openldap-technical January 2010

openldap-technical@openldap.org

56 participants
66 discussions

Consumer ACLs
by Jaap Winius 07 Jan '10

07 Jan '10

Hi all, A question regarding ACLs on OpenLDAP consumer servers. If the ACLs on the provider give clients write access to some attributes, such as loginShell or userPassword, shouldn't the ACLs on the consumers do the same? I'm not sure about this, since consumer databases are always read-only, but it seems to me that the clients would otherwise have no way of knowing that changing certain attributes was possible (via the updateref option or the chain overlay). Thanks, Jaap

2 1

Password Policy setting
by Saavedra, Gisella 07 Jan '10

07 Jan '10

I read the entry in Chapter 6 http://www.zytrax.com/books/ldap/ch6/ppolicy.html#examples regarding setting the Password Policy Control. I have installed OpenLDAP through Cygwin. OpenLDAP is version 2.3.43 I created my db and included the Password Policy control schema, but I am getting the following error when I try to load my default and user policies: $ ldapadd -H ldap://localhost:666 -x -D "cn=Manager,dc=zes_example,dc=com" -w secret -f /etc/openldap/data/ppolicy.ldif adding new entry "ou=pwdpolicies,dc=zes_example,dc=com" adding new entry "cn=default,ou=pwdpolicies,dc=zes_example,dc=com" ldapadd: Object class violation (65) additional info: no structural object class provided Any idea? Do I need to add the password policy (ldif file) before I give the directive in slapd.conf? ----------------------------------------- The policy.ldif: dn: ou=pwdpolicies,dc=zes_example,dc=com ou: pwdpolicies description: All password Policies objectclass: organizationalunit # Default Password Policy dn: cn=default,ou=pwdpolicies,dc=zes_example,dc=com objectClass: pwdPolicy cn: default # User can change his/her password pwdAllowUserChange: TRUE # Return warning to bind attempt (seconds) -- 3 days pwdExpireWarning: 259200 # Interval in seconds to reset failure pwd count pwdFailureCountInterval: 100 # Do not allow to bind on expired passwords pwdGraceAuthNLimit: 0 # Reject any password changes in this list pwdInHistory: 3 # Lock out account when user tries more than x attempts using invalid password pwdLockout: TRUE # Do not allow the system to unlock the account pwdLockoutDuration: 0 # Consecutinve # of failure attempts pwdMaxFailure: 5 # How long the password lasts before user has to change it (seconds) -- 90 days pwdMaxAge: 77760000 # Password length pwdMinLength: 6 The commands in my slapd.conf are: ... include /etc/openldap/schema/ppolicy.schema ... (not usre if I need the next line) loadmodule ppolicy.la # invokes password policies for this DIT only overlay ppolicy # Default ppolicy ppolicy_default "cn=default,ou=pwdpolicies,dc=zes_example,dc=com" # Some ppolicy directives ppolicy_use_lockout Gisella Saavedra Sr. Software Engineer gsaavedra(a)zebra.com<mailto:gsaavedra@zebra.com> [cid:image001.gif@01CA8D67.CCDB6A40] 1000 Broadway, Suite 150, Oakland, CA 94607 | T+1 510 267 5123 T Main+1 510 267 5000 F+1 510 267 5100 | http://www.zebra.com/zes ________________________________ - CONFIDENTIAL- This email and any files transmitted with it are confidential, and may also be legally privileged. If you are not the intended recipient, you may not review, use, copy, or distribute this message. If you receive this email in error, please notify the sender immediately by reply email and then delete this email.

