openldap-technical March 2010

openldap-technical@openldap.org

73 participants
87 discussions

Re: tls private key
by Chris Jacobs 26 Mar '10

26 Mar '10

There's one sure fire way to find out... Start it up with a syncrepl, then move the private key, and see if it syncs fine both ways. Wait a day or so, and make a change and see if that synced. If I had to put a dollar on it, if guess that it doesn't need the key after startup. I could be horribly wrong though - I'm not a dev, just a user of the software. :) - chris Chris Jacobs, Jr. Unix System Administrator Apollo Group | Apollo Marketing | Aptimus 2001 6th Ave Ste 3200 | Seattle, WA 98121 phone: 206.441.9100 x1245 | mobile: 206.601.3256 | fax: 206.441.9661 email: chris.jacobs(a)apollogrp.edu ----- Original Message ----- From: openldap-technical-bounces+chris.jacobs=apollogrp.edu(a)OpenLDAP.org <openldap-technical-bounces+chris.jacobs=apollogrp.edu(a)OpenLDAP.org> To: openldap-technical(a)openldap.org <openldap-technical(a)openldap.org> Sent: Thu Mar 25 18:44:47 2010 Subject: Re: tls private key HI On Fri, Mar 26, 2010 at 12:09 PM, Tyler Gates <tgates81(a)gmail.com> wrote: > Alex, > encrypting the private key really isn't necessary and I highly doubt it > would work for your application nor be worth the hassel. Securing via file > permisssions as mentioned previously is really the best way to tackle this. > Think of 'other layers of protection' being firewalls, intrusion detection, > restricted logins, chroot jails, etc., etc... yep go those, firewalls, permissions etc. I am not sure why every one is against me trying to use another layer of protection, just because I permission it as root.root 440, doesn't mean its safe. I could make it safer, but unecrypting the private key, starting slapd and removing the unecrypted file. Or thing of it another way, my private key could be on a usb key, that i insert into the machine on start up and remove once slapd has started. I have seen secure machine compromised before, somebody installed cvs forgot to change the cvs userid password, root hack and a remote user had access to the system. Some times people do silly things on my laptop - I encrypt the fs and the swap space and my gpg key have userid/passwords and my certs have userid password protection, like to do the same for my ldap setup as well :) I understand the reasons for encrypting and signing packets or information, just asking if slapd needs access to the private key after it has read the file on startup. > Encryption really works best for UDP like transportation like email where > you cannot guarantee the recipient is the only person able to 'see' the > document ;) > [snip] This message is private and confidential. If you have received it in error, please notify the sender and remove it from your system.

3 2

tls private key
by Alex Samad 26 Mar '10

26 Mar '10

Hi I am setting up my sync repl to use certificates, my problem is I don't want to leave my private key for the server un encrypted. the file pointed to by TLSCertificateKeyFile is is just read at slapd load up time, ie can i unencrypt the file start slapd and then remove the un encrypted file ? Alex

4 5

Slapd database goes corrupt repeatedly after recovery
by Kaspar Fischer 25 Mar '10

