Re: tls private key
by Chris Jacobs
There's one sure fire way to find out...
Start it up with a syncrepl, then move the private key, and see if it syncs fine both ways.
Wait a day or so, and make a change and see if that synced.
If I had to put a dollar on it, if guess that it doesn't need the key after startup. I could be horribly wrong though - I'm not a dev, just a user of the software.
:)
- chris
Chris Jacobs, Jr. Unix System Administrator
Apollo Group | Apollo Marketing | Aptimus
2001 6th Ave Ste 3200 | Seattle, WA 98121
phone: 206.441.9100 x1245 | mobile: 206.601.3256 | fax: 206.441.9661
email: chris.jacobs(a)apollogrp.edu
----- Original Message -----
From: openldap-technical-bounces+chris.jacobs=apollogrp.edu(a)OpenLDAP.org <openldap-technical-bounces+chris.jacobs=apollogrp.edu(a)OpenLDAP.org>
To: openldap-technical(a)openldap.org <openldap-technical(a)openldap.org>
Sent: Thu Mar 25 18:44:47 2010
Subject: Re: tls private key
HI
On Fri, Mar 26, 2010 at 12:09 PM, Tyler Gates <tgates81(a)gmail.com> wrote:
> Alex,
> encrypting the private key really isn't necessary and I highly doubt it
> would work for your application nor be worth the hassel. Securing via file
> permisssions as mentioned previously is really the best way to tackle this.
> Think of 'other layers of protection' being firewalls, intrusion detection,
> restricted logins, chroot jails, etc., etc...
yep go those, firewalls, permissions etc.
I am not sure why every one is against me trying to use another layer
of protection, just because I permission it as root.root 440, doesn't
mean its safe. I could make it safer, but unecrypting the private key,
starting slapd and removing the unecrypted file.
Or thing of it another way, my private key could be on a usb key, that
i insert into the machine on start up and remove once slapd has
started.
I have seen secure machine compromised before, somebody installed cvs
forgot to change the cvs userid password, root hack and a remote user
had access to the system. Some times people do silly things
on my laptop - I encrypt the fs and the swap space and my gpg key have
userid/passwords and my certs have userid password protection, like to
do the same for my ldap setup as well :)
I understand the reasons for encrypting and signing packets or
information, just asking if slapd needs access to the private key
after it has read the file on startup.
> Encryption really works best for UDP like transportation like email where
> you cannot guarantee the recipient is the only person able to 'see' the
> document ;)
>
[snip]
This message is private and confidential. If you have received it in error, please notify the sender and remove it from your system.
11 years
tls private key
by Alex Samad
Hi
I am setting up my sync repl to use certificates, my problem is I don't
want to leave my private key for the server un encrypted.
the file pointed to by TLSCertificateKeyFile is is just read at slapd
load up time, ie can i unencrypt the file start slapd and then remove
the un encrypted file ?
Alex
11 years
Slapd database goes corrupt repeatedly after recovery
by Kaspar Fischer
Dear list,
We are using an OpenLDAP/slapd server to manage the user accounts of our Samba server and have recently run into the problem that users cannot connect to Samba drives anymore after some time. Samba complains that it cannot connect to the LDAP server (see below for error message in Samba log) and the slapd log shows
Mar 25 11:38:15 office-server slapd[3433]: <= bdb_equality_candidates: (gidNumber) not indexed
Mar 25 11:38:15 office-server slapd[3433]: <= bdb_equality_candidates: (gidNumber) not indexed
Mar 25 11:38:15 office-server slapd[3433]: <= bdb_equality_candidates: (uid) not indexed
Mar 25 11:38:15 office-server slapd[3433]: <= bdb_equality_candidates: (gidNumber) not indexed
Mar 25 11:38:15 office-server slapd[3433]: <= bdb_equality_candidates: (sambaSID) not indexed
Mar 25 11:38:15 office-server slapd[3433]: <= bdb_equality_candidates: (sambaSID) not indexed