3 2

Server Side sort and the cn attribute
by Edward Capriolo 06 Jan '10

06 Jan '10

We use openldap as a back end for many things. One of the thing, it can be used for is an address book for outlook. Recently we upgrade to 2.4.16->2.4.20 from 2.(who knows how old). Outlook 2003 clients stopped working: http://support.microsoft.com/kb/555536 So I followed the instructions here to enable server side sorting: http://bacedifo.blogspot.com/2009/09/server-side-sort-with-openldap2418.html I was able to add the ordering to the sn attribute. attributetype ( 2.5.4.4 NAME ( 'sn' 'surname' ) DESC 'RFC2256: last (family) name(s) for which the entity is known by' ORDERING caseIgnoreOrderingMatch SUP name ) Unfortunately outlook is looking at the cn attribute @400000004b21316a0e808064 sssvlv: no ordering rule specified and no default ordering rule for attribute cn @400000004b21316a0e808834 <= get_ctrls: n=1 rc=18 err="serverSort control: No ordering rule" That unfortunately is not defined in the core.schema # system schema #attributetype ( 2.5.4.3 NAME ( 'cn' 'commonName' ) # DESC 'RFC2256: common name(s) for which the entity is known by' # SUP name ) I am sure there is a good reason why cn does not have an ordering, but I am guessing it used to have this in the distant past since this previously worked. So how would I go about changing the system schema? Or does anyone have a better way to deal with this. (I know I could play with client registry (kb) article but I would like to handle this server side) Thank you for your insights.

1 1

Password Policy - Password Modification
by SAGNIMORTE Thomas (CAMPUS) 06 Jan '10

06 Jan '10

Hello, I get some trouble with the password policy settings. I try to modify an user password when I am connected as an admin, but I can't due tu "User Alteration of Password is not allowed". I connect with an "Admin profile" who have right to write on all the directory Jan 5 15:06:25 clawma01 slapd[4363]: conn=94459 op=0 BIND dn="cn=adm_alecle23,ou=administrator,ou=security,o=oxylane" mech=SIMPLE ssf=0 Jan 5 15:06:25 clawma01 slapd[4363]: conn=94459 op=0 RESULT tag=97 err=0 text= When I try to change a password for a standard user, I get this error message. Jan 5 15:06:43 clawma01 slapd[4363]: conn=94459 op=12 MOD dn="uid=o2alecle23,ou=o2,ou=people,o=oxylane" Jan 5 15:06:43 clawma01 slapd[4363]: conn=94459 op=12 MOD attr=userPassword Jan 5 15:06:43 clawma01 slapd[4363]: conn=94459 op=12 RESULT tag=103 err=50 text=User alteration of password is not allowed Here is the password policy used for this user dn: cn=userDefault,ou=policy,ou=security,o=oxylane objectClass: top objectClass: pwdPolicy objectClass: person cn: userDefault pwdAllowUserChange: TRUE pwdAttribute: userPassword pwdCheckQuality: 1 pwdExpireWarning: 432000 pwdFailureCountInterval: 1800 pwdGraceAuthNLimit: 0 pwdInHistory: 10 pwdLockout: TRUE pwdLockoutDuration: 0 pwdMaxAge: 2764800 pwdMaxFailure: 15 pwdMinAge: 172800 pwdMinLength: 6 pwdMustChange: FALSE sn: default_user Could I change password for an user with an other account instead of rootdn? How can I allow admin user to change password of standard user? Regards, Thomas

1 0

ldap_modify_s Insufficient access
by Fujisan 04 Jan '10

04 Jan '10

Users in my LDAP database have trouble changing passwords. $ passwd Changing password for user XXX. Enter login(LDAP) password: New password: Retype new password: LDAP password information update failed: Insufficient access passwd: Authentication token manipulation error In /var/log/message, I have: passwd: pam_ldap: ldap_modify_s Insufficient access In slapd.conf on the server, I have the following: database bdb suffix dc=mydomain,dc=fr checkpoint 1024 15 rootdn cn=Manager,dc=mydomain,dc=fr rootpw {SSHA}XXXXX access to attrs=userPassword by self write by * none access to dn.subtree="dc=mydomain,dc=fr" by dn="cn=Manager,dc=mydomain,dc=fr" write by self write by * read Any idea what is wrong? Thanks in advance. F.

2 1

Encoded entries on LDIF file
by Diego Lima 04 Jan '10

04 Jan '10

Hello all, I'm trying to import an LDIF file where some users have values that appear to be encoded on the file. The values have two : (i.e. ::) and appear like this: # entry-id: 36545 dn: uid=someuser,ou=funcionarios,ou=pessoal,o=xxx,c=xxx l:: UkYgLSAyqiBFc3RhbmNpYQ== This isn't consistent with other entries, as most of them are on this format: # entry-id: 36546 dn: uid=otheruser,ou=funcionarios,ou=pessoal,o=xxx,c=xxx l: DRA-01 NSI Is there any reason why some entries would show up on a different format? I've seen some entries where other attributes are like that, such as sn, telephoneNumber, cn or title. Thank you -- Diego Lima

3 2

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical January 2010