25 Mar '10

Dear list, We are using an OpenLDAP/slapd server to manage the user accounts of our Samba server and have recently run into the problem that users cannot connect to Samba drives anymore after some time. Samba complains that it cannot connect to the LDAP server (see below for error message in Samba log) and the slapd log shows Mar 25 11:38:15 office-server slapd[3433]: <= bdb_equality_candidates: (gidNumber) not indexed Mar 25 11:38:15 office-server slapd[3433]: <= bdb_equality_candidates: (gidNumber) not indexed Mar 25 11:38:15 office-server slapd[3433]: <= bdb_equality_candidates: (uid) not indexed Mar 25 11:38:15 office-server slapd[3433]: <= bdb_equality_candidates: (gidNumber) not indexed Mar 25 11:38:15 office-server slapd[3433]: <= bdb_equality_candidates: (sambaSID) not indexed Mar 25 11:38:15 office-server slapd[3433]: <= bdb_equality_candidates: (sambaSID) not indexed Mar 25 11:38:15 office-server slapd[3433]: bdb(dc=foo,dc=org): file id2entry.bdb has LSN 1/382892, past end of log at 1/283666 Mar 25 11:38:15 office-server slapd[3433]: bdb(dc=foo,dc=org): Commonly caused by moving a database from one database environment Mar 25 11:38:15 office-server slapd[3433]: bdb(dc=foo,dc=org): to another without clearing the database LSNs, or by removing all of Mar 25 11:38:15 office-server slapd[3433]: bdb(dc=foo,dc=org): the log files from a database environment Mar 25 11:38:17 office-server slapd[3433]: bdb(dc=foo,dc=org): DB_ENV->log_flush: LSN of 1/382892 past current end-of-log of 1/283666 Mar 25 11:38:17 office-server slapd[3433]: bdb(dc=foo,dc=org): Database environment corrupt; the wrong log files may have been removed or incompatible database files imported from another environment Mar 25 11:38:17 office-server slapd[3433]: bdb(dc=foo,dc=org): PANIC: DB_RUNRECOVERY: Fatal error, run database recovery Mar 25 11:38:17 office-server slapd[3433]: bdb(dc=foo,dc=org): id2entry.bdb: unable to flush page: 5 Mar 25 11:38:17 office-server slapd[3433]: bdb(dc=foo,dc=org): DB_ENV->log_flush: LSN of 1/378772 past current end-of-log of 1/283666 Mar 25 11:38:17 office-server slapd[3433]: bdb(dc=foo,dc=org): Database environment corrupt; the wrong log files may have been removed or incompatible database files imported from another environment Mar 25 11:38:17 office-server slapd[3433]: bdb(dc=foo,dc=org): PANIC: DB_RUNRECOVERY: Fatal error, run database recovery Mar 25 11:38:17 office-server slapd[3433]: bdb(dc=foo,dc=org): id2entry.bdb: unable to flush page: 7 Mar 25 11:38:17 office-server slapd[3433]: bdb(dc=foo,dc=org): DB_ENV->log_flush: LSN of 1/373647 past current end-of-log of 1/283666 Mar 25 11:38:17 office-server slapd[3433]: bdb(dc=foo,dc=org): Database environment corrupt; the wrong log files may have been removed or incompatible database files imported from another environment Mar 25 11:38:17 office-server slapd[3433]: bdb(dc=foo,dc=org): PANIC: DB_RUNRECOVERY: Fatal error, run database recovery Mar 25 11:38:17 office-server slapd[3433]: bdb(dc=foo,dc=org): id2entry.bdb: unable to flush page: 8 Mar 25 11:38:17 office-server slapd[3433]: bdb(dc=foo,dc=org): txn_checkpoint: failed to flush the buffer cache: DB_RUNRECOVERY: Fatal error, run database recovery Mar 25 11:38:51 office-server slapd[3433]: conn=62 op=29 do_search: invalid dn (sambaDomainName=,sambaDomainName=foo,dc=foo,dc=org) Mar 25 11:38:51 office-server slapd[3433]: bdb(dc=foo,dc=org): PANIC: fatal region error detected; run recovery Mar 25 11:39:01 office-server slapd[3433]: last message repeated 26 times Mar 25 11:39:01 office-server CRON[3657]: (root) CMD ( [ -x /usr/lib/php5/maxlifetime ] && [ -d /var/lib/php5 ] && find /var/lib/php5/ -type f -cmin +$(/usr/lib/php5/maxlifetime) -print0 | xargs -n 200 -r -0 rm) Mar 25 11:39:14 office-server slapd[3433]: bdb(dc=foo,dc=org): PANIC: fatal region error detected; run recovery Mar 25 11:39:47 office-server slapd[3433]: last message repeated 35 times Mar 25 11:39:48 office-server slapd[3433]: bdb(dc=foo,dc=org): PANIC: fatal region error detected; run recovery Mar 25 11:39:49 office-server slapd[3433]: bdb(dc=foo,dc=org): PANIC: fatal region error detected; run recovery Mar 25 11:39:50 office-server slapd[3433]: bdb(dc=foo,dc=org): PANIC: fatal region error detected; run recovery Mar 25 11:40:51 office-server slapd[3433]: last message repeated 164 times Mar 25 11:40:51 office-server slapd[3433]: last message repeated 3 times Mar 25 11:40:52 office-server slapd[3433]: bdb(dc=foo,dc=org): PANIC: fatal region error detected; run recovery Mar 25 11:41:53 office-server slapd[3433]: last message repeated 294 times