Mar 25 11:38:15 office-server slapd[3433]: bdb(dc=foo,dc=org): file id2entry.bdb has LSN 1/382892, past end of log at 1/283666
Mar 25 11:38:15 office-server slapd[3433]: bdb(dc=foo,dc=org): Commonly caused by moving a database from one database environment
Mar 25 11:38:15 office-server slapd[3433]: bdb(dc=foo,dc=org): to another without clearing the database LSNs, or by removing all of
Mar 25 11:38:15 office-server slapd[3433]: bdb(dc=foo,dc=org): the log files from a database environment
Mar 25 11:38:17 office-server slapd[3433]: bdb(dc=foo,dc=org): DB_ENV->log_flush: LSN of 1/382892 past current end-of-log of 1/283666
Mar 25 11:38:17 office-server slapd[3433]: bdb(dc=foo,dc=org): Database environment corrupt; the wrong log files may have been removed or incompatible database files imported from another environment
Mar 25 11:38:17 office-server slapd[3433]: bdb(dc=foo,dc=org): PANIC: DB_RUNRECOVERY: Fatal error, run database recovery
Mar 25 11:38:17 office-server slapd[3433]: bdb(dc=foo,dc=org): id2entry.bdb: unable to flush page: 5
Mar 25 11:38:17 office-server slapd[3433]: bdb(dc=foo,dc=org): DB_ENV->log_flush: LSN of 1/378772 past current end-of-log of 1/283666
Mar 25 11:38:17 office-server slapd[3433]: bdb(dc=foo,dc=org): Database environment corrupt; the wrong log files may have been removed or incompatible database files imported from another environment
Mar 25 11:38:17 office-server slapd[3433]: bdb(dc=foo,dc=org): PANIC: DB_RUNRECOVERY: Fatal error, run database recovery
Mar 25 11:38:17 office-server slapd[3433]: bdb(dc=foo,dc=org): id2entry.bdb: unable to flush page: 7
Mar 25 11:38:17 office-server slapd[3433]: bdb(dc=foo,dc=org): DB_ENV->log_flush: LSN of 1/373647 past current end-of-log of 1/283666
Mar 25 11:38:17 office-server slapd[3433]: bdb(dc=foo,dc=org): Database environment corrupt; the wrong log files may have been removed or incompatible database files imported from another environment
Mar 25 11:38:17 office-server slapd[3433]: bdb(dc=foo,dc=org): PANIC: DB_RUNRECOVERY: Fatal error, run database recovery
Mar 25 11:38:17 office-server slapd[3433]: bdb(dc=foo,dc=org): id2entry.bdb: unable to flush page: 8
Mar 25 11:38:17 office-server slapd[3433]: bdb(dc=foo,dc=org): txn_checkpoint: failed to flush the buffer cache: DB_RUNRECOVERY: Fatal error, run database recovery
Mar 25 11:38:51 office-server slapd[3433]: conn=62 op=29 do_search: invalid dn (sambaDomainName=,sambaDomainName=foo,dc=foo,dc=org)
Mar 25 11:38:51 office-server slapd[3433]: bdb(dc=foo,dc=org): PANIC: fatal region error detected; run recovery
Mar 25 11:39:01 office-server slapd[3433]: last message repeated 26 times
Mar 25 11:39:01 office-server CRON[3657]: (root) CMD ( [ -x /usr/lib/php5/maxlifetime ] && [ -d /var/lib/php5 ] && find /var/lib/php5/ -type f -cmin +$(/usr/lib/php5/maxlifetime) -print0 | xargs -n 200 -r -0 rm)
Mar 25 11:39:14 office-server slapd[3433]: bdb(dc=foo,dc=org): PANIC: fatal region error detected; run recovery
Mar 25 11:39:47 office-server slapd[3433]: last message repeated 35 times
Mar 25 11:39:48 office-server slapd[3433]: bdb(dc=foo,dc=org): PANIC: fatal region error detected; run recovery
Mar 25 11:39:49 office-server slapd[3433]: bdb(dc=foo,dc=org): PANIC: fatal region error detected; run recovery
Mar 25 11:39:50 office-server slapd[3433]: bdb(dc=foo,dc=org): PANIC: fatal region error detected; run recovery
Mar 25 11:40:51 office-server slapd[3433]: last message repeated 164 times
Mar 25 11:40:51 office-server slapd[3433]: last message repeated 3 times
Mar 25 11:40:52 office-server slapd[3433]: bdb(dc=foo,dc=org): PANIC: fatal region error detected; run recovery
Mar 25 11:41:53 office-server slapd[3433]: last message repeated 294 times
Strangely, restarting slapd helps and users can use Samba again for a limited and arbitrary period of time until the problem pops up again. I tried fixing the database using
db4.7_recover -v -h /var/lib/ldap
but again, the problem pops up again later.
