,dc=home" directory "/var/lib/ldap" dbconfig set_cachesize 0 2097152 0 dbconfig set_lk_max_objects 1500 dbconfig set_lk_max_locks 1500 dbconfig set_lk_max_lockers 1500 index objectClass eq lastmod on TLSCertificateFile /etc/ldap/ldap-server.pem TLSCertificateKeyFile /etc/ldap/ldap-server.pem TLSCACertificateFile /etc/ldap/ldap-server.pem TLSVerifyClient allow access to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=riha,dc=home" write by anonymous auth by self write by * none access to dn.base="" by * read access to * by dn="cn=Manager,dc=riha,dc=home" write by * read access to attrs=userPassword,sambaNTPassword,sambaLMPassword by self write by anonymous auth by * none rootpw {SSHA}xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx # cat /etc/ldap/ldap.conf BASE dc=riha,dc=home URI ldaps://0.0.0.0:636/ HOST 192.168.1.100 TLS_CACERT /etc/ldap/ldap-server.pem TLS_CERT /etc/ldap/ldap-server.pem TLS_KEY /etc/ldap/ldap-server.pem TLS_REQCERT allow But now i have the following ploblem # ldapsearch -x "(&(objectClass=posixAccount)(uid=stefan))" -H ldaps://192.168.1.100:636/ ldap_bind: Can't contact LDAP server (-1) additional info: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure Aug 16 13:43:45 pluto slapd[18235]: conn=0 fd=10 ACCEPT from IP=192.168.1.100:49149 (IP=0.0.0.0:636) Aug 16 13:43:45 pluto slapd[18235]: conn=0 fd=10 closed (TLS negotiation failure) The cert seems to be ok # openssl s_client -connect 192.168.1.100:636 -CAfile /etc/ldap/ldap-server.pem -cert /etc/ldap/ldap-server.pem -key /etc/ldap/ldap-server.pem -state CONNECTED(00000003) SSL_connect:before/connect initialization SSL_connect:SSLv2/v3 write client hello A SSL_connect:SSLv3 read server hello A depth=0 /C=AT/ST=Austria/O=Home/CN=192.168.1.100 verify return:1 SSL_connect:SSLv3 read server certificate A SSL_connect:SSLv3 read server certificate request A SSL_connect:SSLv3 read server done A SSL_connect:SSLv3 write client certificate A SSL_connect:SSLv3 write client key exchange A SSL_connect:SSLv3 write certificate verify A SSL_connect:SSLv3 write change cipher spec A SSL_connect:SSLv3 write finished A SSL_connect:SSLv3 flush data SSL_connect:SSLv3 read finished A --- Certificate chain 0 s:/C=AT/ST=Austria/O=Home/CN=192.168.1.100 i:/C=AT/ST=Austria/O=Home/CN=192.168.1.100 --- Server certificate -----BEGIN CERTIFICATE----- .............................................................. -----END CERTIFICATE----- subject=/C=AT/ST=Austria/O=Home/CN=192.168.1.100 issuer=/C=AT/ST=Austria/O=Home/CN=192.168.1.100 --- Acceptable client certificate CA names /C=AT/ST=Austria/O=Home/CN=192.168.1.100 --- SSL handshake has read 1202 bytes and written 1682 bytes --- New, TLSv1/SSLv3, Cipher is AES256-SHA Server public key is 2048 bit Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : AES256-SHA Session-ID: 947C2BE5F94D1DFDF734C037404209BAB417252D2633A73A9F016A38A2DC09D8 Session-ID-ctx: Master-Key: DDD638xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Key-Arg : None Start Time: 1187257722 Timeout : 300 (sec) Verify return code: 0 (ok) --- Aug 16 11:48:42 pluto slapd[18177]: conn=0 fd=10 ACCEPT from IP=192.168.1.100:39847 (IP=0.0.0.0:636) Aug 16 11:48:42 pluto slapd[18177]: conn=0 fd=10 TLS established tls_ssf=256 ssf=256 Aug 16 11:49:00 pluto slapd[18177]: conn=0 fd=10 closed (connection lost) My last idea was to copy the ldap client config file to the user ldap client config file. # cp /etc/ldap/ldap.conf ~/.ldaprc # ls -all ~/.ldaprc -rw-r--r-- 1 root root 192 2007-08-16 11:51 /root/.ldaprc # ldapsearch -x "(&(objectClass=posixAccount)(uid=stefan))" -H ldaps://192.168.1.100:636/ # extended LDIF # # LDAPv3 # base <> with scope subtree # filter: (&(objectClass=posixAccount)(uid=stefan)) # requesting: ALL # # stefan, Users, riha.home dn: uid=stefan,ou=Users,dc=riha,dc=home objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson objectClass: posixAccount objectClass: shadowAccount objectClass: sambaSamAccount cn: stefan sn: stefan givenName: stefan uid: stefan uidNumber: 1001 gidNumber: 513 homeDirectory: /home/stefan loginShell: /bin/bash gecos: System User sambaLogonTime: 0 sambaLogoffTime: 2147483647 sambaKickoffTime: 2147483647 sambaPwdCanChange: 0 displayName: System User sambaSID: S-1-5-21-1222799212-533558969-2148455424-3002 sambaPrimaryGroupSID: S-1-5-21-1222799212-533558969-2148455424-513 sambaLogonScript: logon.bat sambaProfilePath: \\samba\profiles\stefan sambaHomePath: \\samba\stefan sambaHomeDrive: H: sambaLMPassword: 618728E26F93449D613E9293942509F0 sambaAcctFlags: [U] sambaNTPassword: 48503E58AB7D0FC63BB5256C90D4C94C sambaPwdLastSet: 1186529591 sambaPwdMustChange: 1190417591 # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 Aug 16 13:44:34 pluto slapd[18247]: conn=0 fd=10 ACCEPT from IP=192.168.1.100:49162 (IP=0.0.0.0:636) Aug 16 13:44:34 pluto slapd[18247]: conn=0 fd=10 TLS established tls_ssf=256 ssf=256 Aug 16 13:44:34 pluto slapd[18247]: conn=0 op=0 BIND dn="" method=128 Aug 16 13:44:34 pluto slapd[18247]: conn=0 op=0 RESULT tag=97 err=0 text= Aug 16 13:44:34 pluto slapd[18247]: conn=0 op=1 SRCH base="dc=riha,dc=home" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=stefan))" Aug 16 13:44:34 pluto slapd[18247]: <= bdb_equality_candidates: (uid) index_param failed (18) Aug 16 13:44:34 pluto slapd[18247]: conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text= Aug 16 13:44:34 pluto slapd[18247]: conn=0 op=2 UNBIND Aug 16 13:44:34 pluto slapd[18247]: conn=0 fd=10 closed Now it works but i have two questions: 1) Why is my ldap.conf ignored when i use SSL? 2) Why must i use the option "-H ldaps://192.168.1.100:636/" when using SSL? Stefan Riha