Strangely, restarting slapd helps and users can use Samba again for a limited and arbitrary period of time until the problem pops up again. I tried fixing the database using db4.7_recover -v -h /var/lib/ldap but again, the problem pops up again later. I realized that when I shut down slapd using "/etc/init.d/slapd stop", it complains about the database being corrupt (even if so far no problems appeared): Mar 25 10:12:35 office-server slapd[16880]: slapd shutdown: waiting for 0 operations/tasks to finish Mar 25 10:12:35 office-server slapd[16880]: bdb(dc=foo,dc=org): DB_ENV->log_flush: LSN of 1/382892 past current end-of-log of 1/278482 Mar 25 10:12:35 office-server slapd[16880]: bdb(dc=foo,dc=org): Database environment corrupt; the wrong log files may have been removed or incompatible database files imported from another environment Mar 25 10:12:35 office-server slapd[16880]: bdb(dc=foo,dc=org): PANIC: DB_RUNRECOVERY: Fatal error, run database recovery Mar 25 10:12:35 office-server slapd[16880]: bdb(dc=foo,dc=org): id2entry.bdb: unable to flush page: 5 Mar 25 10:12:35 office-server slapd[16880]: bdb(dc=foo,dc=org): DB_ENV->log_flush: LSN of 1/378772 past current end-of-log of 1/278482 Mar 25 10:12:35 office-server slapd[16880]: bdb(dc=foo,dc=org): Database environment corrupt; the wrong log files may have been removed or incompatible database files imported from another environment Mar 25 10:12:35 office-server slapd[16880]: bdb(dc=foo,dc=org): PANIC: DB_RUNRECOVERY: Fatal error, run database recovery Mar 25 10:12:35 office-server slapd[16880]: bdb(dc=foo,dc=org): id2entry.bdb: unable to flush page: 7 Mar 25 10:12:35 office-server slapd[16880]: bdb(dc=foo,dc=org): DB_ENV->log_flush: LSN of 1/373647 past current end-of-log of 1/278482 Mar 25 10:12:35 office-server slapd[16880]: bdb(dc=foo,dc=org): Database environment corrupt; the wrong log files may have been removed or incompatible database files imported from another environment Mar 25 10:12:35 office-server slapd[16880]: bdb(dc=foo,dc=org): PANIC: DB_RUNRECOVERY: Fatal error, run database recovery Mar 25 10:12:35 office-server slapd[16880]: bdb(dc=foo,dc=org): id2entry.bdb: unable to flush page: 8 Mar 25 10:12:35 office-server slapd[16880]: bdb(dc=foo,dc=org): PANIC: fatal region error detected; run recovery Mar 25 10:12:35 office-server slapd[16880]: bdb_db_close: database "dc=foo,dc=org": txn_checkpoint failed: DB_RUNRECOVERY: Fatal error, run database recovery (-30974). Mar 25 10:12:35 office-server slapd[16880]: bdb(dc=foo,dc=org): File handles still open at environment close Mar 25 10:12:35 office-server slapd[16880]: bdb(dc=foo,dc=org): Open file handle: /var/lib/ldap/log.0000000001 Mar 25 10:12:35 office-server slapd[16880]: bdb(dc=foo,dc=org): PANIC: fatal region error detected; run recovery Mar 25 10:12:35 office-server slapd[16880]: bdb_db_close: database "dc=foo,dc=org": close failed: DB_RUNRECOVERY: Fatal error, run database recovery (-30974) Mar 25 10:12:35 office-server slapd[16880]: slapd stopped. Mar 25 10:12:46 office-server slapd[19194]: @(#) $OpenLDAP: slapd 2.4.18 (Sep 8 2009 17:47:22) $#012#011buildd@crested:/build/buildd/openldap-2.4.18/debian/build/servers/slapd Does anybody have an idea what the problem might be? Many thanks for any hints or pointers! Kaspar -- Samba Log File: [2008/09/23 11:22:22, 0] lib/smbldap.c:smbldap_connect_system(982) failed to bind to server ldap://localhost/ with dn="cn=admin,dc=foo,dc=org" Error: Can't contact LDAP server (unknown) [2008/09/23 11:22:22, 1] lib/smbldap.c:another_ldap_try(1153) Connection to LDAP server failed for the 1 try! [2008/09/23 11:22:23, 2] lib/smbldap.c:smbldap_open_connection(786) smbldap_open_connection: connection opened [2008/09/23 11:22:23, 2] lib/smbldap.c:smbldap_connect_system(982) failed to bind to server ldap://localhost/ with dn="cn=admin,dc=foo,dc=org" Error: Can't contact LDAP server (unknown) [2008/09/23 11:22:23, 1] lib/smbldap.c:another_ldap_try(1153) Connection to LDAP server failed for the 2 try! Server details: Ubuntu 9.10, slapd 2.4.18 Slapd configuration file (slapd.conf): # This is the main slapd configuration file. See slapd.conf(5) for more # info on the configuration options. ####################################################################### # Global Directives: # Features to permit #allow bind_v2 # Schema and objectClass definitions include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/nis.schema include /etc/ldap/schema/inetorgperson.schema include /etc/ldap/schema/samba.schema include /etc/ldap/schema/misc.schema # Where the pid file is put. The init.d script # will not