I realized that when I shut down slapd using "/etc/init.d/slapd stop", it complains about the database being corrupt (even if so far no problems appeared):
Mar 25 10:12:35 office-server slapd[16880]: slapd shutdown: waiting for 0 operations/tasks to finish
Mar 25 10:12:35 office-server slapd[16880]: bdb(dc=foo,dc=org): DB_ENV->log_flush: LSN of 1/382892 past current end-of-log of 1/278482
Mar 25 10:12:35 office-server slapd[16880]: bdb(dc=foo,dc=org): Database environment corrupt; the wrong log files may have been removed or incompatible database files imported from another environment
Mar 25 10:12:35 office-server slapd[16880]: bdb(dc=foo,dc=org): PANIC: DB_RUNRECOVERY: Fatal error, run database recovery
Mar 25 10:12:35 office-server slapd[16880]: bdb(dc=foo,dc=org): id2entry.bdb: unable to flush page: 5
Mar 25 10:12:35 office-server slapd[16880]: bdb(dc=foo,dc=org): DB_ENV->log_flush: LSN of 1/378772 past current end-of-log of 1/278482
Mar 25 10:12:35 office-server slapd[16880]: bdb(dc=foo,dc=org): Database environment corrupt; the wrong log files may have been removed or incompatible database files imported from another environment
Mar 25 10:12:35 office-server slapd[16880]: bdb(dc=foo,dc=org): PANIC: DB_RUNRECOVERY: Fatal error, run database recovery
Mar 25 10:12:35 office-server slapd[16880]: bdb(dc=foo,dc=org): id2entry.bdb: unable to flush page: 7
Mar 25 10:12:35 office-server slapd[16880]: bdb(dc=foo,dc=org): DB_ENV->log_flush: LSN of 1/373647 past current end-of-log of 1/278482
Mar 25 10:12:35 office-server slapd[16880]: bdb(dc=foo,dc=org): Database environment corrupt; the wrong log files may have been removed or incompatible database files imported from another environment
Mar 25 10:12:35 office-server slapd[16880]: bdb(dc=foo,dc=org): PANIC: DB_RUNRECOVERY: Fatal error, run database recovery
Mar 25 10:12:35 office-server slapd[16880]: bdb(dc=foo,dc=org): id2entry.bdb: unable to flush page: 8
Mar 25 10:12:35 office-server slapd[16880]: bdb(dc=foo,dc=org): PANIC: fatal region error detected; run recovery
Mar 25 10:12:35 office-server slapd[16880]: bdb_db_close: database "dc=foo,dc=org": txn_checkpoint failed: DB_RUNRECOVERY: Fatal error, run database recovery (-30974).
Mar 25 10:12:35 office-server slapd[16880]: bdb(dc=foo,dc=org): File handles still open at environment close
Mar 25 10:12:35 office-server slapd[16880]: bdb(dc=foo,dc=org): Open file handle: /var/lib/ldap/log.0000000001
Mar 25 10:12:35 office-server slapd[16880]: bdb(dc=foo,dc=org): PANIC: fatal region error detected; run recovery
Mar 25 10:12:35 office-server slapd[16880]: bdb_db_close: database "dc=foo,dc=org": close failed: DB_RUNRECOVERY: Fatal error, run database recovery (-30974)
Mar 25 10:12:35 office-server slapd[16880]: slapd stopped.
Mar 25 10:12:46 office-server slapd[19194]: @(#) $OpenLDAP: slapd 2.4.18 (Sep 8 2009 17:47:22) $#012#011buildd@crested:/build/buildd/openldap-2.4.18/debian/build/servers/slapd
Does anybody have an idea what the problem might be?
Many thanks for any hints or pointers!
Kaspar
--
Samba Log File:
[2008/09/23 11:22:22, 0] lib/smbldap.c:smbldap_connect_system(982)
failed to bind to server ldap://localhost/ with dn="cn=admin,dc=foo,dc=org" Error: Can't contact LDAP server (unknown)
[2008/09/23 11:22:22, 1] lib/smbldap.c:another_ldap_try(1153)
Connection to LDAP server failed for the 1 try!