1 0

preserve value order with referential integrity overlay?
by Zhang Weiwu 16 Aug '07

16 Aug '07

Hello. I deployed an LDAP system and a set of applications around it that is highly sensitive to the order of values, e.g first telephoneNumber must be the main contact method, first value of companyRepresentative must be the DN of the main contact person. The value of the data is almost rely on the order of the values, and I used referential integrity overlay without first checking if it preserve the order of values my discovery: referential integrity overlay always puts the last modified value at the bottom. e.g. companyRepresentative: cn=David Jone,ou=sales,o=example.com companyRepresentative: cn=John Carmack,ou=development,o=example.com Now if David Jone is renamed to "David Jones" because people find his name is misspelled, then after modrdn operation, the result is: companyRepresentative: cn=John Carmack,ou=development,o=example.com companyRepresentative: cn=David Jones,ou=sales,o=example.com So people begin to contact John Carmack for all affairs. What's the best way to solve this problem? I can only think of 1) try to modify source code of slapo-refint to make it maintain order (big problem, never worked on C source code before, or 2) try to use several attributes like "FirstCompanyRepresentative", "SecondCompanyRepresentative", "ThirdCompanyRepresentative" -- 锐业软服（国内业务） http://www.realss.cn Real SoftService http://www.realss.com 销售咨询(Sales Department): 0086 592 20 99987 (Chinese, German, English) 国际业务(International Sales): 0086 10 8460 6011 (German and English) 联系：厦门大学科技园，嘉庚二号楼6楼邮政：厦门大学2312号信箱（邮编361005）

7 16

Re: preserve value order with referential integrity overlay?
by Pierangelo Masarati 14 Aug '07

14 Aug '07

I don't want to make this longer than necessary, but if you have a table favourite_drink person_id, drink containing 'ando' 'coke' 'ando' 'beer' and you "delete from favourite_drink where person_id='ando' and drink='coke';" and "insert into favourite_drink (person_id,drink) values ('ando','wine');" I'm pretty confident 'wine' will not come before 'beer', even if 'wine' is what I really prefer. In this sense, I think LDAP was designed to be almost as dumb as most applications (and application developers) but not dumber. So, values with the very same importance go into sets, and values with special importance go into specific attributes, possibly with SINGLE-VALUE constraint if appropriate, as I explained in my previous message. As a general rule, don't ask software to do what can be better done by yourself, and viceversa :) p. Ing. Pierangelo Masarati OpenLDAP Core Team SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it --------------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Email: pierangelo.masarati(a)sys-net.it ---------------------------------------

2 1

Problem changing passwords after import
by Rick Tautin 14 Aug '07

14 Aug '07

I am having a problem changing a password after I import the user into ldap. But once I change the users password with the manager account it works fine. I have pasted the output below and what my slapd.conf file looks like. access to attrs=userPassword by self write by * auth access to * by * read and here is the command that I am entering ldappasswd -x -D "uid=user1,ou=users,ou=employees,ou=users,dc=example,dc=com" -w rt#12345 -s tt#12345 "uid=user1,ou=users,ou=employees,ou=users,dc=example,dc=com" ldap_bind: Invalid credentials (49) when I change the password as manager ldappasswd -x -D "cn=manager,dc=example,dc=com" -W -s js#12345 "uid=user1,ou=users,ou=employees,ou=users,dc=example,dc=com" Enter LDAP Password: Result: Success (0) Now I can change it as the user ldappasswd -x -D "uid=user1,ou=users,ou=employees,ou=users,dc=example,dc=com" -w js#12345 -s tt#12345 "uid=user1,ou=users,ou=employees,ou=users,dc=example,dc=com" Result: Success (0) Thanks for the help