stop the server if you change this. pidfile /var/run/slapd/slapd.pid # List of arguments that were passed to the server argsfile /var/run/slapd/slapd.args # Read slapd.conf(5) for possible values loglevel 392 # Where the dynamically loaded modules are stored modulepath /usr/lib/ldap moduleload back_bdb # The maximum number of entries that is returned for a search operation sizelimit 500 # The tool-threads parameter sets the actual amount of cpu's that is used # for indexing. tool-threads 1 ####################################################################### # Specific Backend Directives for bdb: # Backend specific directives apply to this backend until another # 'backend' directive occurs backend bdb ####################################################################### # Specific Backend Directives for 'other': # Backend specific directives apply to this backend until another # 'backend' directive occurs #backend <other> ####################################################################### # Specific Directives for database #1, of type bdb: # Database specific directives apply to this databasse until another # 'database' directive occurs database bdb # The base of your directory in database #1 suffix "dc=baselgovernance,dc=org" # rootdn directive for specifying a superuser on the database. This is needed # for syncrepl. # rootdn "cn=admin,dc=baselgovernance,dc=org" # Where the database file are physically stored for database #1 directory "/var/lib/ldap" # The dbconfig settings are used to generate a DB_CONFIG file the first # time slapd starts. They do NOT override existing an existing DB_CONFIG # file. You should therefore change these settings in DB_CONFIG directly # or remove DB_CONFIG and restart slapd for changes to take effect. # For the Debian package we use 2MB as default but be sure to update this # value if you have plenty of RAM dbconfig set_cachesize 0 2097152 0 # Sven Hartge reported that he had to set this value incredibly high # to get slapd running at all. See http://bugs.debian.org/303057 for more # information. # Number of objects that can be locked at the same time. dbconfig set_lk_max_objects 1500 # Number of locks (both requested and granted) dbconfig set_lk_max_locks 1500 # Number of lockers dbconfig set_lk_max_lockers 1500 # Indexing options for database #1 index objectClass eq # Save the time that the entry gets modified, for database #1 lastmod on # Checkpoint the BerkeleyDB database periodically in case of system # failure and to speed slapd shutdown. checkpoint 512 30 # Where to store the replica logs for database #1 # replogfile /var/lib/ldap/replog # The userPassword by default can be changed # by the entry owning it if they are authenticated. # Others should not be able to see it, except the # admin entry below # These access lines apply to database #1 only access to attrs=userPassword,sambaNTPassword,sambaLMPassword by dn="cn=admin,dc=baselgovernance,dc=org" write by anonymous auth by self write by * none # Ensure read access to the base for things like # supportedSASLMechanisms. Without this you may # have problems with SASL not knowing what # mechanisms are available and the like. # Note that this is covered by the 'access to *' # ACL below too but if you change that as people # are wont to do you'll still need this if you # want SASL (and possible other things) to work # happily. access to dn.base="" by * read # The admin dn has full write access, everyone else # can read everything. access to * by dn="cn=admin,dc=baselgovernance,dc=org" write by * read # For Netscape Roaming support, each user gets a roaming # profile for which they have write access to #access to dn=".*,ou=Roaming,o=morsnet" # by dn="cn=admin,dc=baselgovernance,dc=org" write # by dnattr=owner write ####################################################################### # Specific Directives for database #2, of type 'other' (can be bdb too): # Database specific directives apply to this databasse until another # 'database' directive occurs #database <other> # The base of your directory for database #2 #suffix "dc=debian,dc=org" # Indices to maintain ## required by OpenLDAP #index objectclass eq index cn pres,sub,eq index sn pres,sub,eq ## required to support pdb_getsampwnam index uid pres,sub,eq ## required to support pdb_getsambapwrid() index displayName pres,sub,eq ## uncomment these if you are storing posixAccount and ## posixGroup entries in the directory as well ##index uidNumber eq ##index gidNumber eq ##index memberUid eq index sambaSID pres,sub,eq index sambaPrimaryGroupSID eq index sambaDomainName eq index default sub