[2008/09/23 11:22:23, 2] lib/smbldap.c:smbldap_open_connection(786)
smbldap_open_connection: connection opened
[2008/09/23 11:22:23, 2] lib/smbldap.c:smbldap_connect_system(982)
failed to bind to server ldap://localhost/ with dn="cn=admin,dc=foo,dc=org" Error: Can't contact LDAP server (unknown)
[2008/09/23 11:22:23, 1] lib/smbldap.c:another_ldap_try(1153)
Connection to LDAP server failed for the 2 try!
Server details: Ubuntu 9.10, slapd 2.4.18
Slapd configuration file (slapd.conf):
# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.
#######################################################################
# Global Directives:
# Features to permit
#allow bind_v2
# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/samba.schema
include /etc/ldap/schema/misc.schema
# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile /var/run/slapd/slapd.pid
# List of arguments that were passed to the server
argsfile /var/run/slapd/slapd.args
# Read slapd.conf(5) for possible values
loglevel 392
# Where the dynamically loaded modules are stored
modulepath /usr/lib/ldap
moduleload back_bdb
# The maximum number of entries that is returned for a search operation
sizelimit 500
# The tool-threads parameter sets the actual amount of cpu's that is used
# for indexing.
tool-threads 1
#######################################################################
# Specific Backend Directives for bdb:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend bdb
#######################################################################
# Specific Backend Directives for 'other':
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
#backend <other>
#######################################################################
# Specific Directives for database #1, of type bdb:
# Database specific directives apply to this databasse until another
# 'database' directive occurs
database bdb
# The base of your directory in database #1
suffix "dc=baselgovernance,dc=org"
# rootdn directive for specifying a superuser on the database. This is needed
# for syncrepl.
# rootdn "cn=admin,dc=baselgovernance,dc=org"
# Where the database file are physically stored for database #1
directory "/var/lib/ldap"
# The dbconfig settings are used to generate a DB_CONFIG file the first
# time slapd starts. They do NOT override existing an existing DB_CONFIG
# file. You should therefore change these settings in DB_CONFIG directly
# or remove DB_CONFIG and restart slapd for changes to take effect.
# For the Debian package we use 2MB as default but be sure to update this
# value if you have plenty of RAM
dbconfig set_cachesize 0 2097152 0
# Sven Hartge reported that he had to set this value incredibly high
# to get slapd running at all. See http://bugs.debian.org/303057 for more
# information.
# Number of objects that can be locked at the same time.
dbconfig set_lk_max_objects 1500
# Number of locks (both requested and granted)
dbconfig set_lk_max_locks 1500
# Number of lockers
dbconfig set_lk_max_lockers 1500
# Indexing options for database #1
index objectClass eq
# Save the time that the entry gets modified, for database #1
lastmod on
# Checkpoint the BerkeleyDB database periodically in case of system
# failure and to speed slapd shutdown.
checkpoint 512 30
# Where to store the replica logs for database #1
# replogfile /var/lib/ldap/replog
# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
by dn="cn=admin,dc=baselgovernance,dc=org" write
by anonymous auth
by self write
by * none
# Ensure read access to the base for things like
# supportedSASLMechanisms. Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possible other things) to work
# happily.
access to dn.base="" by * read
# The admin dn has full write access, everyone else
# can read everything.
access to *
by dn="cn=admin,dc=baselgovernance,dc=org" write
by * read
# For Netscape Roaming support, each user gets a roaming
# profile for which they have write access to
#access to dn=".*,ou=Roaming,o=morsnet"
# by dn="cn=admin,dc=baselgovernance,dc=org" write
# by dnattr=owner write
#######################################################################
# Specific Directives for database #2, of type 'other' (can be bdb too):
# Database specific directives apply to this databasse until another
# 'database' directive occurs
#database <other>
# The base of your directory for database #2
#suffix "dc=debian,dc=org"
# Indices to maintain
## required by OpenLDAP
#index objectclass eq
index cn pres,sub,eq
index sn pres,sub,eq
## required to support pdb_getsampwnam
index uid pres,sub,eq
## required to support pdb_getsambapwrid()
index displayName pres,sub,eq
## uncomment these if you are storing posixAccount and
## posixGroup entries in the directory as well
##index uidNumber eq
##index gidNumber eq
##index memberUid eq
index sambaSID pres,sub,eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
11 years
Re: Re: Pre-requisites to enable SSL/TLS in OpenLDAP 2.4
by Arun Srinivasan
Thanks for the reply, Dieter. Yes it seems slapd has not been built with openssl.