4 16

ppolicy *help*
by Scott Phelps 14 Aug '07

14 Aug '07

Environment: =============== * OS: Ubuntu Feisty 7.04 * Slapd Version: slapd 2.3.30 * Apt-Package Compile Options (per launchpadlibrarian.net): --prefix=/usr --libexecdir='${prefix}/lib' --sysconfdir=/etc --localstatedir=/var --mandir='${prefix}/share/man' --enable-debug --enable-dynamic --enable-syslog --enable-proctitle --enable-ipv6 --enable-local --enable-slapd --enable-aci --enable-cleartext --enable-crypt --enable-spasswd --enable-modules --enable-rewrite --enable-rlookups --enable-slp --enable-wrappers --enable-backends=mod --enable-ldbm=no --enable-overlays=mod --enable-slurpd --with-subdir=ldap --with-cyrus-sasl --with-threads --with-tls * slapd.conf (abbridged) ============= # Schema and objectClass definitions include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/nis.schema include /etc/ldap/schema/inetorgperson.schema include /etc/ldap/schema/java.schema include /etc/ldap/schema/dyngroup.schema include /etc/ldap/schema/misc.schema include /etc/ldap/schema/sudo.schema include /etc/ldap/schema/autofs.schema include /etc/ldap/schema/ppolicy.schema include /etc/ldap/schema/corba.schema include /etc/ldap/schema/authldap.schema include /etc/ldap/schema/solaris.schema include /etc/ldap/schema/solaris-nis.schema include /etc/ldap/schema/solarisdua.schema modulepath /usr/lib/ldap moduleload back_bdb moduleload ppolicy schemacheck on TLSCipherSuite #####SECRET###### TLSCertificateFile #####SECRET###### TLSCertificateKeyFile #####SECRET###### TLSCACertificateFile #####SECRET###### database bdb # Overlay Directives overlay ppolicy ppolicy_default "cn=defaultPolicy,ou=policies,#####SECRET#######" ppolicy_use_lockout directory "/var/lib/ldap" # For the Debian package we use 2MB as default but be sure to update this # value if you have plenty of RAM dbconfig set_cachesize 0 2097152 0 # Sven Hartge reported that he had to set this value incredibly high # to get slapd running at all. See http://bugs.debian.org/303057 # for more information. # Number of objects that can be locked at the same time. dbconfig set_lk_max_objects 1500 # Number of locks (both requested and granted) dbconfig set_lk_max_locks 1500 # Number of lockers dbconfig set_lk_max_lockers 1500 # Indexing options for database #1 index objectClass eq # Save the time that the entry gets modified, for database #1 lastmod on access to dn.children="ou=people,#####SECRET######" attrs=userPassword by group/groupOfNames/member="#####SECRET######" write by self write by * auth * defaultPolicy.ldif ======================== dn: cn=defaultPolicy,ou=policies,#####SECRET###### cn: defaultPolicy objectClass: organizationalRole objectClass: pwdPolicy objectClass: top pwdLockout: TRUE pwdMaxFailure: 3 pwdAttribute: userPassword pwdGraceAuthNLimit: 3 pwdLockoutDuration: 15 pwdAllowUserChange: TRUE * ppolicytest.ldif ========================= dn: uid=ppolicytest,ou=people,#####SECRET###### uid: ppolicytest uidNumber: 1012 gidNumber: 100 homeDirectory: /home/ppolicytest loginShell: /bin/bash objectClass: inetOrgPerson objectClass: posixAccount objectClass: top structuralObjectClass: inetOrgPerson entryUUID: e4c33596-d832-102b-8c70-39998be84848 creatorsName: #####SECRET###### createTimestamp: 20070806063457Z pwdPolicySubentry: cn=defaultPolicy,ou=policies,#####SECRET###### userPassword: {MD5}Gh3JHJBzJcaScd3wyUS8cg== pwdChangedTime: 20070806070643Z cn: ppolicytest entryCSN: 20070806070815Z#000000#00#000000 modifiersName: #####SECRET###### modifyTimestamp: 20070806070815Z entryDN: uid=ppolicytest,ou=people,#####SECRET###### subschemaSubentry: cn=Subschema hasSubordinates: FALSE So with this all in place I get no errors starting slapd (the module gets loaded.) I run the following command 4 times: ldapsearch -P 3 -x -LLL -e ppolicy -D "uid=ppolictest,ou=people,#####SECRET######" -W "(objectclass=*)" Entering an incorrect password each time, however the account never gets locked out and the operational attributes never change. TIA, for any advice!

3 2

← Newer
1
2
3
4
5
6
7
8
9
10
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software August 2007