3 3

Re: Re: Pre-requisites to enable SSL/TLS in OpenLDAP 2.4
by Arun Srinivasan 24 Mar '10

24 Mar '10

Thanks for the reply, Dieter. Yes it seems slapd has not been built with openssl. Here is the output of ldd: $ ldd /usr/local/libexec/slapd libdb-4.8.so => /usr/local/BerkeleyDB.4.8/lib/libdb-4.8.so (0x00002ad9ac26a000) libpthread.so.0 => /lib64/libpthread.so.0 (0x0000003542a00000) libresolv.so.2 => /lib64/libresolv.so.2 (0x000000354ba00000) libc.so.6 => /lib64/libc.so.6 (0x0000003541e00000) /lib64/ld-linux-x86-64.so.2 (0x0000003541a00000) Can you please let me know if there is any workaround for this or do we need to re-configure openldap with (--with-tls=openssl) ? Also let me know if we need to configure openldap with any other configuration options for TLS/SSL to work properly. Please suggest. Thanks. On Wed, 24 Mar 2010 19:24:29 +0530 wrote >"Arun Srinivasan" writes: > Hi All, > > I am using OpenLDAP 2.4.21 on RHEL 5.3. > > I have configured the openldap with "./configure --with-tls" option to enable > ssl in the server. I used the built-in openssl that comes with RHEL 5.3. > Berkley GB is 4.8.26. [...] > > then I get the following output: >>>>>>>>> > daemon_init: ldap:// ldaps:// > daemon_init: listen on ldap:// > daemon_init: listen on ldaps:// > daemon_init: 2 listeners to open... > ldap_url_parse_ext(ldap://) > daemon: listener initialized ldap:// > ldap_url_parse_ext(ldaps://) > daemon: TLS not supported (ldaps://) > slapd stopped. > connections_destroy: nothing to destroy. >>>>>>>>>> [...] It seems that slapd has not been built with openssl, you may check the shared libraries linked to slapd calling ldd(1). -Dieter -- Dieter Klünter | Systemberatung http://dkluenter.de GPG Key ID:8EF7B6C6 53°37'09,95"N 10°08'02,42"E

2 1

Re: OpenLDAP DB_CONFIG values for a big Server
by Echedey Lorenzo 24 Mar '10

24 Mar '10

Thanks, this guide is helping me a lot. KR 2010/3/12 Quanah Gibson-Mount <quanah(a)zimbra.com> > --On Friday, March 12, 2010 10:24 AM +0000 Echedey Lorenzo < > echedey(a)gmail.com> wrote: > > > Any help will be appreciated since my experiences with OpenLDAP >> performance against Sun Directory Server 5.2 has not been good, taking >> several seconds to answer any ldaprequest :( >> > > OpenLDAP, when properly tuned, is always magnitudes faster than SunOne DS. > > I suggest reading over: > > <http://wiki.zimbra.com/index.php?title=OpenLDAP_Performance_Tuning_6.0> > > which, particularly with the BDB portions, should give you a lot of > guidance. > > Someday when the OpenLDAP foundation has a real wiki, I'll put this > information there. > > --Quanah > > > -- > > Quanah Gibson-Mount > Principal Software Engineer > Zimbra, Inc > -------------------- > Zimbra :: the leader in open source messaging and collaboration > -- -------------------------------------------- | Echedey Lorenzo Arencibia | --------------------------------------------