Here is the output of ldd:
$ ldd /usr/local/libexec/slapd
libdb-4.8.so => /usr/local/BerkeleyDB.4.8/lib/libdb-4.8.so (0x00002ad9ac26a000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x0000003542a00000)
libresolv.so.2 => /lib64/libresolv.so.2 (0x000000354ba00000)
libc.so.6 => /lib64/libc.so.6 (0x0000003541e00000)
/lib64/ld-linux-x86-64.so.2 (0x0000003541a00000)
Can you please let me know if there is any workaround for this or do we need to re-configure openldap with (--with-tls=openssl) ?
Also let me know if we need to configure openldap with any other configuration options for TLS/SSL to work properly.
Please suggest.
Thanks.
On Wed, 24 Mar 2010 19:24:29 +0530 wrote
>"Arun Srinivasan" writes:
> Hi All,
>
> I am using OpenLDAP 2.4.21 on RHEL 5.3.
>
> I have configured the openldap with "./configure --with-tls" option to enable
> ssl in the server. I used the built-in openssl that comes with RHEL 5.3.
> Berkley GB is 4.8.26.
[...]
>
> then I get the following output:
>>>>>>>>>
> daemon_init: ldap:// ldaps://
> daemon_init: listen on ldap://
> daemon_init: listen on ldaps://
> daemon_init: 2 listeners to open...
> ldap_url_parse_ext(ldap://)
> daemon: listener initialized ldap://
> ldap_url_parse_ext(ldaps://)
> daemon: TLS not supported (ldaps://)
> slapd stopped.
> connections_destroy: nothing to destroy.
>>>>>>>>>>
[...]
It seems that slapd has not been built with openssl, you may check the
shared libraries linked to slapd calling ldd(1).
-Dieter
--
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:8EF7B6C6
53°37'09,95"N
10°08'02,42"E
11 years
Re: OpenLDAP DB_CONFIG values for a big Server
by Echedey Lorenzo
Thanks,
this guide is helping me a lot.
KR
2010/3/12 Quanah Gibson-Mount <quanah(a)zimbra.com>
> --On Friday, March 12, 2010 10:24 AM +0000 Echedey Lorenzo <
> echedey(a)gmail.com> wrote:
>
>
> Any help will be appreciated since my experiences with OpenLDAP
>> performance against Sun Directory Server 5.2 has not been good, taking
>> several seconds to answer any ldaprequest :(
>>
>
> OpenLDAP, when properly tuned, is always magnitudes faster than SunOne DS.
>
> I suggest reading over:
>
> <http://wiki.zimbra.com/index.php?title=OpenLDAP_Performance_Tuning_6.0>
>
> which, particularly with the BDB portions, should give you a lot of
> guidance.
>
> Someday when the OpenLDAP foundation has a real wiki, I'll put this
> information there.
>
> --Quanah
>
>
> --
>
> Quanah Gibson-Mount
> Principal Software Engineer
> Zimbra, Inc
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
>
--
--------------------------------------------
| Echedey Lorenzo Arencibia |
--------------------------------------------
11 years
Pre-requisites to enable SSL/TLS in OpenLDAP 2.4
by Arun Srinivasan
Hi All,
I am using OpenLDAP 2.4.21 on RHEL 5.3.
I have configured the openldap with "./configure --with-tls" option to enable ssl in the server. I used the built-in openssl that comes with RHEL 5.3. Berkley GB is 4.8.26.
But after creating the certificates and configuring the slapd.conf with the below lines:
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /usr/local/etc/openldap/cacert.pem
TLSCertificateFile /usr/local/etc/openldap/servercrt.pem
TLSCertificateKeyFile /usr/local/etc/openldap/serverkey.pem
However, when I try to run the slapd with the -h option as "/usr/local/libexec/slapd -h "ldap:// ldaps://" -d 255"
then I get the following output:
>>>>>>>>
daemon_init: ldap:// ldaps://
daemon_init: listen on ldap://
daemon_init: listen on ldaps://
daemon_init: 2 listeners to open...
ldap_url_parse_ext(ldap://)
daemon: listener initialized ldap://
ldap_url_parse_ext(ldaps://)
daemon: TLS not supported (ldaps://)
slapd stopped.
connections_destroy: nothing to destroy.
