Not getting password expiry warnings on login
by Chris Jacobs
Hello,
I've gotten our password policy to function as it should - passwords expire, requiring password changes, old passwords can't be reused, etc.
I'm working on last little detail - getting the password expiration warning to display.
For example, I see in the logs:
"Mar 29 19:27:38 ldapmaster1 slapd[32653]: ppolicy_bind: Setting warning for password expiry for uid=chrisjtest,ou=people,dc=unix,dc=aptimus,dc=net = 3141 seconds"
But I never get the notice on login clients - regardless of client type (even from machine to itself).
I suspect y'all are going to be interested in ldap.conf and the PAM config, so here they are, along with some possibly relevant bits:
/etc/ldap.conf:
uri ldaps://ldapmaster1.corp.aptimus.net
timelimit 10
bind_timelimit 10
bind_policy soft
base dc=unix,dc=aptimus,dc=net
scope sub
ssl on
tls_checkpeer no
tls_cacertfile /etc/openldap/cacert.pem
pam_login_attribute uid
pam_lookup_policy yes
pam_password exop
/etc/pam.d/system-auth-ac:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
# ssh -V
OpenSSH_4.3p2, OpenSSL 0.9.8b 04 May 2006
# grep -i pam /etc/ssh/sshd_config
# Set this to 'yes' to enable PAM keyboard-interactive authentication
# PAMAuthenticationViaKbdInt no
UsePAM yes
Ppolicy directives in /etc/openldap/slapd.conf (under the sold database definition):
overlay ppolicy
ppolicy_hash_cleartext
ppolicy_use_lockout
AND just for giggles, I decided to see if I could get the version of the pam_ldap.so that's installed, and ran strings on it. I noticed two things:
1.3.6.1.4.1.42.2.27.8.5.1
(objectclass=passwordPolicy)
The ppolicy.schema file compiled used IDs 1.3.6.1.4.1.42.2.27.8.1.x - not ..8.5.x - could I possibly have some weird mismatch here?
(I suspect and hope that the last bit here is a totally unrelated red herring.)
Thanks,
- chris
Chris Jacobs, Jr. Linux Administrator, Information Technology & Operations
Apollo Group | Apollo Marketing | Aptimus, Inc.
2001 6th Ave | Ste 3200 | Seattle, WA 98121
phone: 206.441-9100 x1245 | cell: 206.601.3256 | Fax: 208.441.9661
email: chris.jacobs(a)apollogrp.edu
This message is private and confidential. If you have received it in error, please notify the sender and remove it from your system.
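The two strings pulled out of pam_ldap.so above are not a schema mismatch: 1.3.6.1.4.1.42.2.27.8.5.1 is the OID of the LDAP Password Policy request/response control, while the 1.3.6.1.4.1.42.2.27.8.1.x arc is where ppolicy.schema's attribute types live. The warning slapd logs is delivered to the client inside that control on the bind response, so a client only shows it if it attached the request control to the bind and decodes the response value. The following is an added example, not code from the post, from pam_ldap or from OpenLDAP: it decodes and encodes that control value with a small hand-written BER walker (tag values as in OpenLDAP's ldap.h) and pulls the expected seconds out of a slapd log line of the shape quoted above. The sample bytes and the log line in the demo are constructed.

```python
"""Decode and encode the LDAP Password Policy response control value
(control OID 1.3.6.1.4.1.42.2.27.8.5.1) and parse slapd's ppolicy warning log
line. Added example; not code from the post, pam_ldap or OpenLDAP."""
import re

PPOLICY_CONTROL_OID = "1.3.6.1.4.1.42.2.27.8.5.1"

# PasswordPolicyResponseValue ::= SEQUENCE {
#     warning [0] CHOICE { timeBeforeExpiration [0] INTEGER,
#                          graceAuthNsRemaining [1] INTEGER } OPTIONAL,
#     error   [1] ENUMERATED { ... } OPTIONAL }
TAG_SEQUENCE = 0x30
TAG_WARNING = 0xA0                   # [0] constructed, top level
TAG_TIME_BEFORE_EXPIRATION = 0x80    # [0] primitive, inside warning
TAG_GRACE_AUTHNS_REMAINING = 0x81    # [1] primitive, inside warning
TAG_ERROR = 0x81                     # [1] primitive, top level
PPOLICY_ERRORS = {0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
                  3: "passwordModNotAllowed", 4: "mustSupplyOldPassword",
                  5: "insufficientPasswordQuality", 6: "passwordTooShort",
                  7: "passwordTooYoung", 8: "passwordInHistory"}

def _read_tlv(buf, pos):
    """Read one BER tag/length/value starting at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated control value")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = number of length octets
        nbytes = length & 0x7F
        if nbytes == 0 or pos + nbytes > len(buf):
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("value runs past end of control")
    return tag, buf[pos:pos + length], pos + length

def _ber_int(value):
    """Content octets of a BER INTEGER/ENUMERATED (two's complement, big endian)."""
    if not value:
        raise ValueError("empty integer")
    return int.from_bytes(value, "big", signed=True)

def decode_ppolicy_response(raw):
    """Return {'time_before_expiration', 'grace_authns_remaining', 'error'}; absent
    fields are None. Unknown tags or trailing bytes raise instead of being guessed."""
    result = {"time_before_expiration": None, "grace_authns_remaining": None, "error": None}
    tag, body, end = _read_tlv(raw, 0)
    if tag != TAG_SEQUENCE or end != len(raw):
        raise ValueError("control value is not a single SEQUENCE")
    pos = 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag == TAG_WARNING:
            wtag, wval, wend = _read_tlv(value, 0)
            if wend != len(value):
                raise ValueError("trailing bytes inside warning")
            if wtag == TAG_TIME_BEFORE_EXPIRATION:
                result["time_before_expiration"] = _ber_int(wval)
            elif wtag == TAG_GRACE_AUTHNS_REMAINING:
                result["grace_authns_remaining"] = _ber_int(wval)
            else:
                raise ValueError("unknown warning tag 0x%02x" % wtag)
        elif tag == TAG_ERROR:
            code = _ber_int(value)
            result["error"] = PPOLICY_ERRORS.get(code, "unknown(%d)" % code)
        else:
            raise ValueError("unknown tag 0x%02x" % tag)
    return result

def _ber_len(n):
    """BER length octets (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _ber_uint(n):
    """Content octets of a non-negative INTEGER (padded so the sign bit stays clear)."""
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return (b"\x00" + body) if body[0] & 0x80 else body

def encode_ppolicy_warning(seconds):
    """Build the control value slapd sends for 'time before expiration = seconds'."""
    inner = bytes([TAG_TIME_BEFORE_EXPIRATION]) + _ber_len(len(_ber_uint(seconds))) + _ber_uint(seconds)
    warning = bytes([TAG_WARNING]) + _ber_len(len(inner)) + inner
    return bytes([TAG_SEQUENCE]) + _ber_len(len(warning)) + warning

# Matches slapd's "ppolicy_bind: Setting warning for password expiry for <dn> = N seconds".
LOG_RE = re.compile(r"Setting warning for password expiry for (?P<dn>.+?) = (?P<secs>\d+) seconds")

def warning_from_log(line):
    """Return (dn, seconds) from a ppolicy_bind log line, or None if it is not one."""
    m = LOG_RE.search(line)
    return (m.group("dn"), int(m.group("secs"))) if m else None

if __name__ == "__main__":
    # Constructed log line in the same shape as the one quoted in the post.
    dn, secs = warning_from_log("ppolicy_bind: Setting warning for password expiry "
                                "for uid=demo,dc=example,dc=net = 3141 seconds")
    ctrl = encode_ppolicy_warning(secs)
    print(dn, ctrl.hex(), decode_ppolicy_response(ctrl))
```

For 3141 seconds the control value is the eight bytes 30 06 a0 04 80 02 0c 45; if a client bind is traced on the wire and that control is absent from the bind response, the server never sent the warning (the client did not request the control); if it is present, the problem is on the client side of the conversation.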
AD, freeradius, openldap combination
by Serge Fonville
Hi,
I'm setting up a HA environment with centralized user administration.
I'm currently considering the following setup
For MS clients, authenticate directly to AD
For *nix clients, authenticate to an OpenLDAP proxy which authenticate to AD
For Routers/switches use FreeRadius to authenticate against the OpenLDAP proxy
The goals for the setup are:
1. One login for all networked nodes
2. Centralized user authentication
3. Single resource for user information
4. Highly available authentication service
5. No serious performance impact
6. Alternative login when service is unavailable
7. Easily scalable
8. Easy rollout
1, 2, 3 and 7 are achieved using AD
4 can be achieved by a combination of a loadbalancer for each service
and multiple instances of each service
not sure if 5 is realistic, but it should be possible I suppose
6 is no problem for any host
8 can be done through scripting
What I would like to know now is:
Is it advisable to set it up like this?
Are there 'better' ways to achieve the same result (performance,
availability, ease of maintenance)?
Would it be better to let radius talk directly to AD, possibly even
using the MS radius server?
Is it advisable to use an OpenLDAP proxy for *nix authentication, or
can I just as well use AD directly?
The main reasons for me to assume this setup is the most suitable are:
AD replicates by default
OpenLDAP proxy does not need to replicate
OpenLDAP is more 'compatible' with the *nix clients
FreeRadius does not need to replicate
All can be loadbalanced easily.
The main question I want to know from the OpenLDAP list is: "how well
does the OpenLDAP proxy perform?"
For the remainder, if anyone wants to shed some light on this, I would
greatly appreciate it.
Thanks a lot in advance.
Regards,
Serge Fonville
--
http://www.sergefonville.nl
Convince Google!!
They need to support Adsense over SSL
https://www.google.com/adsense/support/bin/answer.py?hl=en&answer=10528
http://www.google.com/support/forum/p/AdSense/thread?tid=1884bc9310d9f923...
Re: Configuring OpenLDAP on Ubuntu 9.10 [using slapd.conf??]
by Shamika Joshi
Thank you guys for your help! I'll try my way through it.
One more question here: I have an old working slapd.conf file from a RHEL
server. If I want to use the same slapd.conf file and provide its path in
/etc/default/slapd as SLAPD_CONF=/etc/ldap/slapd.conf, should that work? Or
do I need to make more changes?
Has anyone done this before? Any articles you may want to suggest I should
go through to achieve this?
Thanks
Shamika
On Tue, Mar 30, 2010 at 5:43 PM, Matt Kassawara <mkassawara(a)gmail.com> wrote:
> Starting with Ubuntu Karmic (9.10), the slapd package changed from creating
> a typical LDAP administrator account (i.e., username and password) to using
> LDAPI and SASL EXTERNAL which automatically provides LDAP administrator
> access via the system root account. As root, run your LDAP utilities with
> "-Y external -H "ldapi:///" instead of "-x", "-D", and "-W" where
> appropriate. For example, to search your LDAP directory:
>
> ldapsearch -Y external -H "ldapi:///" -b dc=domain,dc=com
>
> I'm not sure why the Ubuntu Server Guide for 9.10 did not get updated to
> reflect these changes, but if you search the web for "ubuntu sasl external"
> you'll get quite a few hits on the issue. You may also want to read these
> bugs when configuring clients:
>
> https://bugs.launchpad.net/bugs/423252
>
> https://bugs.launchpad.net/bugs/427842
>
> Matt
>
>
> On 3/30/10 4:04 AM, Shamika Joshi wrote:
>
>> I have followed following article to install/configure OpenLDAP on
>> Ubuntu Server 9.10
>> https://help.ubuntu.com/9.10/serverguide/C/openldap-server.html
>>
>> There is no slapd.conf in picture here instead running "dpkg-reconfigure
>> slapd" should come up with following Wizard (got this after running
>> through numerous articles on this)
>>
>> *Wizard steps:*
>>
>> 1. *omit openldap server configuration? – no*
>> 2. *dns domain name? vm.example.org*
>> 3. *organization name? myCompany*
>> 4. *database backend to use? hdb*
>> 5. *do you want the database to be removed when slapd is purged? yes*
>> 6. *may be the question: move old database? yes*
>> 7. *administrator password? the same one as entered during installation*
>> 8. *confirm password? see last step*
>> 9. *allow LDAPv2 protocol? no*
>>
>>
>> However, in my installation the wizard asks:
>>
>> Omit OpenLDAP server configuration? No
>> Do you want the database to be removed when slapd is purged? No
>> Allow LDAPv2 protocol? No
>> Creating initial slapd configuration... done.
>> Starting OpenLDAP: slapd.
>>
>> Has anyone attempted this before? What am I missing here? Could someone
>> like to pitch in for some help?
>>
>> So when I run "ldapsearch -x" it gives me following output
>>
>> admins@x6:/etc/ldap$ ldapsearch -x
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <> (default) with scope subtree
>> # filter: (objectclass=*)
>> # requesting: ALL
>> #
>>
>> # search result
>> search: 2
>> result: 32 No such object
>>
>> # numResponses: 1
>>
>>
>> where it should give output like
>>
>> # extended LDIF
>> #
>> # LDAPv3
>> # base (default) with scope subtree
>> # filter: (objectclass=*)
>> # requesting: ALL
>> #
>>
>> # vm.example.org
>>
>>
>> dn: dc=vm,dc=example,dc=org
>> objectClass: top
>> objectClass: dcObject
>> objectClass: organization
>> o: myCompany
>> dc: vm
>>
>> # admin, vm.example.org
>>
>> dn: cn=admin,dc=vm,dc=example,dc=org
>>
>> objectClass: simpleSecurityObject
>> objectClass: organizationalRole
>> cn: admin
>> description: LDAP administrator
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 3
>> # numEntries: 2
>>
>>
>>
>> Thanks
>> Shamika
>>
>
"new style" on ubuntu 8.04
by Luis Paulo
Hi, all
I am installing openldap for the first time. On ubuntu 8.04 server.
Things are going, I have a server, still without SASL, and a client working.
I used the migration tools, and set rootdn and rootpw on my database conf
I was reading a bit more, and I saw a command that didn't work
$ ldapsearch -xLLL -b cn=config -D cn=admin,cn=config -W olcDatabase={1}hdb
on https://help.ubuntu.com/9.10/serverguide/C/openldap-server.html
(note, 9.10, not 8.04)
A bit more reading, and I tried to get the "new style" configuration
as in http://www.openldap.org/doc/admin24/slapdconf2.html with
$ sudo mkdir /etc/ldap/slapd.d
$ sudo chown -R openldap:openldap /etc/ldap/slapd.d
$ sudo slaptest -f /etc/ldap/slapd.conf -F /etc/ldap/slapd.d
and change, in */etc/default/slapd*,
SLAPD_CONF=/etc/ldap/slapd.d
Still can't run the command (with the plain rootpw password from the
old slapd.conf)
$ ldapsearch -xLLL -b cn=config -D cn=admin,cn=config -W olcDatabase={1}hdb
ldap_bind: Invalid credentials (49)
I've read http://www.openldap.org/doc/admin24/appendix-common-errors.html
and am now trying to check things and reading around the "new style" and ACL's.
Should I be able to run that command and use the "new style" with
ubuntu 8.04 (hardy)?
If so, I'll thank you for any help.
PS:
ii slapd 2.4.9-0ubuntu0.8.04.3 OpenLDAP server (slapd)
ii ldap-utils 2.4.9-0ubuntu0.8.04.3 OpenLDAP utilities
ii migrationtools 47-3ubuntu2 Migration scripts for LDAP
Linux main 2.6.24-27-server #1 SMP Fri Mar 12 01:23:09 UTC 2010 x86_64 GNU/Linux
ldap_ssl_client_init equivalent?
by phiroc@free.fr
Hi,
is there a ldap_ssl_client_init function in the openldap C API? I couldn't find any in the openldap header files.
What is the equivalent of the following ldapsearch query in C using the API, on Linux?
ldapsearch -x -H 'ldaps://activedirectory.abc.com/636'
-b 'dc=abc,dc=com' -D 'testdn'
-W '(&(objectclass=user)(!(objectclass=computer))(samaccountname=myname))'
samaccountname
Many thanks.
p
Re: ldap_ssl_client_init equivalent?
by masarati@aero.polimi.it
> Hi,
>
> is there a ldap_ssl_client_init function in the openldap C API? I couldn't
> find any in the openldap header files.
Because there isn't.
>
> What is the equivalent of the following ldapsearch query in C using the
> API, on Linux?
>
> ldapsearch -x -H 'ldaps://activedirectory.abc.com/636'
> -b 'dc=abc,dc=com' -D 'testdn'
> -W '(&(objectclass=user)(!(objectclass=computer))(samaccountname=myname))'
> samaccountname
You can find that information in
clients/tools/common.c
clients/tools/ldapsearch.c
p.
Re-engaging the Samba4 LDAP backend
by Andrew Bartlett
I'm trying to pick up the ball again on the OpenLDAP and Fedora DS
backends, and hopefully to bring them back up to speed as a working and
respectable solution.
LDB will always be the Samba Team's primary backend for Samba4. This is
particularly the case as there seems no reasonable prospect that we will
do DRS replication against the OpenLDAP or FedoraDS backend. (This
simplifies the requirements dramatically).
However, we do need them to work, as far as practical, for the rest of
Samba4's DC functionality. The things I need soon from the backends
are:
- a replacement for the Samba4 rdn_name module. For OpenLDAP I have
tried out ITS#6055 but it fails, sadly.
http://www.openldap.org/its/index.cgi/Development?id=6055;selectid=6055
I don't know of any comparable effort in Fedora DS.
- A RID allocation tool. Fedora DS has the 'distributed numeric
assignment' plugin, and I'm sure it will be no challenge for OpenLDAP to
match it. Safely adding new users to an OpenLDAP backend really does
need a safe way to allocate RID values.
- A way to invoke slapd -Ttest -f <config file> -F <config dir> without
issuing errors because of the missing databases
- Transaction support. While most of the transaction-aware tasks in
Samba have now been either pushed off as 'too hard on LDAP' or into
modules that are now in the LDAP backend, we still do need transactions
over LDAP.
- A way to easily detect that we have OpenLDAP or Fedora DS installed
on the system, and what its version is. Once we have that, we could
start trying to run at least some of Samba4's tests against such a
backend regularly (and stop breaking it so often).
- Some help debugging the existing 'make test' failures!
To address a broader range of use cases, I'm looking forward to the work
Endi has promised for a 'ldap backend config file' as input to
provision. Hopefully this will reduce the options we have to present to
users on the provision command line.
(Apologies in advance for the cross-post to multiple member-only lists,
but I just wanted to get everyone on the same page).
Thanks,
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.
Re: ldap
by Patrick Mburu
Hi all,
Thanks for your help. I created another domain, and from my slapcat output I get this:
dn: dc=mycompnay,dc=com
objectClass: dcObject
objectClass: organization
o: mycompany
dc: mycompany
structuralObjectClass: organization
entryUUID: e235aa56-cd4a-102e-9e99-4f8ab88a5141
creatorsName: cn=root,dc=mycompany,dc=com
modifiersName: cn=root,dc=mycompany,dc=com
createTimestamp: 20100326174351Z
modifyTimestamp: 20100326174351Z
entryCSN: 20100326174351Z#000000#00#000000

dn: dc=mycompany,dc=local
objectClass: dcObject
objectClass: organization
o: mycompany
dc: mycompany
structuralObjectClass: organization
entryUUID: 4c85f2e4-cf9e-102e-9a60-f35afa4f4768
creatorsName: cn=root,dc=mycompany,dc=local
modifiersName: cn=root,dc=mycompany,dc=local
createTimestamp: 20100329164559Z
modifyTimestamp: 20100329164559Z
entryCSN: 20100329164559Z#000000#00#000000
I want to delete the first domain entry "dc=mycompany,dc=com" so I am left with the last one, i.e.
"dc=mycompany,dc=local".
Also, I get this error from ldapsearch: ldap_bind Can't contact LDAP server. I
have gotten a lead on linuxquestions which I will try at the end of the day, but a
quick suggestion will be appreciated.
I am doing some good reading on openldap so it won't be long until I get openldap right.
I am also checking on the forums.
This is a small project I am working on, and soon I will be doing ZCS running on CentOS.
Thanks in advance.
________________________________
From: Patrick Mburu <patrick_lists(a)yahoo.com>
To: openldap-technical(a)openldap.org
Sent: Mon, March 29, 2010 12:37:01 PM
Subject: ldap
Hi all,
I have been trying to work with my .ldif file which looks like below but i get an error: All Services are started in this scenario;
My ldif file
dn: dc=mycompany,dc=COM
objectclass: dcObject
objectclass: organization
o: mycompany
dc: mycompany

dn: cn=root,dc=mycompany,dc=COM
objectclass: organizationalRole
cn: root
Error
=> bdb_tool_entry_put: id2entry_add failed: DB_KEYEXIST: Key/data pair already exists (-30996)
=> bdb_tool_entry_put: txn_aborted! DB_KEYEXIST: Key/data pair already exists (-30996)
slapadd: could not add entry dn="dc=mycompnaye,dc=com" (line=6): txn_aborted! DB_KEYEXIST: Key/data pair already exists (-30996)
What am i not getting right, urgent help needed.
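The DB_KEYEXIST failure from slapadd is the usual symptom of adding an entry whose DN is already present, either earlier in the same LDIF or, as the slapcat output earlier in this thread shows, in the database from a previous run (DN matching is case-insensitive for dc/cn/ou values, so dc=COM and dc=com are the same entry). The following is an added example, not code from the thread and not an OpenLDAP tool: a pre-flight check that reads an LDIF file and reports duplicate DNs, collisions with DNs already in the database (which you can feed from slapcat output), entries whose parent is missing, entries outside the configured suffixes, and entries with no objectClass. It uses only the Python standard library; the sample LDIF is constructed to mirror the thread's entries, and the DN normalization (case-folding and trimming around unescaped commas) is a simplification that is adequate for DNs like these.

```python
"""Pre-flight checks for an LDIF file before slapadd. Added example, standard
library only; the sample LDIF is constructed for illustration."""
import re

_DN_SPLIT = re.compile(r"(?<!\\),")   # split RDNs on commas that are not escaped

def parse_ldif(text):
    """Return a list of (dn, {attr: [values]}) records. Folded lines (leading
    space) are joined; comment and version: lines are skipped."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # LDIF line folding
        else:
            lines.append(raw)
    records, entry = [], None
    for line in lines + [""]:             # sentinel blank line flushes the last record
        if line.strip() == "":
            if entry is not None:
                records.append(entry)
                entry = None
            continue
        if line.lower().startswith("version:"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        name, value = name.strip().lower(), value.lstrip()
        if name == "dn":
            entry = (value, {})
        elif entry is None:
            raise ValueError("attribute before dn: %r" % line)
        else:
            entry[1].setdefault(name, []).append(value)
    return records

def normalize_dn(dn):
    """Case-fold and strip spaces around RDN separators, so that
    dc=mycompany,dc=COM and dc=mycompany,dc=com compare equal."""
    return ",".join(p.strip().lower() for p in _DN_SPLIT.split(dn))

def parent_dn(dn):
    """DN with its leftmost RDN removed ('' for a single-RDN DN)."""
    parts = _DN_SPLIT.split(dn, maxsplit=1)
    return parts[1].strip() if len(parts) == 2 else ""

def check_ldif(text, suffixes, existing_dns=()):
    """Return a list of problem descriptions. `suffixes` are the database suffixes
    from slapd.conf; `existing_dns` are DNs already in the database (for example
    taken from slapcat output), which slapadd would reject with DB_KEYEXIST."""
    problems = []
    norm_suffixes = {normalize_dn(s) for s in suffixes}
    norm_existing = {normalize_dn(d) for d in existing_dns}
    records = parse_ldif(text)
    seen = {}
    for dn, _ in records:
        n = normalize_dn(dn)
        if n in norm_existing:
            problems.append("entry %r already exists in the database (DB_KEYEXIST)" % dn)
        if n in seen:
            problems.append("duplicate dn %r in file (first seen as %r)" % (dn, seen[n]))
        else:
            seen[n] = dn
    known = set(seen) | norm_existing
    for dn, attrs in records:
        n = normalize_dn(dn)
        if "objectclass" not in attrs:
            problems.append("entry %r has no objectClass" % dn)
        if not any(n == s or n.endswith("," + s) for s in norm_suffixes):
            problems.append("entry %r is not under any configured suffix" % dn)
        elif n not in norm_suffixes and normalize_dn(parent_dn(dn)) not in known:
            problems.append("entry %r has no parent %r in file or database" % (dn, parent_dn(dn)))
    return problems

# Constructed sample: the domain entry appears twice (dc=com and dc=COM), and
# ou=people is added under a suffix whose base entry is nowhere in the file.
SAMPLE_LDIF = """\
dn: dc=mycompany,dc=com
objectclass: dcObject
objectclass: organization
o: mycompany
dc: mycompany

dn: cn=root,dc=mycompany,dc=com
objectclass: organizationalRole
cn: root

dn: dc=mycompany,dc=COM
objectclass: dcObject
objectclass: organization
o: mycompany
dc: mycompany

dn: ou=people,dc=mycompany,dc=local
objectclass: organizationalUnit
ou: people
"""
SAMPLE_SUFFIXES = ["dc=mycompany,dc=com", "dc=mycompany,dc=local"]

if __name__ == "__main__":
    for problem in check_ldif(SAMPLE_LDIF, SAMPLE_SUFFIXES):
        print("PROBLEM:", problem)
```

Run it over the real file with the suffixes from slapd.conf and, for a database that already has entries, the DNs from slapcat; an empty problem list means slapadd will not trip over DN collisions or missing parents, though it still has no view of schema checks slapd does at load time.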
ldap
by Shabbir Ahmed
hi,
I am running a directory service which will hold about a million entries,
running on OpenLDAP. Meanwhile, I am running an Oracle DB which holds the
same data for SQL clients, and I store the same data in OpenLDAP as well for
the clients of the directory service. Now what I want is to run a single DB
(Oracle) and have OpenLDAP, or any other directory service, access it from
there.
Now I want a good suggestion from you people: whether I should run Oracle
Internet Directory and make changes in the SQL DB which are reflected in the
Directory.
The second option is to run LDAP compiled with the Oracle DB as backend besides
BDB, so the data is saved in one place, and whenever a directory client
accesses it OpenLDAP fetches it from the Oracle DB and replies to the client.
The third option is to run it as it is, duplicating data in both the Oracle
DB and OpenLDAP, but I am worried about the performance issues I'll face in
the future.
I'll be thankful for the help.
Active Directory schema into OpenLDAP
by Shahzad Fateh Ali
Hi,
I need to store Active Directory Data into OpenLDAP and for that I want to
create the Active Directory schema into OpenLDAP. How to do it?
--
Shahzad Fateh Ali
C: +92 334 392 4334