1 0

Pre-requisites to enable SSL/TLS in OpenLDAP 2.4
by Arun Srinivasan 24 Mar '10

24 Mar '10

Hi All, I am using OpenLDAP 2.4.21 on RHEL 5.3. I have configured the openldap with "./configure --with-tls" option to enable ssl in the server. I used the built-in openssl that comes with RHEL 5.3. Berkley GB is 4.8.26. But after creating the certificates and configuring the slapd.conf with the below lines: TLSCipherSuite HIGH:MEDIUM:+SSLv2 TLSCACertificateFile /usr/local/etc/openldap/cacert.pem TLSCertificateFile /usr/local/etc/openldap/servercrt.pem TLSCertificateKeyFile /usr/local/etc/openldap/serverkey.pem However, when I try to run the slapd with the -h option as "/usr/local/libexec/slapd -h "ldap:// ldaps://" -d 255" then I get the following output: >>>>>>>> daemon_init: ldap:// ldaps:// daemon_init: listen on ldap:// daemon_init: listen on ldaps:// daemon_init: 2 listeners to open... ldap_url_parse_ext(ldap://) daemon: listener initialized ldap:// ldap_url_parse_ext(ldaps://) daemon: TLS not supported (ldaps://) slapd stopped. connections_destroy: nothing to destroy. >>>>>>>>> I am guessing something is wrong at the openldap configuration level itself. Can somebody let me know what are the pre-requisites to be followed while configuring openldap (configure options)so that SSL can be enabled successfully. Thanks

2 1

Quick help on ldap modify with different domain name
by Meena Ram 24 Mar '10

24 Mar '10

Dear folks: Wanted some quick help in deleting the entries and adding more users with a different set of DN Our DN earlier was like this cn = manager, dc = ind, dc=ban, dc =com. now it is changed to three levels like cn = manager, dc = gubbi, dc = ind, dc=ban, dc =com. when i try to modify using ldap modify i can not modify instead i get the following error: One more level is added. I get the following error if i try to modify using ldapmodify modifying entry "dc=gubbi,dc=ind,dc=ban,dc=com" ldap_modify: Constraint violation (19) additional info: structuralObjectClass: no user modification allowed Cheers!!!!!!! RAM ________________________________ From: Meena Ram <meenaram21(a)yahoo.com> To: openldap-technical(a)openldap.org Sent: Thu, March 11, 2010 6:07:03 PM Subject: brief tips and tricks for running ldaps on slackware Dear folks: If any one has a brief tips, tricks or cheatsheet for running slapd with SSL/TLS can you please post it. plain ldap works perfect but ldaps search and related stuff seams to have some issues Cheers!!!!!!!!

2 1

Re: Problem with getent passwd
by Tyler Gates 24 Mar '10

24 Mar '10

And don't forget nsswitch. ldap should be first for group and passwd. On Mar 23, 2010, at 8:25 PM, Tyler Gates <tgates81(a)gmail.com> wrote: > Sounds like it's a problem with your client side pam_ldap > authentication. There's a whole buch of steps to get that working, > just google it. If you have a redhat variant authconfig or setup > will step you through it. It would help if you could post your > system_auth file. > > On Mar 23, 2010, at 11:40 AM, Lynn York <lynn.york(a)mavenwire.com> > wrote: > >> Hello, >> >> >> >> When I issue “getent passwd” I can see it query >> the ldap server for all the information and the server is returnin >> g the correct information. However, “getent passwd” doesn’t >> actually show the users that are in ldap. I am not sure where my >> problem might be. Can anyone offer any suggestions on where to look? >> >> >> >> Lynn York II >> >> MavenWire Hosting Admin >> >> www.mavenwire.com >> >> (866) 343-4870 x717 >> >> >> >> MavenWire - We DELIVER >> >> http://www.mavenwire.com >> >> >> >> This e-mail and any attached files may contain confidential and/or >> privileged material for the sole use of the intended recipient. >> Any review, use, distribution or disclosure by others is strictly >> prohibited. If you are not the intended recipient (or authorized to >> receive this e-mail for the recipient), you may not review, copy or >> distribute this message. Please contact the sender by reply e-mail >> and delete all copies of this message. >> >> >> >> MavenWire - We DELIVER >> http://www.mavenwire.com >> >> This e-mail and any attached files may contain confidential and/or >> privileged material for the sole use of the intended recipient. >> Any review, use, distribution or disclosure by others is strictly >> prohibited. If you are not the intended recipient (or authorized to >> receive this e-mail for the recipient), you may not review, copy or >> distribute this message. Please contact the sender by reply e-mail >> and delete all copies of this message. >>

