Consumer ACLs
by Jaap Winius
Hi all,
A question regarding ACLs on OpenLDAP consumer servers. If the ACLs on
the provider give clients write access to some attributes, such as
loginShell or userPassword, shouldn't the ACLs on the consumers do the
same?
I'm not sure about this, since consumer databases are always
read-only, but it seems to me that the clients would otherwise have no
way of knowing that changing certain attributes was possible (via the
updateref option or the chain overlay).
Thanks,
Jaap
13 years, 2 months
Password Policy setting
by Saavedra, Gisella
I read the entry in Chapter 6
http://www.zytrax.com/books/ldap/ch6/ppolicy.html#examples
regarding setting the Password Policy Control.
I have installed OpenLDAP through Cygwin. OpenLDAP is version 2.3.43
I created my db and included the Password Policy control schema, but I am getting the following error when I try to load my default and user policies:
$ ldapadd -H ldap://localhost:666 -x -D "cn=Manager,dc=zes_example,dc=com" -w secret -f /etc/openldap/data/ppolicy.ldif
adding new entry "ou=pwdpolicies,dc=zes_example,dc=com"
adding new entry "cn=default,ou=pwdpolicies,dc=zes_example,dc=com"
ldapadd: Object class violation (65)
additional info: no structural object class provided
Any idea? Do I need to add the password policy (ldif file) before I give the directive in slapd.conf?
-----------------------------------------
The policy.ldif:
dn: ou=pwdpolicies,dc=zes_example,dc=com
ou: pwdpolicies
description: All password Policies
objectclass: organizationalunit
# Default Password Policy
dn: cn=default,ou=pwdpolicies,dc=zes_example,dc=com
objectClass: pwdPolicy
cn: default
# User can change his/her password
pwdAllowUserChange: TRUE
# Return warning to bind attempt (seconds) -- 3 days
pwdExpireWarning: 259200
# Interval in seconds to reset failure pwd count
pwdFailureCountInterval: 100
# Do not allow to bind on expired passwords
pwdGraceAuthNLimit: 0
# Reject any password changes in this list
pwdInHistory: 3
# Lock out account when user tries more than x attempts using invalid password
pwdLockout: TRUE
# Do not allow the system to unlock the account
pwdLockoutDuration: 0
# Consecutive # of failure attempts
pwdMaxFailure: 5
# How long the password lasts before user has to change it (seconds) -- 90 days
pwdMaxAge: 7776000
# Password length
pwdMinLength: 6
The commands in my slapd.conf are:
...
include /etc/openldap/schema/ppolicy.schema
... (not sure if I need the next line)
loadmodule ppolicy.la
# invokes password policies for this DIT only
overlay ppolicy
# Default ppolicy
ppolicy_default "cn=default,ou=pwdpolicies,dc=zes_example,dc=com"
# Some ppolicy directives
ppolicy_use_lockout
Gisella Saavedra
Sr. Software Engineer
gsaavedra(a)zebra.com
1000 Broadway, Suite 150, Oakland, CA 94607 | T+1 510 267 5123 T Main+1 510 267 5000 F+1 510 267 5100 | http://www.zebra.com/zes
13 years, 2 months
Server Side sort and the cn attribute
by Edward Capriolo
We use openldap as a back end for many things. One of the things it
can be used for is an address book for Outlook. Recently we upgraded to
2.4.16->2.4.20 from 2.(who knows how old).
Outlook 2003 clients stopped working:
http://support.microsoft.com/kb/555536
So I followed the instructions here to enable server side sorting:
http://bacedifo.blogspot.com/2009/09/server-side-sort-with-openldap2418.html
I was able to add the ordering to the sn attribute.
attributetype ( 2.5.4.4 NAME ( 'sn' 'surname' )
DESC 'RFC2256: last (family) name(s) for which the entity is known by'
ORDERING caseIgnoreOrderingMatch
SUP name )
Unfortunately outlook is looking at the cn attribute
@400000004b21316a0e808064 sssvlv: no ordering rule specified and no default ordering rule for attribute cn
@400000004b21316a0e808834 <= get_ctrls: n=1 rc=18 err="serverSort control: No ordering rule"
That unfortunately is not defined in the core.schema
# system schema
#attributetype ( 2.5.4.3 NAME ( 'cn' 'commonName' )
# DESC 'RFC2256: common name(s) for which the entity is known by'
# SUP name )
I am sure there is a good reason why cn does not have an ordering, but
I am guessing it used to have this in the distant past since this
previously worked. So how would I go about changing the system schema?
Or does anyone have a better way to deal with this?
(I know I could play with client registry (kb) article but I would
like to handle this server side)
Thank you for your insights.
13 years, 2 months
Password Policy - Password Modification
by SAGNIMORTE Thomas (CAMPUS)
Hello,
I get some trouble with the password policy settings.
I try to modify a user's password when I am connected as an admin, but I
can't, due to "User Alteration of Password is not allowed".
I connect with an "Admin profile" that has the right to write to the whole
directory.
Jan 5 15:06:25 clawma01 slapd[4363]: conn=94459 op=0 BIND dn="cn=adm_alecle23,ou=administrator,ou=security,o=oxylane" mech=SIMPLE ssf=0
Jan 5 15:06:25 clawma01 slapd[4363]: conn=94459 op=0 RESULT tag=97 err=0 text=
When I try to change a password for a standard user, I get this error
message.
Jan 5 15:06:43 clawma01 slapd[4363]: conn=94459 op=12 MOD dn="uid=o2alecle23,ou=o2,ou=people,o=oxylane"
Jan 5 15:06:43 clawma01 slapd[4363]: conn=94459 op=12 MOD attr=userPassword
Jan 5 15:06:43 clawma01 slapd[4363]: conn=94459 op=12 RESULT tag=103 err=50 text=User alteration of password is not allowed
Here is the password policy used for this user
dn: cn=userDefault,ou=policy,ou=security,o=oxylane
objectClass: top
objectClass: pwdPolicy
objectClass: person
cn: userDefault
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckQuality: 1
pwdExpireWarning: 432000
pwdFailureCountInterval: 1800
pwdGraceAuthNLimit: 0
pwdInHistory: 10
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdMaxAge: 2764800
pwdMaxFailure: 15
pwdMinAge: 172800
pwdMinLength: 6
pwdMustChange: FALSE
sn: default_user
Could I change the password for a user with another account instead of
rootdn?
How can I allow an admin user to change the password of a standard user?
Regards,
Thomas
13 years, 2 months
ldap_modify_s Insufficient access
by Fujisan
Users in my LDAP database have trouble changing passwords.
$ passwd
Changing password for user XXX.
Enter login(LDAP) password:
New password:
Retype new password:
LDAP password information update failed: Insufficient access
passwd: Authentication token manipulation error
In /var/log/message, I have:
passwd: pam_ldap: ldap_modify_s Insufficient access
In slapd.conf on the server, I have the following:
database bdb
suffix dc=mydomain,dc=fr
checkpoint 1024 15
rootdn cn=Manager,dc=mydomain,dc=fr
rootpw {SSHA}XXXXX
access to attrs=userPassword
by self write
by * none
access to dn.subtree="dc=mydomain,dc=fr"
by dn="cn=Manager,dc=mydomain,dc=fr" write
by self write
by * read
Any idea what is wrong?
Thanks in advance.
F.
13 years, 2 months
Encoded entries on LDIF file
by Diego Lima
Hello all,
I'm trying to import an LDIF file where some users have values that appear
to be encoded in the file. The values have two : (i.e. ::) and appear like
this:
# entry-id: 36545
dn: uid=someuser,ou=funcionarios,ou=pessoal,o=xxx,c=xxx
l:: UkYgLSAyqiBFc3RhbmNpYQ==
This isn't consistent with other entries, as most of them are in this
format:
# entry-id: 36546
dn: uid=otheruser,ou=funcionarios,ou=pessoal,o=xxx,c=xxx
l: DRA-01 NSI
Is there any reason why some entries would show up in a different format?
I've seen some entries where other attributes are like that, such as sn,
telephoneNumber, cn or title.
Thank you
--
Diego Lima
13 years, 2 months
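To show why an LDIF exporter writes some values with "::", here is an added Python example (not from the post above or from any OpenLDAP tool) that parses the two records quoted in the post, base64-decodes the "::" value, and applies the RFC 2849 rule an LDIF writer uses to decide when a value must be base64-encoded. The sample records are constructed from the post; treating undecodable bytes as ISO-8859-1 is an assumption about the legacy export's character set.

```python
import base64

# Constructed sample mirroring the two records quoted in the post
# (the DNs and entry-ids are the post's own placeholders, not real data).
SAMPLE_LDIF = """\
# entry-id: 36545
dn: uid=someuser,ou=funcionarios,ou=pessoal,o=xxx,c=xxx
l:: UkYgLSAyqiBFc3RhbmNpYQ==

# entry-id: 36546
dn: uid=otheruser,ou=funcionarios,ou=pessoal,o=xxx,c=xxx
l: DRA-01 NSI
"""


def needs_base64(value):
    """RFC 2849: a value may be written plain only if every byte is in
    0x01-0x7F excluding CR and LF, it does not start with SPACE, ':' or '<',
    and it does not end with SPACE. Anything else gets the '::' form."""
    if not value:
        return False
    if any(b == 0 or b > 0x7F or b in (0x0A, 0x0D) for b in value):
        return True
    return value[0] in b" :<" or value[-1] == 0x20


def decode_value(raw):
    """Text view of a raw value: UTF-8 first, ISO-8859-1 as the assumed
    fallback for exports made from a legacy single-byte directory."""
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return raw.decode("iso-8859-1")


def _record_to_entry(lines):
    """Turn one record's logical lines into {attr: [raw bytes, ...]}."""
    entry = {}
    for line in lines:
        name, _, rest = line.partition(":")
        if rest.startswith(":"):            # '::' marks a base64 value
            raw = base64.b64decode(rest[1:].strip())
        elif rest.startswith("<"):          # ':<' is a URL reference; not handled here
            raise ValueError("URL-valued attribute not supported: " + name)
        else:                               # plain values are ASCII by the rule above
            raw = rest.strip().encode("ascii")
        entry.setdefault(name, []).append(raw)
    return entry


def parse_ldif(text):
    """Minimal LDIF reader: drops comments, folds continuation lines,
    splits records on blank lines, and decodes '::' values to bytes."""
    entries, record = [], []
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if line == "":
            if record:
                entries.append(_record_to_entry(record))
                record = []
        elif line.startswith(" ") and record:
            record[-1] += line[1:]          # folded continuation line
        else:
            record.append(line)
    if record:
        entries.append(_record_to_entry(record))
    return entries
```

The decoded "l" value of the first record contains byte 0xAA, which is outside the safe ASCII range, so the exporter had to base64-encode it; the second record's value is plain ASCII and could be written as-is.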