Re: Check password module/ppolicy problem on Solaris 10 (2.4.21 OL sources)
by Jose G. Torres
Hello again,
Well I tried the following.
Added the full path of the check_password.so in my slapd.conf under "moduleload".
moduleload /opt/openldap/etc/openldap/modules/check_password.so
Added the full path to my check_password.so module in my ldif
pwdCheckModule: /opt/openldap/etc/openldap/modules/check_password.so
Recompiled the sources again using the configure used to build the openSUSE package.
CC=/usr/sfw/bin/gcc CPPFLAGS=-I/opt/openldap/include \
LDFLAGS="-L/opt/openldap/lib -R/opt/openldap/lib" \
./configure --prefix=/opt/openldap --with-tls \
--enable-spasswd --enable-crypt --with-gnu-ld \
--enable-ppolicy --enable-modules --enable-dynamic \
--enable-aci --enable-bdb --enable-hdb \
--enable-rewrite --enable-ldap=yes --enable-meta=mod \
--enable-monitor=yes --enable-slp --enable-overlays=yes
Still no luck. At least within my ldap logs I see the "Password fails quality checking policy" so at least it is hitting the ldap server for password checking. Any ideas????? Thanks!!!!
Jose
13 years, 3 months
a newbie trying to get the basics of syncrepl going
by Seger, Mark
I'm an admitted ldap lightweight but have been able to bring up an ldap server and populate it with the contents of my /etc/passwd file. Now I want to set up a replica on another machine using sync replication and am having a few issues getting it to work. My most recent success was getting simple authentication working because before it was failing and now it's not so I've at least gotten that far. Here's what my replication section looks like in ldap.conf:
syncrepl rid=123
provider=ldap://10.99.99.99:389
type=refreshOnly
interval=01:00:00:00
searchbase="dc=myldap,dc=com"
filter="(objectClass=account)"
scope=sub
schemachecking=off
updatedn="cn=replica,dc=myldap,dc=com"
bindmethod=simple
binddn="uid=lsfadmin,ou=People,dc=myldap,dc=com"
credentials=Something
I'm pretty sure I have the search parameters set correctly because if I run:
ldapsearch -x -h 10.99.99.99 -b 'dc=myldap,dc=com' -A uid
it dumps all my uids.
The part I'm unclear on is how to define things on the slave side. For example, I have the main part of the conf set the same as on the master, just to make things easy on me, so I have the following, which is exactly how I have the master set up.
database bdb
suffix "dc=myldap,dc=com"
rootdn "cn=Manager,dc=myldap,dc=com"
rootpw {SSHA}ZmTfiKLVf8X5GERsT3b3AoB3/hFV3l7R
directory /var/lib/ldap
I'm guessing my problem may be with updatedn="cn=replica,dc=myldap,dc=com", but I'm not sure what it should be and whether or not I have to prime the replica with any special authentication to be able to write to it.
If I run "ldapsearch -x -b 'dc=myldap,dc=com'" against the replica it comes up empty so I'm sure nothing is getting replicated. Further if I run the slave slapd with -d128 I get:
[root@hpdc3dmgt1 ~]# slapd -d 128
@(#) $OpenLDAP: slapd 2.3.43 (Nov 6 2008 02:53:24) $
brewbuilder@hs20-bc1-5.build.redhat.com:/builddir/build/BUILD/openldap-2.3.43/openldap-2.3.43/build-servers/servers/slapd
slapd starting
request done: ld 0x2ac52b507c70 msgid 1
=> bdb_entry_get: cannot find entry: "dc=myldap,dc=com"
do_syncrep2: rid 123got search entry without control
do_syncrepl: rid 123 quitting
but I have no idea where it's looking for the entry, on the master or the slave? But I do have that entry on the master.
I'm sure I'm doing something wrong but am also hoping it's relatively minor.
-mark
13 years, 3 months
Re: Adding a schema to OpenLdap
by Francis, Steve (IHG)
Thanks, I just figured it out. Somehow the ftp of the other ldif made it unusable. So I moved over my java program that creates the ldif file, and all is well.
Steve Francis
IHG - z/OS Technical Advisor
Sent from my BlackBerry
________________________________
From: Jonathan Clarke <jonathan(a)phillipoux.net>
To: Francis, Steve (IHG)
Cc: <openldap-technical(a)openldap.org> <openldap-technical(a)openldap.org>
Sent: Tue Feb 23 17:21:50 2010
Subject: Re: Adding a schema to OpenLdap
On 23 févr. 2010, at 17:38, "Francis, Steve (IHG)" <Steve.Francis(a)ihg.com> wrote:
I have a schema that I have used on a z/OS Ldap server for over six years. I received a NOID from IANA and have had no issues running ldapmodify commands on the z/OS ldap server to allow the objectclass's use.
Now, I'm working to port the application that uses this ldap server to Linux and can't seem to get OpenLdap to allow the use of my objectclass. I have created my own schema file and have included it in the slapd.conf, which starts with no errors; however, the ldapadd to process the ldif file fails with the famous "ldap_add: Invalid syntax (21) additional info: objectclass: value #1 invalid per syntax". I know this to be my objectclass, since the following is my ldif file.
dn: cn=10.172.50.0, o=SAH
objectclass: top
objectclass: saHolidex
cn: 10.172.50.0
sn: AADAL
ou: HOTEL
mtrStatus: N
ipAddr: 10.172.50.0
pqsStatus: MQSOFF
subNetMask: 255.255.255.0
Make sure that you don't have any spaces trailing after your objectClass name in your LDIF file. This is a common source of this error.
If this doesn't solve your problem, start slapd with "loglevel config" in slapd.conf and make sure your objectclass is read in.
Hope this helps,
Jonathan
The z/OS ldap server had gotten away from including schema files and so I simply issued the ldapmodify command to update "cn=schema,o=sah" as my suffix was o=sah.
The schema file I created looks like the following, as my IANA number is 15132:
attributetype ( 1.3.6.1.4.1.15132.0.1.2.4
NAME 'mtrStatus'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
EQUALITY caseIgnoreMatch )
attributetype ( 1.3.6.1.4.1.15132.0.1.2.3
NAME 'ipAddr'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
EQUALITY caseExactIA5Match )
attributetype ( 1.3.6.1.4.1.15132.0.1.2.5
NAME 'pqsStatus'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
EQUALITY caseIgnoreMatch )
attributetype ( 1.3.6.1.4.1.15132.0.1.2.6
NAME 'subNetMask'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
EQUALITY caseExactIA5Match )
objectClass ( 1.3.6.1.4.1.15123.0.1.2.1
NAME 'saHolidex'
DESC 'IHG Sah'
SUP top STRUCTURAL
MUST ( cn $ sn )
MAY ( ou $ mtrStatus $ ipAddr $ pqsStatus $ subNetMask ) )
The old ldif file for the z/OS systems looks like the following:
dn: cn=schema,o=SAH
changetype:modify
add:x
attributetypes: ( 15132.0.1.2.4 NAME 'mtrStatus' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 EQUALITY caseIgnoreMatch )
ibmattributetypes: ( 15132.0.1.2.4 ACCESS-CLASS normal)
attributetypes: ( 15132.0.1.2.3 NAME 'ipAddr' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 EQUALITY caseExactIA5Match )
ibmattributetypes: ( 15132.0.1.2.3 ACCESS-CLASS normal)
attributetypes: ( 15132.0.1.2.5 NAME 'pqsStatus' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 EQUALITY caseIgnoreMatch )
ibmattributetypes: ( 15132.0.1.2.5 ACCESS-CLASS normal)
attributetypes: ( 15132.0.1.2.6 NAME 'subNetMask' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 EQUALITY caseExactIA5Match )
ibmattributetypes: ( 15132.0.1.2.6 ACCESS-CLASS normal)
objectclasses: ( 15123.0.1.2.1 NAME 'saHolidex' SUP top MUST ( cn $ sn ) MAY ( ou $ mtrStatus $ ipAddr $ pqsStatus $ subNetMask ) )
Can anyone help me figure out why I can't get this objectclass to work? It works fine with the z/OS Ldap Server, and has for many years, all the way back to the OS390 days, prior to z/OS.
Thanks, in advance,
Steve Francis
Technical Advisor - zSeries, zLinux, z/OS
IHG
Alpharetta Data Center
Ph: 770-442-7157
Cell: 770-906-3122
IM: francisihg
13 years, 3 months
Adding a schema to OpenLdap
by Francis, Steve (IHG)
I have a schema that I have used on a z/OS Ldap server for over six years. I received a NOID from IANA and have had no issues running ldapmodify commands on the z/OS ldap server to allow the objectclass's use.
Now, I'm working to port the application that uses this ldap server to Linux and can't seem to get OpenLdap to allow the use of my objectclass. I have created my own schema file and have included it in the slapd.conf, which starts with no errors; however, the ldapadd to process the ldif file fails with the famous "ldap_add: Invalid syntax (21) additional info: objectclass: value #1 invalid per syntax". I know this to be my objectclass, since the following is my ldif file.
dn: cn=10.172.50.0, o=SAH
objectclass: top
objectclass: saHolidex
cn: 10.172.50.0
sn: AADAL
ou: HOTEL
mtrStatus: N
ipAddr: 10.172.50.0
pqsStatus: MQSOFF
subNetMask: 255.255.255.0
The z/OS ldap server had gotten away from including schema files and so I simply issued the ldapmodify command to update "cn=schema,o=sah" as my suffix was o=sah.
The schema file I created looks like the following, as my IANA number is 15132:
attributetype ( 1.3.6.1.4.1.15132.0.1.2.4
NAME 'mtrStatus'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
EQUALITY caseIgnoreMatch )
attributetype ( 1.3.6.1.4.1.15132.0.1.2.3
NAME 'ipAddr'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
EQUALITY caseExactIA5Match )
attributetype ( 1.3.6.1.4.1.15132.0.1.2.5
NAME 'pqsStatus'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
EQUALITY caseIgnoreMatch )
attributetype ( 1.3.6.1.4.1.15132.0.1.2.6
NAME 'subNetMask'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
EQUALITY caseExactIA5Match )
objectClass ( 1.3.6.1.4.1.15123.0.1.2.1
NAME 'saHolidex'
DESC 'IHG Sah'
SUP top STRUCTURAL
MUST ( cn $ sn )
MAY ( ou $ mtrStatus $ ipAddr $ pqsStatus $ subNetMask ) )
The old ldif file for the z/OS systems looks like the following:
dn: cn=schema,o=SAH
changetype:modify
add:x
attributetypes: ( 15132.0.1.2.4 NAME 'mtrStatus' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 EQUALITY caseIgnoreMatch )
ibmattributetypes: ( 15132.0.1.2.4 ACCESS-CLASS normal)
attributetypes: ( 15132.0.1.2.3 NAME 'ipAddr' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 EQUALITY caseExactIA5Match )
ibmattributetypes: ( 15132.0.1.2.3 ACCESS-CLASS normal)
attributetypes: ( 15132.0.1.2.5 NAME 'pqsStatus' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 EQUALITY caseIgnoreMatch )
ibmattributetypes: ( 15132.0.1.2.5 ACCESS-CLASS normal)
attributetypes: ( 15132.0.1.2.6 NAME 'subNetMask' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 EQUALITY caseExactIA5Match )
ibmattributetypes: ( 15132.0.1.2.6 ACCESS-CLASS normal)
objectclasses: ( 15123.0.1.2.1 NAME 'saHolidex' SUP top MUST ( cn $ sn ) MAY ( ou $ mtrStatus $ ipAddr $ pqsStatus $ subNetMask ) )
Can anyone help me figure out why I can't get this objectclass to work? It works fine with the z/OS Ldap Server, and has for many years, all the way back to the OS390 days, prior to z/OS.
Thanks, in advance,
Steve Francis
Technical Advisor - zSeries, zLinux, z/OS
IHG
Alpharetta Data Center
Ph: 770-442-7157
Cell: 770-906-3122
IM: francisihg
13 years, 3 months
Re: the parent of a result.
by Peter Mogensen
This sounds like an inherent relational problem.
Any special reason for using a directory to store the forum data?
/Peter
13 years, 3 months
the parent of a result.
by Mihamina Rakotomandimby
Manao ahoana, Hello, Bonjour,
I am looking for a way to search for the parent of the matched target.
For example, let's imagine a forum with multiple topics:
- boys
- girls
- dogs
Each topic has comments (for simplicity, let's make them flat):
- boys
  - comment 234
  - comment 65
- girls
  - comment 659
  - comment 4
- dogs
  - comment 351
  - comment 323
Comment IDs are unique.
I perform a search:
ldapsearch (...) commentId=659
The only way to have the parent (girls) is for me to parse the resulting "dn" of that search, splitting it by ",". Bad & Dirty.
How (which argument/option) to get the parent of commentId=659?
Misaotra, Thanks, Merci.
--
Architecte Informatique chez Blueline/Gulfsat:
Administration Systeme, Recherche & Developpement
+261 34 29 155 34 / +261 33 11 207 36
13 years, 3 months
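The question above is about getting the parent of commentId=659 without a naive split of the DN on ",". As an added example (not code from the thread), here is why the plain split is "dirty" and how to do it properly on the client side: an RFC 4514-aware DN splitter that honours backslash escapes, so an RDN value such as "girls\, dogs" is not cut in half. The forum DN suffix (ou=forum,dc=example,dc=com) is constructed for the example.

```python
# Added example, not code from the thread: RFC 4514-aware parent-DN lookup.
# A plain dn.split(",") breaks as soon as an RDN value contains an escaped
# comma ("topic=girls\, dogs"); walking the string and honouring backslash
# escapes gives the parent reliably. The suffix ou=forum,dc=example,dc=com
# used in __main__ is constructed for this example.


def _trim(rdn: str) -> str:
    """Drop whitespace around an RDN, but keep an escaped trailing blank."""
    rdn = rdn.lstrip()
    while rdn.endswith(" ") and not rdn.endswith("\\ "):
        rdn = rdn[:-1]
    return rdn


def split_dn(dn: str) -> list:
    """Split a DN into its RDN strings, leaf first, keeping escapes verbatim.

    A comma preceded by a backslash belongs to the value and does not split.
    """
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            # Copy the escape pair ("\," or the first char of "\2C") as-is.
            current.append(ch)
            current.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            rdns.append(_trim("".join(current)))
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append(_trim("".join(current)))
    if dn.strip() and any(r == "" for r in rdns):
        raise ValueError("empty RDN in DN: %r" % dn)
    return rdns


def unescape_rdn_value(value: str) -> str:
    """Undo RFC 4514 escaping: "\\X" -> X and "\\HH" -> the character HH."""
    out, i = [], 0
    hexdigits = "0123456789abcdefABCDEF"
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in hexdigits for c in pair):
                out.append(chr(int(pair, 16)))
                i += 3
            else:
                out.append(value[i + 1])
                i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parent_dn(dn: str) -> str:
    """Return the parent DN, or "" when the DN is a single RDN or empty."""
    return ",".join(split_dn(dn)[1:])


def parent_rdn_value(dn: str) -> str:
    """Return the unescaped value of the parent's RDN (e.g. "girls")."""
    parts = split_dn(dn)
    if len(parts) < 2:
        return ""
    _attr, _sep, value = parts[1].partition("=")
    return unescape_rdn_value(value)


if __name__ == "__main__":
    dn = "commentId=659,topic=girls,ou=forum,dc=example,dc=com"
    print(parent_dn(dn))         # topic=girls,ou=forum,dc=example,dc=com
    print(parent_rdn_value(dn))  # girls
```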
Syncrepl for AD replication
by Siddhartha Jain
Hi,
I am looking to setup a LDAP server that can pull certain user attributes from Active Directory like userid (sAMAccountName), cn, sn and populate some other attributes like public keys via user input.
Is it possible to automate the AD to LDAP replication using syncrepl? Also, looking at syncrepl documentation, it isn't clear how syncrepl adds records? For example, if a new user gets added on the master, how does the replica know what objectclasses to include while adding that user?
Thanks,
Siddhartha
13 years, 3 months
openldap client GSSAPI authentication segfaults in fbsd8-stable i386
by George Mamalakis
Dear all,
I have submitted this email to the freebsd-stable mailing list as well, but with no luck until now; so, I decided to share it with this list as well. The email is large only because I have tested my setup on six different machines, and I explain my results for each one. The problem is simpler; my email subject explains it all.
So, here is how it goes:
I am facing many instabilities in FBSD8 with openldap-client and sasl authentication (GSSAPI in particular). I have set up an openldap 2.4.1 server with gssapi support (through cyrus-sasl-2.1.23) on fbsd8-stable amd64 latest sources, in an esxi host. In the same host I have set up two fbsd8-stable i386 clients; one has latest sources, the other one is installed via the iso-image of January's fbsd snapshot; on both systems the openldap client and sasl are installed (all ldap/cyrus versions on all hosts mentioned in this email are the same). My laptop has fbsd8-i386 stable (sources 25 January 2010), and on my laptop I have set up an fbsd8-stable i386 (snapshot iso image) on a virtualbox client. Lastly, on the esxi host I have set up another fbsd8-stable amd64 system, to act as an ldap client (latest sources).
To summarize, and put a label-number on each host, we have:
1 - esxi: fbsd8(latest) amd64 openldap server
2 - esxi: fbsd8(latest) i386 openldap client
3 - esxi: fbsd8(snapshot) i386 openldap client
4 - esxi: fbsd8(latest) amd64 openldap client
5 - laptop: fbsd8(jan 25) i386 openldap client
6 - laptop/vbox: fbsd8(snapshot) i386 openldap client
The openldap server is installed in a jail, and the client is tested in
the same jail.
Kerberos works on all machines (same /etc/krb5.conf), and ldap as well.
In all machines, line 96 of /usr/bin/krb5-config is changed to read:
lib_flags="$lib_flags -lgssapi -lgssapi_spnego -lgssapi_krb5 -lheimntlm"
instead of:
lib_flags="$lib_flags -lgssapi -lheimntlm"
which was the default, since without these I couldn't get gssapi authentication to work for cyrus (and spnego). This change was made after recommendations given on the freebsd-stable mailing list, and I was very happy to see that after this change the ldap server worked as I expected.
On all systems, cat /usr/local/etc/openldap/ldap.conf:
BASE dc=ee,dc=auth,dc=gr
URI ldap://ldap.ee.auth.gr
SASL_MECH GSSAPI
Without kiniting on any client, I get the following outcomes when I run ldapwhoami (with no arguments):
1:
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error:
Miscellaneous failure (see text) (unknown mech-code 2 for mech unknown)
which is expected.
2:
SASL/GSSAPI authentication started
Segmentation fault: 11 (core dumped)
which is not rational at all
3:
SASL/GSSAPI authentication started
Segmentation fault: 11 (core dumped)
4:
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error:
Miscellaneous failure (see text) (unknown mech-code 2 for mech unknown)
which is the same as 1 (as expected)
5:
SASL/GSSAPI authentication started
Segmentation fault: 11 (core dumped)
6:
SASL/GSSAPI authentication started
Segmentation fault: 11 (core dumped)
if I kinit to mamalos, ldapwhoami returns:
1:
SASL/GSSAPI authentication started
SASL username: mamalos(a)EE.AUTH.GR
SASL SSF: 56
SASL data security layer installed.
dn:uid=mamalos,ou=people,dc=ee,dc=auth,dc=gr
which is super!
2:
SASL/GSSAPI authentication started
Segmentation fault: 11 (core dumped)
which is dramatic.
3:
SASL/GSSAPI authentication started
Segmentation fault: 11 (core dumped)
4:
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error:
Miscellaneous failure (see text) (unknown mech-code 2529638919 for mech
unknown)
which is very strange, since mech-code seems unnaturally large.
5:
SASL/GSSAPI authentication started
SASL username: mamalos(a)EE.AUTH.GR
SASL SSF: 56
SASL data security layer installed.
dn:uid=mamalos,ou=people,dc=ee,dc=auth,dc=gr
which is super, but without kinit the same command segfaulted on this machine.
6:
SASL/GSSAPI authentication started
SASL username: mamalos(a)EE.AUTH.GR
SASL SSF: 56
SASL data security layer installed.
dn:uid=mamalos,ou=people,dc=ee,dc=auth,dc=gr
which is the exact same behavior as 5 above.
All this means that there is no single pattern!!!!!!!
If I gdb ldapwhoami in the clients that segfault, I get:
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you
are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd"...(no debugging symbols
found)...
(gdb) run -d0
Starting program: /usr/local/bin/ldapwhoami -d0
(no debugging symbols found)...(no debugging symbols found)...(no
debugging symbols found)...(no debugging symbols found)...(no debugging
symbols found)...(no debugging symbols found)...(no debugging symbols
found)...(no debugging symbols found)...(no debugging symbols
found)...(no debugging symbols found)...(no debugging symbols
found)...(no debugging symbols found)...(no debugging symbols
found)...(no debugging symbols found)...(no debugging symbols
found)...(no debugging symbols found)...(no debugging symbols
found)...(no debugging symbols found)...(no debugging symbols
found)...(no debugging symbols found)...(no debugging symbols
found)...(no debugging symbols found)...(no debugging symbols
found)...(no debugging symbols found)...(no debugging symbols
found)...(no debugging symbols found)...(no debugging symbols
found)...(no debugging symbols found)...(no debugging symbols
found)...SASL/GSSAPI authentication started
Program received signal SIGSEGV, Segmentation fault.
0x2831e187 in free () from /lib/libc.so.7
(gdb) where
#0 0x2831e187 in free () from /lib/libc.so.7
#1 0x2850fb82 in gss_release_buffer () from /usr/lib/libgssapi.so.10
#2 0x2850f552 in gss_release_name () from /usr/lib/libgssapi.so.10
#3 0x2850bea9 in gss_init_sec_context () from /usr/lib/libgssapi.so.10
#4 0x283f9abf in gssapi_client_mech_step () from
/usr/local/lib/sasl2/libgssapiv2.so.2
#5 0x280e84b1 in sasl_client_step () from /usr/local/lib/libsasl2.so.2
#6 0x28443100 in ?? ()
#7 0x00000000 in ?? ()
#8 0x00000000 in ?? ()
#9 0xbfbfe968 in ?? ()
#10 0xbfbfe954 in ?? ()
#11 0xbfbfe964 in ?? ()
#12 0x28445860 in ?? ()
#13 0x280e83fe in sasl_client_step () from /usr/local/lib/libsasl2.so.2
#14 0xbfbfe8a8 in ?? ()
#15 0x280e9135 in sasl_client_start () from /usr/local/lib/libsasl2.so.2
#16 0x00000000 in ?? ()
#17 0x00000000 in ?? ()
#18 0xbfbfe968 in ?? ()
#19 0xbfbfe954 in ?? ()
#20 0xbfbfe964 in ?? ()
#21 0xd7a3b2da in ?? ()
#22 0x283abad8 in ?? () from /lib/libc.so.7
#23 0x00000000 in ?? ()
#24 0x283ab730 in __stderrp () from /lib/libc.so.7
#25 0xbfbfe878 in ?? ()
#26 0x2838c764 in vfprintf () from /lib/libc.so.7
Previous frame inner to this frame (corrupt stack?)
I built openldap and cyrus-sasl on this machine from sources (not ports), and (after a long time of trying to find out how to run configure successfully in both installations) the outcome was exactly the same (meaning segfaults). So, one of my admins wrote a C program that overrides gss_release_buffer, always returning 0 (what is expected after normal operation), and compiled it as a library. The program code is nothing more than just:
int gss_release_buffer(void *a, void *b) {
return 0;
}
We LD_PRELOADed the library, and when we ran ldapwhoami the outcome was:
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error:
Miscellaneous failure (see text) (unknown mech-code 2529638919 for mech
unknown)
When we ran it with no kerberos tickets, we got:
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error:
Miscellaneous failure (see text) (unknown mech-code 2 for mech unknown)
The exact same errors as the aforementioned client 4 (esxi,
amd64)!!!!!!!!!!!!!
What on earth is happening?!?!!?!?!
Now one can easily see that there is a definite problem regarding memory
freeing, and after overcoming that the mech-code 2529638919 implies that
some segment in memory is overwritten by some "random" value, so
mech-code returns the number 2529638919 instead of a number of
marginality 1.
What is more definite is that openldap doesn't work out-of-the-box if gssapi support is required, and behaves randomly on different architectures/virtualHosts/platforms.
The problem may have been something related to line 96 in
/usr/bin/krb5-config... I don't know.
What is sure is that I am having second thoughts on using fbsd as my openldap/heimdal server for my setup, which would be quite disappointing for me, since I have been using fbsd for many, many years, on all my laptops and servers. The only "good part" is that the only machine that works seamlessly (until now, at least) is the heimdal/ldap server.
Thank you all in advance and I hope that we will find an answer to all
this.
--
George Mamalakis
IT Officer
Electrical and Computer Engineer (Aristotle Un. of Thessaloniki),
MSc (Imperial College of London)
Department of Electrical and Computer Engineering
Faculty of Engineering
Aristotle University of Thessaloniki
phone number : +30 (2310) 994379
13 years, 3 months
Check password module/ppolicy problem on Solaris 10 (2.4.21 OL sources) server
by Jose G. Torres
Hello everyone!,
I am trying to get my solaris 10 openldap 2.4.21 server to use my check_password.so module using the ppolicy overlay. When I try to change a user's password from a linux client, I get the following error message.
passwd ldapuser
Changing password for ldapuser.
Enter login(LDAP) password:
New Password:
Reenter New Password:
LDAP password information update failed: Constraint violation
Password fails quality checking policy
passwd: Permission denied
Within my logs, I do not see any error messages from my check_password.so module. I created the directory /opt/openldap/etc/openldap/modules and placed my module in that directory and I added the modulepath in my slapd.conf.
Is there something I missed? Is this a PAM thing? I know this setup works on an OpenSUSE 11.2 openldap server. Help.
I included part of my slapd.conf, openldap configure, check_password.c source, makefile and ldd of my check_password.so.
Thanks!!!!
Jose Torres
openldap configure
******************
CC=/usr/sfw/bin/gcc CPPFLAGS=-I/opt/openldap/include \
LDFLAGS="-L/opt/openldap/lib -R/opt/openldap/lib" \
./configure --prefix=/opt/openldap --with-tls \
--enable-spasswd --enable-crypt --with-gnu-ld \
--enable-ppolicy --enable-modules --enable-dynamic
slapd.conf:
**********
include /opt/openldap/etc/openldap/schema/ppolicy.schema
# Add password policies.
modulepath /opt/openldap/etc/openldap/modules
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=caci,dc=ymp,dc=com"
ppolicy_use_lockout
I tried ppolicy_clear_txt I still have the same problem.
check_password.c:
****************
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include "portable.h"
#include "slap.h"

int init_module()
{
    return 0;
}

/* Entry point the ppolicy overlay looks up in the pwdCheckModule.
 * Returns 0 when the password is acceptable and non-zero when it is not;
 * on rejection *ppErrStr is set to a malloc'd message for the caller. */
int check_password(char *pPasswd, char **ppErrStr, Entry *pEntry)
{
    char error = 0;
    char retmsg[255];
    char *message;
    const char special[] = "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~";
    const char number[] = "1234567890";
    const char CAPS[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";

    (void)pEntry; /* not used by these checks */

    if (strstr(pPasswd, " ") != NULL)
    {
        error = 1;
        strcpy(retmsg, "******** CHECKPW: Password contains SPACES! ********");
    }

    /* strpbrk() returns NULL when no character of the set occurs in the
     * password. The strtok() version this replaces dereferenced a NULL
     * token before testing it (a password made only of special characters
     * crashed slapd) and leaked every strdup()'d buffer. */
    if (strpbrk(pPasswd, special) == NULL)
    {
        error = 1;
        strcpy(retmsg, "******** CHECKPW: Password does not contain any special characters! ********");
    }

    if (strpbrk(pPasswd, number) == NULL)
    {
        error = 1;
        strcpy(retmsg, "******** CHECKPW: Password does not contain any numbers! ********");
    }

    /* The posted code tested against `number` here instead of `CAPS`. */
    if (strpbrk(pPasswd, CAPS) == NULL)
    {
        error = 1;
        strcpy(retmsg, "******** CHECKPW: Password does not contain any CAPITAL LETTERS! ********");
    }

    if (error)
    {
        /* Allocate a copy of the message for the caller. */
        message = (char *)malloc(strlen(retmsg) + 1);
        if (message == NULL)
            return 1;
        strcpy(message, retmsg);
        *ppErrStr = message;
    }
    return error;
}
Makefile:
*********
check_password.so: check_password.o
	gcc -L/opt/openldap/lib -lldap -shared -o check_password.so check_password.o
check_password.o: check_password.c
	gcc -fpic -I../../include -I. -c check_password.c
clean:
	rm check_password.so check_password.o
It seems to find the right libraries.
$ ldd modules/check_password.so
libldap-2.4.so.2 => /opt/openldap/lib/libldap-2.4.so.2
libgcc_s.so.1 => /usr/sfw/lib/libgcc_s.so.1
liblber-2.4.so.2 => /opt/openldap/lib/liblber-2.4.so.2
libresolv.so.2 => /usr/lib/libresolv.so.2
libgen.so.1 => /usr/lib/libgen.so.1
libnsl.so.1 => /usr/lib/libnsl.so.1
libsocket.so.1 => /usr/lib/libsocket.so.1
libsasl.so.1 => /usr/lib/libsasl.so.1
libssl.so.0.9.7 => /usr/sfw/lib/libssl.so.0.9.7
libcrypto.so.0.9.7 => /usr/sfw/lib/libcrypto.so.0.9.7
libc.so.1 => /usr/lib/libc.so.1
libmp.so.2 => /usr/lib/libmp.so.2
libmd.so.1 => /usr/lib/libmd.so.1
libscf.so.1 => /usr/lib/libscf.so.1
libdoor.so.1 => /usr/lib/libdoor.so.1
libuutil.so.1 => /usr/lib/libuutil.so.1
libssl_extra.so.0.9.7 => /usr/sfw/lib/libssl_extra.so.0.9.7
libcrypto_extra.so.0.9.7 => /usr/sfw/lib/libcrypto_extra.so.0.9.7
libm.so.2 => /usr/lib/libm.so.2
13 years, 3 months
Re: objectclass not found inetorgperson?
by Ray Carrender
Actually it was that slapd.conf wasn't restarting correctly, I did a full
reboot on my server and got this stuff to start to work. Not exactly sure
why this is the case versus /usr/local/libexec/slapd.d restart but it works
now and I'm all the wiser.
Thanks!
*Ray*
> Date: Mon, 22 Feb 2010 05:47:12 +0100
> From: "Dieter Kluenter" <dieter(a)dkluenter.de>
> Subject: Re: objectclass not found inetorgperson?
> To: openldap-technical(a)openldap.org
> Message-ID: <87zl3198rz.fsf(a)rubin.avci.de>
> Content-Type: text/plain; charset=utf-8
>
> Ray Carrender <mrsmiley32(a)gmail.com> writes:
>
> > I keep getting a ldap_add: Invalid syntax (21)
> > additional info: objectclass: value #0
> invalid
> > per syntax
> >
> > (ldif)
> > dn: cn=Charlton Heston,ou=people,dc=afranius,dc=com
> > cn: Charlton
> > sn: Heston
> > mail: heston(a)actor.com
> > telephoneNumber:508-555-1212
> > objectclass: inetOrgPerson
>
> check the ldif file whether inetorgPerson is followed by a space.
>
> -Dieter
>
> --
> Dieter Klünter | Systemberatung
> http://dkluenter.de
> GPG Key ID:8EF7B6C6
> 53°37'09,95"N
> 10°08'02,42"E
>
13 years, 3 months
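Both Jonathan's reply (in the "Adding a schema to OpenLdap" thread above) and Dieter's reply here point at the same cause: a blank after the objectClass value in the LDIF. As an added example, not code from either thread, here is a small linter that reports such lines, run on a constructed LDIF modelled on Steve's entry:

```python
# Added example, not code from the thread: report trailing whitespace after
# LDIF attribute values. In LDIF a value runs to the end of the line, so
# "objectclass: saHolidex " is the value "saHolidex " (with the blank) and
# slapd rejects it with "Invalid syntax (21) ... invalid per syntax".
import re

# Constructed sample modelled on the entry from the thread, with a trailing
# space after saHolidex and a trailing tab after HOTEL. The line starting
# with a single space is an LDIF continuation line; that leading blank is
# syntax, not a defect.
SAMPLE_LDIF = (
    "dn: cn=10.172.50.0, o=SAH\n"
    "objectclass: top\n"
    "objectclass: saHolidex \n"
    "cn: 10.172.50.0\n"
    "sn: AADAL\n"
    "ou: HOTEL\t\n"
    "mtrStatus: N\n"
    "description: a long value that is\n"
    " continued on the next line\n"
    "ipAddr: 10.172.50.0\n"
)

# "attr:", "attr::" (base64) and "attr:<" (URL) all begin with the type name.
_ATTR_LINE = re.compile(r"^([A-Za-z][\w.;-]*):")


def find_trailing_whitespace(ldif_text: str) -> list:
    """Return (line_number, attribute) for each value line ending in blanks.

    Comments and record separators are ignored; a continuation line is
    attributed to the attribute it continues.
    """
    findings = []
    last_attr = None
    for lineno, raw in enumerate(ldif_text.split("\n"), start=1):
        line = raw.rstrip("\r")
        if line == "" or line.startswith("#"):
            last_attr = None
            continue
        m = _ATTR_LINE.match(line)
        if m:
            last_attr = m.group(1)
        elif not line.startswith(" ") or last_attr is None:
            continue  # neither an attribute line nor a continuation
        if line != line.rstrip():
            findings.append((lineno, last_attr))
    return findings


def strip_trailing_whitespace(ldif_text: str) -> str:
    """Return the LDIF with trailing blanks removed from every line.

    Leading blanks on continuation lines are kept because they are syntax.
    """
    return "\n".join(line.rstrip() for line in ldif_text.split("\n"))


if __name__ == "__main__":
    for lineno, attr in find_trailing_whitespace(SAMPLE_LDIF):
        print("line %d: trailing whitespace in value of %s" % (lineno, attr))
```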