2 1

Re: Tips when implementing password policies
by Chris Jacobs 24 Mar '10

24 Mar '10

Okay, it says: "If pwdChangedTime does not exist, the user's password will not expire." How have you guys dealt with this? I suspect that just asking people to please change their passwords so we can make sure they expire will result in a low turn-out rate. :p I also don't want people to just end-up locked out either, if at all possible. Thoughts? Thanks! - chris Chris Jacobs, Jr. Unix System Administrator Apollo Group | Apollo Marketing | Aptimus 2001 6th Ave Ste 3200 | Seattle, WA 98121 phone: 206.441.9100 x1245 | mobile: 206.601.3256 | fax: 206.441.9661 email: chris.jacobs(a)apollogrp.edu ----- Original Message ----- From: Howard Chu <hyc(a)symas.com> To: Chris Jacobs Cc: 'tgates81(a)gmail.com' <tgates81(a)gmail.com>; 'openldap-technical(a)openldap.org' <openldap-technical(a)openldap.org> Sent: Tue Mar 23 19:27:53 2010 Subject: Re: Tips when implementing password policies Chris Jacobs wrote: > I've a few accounts that I was testing with - after I set the password /after/ ppolicy was in place, things work as expected. Password history, # grace auths, etc. > > However, for those accounts existing before the ppolicy was in place, no enforcement - there's no password change date set, nor any other policy items added - other than the pwdpolicysubentry. Please read the slapo-ppolicy(5) manpage. In particular, read the description of the pwdChangedTime attribute. > One note: early on in the old ldap installations use, inetorgperson wasn't > a class on accounts. Is that necessary for pwdpolicy? Would that make everything else work for the legacy accounts? > > I'll send an example LDIF of a test account and a legacy account later. > - chris -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/ This message is private and confidential. If you have received it in error, please notify the sender and remove it from your system.

3 3

Re: Tips when implementing password policies
by Chris Jacobs 24 Mar '10

24 Mar '10

I've a few accounts that I was testing with - after I set the password /after/ ppolicy was in place, things work as expected. Password history, # grace auths, etc. However, for those accounts existing before the ppolicy was in place, no enforcement - there's no password change date set, nor any other policy items added - other than the pwdpolicysubentry. One note: early on in the old ldap installations use, inetorgperson wasn't a class on accounts. Is that necessary for pwdpolicy? Would that make everything else work for the legacy accounts? I'll send an example LDIF of a test account and a legacy account later. - chris Chris Jacobs, Jr. Unix System Administrator Apollo Group | Apollo Marketing | Aptimus 2001 6th Ave Ste 3200 | Seattle, WA 98121 phone: 206.441.9100 x1245 | mobile: 206.601.3256 | fax: 206.441.9661 email: chris.jacobs(a)apollogrp.edu ----- Original Message ----- From: Tyler Gates <tgates81(a)gmail.com> To: Chris Jacobs Cc: openldap-technical(a)openldap.org <openldap-technical(a)openldap.org> Sent: Tue Mar 23 18:55:21 2010 Subject: Re: Tips when implementing password policies pwdPolicySubentry should work -it's honored in place of the default password policy which is set in your config. If it doesn't work than likely your config lacks the necessary directives to use ppolicy. As far as enforcement pwdMustchange can be set in your policy which looks at the entrys pwdReset value. If both are true then ldap will allow a limited set of rights on the dn enough to bind as tls or ssl and change his or her password. On Mar 23, 2010, at 5:19 PM, Chris Jacobs <Chris.Jacobs(a)apollogrp.edu> wrote: > Hello, > > I'm upgrading our LDAP infrastructure (it'll be a cut-over) and I've > noticed that after adding pwdPolicySubentry to a user's account, it > doesn't seem to have any affect. > > This user hasn't /ever/ reset their password, and the user's account > doesn't show any password policy grace period usage after the test. > > The pwdPolicySubentry is still the only password policy related > entry on his account. > > This suggests that I'll need to force people to change their > password's at some point. > > 1) Is what I'm seeing normal/expected? > 2) What method(s) have you used to force people to change their > password - beyond asking them? > > Thanks! > - chris > > Chris Jacobs, Jr. Linux Administrator, Information Technology & > Operations > Apollo Group | Apollo Marketing | Aptimus, Inc. > 2001 6th Ave | Ste 3200 | Seattle, WA 98121 > phone: 206.441-9100 x1245 | cell: 206.601.3256 | Fax: 208.441.9661 > email: chris.jacobs(a)apollogrp.edu > > This message is private and confidential. If you have received it in > error, please notify the sender and remove it from your system. > > This message is private and confidential. If you have received it in error, please notify the sender and remove it from your system.

2 1

← Newer
1
2
3
4
5
6
7
8
9
Older →

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical March 2010