>>>>>>>>>
I am guessing something is wrong at the openldap configuration level itself. Can somebody let me know what are the pre-requisites to be followed while configuring openldap (configure options)so that SSL can be enabled successfully.
Thanks
11 years
Quick help on ldap modify with different domain name
by Meena Ram
Dear folks:
Wanted some quick help in deleting the entries and adding more users with a different set of DN
Our DN earlier was like this
cn = manager, dc = ind, dc=ban, dc =com.
now it is changed to three levels like
cn = manager, dc = gubbi, dc = ind, dc=ban, dc =com.
when i try to modify using ldap modify i can not modify instead i get the following error:
One more level is added. I get the following error if i try to modify using ldapmodify
modifying entry "dc=gubbi,dc=ind,dc=ban,dc=com"
ldap_modify: Constraint violation (19)
additional info: structuralObjectClass: no user modification allowed
Cheers!!!!!!!
RAM
________________________________
From: Meena Ram <meenaram21(a)yahoo.com>
To: openldap-technical(a)openldap.org
Sent: Thu, March 11, 2010 6:07:03 PM
Subject: brief tips and tricks for running ldaps on slackware
Dear folks:
If any one has a brief tips, tricks or cheatsheet for running slapd with SSL/TLS can you please post it.
plain ldap works perfect but ldaps search and related stuff seams to have some issues
Cheers!!!!!!!!
11 years
Re: Problem with getent passwd
by Tyler Gates
And don't forget nsswitch. ldap should be first for group and passwd.
On Mar 23, 2010, at 8:25 PM, Tyler Gates <tgates81(a)gmail.com> wrote:
> Sounds like it's a problem with your client side pam_ldap
> authentication. There's a whole buch of steps to get that working,
> just google it. If you have a redhat variant authconfig or setup
> will step you through it. It would help if you could post your
> system_auth file.
>
> On Mar 23, 2010, at 11:40 AM, Lynn York <lynn.york(a)mavenwire.com>
> wrote:
>
>> Hello,
>>
>>
>>
>> When I issue “getent passwd” I can see it query
>> the ldap server for all the information and the server is returnin
>> g the correct information. However, “getent passwd” doesn’t
>> actually show the users that are in ldap. I am not sure where my
>> problem might be. Can anyone offer any suggestions on where to look?
>>
>>
>>
>> Lynn York II
>>
>> MavenWire Hosting Admin
>>
>> www.mavenwire.com
>>
>> (866) 343-4870 x717
>>
>>
>>
>> MavenWire - We DELIVER
>>
>> http://www.mavenwire.com
>>
>>
>>
>> This e-mail and any attached files may contain confidential and/or
>> privileged material for the sole use of the intended recipient.
>> Any review, use, distribution or disclosure by others is strictly
>> prohibited. If you are not the intended recipient (or authorized to
>> receive this e-mail for the recipient), you may not review, copy or
>> distribute this message. Please contact the sender by reply e-mail
>> and delete all copies of this message.
>>
>>
>>
>> MavenWire - We DELIVER
>> http://www.mavenwire.com
>>
>> This e-mail and any attached files may contain confidential and/or
>> privileged material for the sole use of the intended recipient.
>> Any review, use, distribution or disclosure by others is strictly
>> prohibited. If you are not the intended recipient (or authorized to
>> receive this e-mail for the recipient), you may not review, copy or
>> distribute this message. Please contact the sender by reply e-mail
>> and delete all copies of this message.
>>
11 years
Re: Tips when implementing password policies
by Chris Jacobs
Okay, it says:
"If pwdChangedTime does not exist, the user's password will not expire."
How have you guys dealt with this? I suspect that just asking people to please change their passwords so we can make sure they expire will result in a low turn-out rate. :p
I also don't want people to just end-up locked out either, if at all possible.
Thoughts?
Thanks!
