access permissions
by Adam Williams
I'm reading through Chapter 6 of the OpenLDAP Software 2.3
Administrator's Guide, but I'm a little confused on access
permissions. I think my access permissions are wrong.
I have 2 users loaded in OpenLDAP, adam and testuser. In slapd.conf I have:
access to attrs=userPassword
by self write
by anonymous auth
by dn.base="cn=Manager,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us" write
by * none
access to *
by self write
by dn.base="cn=Manager,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us" write
by * read
But adam can change testuser's password, and I want it so that a user
can only change their password and not someone else's:
[root@gomer ~]# su -l adam
[adam@gomer ~]$ ldapmodify -D
"uid=testuser,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us" -w xxxxxx
-x -v -f changepasswd.ldif
ldap_initialize( <DEFAULT> )
replace userPassword:
{CRYPT}xxxxxxxxxxxx
modifying entry
"uid=testuser,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us"
modify complete
[root@gomer ~]# cat ~adam/changepasswd.ldif
dn: uid=testuser,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us
changetype: modify
userPassword: {CRYPT}xxxxxxxxxxx
And adam and testuser are different users:
[root@gomer ~]# ldapsearch -D
'cn=Manager,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us' -b
"uid=testuser,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us" -w xxxxxx -x
# extended LDIF
#
# LDAPv3
# base <uid=testuser,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# testuser, People, gomer.mdah.state.ms.us
dn: uid=testuser,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us
uid: testuser
cn: test user
telephoneNumber: xxxxxxx
roomNumber: IS
homePhone: xxxxxxxx
givenName: test
sn: user
mail: testuser@dc=mdah,dc=state,dc=ms,dc=us
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowLastChange: 13705
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 501
gidNumber: 101
homeDirectory: /home/testuser
gecos: test user,IS,xxxxxxx,xxxxxxxxx
userPassword:: xxxxxxxxxxxxx
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
[root@gomer ~]# ldapsearch -D
'cn=Manager,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us' -b
"uid=adam,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us" -w xxxxxxx -x
# extended LDIF
#
# LDAPv3
# base <uid=adam,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# adam, People, gomer.mdah.state.ms.us
dn: uid=adam,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us
uid: adam
cn: adam williams
telephoneNumber: xxxxxxxxxxxxx
roomNumber: IS
homePhone: xxxxxxxxxxx
givenName: adam
sn: williams
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: xxxxxxxxxxxxxxxxx
shadowLastChange: 13705
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 500
gidNumber: 100
homeDirectory: /home/adam
gecos: adam williams,IS,xxxxxxx,xxxxxxx
mail: awilliam(a)mdah.state.ms.us
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
14 years, 11 months
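Added example, not code from Adam's post or from OpenLDAP: a small Python model of slapd's first-match ACL evaluation over the two `access to` clauses quoted above. It resolves the privilege for the bind DN the ldapmodify command actually used (`-D uid=testuser,...`) and for adam's own DN; only the who-selectors that appear on this page (self, anonymous, users, dn.base=, *) are modelled, and the DN normalization is a constructed simplification.

```python
"""Model of slapd's first-match ACL evaluation (added example, not OpenLDAP code).

Encodes the two `access to` clauses from the post's slapd.conf and resolves
the privilege slapd grants a given bind DN on one attribute of a target entry.
"""
from dataclasses import dataclass
from typing import Optional

# slapd access levels, lowest to highest; each level implies the ones below it.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]


@dataclass
class Rule:
    attrs: Optional[set]   # None: clause has no attrs= selector, matches any attribute
    by: list               # ordered (who, level) pairs, as written in slapd.conf


def normalize_dn(dn: str) -> str:
    # Simplified DN normalization (constructed): lowercase, no whitespace around commas.
    return ",".join(part.strip() for part in dn.lower().split(","))


def who_matches(who: str, bind_dn: Optional[str], target_dn: str) -> bool:
    """Does this `by <who>` selector match the requester? bind_dn None means anonymous."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and normalize_dn(bind_dn) == normalize_dn(target_dn)
    if who.startswith("dn.base="):
        wanted = who[len("dn.base="):].strip('"')
        return bind_dn is not None and normalize_dn(bind_dn) == normalize_dn(wanted)
    raise ValueError(f"who-selector not modelled here: {who}")


def granted_level(rules, bind_dn, target_dn, attr):
    """First `access to` clause selecting attr wins; inside it, the first matching
    `by` clause decides. No matching `by` clause means slapd's implicit `by * none`.
    The post's ACL ends with `access to *`, so every request matches some clause;
    an unmatched request is treated as none here (assumption of this model)."""
    for rule in rules:
        if rule.attrs is None or attr in rule.attrs:
            for who, level in rule.by:
                if who_matches(who, bind_dn, target_dn):
                    return level
            return "none"
    return "none"


def allows(rules, bind_dn, target_dn, attr, needed):
    """True if the granted level is at least `needed` (write implies read, etc.)."""
    return LEVELS.index(granted_level(rules, bind_dn, target_dn, attr)) >= LEVELS.index(needed)


# DNs from the post.
PEOPLE = "ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us"
MANAGER = "cn=Manager,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us"
ADAM = f"uid=adam,{PEOPLE}"
TESTUSER = f"uid=testuser,{PEOPLE}"

# The two clauses of the post's slapd.conf, in their original order.
POST_ACL = [
    Rule({"userPassword"}, [("self", "write"), ("anonymous", "auth"),
                            (f'dn.base="{MANAGER}"', "write"), ("*", "none")]),
    Rule(None, [("self", "write"), (f'dn.base="{MANAGER}"', "write"), ("*", "read")]),
]

if __name__ == "__main__":
    # The ldapmodify bound with -D uid=testuser,...: bind DN == target, so `self write` fires.
    print("bound as testuser:", granted_level(POST_ACL, TESTUSER, TESTUSER, "userPassword"))  # write
    # Bound as adam's own DN, the same modify on testuser falls through to `by * none`.
    print("bound as adam:", granted_level(POST_ACL, ADAM, TESTUSER, "userPassword"))  # none
```

The Unix account the command is run from plays no part in the decision; only the LDAP bind DN does.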
ldap_bind: Invalid credentials (49)
by Villem Alari
Hi!
Now I get this error when I try to ldapadd -x -D
"cn=admin,dc=test,dc=ekool,dc=ee" -W -f init.ldif.
Regards,
Villem Alari
14 years, 11 months
Maximum size of the database.
by Sumith Narayanan
Hi Group,
We have a corporate OpenLDAP database in production which has more
than 4 million entries. The slapd process serves three different
physical databases of sizes 4 GB, 12 GB and 24 GB respectively.
Earlier it was running on the ldbm backend and was crashing once every 3-4
days. We upgraded to OpenLDAP 2.3.27 and BDB backend 4.4.20, on Mac OS
Tiger with 4 GB RAM in the master and 8 GB RAM in the slave. Now it
crashes often, maybe a couple of times a day or sometimes once in 2
days. There is not much written in the log files, but at times it
shows an out of memory exception. However, the search performance is
still good.
- What is the maximum size of the database that OpenLDAP can support?
- What is the maximum number of DNs it can hold?
- Is there any solution for the above problem?
Any help will be greatly appreciated.
Thanks, Sumith.
14 years, 11 months
ldap_bind: Invalid DN syntax (34)
by Villem Alari
Hi!
When I try to do this ldapadd -x -D
"cn=admin,dc=<test>,dc=<ekool>,dc=<ee>" -W -f init.ldif
I get this error:
ldap_bind: Invalid DN syntax (34)
additional info: invalid DN
What's wrong? What have I done wrong?
Regards,
Villem Alari
14 years, 11 months
information regarding rfc
by Arunachalam Parthasarathy
Hello all,
Is OpenLDAP 2.3 compliant with RFC 4511?
Please reply regarding the above..
Thanks in advance,
Arunachalam.
14 years, 11 months
/etc/ldap/ldap.conf file is ignored if I use SSL
by Stefan Riha
Hello
I have installed a Debian etch server with OpenLDAP as ldap server.
# slapd -VV
@(#) $OpenLDAP: slapd 2.3.30 (Mar 9 2007 06:10:06) $
buildd@excelsior:/build/buildd/openldap2.3-2.3.30/debian/build/servers/slapd
# ldapsearch -VV
ldapsearch: @(#) $OpenLDAP: ldapsearch 2.3.30 (Mar 9 2007 06:09:26) $
buildd@excelsior:/build/buildd/openldap2.3-2.3.30/debian/build/clients/tools
(LDAP library: OpenLDAP 20330)
I have configured my LDAP server and client as follows.
# ls -all /etc/default/slapd
-rw-r--r-- 1 root root 162 2007-08-16 10:27 /etc/default/slapd
# cat /etc/default/slapd
SLAPD_CONF=
SLAPD_USER="openldap"
SLAPD_GROUP="openldap"
SLAPD_PIDFILE=
SLURPD_START=auto
SLAPD_SERVICES="ldap://0.0.0.0:389/"
SLAPD_OPTIONS=""
SLURPD_OPTIONS=""
# ls -all /etc/ldap/slapd.conf
-rw------- 1 root root 1202 2007-08-16 10:41 /etc/ldap/slapd.conf
# cat /etc/ldap/slapd.conf
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/samba.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel 256
modulepath /usr/lib/ldap
moduleload back_bdb
sizelimit 500
tool-threads 1
backend bdb
checkpoint 512 30
database bdb
suffix "dc=riha,dc=home"
rootdn "cn=Manager,dc=riha,dc=home"
directory "/var/lib/ldap"
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
index objectClass eq
lastmod on
access to attrs=userPassword,shadowLastChange
by dn="cn=Manager,dc=riha,dc=home" write
by anonymous auth
by self write
by * none
access to dn.base="" by * read
access to *
by dn="cn=Manager,dc=riha,dc=home" write
by * read
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
by self write
by anonymous auth
by * none
rootpw {SSHA}xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
# ls -all ldap.conf
-rw-r--r-- 1 root root 65 2007-08-16 11:00 ldap.conf
# cat ldap.conf
BASE dc=riha,dc=home
URI ldap://0.0.0.0:389/
HOST 192.168.1.100
Everything works fine.
# ldapsearch -x "(&(objectClass=posixAccount)(uid=stefan))"
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (&(objectClass=posixAccount)(uid=stefan))
# requesting: ALL
#
# stefan, Users, riha.home
dn: uid=stefan,ou=Users,dc=riha,dc=home
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
cn: stefan
sn: stefan
givenName: stefan
uid: stefan
uidNumber: 1001
gidNumber: 513
homeDirectory: /home/stefan
loginShell: /bin/bash
gecos: System User
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
displayName: System User
sambaSID: S-1-5-21-1222799212-533558969-2148455424-3002
sambaPrimaryGroupSID: S-1-5-21-1222799212-533558969-2148455424-513
sambaLogonScript: logon.bat
sambaProfilePath: \\samba\profiles\stefan
sambaHomePath: \\samba\stefan
sambaHomeDrive: H:
sambaLMPassword: 618728E26F93449D613E9293942509F0
sambaAcctFlags: [U]
sambaNTPassword: 48503E58AB7D0FC63BB5256C90D4C94C
sambaPwdLastSet: 1186529591
sambaPwdMustChange: 1190417591
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Aug 16 11:16:44 pluto slapd[18138]: conn=0 fd=10 ACCEPT from
IP=192.168.1.100:60615 (IP=0.0.0.0:389)
Aug 16 11:16:44 pluto slapd[18138]: conn=0 op=0 BIND dn="" method=128
Aug 16 11:16:44 pluto slapd[18138]: conn=0 op=0 RESULT tag=97 err=0 text=
Aug 16 11:16:44 pluto slapd[18138]: conn=0 op=1 SRCH
base="dc=riha,dc=home" scope=2 deref=0
filter="(&(objectClass=posixAccount)(uid=stefan))"
Aug 16 11:16:44 pluto slapd[18138]: <= bdb_equality_candidates: (uid)
index_param failed (18)
Aug 16 11:16:45 pluto slapd[18138]: conn=0 op=1 SEARCH RESULT tag=101
err=0 nentries=1 text=
Aug 16 11:16:45 pluto slapd[18138]: conn=0 op=2 UNBIND
Aug 16 11:16:45 pluto slapd[18138]: conn=0 fd=10 closed
But now I want to use SSL to secure the connection.
First I create an SSL cert.
#openssl req -newkey rsa:2048 -x509 -nodes -out ldap-server.pem -keyout
ldap-server.pem -days 730
# ls -all /etc/ldap/ldap-server.pem
-rw-r----- 1 root openldap 3025 2007-08-11 21:59 /etc/ldap/ldap-server.pem
I have modified the config for my LDAP server and client as follows.
# cat /etc/default/slapd
SLAPD_CONF=
SLAPD_USER="openldap"
SLAPD_GROUP="openldap"
SLAPD_PIDFILE=
SLURPD_START=auto
SLAPD_SERVICES="ldaps://0.0.0.0:636/"
SLAPD_OPTIONS=""
SLURPD_OPTIONS=""
# cat /etc/ldap/slapd.conf
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/samba.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel 256
modulepath /usr/lib/ldap
moduleload back_bdb
sizelimit 500
tool-threads 1
backend bdb
checkpoint 512 30
database bdb
suffix "dc=riha,dc=home"
rootdn "cn=Manager,dc=riha,dc=home"
directory "/var/lib/ldap"
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
index objectClass eq
lastmod on
TLSCertificateFile /etc/ldap/ldap-server.pem
TLSCertificateKeyFile /etc/ldap/ldap-server.pem
TLSCACertificateFile /etc/ldap/ldap-server.pem
TLSVerifyClient allow
access to attrs=userPassword,shadowLastChange
by dn="cn=Manager,dc=riha,dc=home" write
by anonymous auth
by self write
by * none
access to dn.base="" by * read
access to *
by dn="cn=Manager,dc=riha,dc=home" write
by * read
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
by self write
by anonymous auth
by * none
rootpw {SSHA}xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
# cat /etc/ldap/ldap.conf
BASE dc=riha,dc=home
URI ldaps://0.0.0.0:636/
HOST 192.168.1.100
TLS_CACERT /etc/ldap/ldap-server.pem
TLS_CERT /etc/ldap/ldap-server.pem
TLS_KEY /etc/ldap/ldap-server.pem
TLS_REQCERT allow
But now I have the following problem:
# ldapsearch -x "(&(objectClass=posixAccount)(uid=stefan))" -H
ldaps://192.168.1.100:636/
ldap_bind: Can't contact LDAP server (-1)
additional info: error:14094410:SSL
routines:SSL3_READ_BYTES:sslv3 alert handshake failure
Aug 16 13:43:45 pluto slapd[18235]: conn=0 fd=10 ACCEPT from
IP=192.168.1.100:49149 (IP=0.0.0.0:636)
Aug 16 13:43:45 pluto slapd[18235]: conn=0 fd=10 closed (TLS
negotiation failure)
The cert seems to be OK:
# openssl s_client -connect 192.168.1.100:636 -CAfile
/etc/ldap/ldap-server.pem -cert /etc/ldap/ldap-server.pem -key
/etc/ldap/ldap-server.pem -state
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=0 /C=AT/ST=Austria/O=Home/CN=192.168.1.100
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write certificate verify A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
---
Certificate chain
0 s:/C=AT/ST=Austria/O=Home/CN=192.168.1.100
i:/C=AT/ST=Austria/O=Home/CN=192.168.1.100
---
Server certificate
-----BEGIN CERTIFICATE-----
..............................................................
-----END CERTIFICATE-----
subject=/C=AT/ST=Austria/O=Home/CN=192.168.1.100
issuer=/C=AT/ST=Austria/O=Home/CN=192.168.1.100
---
Acceptable client certificate CA names
/C=AT/ST=Austria/O=Home/CN=192.168.1.100
---
SSL handshake has read 1202 bytes and written 1682 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: 947C2BE5F94D1DFDF734C037404209BAB417252D2633A73A9F016A38A2DC09D8
Session-ID-ctx:
Master-Key: DDD638xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Key-Arg : None
Start Time: 1187257722
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
Aug 16 11:48:42 pluto slapd[18177]: conn=0 fd=10 ACCEPT from
IP=192.168.1.100:39847 (IP=0.0.0.0:636)
Aug 16 11:48:42 pluto slapd[18177]: conn=0 fd=10 TLS established
tls_ssf=256 ssf=256
Aug 16 11:49:00 pluto slapd[18177]: conn=0 fd=10 closed (connection lost)
My last idea was to copy the ldap client config file to the user ldap
client config file.
# cp /etc/ldap/ldap.conf ~/.ldaprc
# ls -all ~/.ldaprc
-rw-r--r-- 1 root root 192 2007-08-16 11:51 /root/.ldaprc
# ldapsearch -x "(&(objectClass=posixAccount)(uid=stefan))" -H
ldaps://192.168.1.100:636/
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (&(objectClass=posixAccount)(uid=stefan))
# requesting: ALL
#
# stefan, Users, riha.home
dn: uid=stefan,ou=Users,dc=riha,dc=home
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
cn: stefan
sn: stefan
givenName: stefan
uid: stefan
uidNumber: 1001
gidNumber: 513
homeDirectory: /home/stefan
loginShell: /bin/bash
gecos: System User
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
displayName: System User
sambaSID: S-1-5-21-1222799212-533558969-2148455424-3002
sambaPrimaryGroupSID: S-1-5-21-1222799212-533558969-2148455424-513
sambaLogonScript: logon.bat
sambaProfilePath: \\samba\profiles\stefan
sambaHomePath: \\samba\stefan
sambaHomeDrive: H:
sambaLMPassword: 618728E26F93449D613E9293942509F0
sambaAcctFlags: [U]
sambaNTPassword: 48503E58AB7D0FC63BB5256C90D4C94C
sambaPwdLastSet: 1186529591
sambaPwdMustChange: 1190417591
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Aug 16 13:44:34 pluto slapd[18247]: conn=0 fd=10 ACCEPT from
IP=192.168.1.100:49162 (IP=0.0.0.0:636)
Aug 16 13:44:34 pluto slapd[18247]: conn=0 fd=10 TLS established
tls_ssf=256 ssf=256
Aug 16 13:44:34 pluto slapd[18247]: conn=0 op=0 BIND dn="" method=128
Aug 16 13:44:34 pluto slapd[18247]: conn=0 op=0 RESULT tag=97 err=0 text=
Aug 16 13:44:34 pluto slapd[18247]: conn=0 op=1 SRCH
base="dc=riha,dc=home" scope=2 deref=0
filter="(&(objectClass=posixAccount)(uid=stefan))"
Aug 16 13:44:34 pluto slapd[18247]: <= bdb_equality_candidates: (uid)
index_param failed (18)
Aug 16 13:44:34 pluto slapd[18247]: conn=0 op=1 SEARCH RESULT tag=101
err=0 nentries=1 text=
Aug 16 13:44:34 pluto slapd[18247]: conn=0 op=2 UNBIND
Aug 16 13:44:34 pluto slapd[18247]: conn=0 fd=10 closed
Now it works, but I have two questions:
1) Why is my ldap.conf ignored when I use SSL?
2) Why must I use the option "-H ldaps://192.168.1.100:636/" when using SSL?
Stefan Riha
14 years, 11 months
preserve value order with referential integrity overlay?
by Zhang Weiwu
Hello.
I deployed an LDAP system and a set of applications around it that are
highly sensitive to the order of values, e.g. the first telephoneNumber must
be the main contact method, the first value of companyRepresentative must be
the DN of the main contact person. The value of the data almost entirely relies
on the order of the values, and I used the referential integrity overlay
without first checking if it preserves the order of values.
My discovery: the referential integrity overlay always puts the last
modified value at the bottom.
e.g.
companyRepresentative: cn=David Jone,ou=sales,o=example.com
companyRepresentative: cn=John Carmack,ou=development,o=example.com
Now if David Jone is renamed to "David Jones" because people find his
name is misspelled, then after modrdn operation, the result is:
companyRepresentative: cn=John Carmack,ou=development,o=example.com
companyRepresentative: cn=David Jones,ou=sales,o=example.com
So people begin to contact John Carmack for all affairs.
What's the best way to solve this problem? I can only think of 1) trying to
modify the source code of slapo-refint to make it maintain order (big
problem, I have never worked on C source code before), or 2) trying to use several
attributes like "FirstCompanyRepresentative",
"SecondCompanyRepresentative", "ThirdCompanyRepresentative".
--
Real SoftService (domestic business) http://www.realss.cn
Real SoftService http://www.realss.com
Sales inquiries (Sales Department): 0086 592 20 99987 (Chinese, German,
English)
International business (International Sales): 0086 10 8460 6011 (German and English)
Address: Xiamen University Science Park, Jiageng Building No. 2, 6th floor
Postal: P.O. Box 2312, Xiamen University (postcode 361005)
14 years, 11 months
Re: preserve value order with referential integrity overlay?
by Pierangelo Masarati
I don't want to make this longer than necessary, but if you have a table
favourite_drink
person_id, drink
containing
'ando' 'coke'
'ando' 'beer'
and you
"delete from favourite_drink where person_id='ando' and drink='coke';"
and
"insert into favourite_drink (person_id,drink) values ('ando','wine');"
I'm pretty confident 'wine' will not come before 'beer', even if 'wine' is
what I really prefer.
In this sense, I think LDAP was designed to be almost as dumb as most
applications (and application developers) but not dumber. So, values with
the very same importance go into sets, and values with special importance
go into specific attributes, possibly with SINGLE-VALUE constraint if
appropriate, as I explained in my previous message.
As a general rule, don't ask software to do what can be better done by
yourself, and vice versa :)
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati(a)sys-net.it
---------------------------------------
14 years, 12 months
Problem changing passwords after import
by Rick Tautin
I am having a problem changing a password after I import the user into LDAP. But once I change the user's password with the manager account it works fine. I have pasted the output below and what my slapd.conf file looks like.
access to attrs=userPassword
by self write
by * auth
access to *
by * read
And here is the command that I am entering:
ldappasswd -x -D
"uid=user1,ou=users,ou=employees,ou=users,dc=example,dc=com" -w rt#12345
-s tt#12345 "uid=user1,ou=users,ou=employees,ou=users,dc=example,dc=com"
ldap_bind: Invalid credentials (49)
When I change the password as manager:
ldappasswd -x -D "cn=manager,dc=example,dc=com" -W -s js#12345
"uid=user1,ou=users,ou=employees,ou=users,dc=example,dc=com"
Enter LDAP Password:
Result: Success (0)
Now I can change it as the user:
ldappasswd -x -D
"uid=user1,ou=users,ou=employees,ou=users,dc=example,dc=com" -w js#12345
-s tt#12345 "uid=user1,ou=users,ou=employees,ou=users,dc=example,dc=com"
Result: Success (0)
Thanks for the help
14 years, 12 months
ppolicy *help*
by Scott Phelps
Environment:
===============
* OS:
Ubuntu Feisty 7.04
* Slapd Version:
slapd 2.3.30
* Apt-Package Compile Options (per launchpadlibrarian.net):
--prefix=/usr --libexecdir='${prefix}/lib'
--sysconfdir=/etc --localstatedir=/var
--mandir='${prefix}/share/man'
--enable-debug --enable-dynamic
--enable-syslog
--enable-proctitle
--enable-ipv6
--enable-local
--enable-slapd
--enable-aci
--enable-cleartext
--enable-crypt
--enable-spasswd
--enable-modules
--enable-rewrite
--enable-rlookups
--enable-slp
--enable-wrappers
--enable-backends=mod
--enable-ldbm=no
--enable-overlays=mod
--enable-slurpd
--with-subdir=ldap
--with-cyrus-sasl
--with-threads
--with-tls
* slapd.conf (abridged)
=============
# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/sudo.schema
include /etc/ldap/schema/autofs.schema
include /etc/ldap/schema/ppolicy.schema
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/authldap.schema
include /etc/ldap/schema/solaris.schema
include /etc/ldap/schema/solaris-nis.schema
include /etc/ldap/schema/solarisdua.schema
modulepath /usr/lib/ldap
moduleload back_bdb
moduleload ppolicy
schemacheck on
TLSCipherSuite #####SECRET######
TLSCertificateFile #####SECRET######
TLSCertificateKeyFile #####SECRET######
TLSCACertificateFile #####SECRET######
database bdb
# Overlay Directives
overlay ppolicy
ppolicy_default "cn=defaultPolicy,ou=policies,#####SECRET#######"
ppolicy_use_lockout
directory "/var/lib/ldap"
# For the Debian package we use 2MB as default but be sure to update this
# value if you have plenty of RAM
dbconfig set_cachesize 0 2097152 0
# Sven Hartge reported that he had to set this value incredibly high
# to get slapd running at all. See http://bugs.debian.org/303057
# for more information.
# Number of objects that can be locked at the same time.
dbconfig set_lk_max_objects 1500
# Number of locks (both requested and granted)
dbconfig set_lk_max_locks 1500
# Number of lockers
dbconfig set_lk_max_lockers 1500
# Indexing options for database #1
index objectClass eq
# Save the time that the entry gets modified, for database #1
lastmod on
access to dn.children="ou=people,#####SECRET######" attrs=userPassword
by group/groupOfNames/member="#####SECRET######" write
by self write
by * auth
* defaultPolicy.ldif
========================
dn: cn=defaultPolicy,ou=policies,#####SECRET######
cn: defaultPolicy
objectClass: organizationalRole
objectClass: pwdPolicy
objectClass: top
pwdLockout: TRUE
pwdMaxFailure: 3
pwdAttribute: userPassword
pwdGraceAuthNLimit: 3
pwdLockoutDuration: 15
pwdAllowUserChange: TRUE
* ppolicytest.ldif
=========================
dn: uid=ppolicytest,ou=people,#####SECRET######
uid: ppolicytest
uidNumber: 1012
gidNumber: 100
homeDirectory: /home/ppolicytest
loginShell: /bin/bash
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
structuralObjectClass: inetOrgPerson
entryUUID: e4c33596-d832-102b-8c70-39998be84848
creatorsName: #####SECRET######
createTimestamp: 20070806063457Z
pwdPolicySubentry: cn=defaultPolicy,ou=policies,#####SECRET######
userPassword: {MD5}Gh3JHJBzJcaScd3wyUS8cg==
pwdChangedTime: 20070806070643Z
cn: ppolicytest
entryCSN: 20070806070815Z#000000#00#000000
modifiersName: #####SECRET######
modifyTimestamp: 20070806070815Z
entryDN: uid=ppolicytest,ou=people,#####SECRET######
subschemaSubentry: cn=Subschema
hasSubordinates: FALSE
So with this all in place I get no errors starting slapd (the module
gets loaded.) I run the following command 4 times:
ldapsearch -P 3 -x -LLL -e ppolicy -D
"uid=ppolictest,ou=people,#####SECRET######" -W "(objectclass=*)"
Entering an incorrect password each time, however the account never gets
locked out and the operational attributes never change.
TIA for any advice!
14 years, 12 months