Re: password change and ppolicy
by Gustavo Mendes de Carvalho
Hi Tizo,
Supposing that your users have to log in to some Linux/Unix machine using their
LDAP accounts, I suggest you create some binary or script to allow your
users to change their passwords by invoking the ldappasswd command.
I mean, you can create a C program or shell script or even a PHP page to
validate some weaknesses in their passwords, like min length, capital letters,
numbers, and so on.
After that, you can call the ldappasswd command with all parameters (using the
system() call in C source code) to change it.
I know that this is not an elegant option, but it works.
Let me know if it works for you, and I can post my C source code here to
help you.
See you
Gustavo
Date: Wed, 10 Jun 2009 18:54:14 -0300
From: tizo <tizone(a)gmail.com>
Subject: Re: password change and ppolicy
To: openldap-technical(a)openldap.org
On Tue, Jun 9, 2009 at 12:12 PM, tizo <tizone(a)gmail.com> wrote:
>
> Before starting this, I have been testing password changing with
> phpLDAPAdmin. The fact is that I could only change a user password with
> clear text. I guess that this behaviour happens because we have the
> pwdCheckQuality setting set to 2 in our default password policy. So, when the
> client (phpLDAPAdmin) tries to modify the password, encoding it, the server
> (OpenLDAP) cannot check the min length of the password, as it is encoded,
> and then fails. I am guessing too that phpLDAPAdmin is performing a simple
> modify operation to change the password, as it is stored in clear text. On
> the other hand, I could change passwords with ldappasswd without problem,
> and they are stored with SSHA. I know that this command uses RFC 3062.
>
> tizo
>
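As an added example (not Gustavo's program, and not code from the thread), a shell version of the wrapper he describes: it checks the weak points he lists, then calls ldappasswd with an argument list rather than a shell-interpolated command string and passes the old and new passwords through files (-y/-t/-T) so they never appear in the process list; because ldappasswd uses the RFC 3062 password modify operation tizo mentions, the server still hashes the password and applies ppolicy. LDAP_URI, BASE_DN and the ou=People container are assumed values.

```shell
#!/bin/sh
# Hypothetical wrapper around ldappasswd(1); added example, not code from the list.
# Secrets go through -y/-t/-T files, never on the command line; the user name is
# validated before it is spliced into a DN, and nothing is re-parsed by a shell.
LDAP_URI="${LDAP_URI:-ldap://localhost}"        # assumed
BASE_DN="${BASE_DN:-dc=example,dc=com}"         # assumed
MIN_LEN=8

# valid_uid UID -> 0 if UID is safe to place in a DN, 1 otherwise
valid_uid() {
    [ -n "$1" ] || return 1
    case $1 in *[![:alnum:]._-]*) return 1 ;; esac
}

# check_password_quality PASSWORD -> 0 if it meets the local policy, 1 otherwise
check_password_quality() {
    pw=$1
    [ "${#pw}" -ge "$MIN_LEN" ] || return 1
    case $pw in *[[:upper:]]*) ;; *) return 1 ;; esac   # a capital letter
    case $pw in *[[:lower:]]*) ;; *) return 1 ;; esac   # a lower-case letter
    case $pw in *[[:digit:]]*) ;; *) return 1 ;; esac   # a number
    return 0
}

# change_password UID OLD NEW -> binds as the user and changes its own password
change_password() {
    user=$1 old=$2 new=$3
    valid_uid "$user" || { echo "invalid user name" >&2; return 2; }
    check_password_quality "$new" || { echo "password rejected by local policy" >&2; return 2; }
    dn="uid=$user,ou=People,$BASE_DN"                 # ou=People is assumed
    tmp=$(mktemp -d) || return 3
    (umask 077; printf '%s' "$old" > "$tmp/old"; printf '%s' "$new" > "$tmp/new")
    # -y: bind password file, -t/-T: old and new password files for the extended op
    ldappasswd -x -H "$LDAP_URI" -D "$dn" -y "$tmp/old" \
        -t "$tmp/old" -T "$tmp/new" "$dn"
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```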
slapd-config(5) Disaster Recovery - Best Practices?
by gruntler-ldap@yahoo.com
Hi,
I am considering migrating from a monolithic slapd.conf file to the newer DIT slapd-config(5).
My primary concern is how to recover if a dynamic change brings down slapd: since the configuration is in a database and slapd will not start, recovery becomes difficult.
Is it as simple as making a slapcat backup of the configuration database (or some other backup of the configuration database that resides in the slapd.d directory) prior to making changes so that a roll-back would consist of replacing the contents of the slapd.d directory? Or is there some other recovery method that is preferred?
Thanks,
Ken
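An added example, not a reply from the list: the slapcat/slapadd round trip for cn=config that the question describes, with a sanity check on the dump before it is allowed to replace slapd.d. CONF_DIR, BACKUP_DIR and the openldap service user are assumed values; restore_config must run while slapd is stopped.

```shell
#!/bin/sh
# Added example: snapshot database 0 (cn=config) with slapcat(8) before a change,
# and rebuild slapd.d from the snapshot with slapadd(8) when slapd refuses to start.
CONF_DIR="${CONF_DIR:-/etc/ldap/slapd.d}"              # assumed path
BACKUP_DIR="${BACKUP_DIR:-/var/backups/slapd-config}"  # assumed path
SLAPD_USER="${SLAPD_USER:-openldap}"                   # assumed service user

# backup_config -> prints the path of a fresh LDIF dump of cn=config
backup_config() {
    mkdir -p "$BACKUP_DIR" && chmod 700 "$BACKUP_DIR"   # the dump contains olcRootPW etc.
    out="$BACKUP_DIR/cn-config-$(date +%Y%m%d-%H%M%S).ldif"
    slapcat -n 0 -F "$CONF_DIR" -l "$out" && echo "$out"
}

# ldif_has_config FILE -> 0 if FILE is non-empty and contains the cn=config root entry
ldif_has_config() {
    [ -s "$1" ] && grep -q '^dn: cn=config$' "$1"
}

# restore_config LDIF -> replace slapd.d with the dumped configuration (slapd stopped)
restore_config() {
    ldif=$1
    ldif_has_config "$ldif" || { echo "$ldif is not a cn=config dump" >&2; return 1; }
    mv "$CONF_DIR" "$CONF_DIR.broken.$(date +%s)"   # keep the failing tree for post-mortem
    mkdir -m 750 "$CONF_DIR"
    slapadd -n 0 -F "$CONF_DIR" -l "$ldif" || return 1
    chown -R "$SLAPD_USER:$SLAPD_USER" "$CONF_DIR"
    slaptest -F "$CONF_DIR"   # confirm the restored tree parses before starting slapd
}
```

Run backup_config before every ldapmodify against cn=config; if slapd then fails to start, stop it and pass the last dump to restore_config.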
pwdFailureTime not being deleted
by Adam Leach
I'm having a problem with the pwdFailureTime entries not being deleted after
a successful login. What steps could I take to see if there is an error
occurring?
I'm running OpenLDAP 2.4.11 on RHEL5; the RPMs came from
http://staff.telkomsa.net/packages/rhel5/openldap/i386/
Thanks
--
Adam Leach
BS Computer/Electrical Engineering
West Virginia University
Systems Administrator - Raytheon
(304)677-4455
LDAP search question
by Tihomir Culjaga
Hello,
Maybe it is a dumb question, but I'd like to know why I have such a big
discrepancy in execution time between two apparently identical ldapsearch commands.
The 1st search takes 94 ms while the 2nd one only 7 ms. It doesn't matter
how many times I execute the 1st search (meaning everything should
already be cached): it is always the same.
Does anyone know why?
~$ time ldapsearch -h localhost -x -b ou=redirecting,ou=Dir,dc=ot,dc=hr -D
cn=admin,dc=ot,dc=hr -w **** uniqueID=38512303736
# extended LDIF
#
# LDAPv3
# base <ou=redirecting,ou=Dir,dc=ot,dc=hr> with scope subtree
# filter: uniqueID=38512303736
# requesting: ALL
#
# 38512303736, redirecting, Dir, ot.hr
dn: uniqueID=38512303736,ou=redirecting,ou=Dir,dc=ot,dc=hr
objectClass: top
objectClass: uniqueID
Prefix: 68A10
uniqueID: 38512303736
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
*real 0m0.094s*
user 0m0.004s
sys 0m0.000s
~$ time ldapsearch -h localhost -x -b ou=redirecting,ou=Dir,dc=ot,dc=hr -D
cn=admin,dc=ot,dc=hr -w **** uniqueID=38515000400
# extended LDIF
#
# LDAPv3
# base <ou=redirecting,ou=Direktor,dc=ot,dc=hr> with scope subtree
# filter: uniqueID=38515000400
# requesting: ALL
#
# 38515000400, redirecting, Dir, ot.hr
dn: uniqueID=38515000400,ou=redirecting,ou=Dir,dc=ot,dc=hr
objectClass: top
objectClass: uniqueID
Prefix: 68B99
uniqueID: 38515000400
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
*real 0m0.007s*
user 0m0.000s
sys 0m0.004s
tculjaga@l01sipindir2:~$
How to temporarily downgrade to LDAPv2 ?
by J. Bakshi
Dear all,
I would like to downgrade the LDAP communication protocol to do some
experiments. An API designed in 2005 cannot work with
my LDAP server (SUSE 11.1), as the log reports:
historical protocol version requested, use LDAPv3 instead
so I need to temporarily allow the old v2 protocol so that the API can
communicate with the LDAP server.
How can I do this?
Thanks
Re: openLDAP with Berkeley DB - "Permission denied" problems after setting different data and log directories in DB_CONFIG - SOLVED
by Francesco Cicolani
You got it Matt!
I really missed the point that an AppArmor profile for slapd is generated by default in Ubuntu during OpenLDAP installation.
I did a test putting the slapd AppArmor profile in complain mode and all went well this time!
Now, time for a summary of the steps I eventually took to successfully change the Berkeley DB data and log file directories, integrated with a BDB backup and recovery, on Ubuntu 8.04.2 with the AppArmor framework enabled, just in case it could also help someone else having similar problems in the future:
1. Make a standard BDB backup (see Berkeley DB Reference Guide, in particular: http://www.oracle.com/technology/documentation/berkeley-db/db/ref/transap...):
1.1. stop slapd
1.2. force a checkpoint with db4.2_checkpoint -1v
1.3. copy all .bdb files returned by db4.2_archive -s to backup location /backup (cp -p)
1.4. copy all log.XXXXXXXXXX files returned by db4.2_archive -l to backup location /backup (cp -p)
2. Update apparmor profile for slapd (/etc/apparmor.d/usr.sbin.slapd):
## customized bdb data and log files:
/new/path/to/bdbdata/ r,
/new/path/to/bdbdata/* rw,
/new/path/to/bdblogs/ r,
/new/path/to/bdblogs/* rw,
## lock file in customized bdbdata dir
/new/path/to/bdbdata/alock kw,
3. Parse updated apparmor profile for slapd:
apparmor_parser -r < /etc/apparmor.d/usr.sbin.slapd
4. Update bdb data 'directory' directive in slapd.conf
directory "/new/path/to/bdbdata"
5. remove all .bdb, alock, __db.XXX and log.XXXXXXXXXX files from /var/lib/ldap (old default location)
6. edit DB_CONFIG file with new directives set_data_dir and set_lg_dir:
# Directory for the data files
set_data_dir /new/path/to/bdbdata
[...]
# Directory for the logfiles
set_lg_dir /new/path/to/bdblogs
7. move DB_CONFIG file to /new/path/to/bdbdata and verify ownerships are preserved:
-rw-r--r-- 1 openldap openldap 410 2009-06-15 22:00 DB_CONFIG
8. copy .bdb files from backup location /backup to /new/path/to/bdbdata (cp -p)
9. copy log.XXXXXXXXXX file from backup location /backup to /new/path/to/bdblogs (cp -p)
10. Finally, cd to /new/path/to/bdbdata and issue the recovery command (as root):
root@bob:/new/path/to/bdbdata# db4.2_recover -cv
db_recover: Finding last valid log LSN: file: 1 offset 141201
db_recover: Recovery starting from [1][28]
db_recover: Recovery complete at Mon Jun 15 22:14:04 2009
db_recover: Maximum transaction ID 80000044 Recovery checkpoint [1][141201]
11. Restart slapd and force a checkpoint just to keep things clean on db side:
root@bob:/new/path/to/bdbdata# /etc/init.d/slapd start
root@bob:/new/path/to/bdbdata# db4.2_checkpoint -1v
db_checkpoint: checkpoint: Mon Jun 15 22:18:03 2009
Note 1: doing a backup and recovery of BDB may not be strictly required, but I thought that removing the BDB data and log files from the old path would help keep things cleaner.
Note 2: setting the slapd logging level to 'any' prior to restarting slapd would help to troubleshoot startup problems and verify that BDB starts cleanly.
Thank you again guys!... and see you to the next 'mayday' thread! =)
fra
--- On Mon, 6/15/09, Matt Kassawara <battery(a)writeme.com> wrote:
> From: Matt Kassawara <battery(a)writeme.com>
> Subject: Re: openLDAP with Berkeley DB - "Permission denied" problems after setting different data and log directories in DB_CONFIG
> To: "Klaus Lemkau" <klaus.lemkau(a)tu-berlin.de>
> Cc: "Francesco Cicolani" <francescocicolani(a)yahoo.it>, openldap-technical(a)openldap.org
> Date: Monday, June 15, 2009, 6:40 PM
> By default, the Ubuntu AppArmor
> profile for slapd prevents it from writing databases to
> anywhere but /var/lib/ldap. You'll need to modify the
> usr.sbin.slapd profile in /etc/apparmor.d to correct the
> problem.
>
> Matt
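Steps 1, 2 and 6 above as shell functions, added here as an example and not Francesco's own script: the AppArmor rule fragment, the DB_CONFIG rewrite that keeps the file's owner (the point of step 7), and the checkpoint-and-copy backup. Tool names, the profile path and the openldap user are from the post; the /new/path/to/* paths are the post's placeholders, and bdb_backup assumes GNU cp -t and xargs -r as found on Ubuntu.

```shell
#!/bin/sh
# Added example, not from the post: the error-prone parts of the BDB relocation
# procedure as functions. db4.2_* tool names and paths follow the original post.

# apparmor_rules DATA LOGS -> print the rules to add inside /etc/apparmor.d/usr.sbin.slapd
apparmor_rules() {
    data=${1%/} logs=${2%/}                  # tolerate a trailing slash
    printf '  ## customized bdb data and log files:\n'
    printf '  %s/ r,\n  %s/* rw,\n' "$data" "$data"
    printf '  %s/ r,\n  %s/* rw,\n' "$logs" "$logs"
    printf '  ## lock file in customized bdbdata dir\n  %s/alock kw,\n' "$data"
}

# dbconfig_set FILE DATA LOGS -> replace (or add) set_data_dir / set_lg_dir in DB_CONFIG
dbconfig_set() {
    file=$1 data=$2 logs=$3
    [ -f "$file" ] || return 1
    tmp=$(mktemp) || return 1
    grep -v -e '^set_data_dir[[:space:]]' -e '^set_lg_dir[[:space:]]' "$file" > "$tmp" || :
    printf '# Directory for the data files\nset_data_dir %s\n' "$data" >> "$tmp"
    printf '# Directory for the logfiles\nset_lg_dir %s\n' "$logs" >> "$tmp"
    cat "$tmp" > "$file" && rm -f "$tmp"     # writing in place keeps owner openldap and mode 0644
}

# bdb_backup DBDIR BACKUPDIR -> steps 1.2-1.4: checkpoint, then copy .bdb files and logs
# (run with slapd stopped, as in step 1.1)
bdb_backup() {
    dest=$(mkdir -p "$2" && cd "$2" && pwd) || return 1   # absolute, survives the cd below
    (
        cd "$1" &&
        db4.2_checkpoint -1v &&
        db4.2_archive -s | xargs -r cp -p -t "$dest" &&
        db4.2_archive -l | xargs -r cp -p -t "$dest"
    )
}
```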
Re: openLDAP with Berkeley DB - "Permission denied" problems after setting different data and log directories in DB_CONFIG
by Francesco Cicolani
Hi Klaus,
Thanks for your reply.
I checked ownership and permissions on /var/lib/ldap:
francesco@bob:/var/lib$ ls -l | grep ldap
drwxr-xr-x 5 openldap openldap 4096 2009-06-15 17:03 ldap
while the two subdirs in which I'm trying to place the BDB data files and logs have:
francesco@bob:/var/lib$ ls -l ldap
[...]
drwxr-xr-x 2 openldap openldap 4096 2009-06-14 18:39 bdbdata
drwxr-xr-x 2 openldap openldap 4096 2009-06-14 18:39 bdblogs
[...]
During testing, I also tried to change permissions on bdbdata and bdblogs to 775 and even 777, but I had no success in getting the BDB log.0000000001 accessible when placed in bdblogs.
I'm running short of ideas... I'm even wondering if someone else had similar problems when trying to set different dir for data files and logs...
see you
fra
--- On Sun, 6/14/09, Klaus Lemkau <klaus.lemkau(a)tu-berlin.de> wrote:
From: Klaus Lemkau <klaus.lemkau(a)tu-berlin.de>
Subject: Re: openLDAP with Berkeley DB - "Permission denied" problems after setting different data and log directories in DB_CONFIG
To: "Francesco Cicolani" <francescocicolani(a)yahoo.it>
Cc: openldap-technical(a)openldap.org
Date: Sunday, June 14, 2009, 9:03 PM
Hi Francesco,
likely the files in /var/lib/ldap/ have the wrong owner (root?).
chown -R openldap:openldap /var/lib/ldap
should solve your problem.
Greetings
Klaus
Re: TLS certificates
by Michael Ströder
Matthew, please stay on the mailing list (Cc:-ed) when answering so
others can answer and learn as well.
Matthew Edlefsen wrote:
> 2009/6/13 Michael Ströder <michael(a)stroeder.com>:
>> Matthew Edlefsen wrote:
>>> Hello, I'm trying to get TLS setup with openldap and am having some
>>> issues. I have a CA signed certificate (not self-signed) and have
>>> created a chain with my CA cert and the root CA cert. I've verified
>>> that it works with openssl verify -CAfile on both the client and
>>> server but then when I try to connect using ldaps I get the following
>>> error on the client:
>>>
>>> TLS certificate verification: depth: 2, err: 19, subject:
>>> /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust
>>> External CA Root, issuer: /C=SE/O=AddTrust AB/OU=AddTrust External TTP
>>> Network/CN=AddTrust External CA Root
>>> TLS certificate verification: Error, self signed certificate in
>>> certificate chain
>>> TLS trace: SSL3 alert write:fatal:unknown CA
>>> TLS trace: SSL_connect:error in SSLv3 read server certificate B
>>> TLS trace: SSL_connect:error in SSLv3 read server certificate B
>>> TLS: can't connect.
>>>
>>> I assume it's saying that the root CA is self signed, but if I don't
>>> include it in the chain it says it can't trust the CA.
>> Could you please elaborate on how you configured TLS settings on your
>> LDAP client? I assume that your OpenLDAP build was linked to OpenSSL
>> libs. Is that right?
>
> I did not configure my client at all. I confirmed it is linked to
> OpenSSL though. I'm hoping to not have to do any client configuration
> (other than turning it on obviously) because we would like end users
> to be able to use ldaps without any hassle.
You have to configure each LDAP client to trust the CA cert.
For OpenLDAP command-line clients or derived clients you should consult
the man page ldap.conf(5) about how to place system-wide or specific
configuration files and the client-side (TLS-related) configuration options.
Ciao, Michael.
OpenLDAP and AD integration
by Santosh Balan
Hi Friends,
I am a newbie to this community and want to know how I can integrate an
OpenLDAP server with MS Active Directory, such that when I create a user in
LDAP it is reflected in AD as well and vice versa. Similarly, any changes
should take effect on both AD and LDAP. Also, I want to know how this can be
done, with technical documentation. Also, in case AD is not available, a user
gets authenticated using LDAP and vice versa.
Your urgent help on this issue will be highly appreciated. Expecting a
reply from you at the earliest.
Thanks and Regards
Santosh Balan
+91-9819419509