- chris
Chris Jacobs, Jr. Unix System Administrator
Apollo Group | Apollo Marketing | Aptimus
2001 6th Ave Ste 3200 | Seattle, WA 98121
phone: 206.441.9100 x1245 | mobile: 206.601.3256 | fax: 206.441.9661
email: chris.jacobs(a)apollogrp.edu
----- Original Message -----
From: Howard Chu <hyc(a)symas.com>
To: Chris Jacobs
Cc: 'tgates81(a)gmail.com' <tgates81(a)gmail.com>; 'openldap-technical(a)openldap.org' <openldap-technical(a)openldap.org>
Sent: Tue Mar 23 19:27:53 2010
Subject: Re: Tips when implementing password policies
Chris Jacobs wrote:
> I've a few accounts that I was testing with - after I set the password
/after/ ppolicy was in place, things work as expected. Password history, #
grace auths, etc.
>
> However, for those accounts existing before the ppolicy was in place, no
enforcement - there's no password change date set, nor any other policy items
added - other than the pwdpolicysubentry.
Please read the slapo-ppolicy(5) manpage. In particular, read the description
of the pwdChangedTime attribute.
> One note: early on in the old ldap installations use, inetorgperson wasn't
> a
class on accounts. Is that necessary for pwdpolicy? Would that make everything
else work for the legacy accounts?
>
> I'll send an example LDIF of a test account and a legacy account later.
> - chris
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
This message is private and confidential. If you have received it in error, please notify the sender and remove it from your system.
11 years
Re: Tips when implementing password policies
by Chris Jacobs
I've a few accounts that I was testing with - after I set the password /after/ ppolicy was in place, things work as expected. Password history, # grace auths, etc.
However, for those accounts existing before the ppolicy was in place, no enforcement - there's no password change date set, nor any other policy items added - other than the pwdpolicysubentry.
One note: early on in the old ldap installations use, inetorgperson wasn't a class on accounts. Is that necessary for pwdpolicy? Would that make everything else work for the legacy accounts?
I'll send an example LDIF of a test account and a legacy account later.
- chris
Chris Jacobs, Jr. Unix System Administrator
Apollo Group | Apollo Marketing | Aptimus
2001 6th Ave Ste 3200 | Seattle, WA 98121
phone: 206.441.9100 x1245 | mobile: 206.601.3256 | fax: 206.441.9661
email: chris.jacobs(a)apollogrp.edu
----- Original Message -----
From: Tyler Gates <tgates81(a)gmail.com>
To: Chris Jacobs
Cc: openldap-technical(a)openldap.org <openldap-technical(a)openldap.org>
Sent: Tue Mar 23 18:55:21 2010
Subject: Re: Tips when implementing password policies
pwdPolicySubentry should work -it's honored in place of the default
password policy which is set in your config. If it doesn't work than
likely your config lacks the necessary directives to use ppolicy.
As far as enforcement pwdMustchange can be set in your policy which
looks at the entrys pwdReset value. If both are true then ldap will
allow a limited set of rights on the dn enough to bind as tls or ssl
and change his or her password.
On Mar 23, 2010, at 5:19 PM, Chris Jacobs <Chris.Jacobs(a)apollogrp.edu>
wrote:
> Hello,
>
> I'm upgrading our LDAP infrastructure (it'll be a cut-over) and I've
> noticed that after adding pwdPolicySubentry to a user's account, it
> doesn't seem to have any affect.
>
> This user hasn't /ever/ reset their password, and the user's account
> doesn't show any password policy grace period usage after the test.
>
> The pwdPolicySubentry is still the only password policy related
> entry on his account.
>
> This suggests that I'll need to force people to change their
> password's at some point.
>
> 1) Is what I'm seeing normal/expected?
> 2) What method(s) have you used to force people to change their
> password - beyond asking them?
>
> Thanks!
> - chris
>
> Chris Jacobs, Jr. Linux Administrator, Information Technology &
> Operations
> Apollo Group | Apollo Marketing | Aptimus, Inc.
> 2001 6th Ave | Ste 3200 | Seattle, WA 98121
> phone: 206.441-9100 x1245 | cell: 206.601.3256 | Fax: 208.441.9661
> email: chris.jacobs(a)apollogrp.edu
>
> This message is private and confidential. If you have received it in
> error, please notify the sender and remove it from your system.
>
>
This message is private and confidential. If you have received it in error, please notify the sender and remove it from your system.
11 years
