Tips when implementing password policies
by Chris Jacobs
Hello,
I'm upgrading our LDAP infrastructure (it'll be a cut-over) and I've noticed that after adding pwdPolicySubentry to a user's account, it doesn't seem to have any effect.
This user hasn't /ever/ reset their password, and the user's account doesn't show any password policy grace period usage after the test.
The pwdPolicySubentry is still the only password policy related entry on his account.
This suggests that I'll need to force people to change their passwords at some point.
1) Is what I'm seeing normal/expected?
2) What method(s) have you used to force people to change their password - beyond asking them?
Thanks!
- chris
Chris Jacobs, Jr. Linux Administrator, Information Technology & Operations
Apollo Group | Apollo Marketing | Aptimus, Inc.
2001 6th Ave | Ste 3200 | Seattle, WA 98121
phone: 206.441-9100 x1245 | cell: 206.601.3256 | Fax: 208.441.9661
email: chris.jacobs(a)apollogrp.edu
This message is private and confidential. If you have received it in error, please notify the sender and remove it from your system.
Re: brief tips and tricks for running ldaps on slackware
by Meena Ram
Dear folks:
Wanted some quick help in deleting the entries and adding more users with a different set of DNs.
Our DN earlier was like this:
cn=manager,dc=ind,dc=ban,dc=com
Now it is changed to three levels like:
cn=manager,dc=gubbi,dc=ind,dc=ban,dc=com
When I try to modify using ldapmodify I cannot modify; instead I get the following error.
One more level is added. I get the following error if I try to modify using ldapmodify:
modifying entry "dc=gubbi,dc=ind,dc=ban,dc=com"
ldap_modify: Constraint violation (19)
additional info: structuralObjectClass: no user modification allowed
Cheers!!!!!!!
RAM
________________________________
From: Meena Ram <meenaram21(a)yahoo.com>
To: openldap-technical(a)openldap.org
Sent: Thu, March 11, 2010 6:07:03 PM
Subject: brief tips and tricks for running ldaps on slackware
Dear folks:
If anyone has brief tips, tricks or a cheatsheet for running slapd with SSL/TLS, can you please post it?
Plain LDAP works perfectly, but ldaps search and related stuff seems to have some issues.
Cheers!!!!!!!!
Problem with getent passwd
by Lynn York
Hello,
When I issue “getent passwd” I can see it query the ldap
server for all the information and the server is returning the correct
information. However, “getent passwd” doesn’t actually show the users that
are in ldap. I am not sure where my problem might be. Can anyone offer any
suggestions on where to look?
Lynn York II
MavenWire Hosting Admin
www.mavenwire.com
(866) 343-4870 x717
MavenWire - We DELIVER
http://www.mavenwire.com
This e-mail and any attached files may contain confidential and/or
privileged material for the sole use of the intended recipient. Any review,
use, distribution or disclosure by others is strictly prohibited. If you are
not the intended recipient (or authorized to receive this e-mail for the
recipient), you may not review, copy or distribute this message. Please
contact the sender by reply e-mail and delete all copies of this message.
RE: attribute 'pwdPolicySubentry' cannot have multiple values
by Chris Jacobs
Howard, Tyler, Michael,
My apologies: I take that back. The entry is indeed on the account - and it is, in fact, a system attribute.
I will endeavor to not reply to messages at 4am in the future - a bit too quick on the /assume/ thing.
BTW:
How do you identify whether an attribute will be a system attribute or not? I've plenty to learn on ldap, but even I knew to look at the schema file - and I'm not certain how one could know whether an attribute would be a system attribute.
Anyway - assuming the policy functions as expected - I'm nearly done with this beast of a one-man project.
Thanks!
- chris
PS: I'd failed to reply-to-all on my previous emails. Please pardon my mailing list etiquette and use failure. :)
________________________________________
From: Chris Jacobs
Sent: Monday, March 22, 2010 4:12 AM
To: Howard Chu
Subject: RE: attribute 'pwdPolicySubentry' cannot have multiple values
No - there's no pwdPolicySubEntry entry.
The contents of the LDAP db were built via a slapcat dump from an OpenLDAP 2.2 installation, with no ppolicy.
As you can see from the LDIF of the chrisjtest 'account' - there's no pwdPolicySubEntry currently. Apache's directory studio and slapcat agree.
- chris
________________________________________
From: Howard Chu [hyc(a)symas.com]
Sent: Saturday, March 20, 2010 2:49 AM
To: Tyler Gates
Cc: Chris Jacobs; openldap-technical(a)openldap.org
Subject: Re: attribute 'pwdPolicySubentry' cannot have multiple values
Tyler Gates wrote:
> I'm pretty sure pwdPolicySubEntry requires the pwdPolicy objectClass
> in the target dn
No. The pwdPolicy class is for the entry that contains the policy attributes,
not the entry being controlled by the policy.
> although that wouldn't explain the error message...
The error message is quite clear - the pwdPolicySubentry attribute is
single-valued, you can't set multiple values for it.
> Are you sure the attribute doesn't already exist? It is a system
> attribute so depending on the browser you are using at may not appear.
That's most likely what's going on here.
> On Mar 19, 2010, at 6:59 PM, Chris Jacobs<Chris.Jacobs(a)apollogrp.edu>
> wrote:
>
>> Hello,
>>
>> I've got my ldap infrastructure (mirrormode masters, 2 slaves per
>> datacenter) working fantastic (I can clear a db on a remote slave
>> and in less than 30 seconds after startup, it'll reacquire the
>> entire db!).
>>
>> I'm now having an issue with one of the very last things: getting a
>> password policy into effect.
>>
>> When I attempt to add the 'pwdPolicySubentry' attribute to a user
>> account, I get the error:
>>
>> Mar 19 22:51:24 ldapmaster1 slapd[8731]: Entry
>> (uid=chrisjtest,ou=people,dc=unix,dc=aptimus,dc=net), attribute
>> 'pwdPolicySubentry' cannot have multiple values
>> Mar 19 22:51:24 ldapmaster1 slapd[8731]: entry failed schema check:
>> attribute 'pwdPolicySubentry' cannot have multiple values
>>
>> I get that error in the logs whether I try to add it by hand via
>> Apache Directory Studio, or an ldif import/modify:
>>
>> dn: uid=chrisjtest,ou=people,dc=unix,dc=aptimus,dc=net
>> changetype: modify
>> add: pwdPolicySubentry
>> pwdPolicySubentry: cn=default,ou=policies,dc=unix,dc=aptimus,dc=net
>>
>> Here are the related slapd.conf overlay directives:
>>
>> overlay ppolicy
>> ppolicy_hash_cleartext
>> ppolicy_use_lockout
>>
>> (Notice there's no ppolicy_default set - I'm still testing this
>> feature out before I roll it out.)
>>
>> And for completeness, here's the entry that I'm attempting to add
>> this attribute to:
>>
>> dn: uid=chrisjtest,ou=people,dc=unix,dc=aptimus,dc=net
>> objectClass: top
>> objectClass: inetOrgPerson
>> objectClass: posixAccount
>> objectClass: shadowAccount
>> cn: ChrisJ Test
>> gidNumber: 200
>> homeDirectory: /home/chrisjtest
>> sn: chrisjtest
>> uid: chrisjtest
>> uidNumber: 583
>> description: ChrisJ Test
>> gecos: ChrisJ Test
>> loginShell: /bin/bash
>> shadowLastChange: 14657
>> userPassword::<<snipped>>
>>
>> And here's the password policy ldif:
>>
>> dn: ou=policies,dc=unix,dc=aptimus,dc=net
>> objectClass: organizationalUnit
>> objectClass: top
>> ou: policies
>>
>> dn: cn=default,ou=policies,dc=unix,dc=aptimus,dc=net
>> objectClass: top
>> objectClass: device
>> objectClass: pwdPolicy
>> cn: default
>> pwdAttribute: userPassword
>> pwdAllowUserChange: TRUE
>> pwdExpireWarning: 172800
>> pwdFailureCountInterval: 0
>> pwdGraceAuthNLimit: 0
>> pwdInHistory: 10
>> pwdLockout: TRUE
>> pwdLockoutDuration: 1200
>> pwdMaxAge: 15897600
>> pwdMaxFailure: 3
>> pwdMinLength: 8
>> pwdMustChange: FALSE
>> pwdSafeModify: TRUE
>>
>> When I built openldap, I enabled all overlays (I know, not the most
>> efficient), and when I attempt to add moduleload ppolicy.la or
>> ppolicy.so I get in the logs:
>>
>> line 18 (moduleload ppolicy.la)
>> module_load: (ppolicy.la) already present (static)
>>
>> Which I'm pretty sure means it's already loaded...
>>
>> Any idea as to what I'm doing wrong?
>>
>> Thanks,
>> - chris
>>
>> Chris Jacobs, Jr. Linux Administrator, Information Technology &
>> Operations
>> Apollo Group | Apollo Marketing | Aptimus, Inc.
>> 2001 6th Ave | Ste 3200 | Seattle, WA 98121
>> phone: 206.441-9100 x1245 | cell: 206.601.3256 | Fax: 208.441.9661
>> email: chris.jacobs(a)apollogrp.edu
>>
>>
>> This message is private and confidential. If you have received it in
>> error, please notify the sender and remove it from your system.
>>
>>
>
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
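Howard's two points above, that the pwdPolicy class belongs on the policy entry rather than the account and that pwdPolicySubentry is single-valued and may already be present as an operational attribute a browser hides, and the "structuralObjectClass: no user modification allowed" error in the slackware thread earlier on this page, all come from flags in the attributeType definitions of the schema. The following is an added example, not code from the thread, from OpenLDAP or from Apache Directory Studio, that reads those flags from RFC 4512 attributeType text and predicts how slapd would answer a modify. SAMPLE_SCHEMA, CHRISJTEST and POLICY_DN are constructed for illustration; the authoritative definitions are in your own server's cn=subschema entry.

```python
"""Predict slapd's schema-check verdict on an LDAP modify before sending it.

Added example for this thread; not code from the thread or from OpenLDAP.
SAMPLE_SCHEMA, CHRISJTEST and POLICY_DN are constructed. The real text is in
the server's subschema: ldapsearch -x -b cn=subschema -s base attributeTypes
"""
import re

# Constructed attributeType definitions in RFC 4512 syntax, modelled on the
# ppolicy and core schema but not copied from any slapd build.
SAMPLE_SCHEMA = [
    "( 1.3.6.1.4.1.42.2.27.8.1.23 NAME 'pwdPolicySubentry' "
    "DESC 'The pwdPolicy subentry in effect for this object' "
    "EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 "
    "SINGLE-VALUE USAGE directoryOperation )",
    "( 1.3.6.1.4.1.42.2.27.8.1.16 NAME 'pwdChangedTime' "
    "DESC 'The time the password was last changed' "
    "EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 "
    "SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )",
    "( 2.5.21.9 NAME 'structuralObjectClass' "
    "EQUALITY objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 "
    "SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )",
    "( 2.5.4.0 NAME 'objectClass' "
    "EQUALITY objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )",
    "( 0.9.2342.19200300.100.1.1 NAME ( 'uid' 'userid' ) "
    "EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )",
]


def parse_attribute_type(defn):
    """Pull out the flags that decide how slapd treats writes to an attribute."""
    name_field = re.search(r"\bNAME\s+(\(.*?\)|'[^']*')", defn).group(1)
    usage = re.search(r"\bUSAGE\s+(\w+)", defn)
    return {
        "names": re.findall(r"'([^']+)'", name_field),
        # SINGLE-VALUE: a second value fails the entry schema check
        "single_value": bool(re.search(r"\bSINGLE-VALUE\b", defn)),
        # NO-USER-MODIFICATION: only slapd itself (or an overlay) may write it
        "no_user_modification": bool(re.search(r"\bNO-USER-MODIFICATION\b", defn)),
        # Any USAGE other than userApplications marks an operational ("system")
        # attribute; a search returns it only when asked by name or with '+'
        "operational": usage is not None and usage.group(1) != "userApplications",
    }


def build_schema(definitions):
    """Map every name (lower-cased) of every attribute type to its parsed flags."""
    schema = {}
    for defn in definitions:
        parsed = parse_attribute_type(defn)
        for name in parsed["names"]:
            schema[name.lower()] = parsed
    return schema


def check_modify(entry, op, attr, values, schema):
    """Return None if the change would pass, else the error text slapd would log.

    entry maps lower-cased attribute names to value lists, operational
    attributes included (what slapcat shows, not what a browser shows).
    """
    flags = schema.get(attr.lower())
    if flags is None:
        return f"attribute '{attr}' not defined in schema"
    if flags["no_user_modification"]:
        return f"{attr}: no user modification allowed"   # constraintViolation (19)
    current = list(entry.get(attr.lower(), []))
    if op == "add":
        for i, v in enumerate(values):                   # typeOrValueExists (20)
            if v in current:
                return f"modify/add: {attr}: value #{i} already exists"
        new = current + list(values)
    elif op == "replace":
        new = list(values)
    elif op == "delete":
        new = [v for v in current if v not in values] if values else []
    else:
        return f"unknown modify operation '{op}'"
    if flags["single_value"] and len(new) > 1:
        return f"attribute '{attr}' cannot have multiple values"
    return None


def visible_attributes(entry, schema, operational=False):
    """Attribute names a search returns: user attributes only unless '+' is requested."""
    return sorted(a for a in entry if operational or not schema[a]["operational"])


POLICY_DN = "cn=default,ou=policies,dc=unix,dc=aptimus,dc=net"
OLD_POLICY_DN = "cn=legacy,ou=policies,dc=unix,dc=aptimus,dc=net"   # constructed

# Constructed entry: the test account after some earlier policy subentry was
# set. pwdPolicySubentry is operational, so a browser asking for user
# attributes only will not show it, yet an 'add' still collides with it.
CHRISJTEST = {
    "objectclass": ["top", "inetOrgPerson", "posixAccount", "shadowAccount"],
    "uid": ["chrisjtest"],
    "structuralobjectclass": ["inetOrgPerson"],
    "pwdpolicysubentry": [OLD_POLICY_DN],
}

if __name__ == "__main__":
    schema = build_schema(SAMPLE_SCHEMA)
    print("browser view:", visible_attributes(CHRISJTEST, schema))
    print("slapcat view: ", visible_attributes(CHRISJTEST, schema, operational=True))
    for op in ("add", "replace"):
        print(op, "->", check_modify(CHRISJTEST, op, "pwdPolicySubentry", [POLICY_DN], schema))
    print("structuralObjectClass ->",
          check_modify(CHRISJTEST, "replace", "structuralObjectClass", ["organization"], schema))
```

Two practical checks follow from it. Ask for operational attributes explicitly, for example `ldapsearch -x -D <binddn> -W -b <dn> -s base '+'`, to see a pwdPolicySubentry that a browser's default attribute list hides; and when the intent is to point an account at a policy whether or not one is already set, write `replace: pwdPolicySubentry` in the LDIF instead of `add:`, which cannot violate SINGLE-VALUE. NO-USER-MODIFICATION attributes such as structuralObjectClass are refused for every client, so re-homing entries under a new suffix is a move or a re-import (slapcat, edit the DNs, slapadd), not a modify.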
Difficulty configuring a shared addressbook
by Jonathan
Despite following 2 tutorials, it seems we're not able to get openldap configured correctly. Since this had to be done yesterday, is there anyone on this list who is available for an hour or 2 of consulting to get this running? Ideally tonight (Pacific time).
Server is running fine, and no problem logged in as manager, but can't add the schema or a new user (dies with "Server is unwilling to perform (53) -- additional info: no global superior knowledge" or "ldapadd: No such object (32)"). Also TLS dies with "TLS: peer cert untrusted or revoked (0x42)" even though we are using a good, working SSL certificate.
Also concerned about any unexpected issues trying to get a shared addressbook working across Thunderbird, Outlook, and others.
Many thanks.
attribute 'pwdPolicySubentry' cannot have multiple values
by Chris Jacobs
Hello,
I've got my ldap infrastructure (mirrormode masters, 2 slaves per datacenter) working fantastic (I can clear a db on a remote slave and in less than 30 seconds after startup, it'll reacquire the entire db!).
I'm now having an issue with one of the very last things: getting a password policy into effect.
When I attempt to add the 'pwdPolicySubentry' attribute to a user account, I get the error:
Mar 19 22:51:24 ldapmaster1 slapd[8731]: Entry (uid=chrisjtest,ou=people,dc=unix,dc=aptimus,dc=net), attribute 'pwdPolicySubentry' cannot have multiple values
Mar 19 22:51:24 ldapmaster1 slapd[8731]: entry failed schema check: attribute 'pwdPolicySubentry' cannot have multiple values
I get that error in the logs whether I try to add it by hand via Apache Directory Studio, or an ldif import/modify:
dn: uid=chrisjtest,ou=people,dc=unix,dc=aptimus,dc=net
changetype: modify
add: pwdPolicySubentry
pwdPolicySubentry: cn=default,ou=policies,dc=unix,dc=aptimus,dc=net
Here are the related slapd.conf overlay directives:
overlay ppolicy
ppolicy_hash_cleartext
ppolicy_use_lockout
(Notice there's no ppolicy_default set - I'm still testing this feature out before I roll it out.)
And for completeness, here's the entry that I'm attempting to add this attribute to:
dn: uid=chrisjtest,ou=people,dc=unix,dc=aptimus,dc=net
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: ChrisJ Test
gidNumber: 200
homeDirectory: /home/chrisjtest
sn: chrisjtest
uid: chrisjtest
uidNumber: 583
description: ChrisJ Test
gecos: ChrisJ Test
loginShell: /bin/bash
shadowLastChange: 14657
userPassword:: <<snipped>>
And here's the password policy ldif:
dn: ou=policies,dc=unix,dc=aptimus,dc=net
objectClass: organizationalUnit
objectClass: top
ou: policies
dn: cn=default,ou=policies,dc=unix,dc=aptimus,dc=net
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdAllowUserChange: TRUE
pwdExpireWarning: 172800
pwdFailureCountInterval: 0
pwdGraceAuthNLimit: 0
pwdInHistory: 10
pwdLockout: TRUE
pwdLockoutDuration: 1200
pwdMaxAge: 15897600
pwdMaxFailure: 3
pwdMinLength: 8
pwdMustChange: FALSE
pwdSafeModify: TRUE
When I built openldap, I enabled all overlays (I know, not the most efficient), and when I attempt to add moduleload ppolicy.la or ppolicy.so I get in the logs:
line 18 (moduleload ppolicy.la)
module_load: (ppolicy.la) already present (static)
Which I'm pretty sure means it's already loaded...
Any idea as to what I'm doing wrong?
Thanks,
- chris
Chris Jacobs, Jr. Linux Administrator, Information Technology & Operations
Apollo Group | Apollo Marketing | Aptimus, Inc.
2001 6th Ave | Ste 3200 | Seattle, WA 98121
phone: 206.441-9100 x1245 | cell: 206.601.3256 | Fax: 208.441.9661
email: chris.jacobs(a)apollogrp.edu
Re: ldap_sasl_bind vs. ldap_sasl_interactive_bind_s
by masarati@aero.polimi.it
> On Fri, Mar 19, 2010 at 1:27 PM, <masarati(a)aero.polimi.it> wrote:
>>> Hi,
>>>
>>> I am still trying to make a SASL bind. Now I use ldap_sasl_bind_s
>>> with 'CRAM-MD5'. The server sends a 'LDAP_SASL_BIND_IN_PROGRESS' back,
>>> but as far as I can see the server cred are empty. How do I make the
>>> next call with ldap_sasl_bind_s?
>>>
>>> In the documentation I have seen that the use of ldap_sasl_bind is not
>>> recommended as client use, instead the ldap_sasl_interactive_bind_s
>>> should be preferred. Has anyone a working example of how to use this
>>> method, or some API doc? I have no clue how to set 'flags', the
>>> LDAP_SASL_INTERACT_PROC, and the 'defaults' params.
>>
>> You first say that you're using ldap_sasl_bind_s(), and then you note
>> that
>> ldap_sasl_bind() is not recommended. Do you realize that despite some
>> similarities in the name, the two functions are profoundly different?
>> By
>> no means ldap_sasl_bind_s() can return LDAP_SASL_BIND_IN_PROGRESS.
>
> Yes, I know that those methods behave differently - as I have read in
> the docs, I just search for the simplest alternative as possible for
> ldap_simple_bind, since I have seen that the ldap_simple_bind methods
> are deprecated.
>
> Nevertheless ldap_sasl_bind_s returns LDAP_SASL_BIND_IN_PROGRESS which
> I understand as a challenge which should be returned back to the
> server. This one seems to have had a similar issue: http://bit.ly/awT4D4
>
> But I think I have to look at the examples for better understanding -
> thx for the tip!
ldap_sasl_bind_s() can be used, passing LDAP_SASL_SIMPLE, in lieu of
ldap_simple_bind_s(). ldap_sasl_interactive_bind_s() only needs to be
used for those methods that require multiple steps;
LDAP_SASL_BIND_IN_PROGRESS indicates that a further step is expected,
which never happens when performing a simple bind. See the code snippet
in slap_client_connect(), in servers/slapd/config.c, for a complete example
of how both functions can be used in the most complete form.
p.
ldap_sasl_bind vs. ldap_sasl_interactive_bind_s
by Thilko Richter
Hi,
I am still trying to make a SASL bind. Now I use ldap_sasl_bind_s
with 'CRAM-MD5'. The server sends a 'LDAP_SASL_BIND_IN_PROGRESS' back,
but as far as I can see the server cred are empty. How do I make the
next call with ldap_sasl_bind_s?
In the documentation I have seen that the use of ldap_sasl_bind is not
recommended as client use, instead the ldap_sasl_interactive_bind_s
should be preferred. Has anyone a working example of how to use this
method, or some API doc? I have no clue how to set 'flags', the
LDAP_SASL_INTERACT_PROC, and the 'defaults' params.
Thx,
Thilko
replication
by Frank Bonnet
Hello
I wanted to start a "replicant/backup" server at our site.
Actually we only have one openldap server that serves our LAN
and I want to start a slave server in case of the master's crash.
I've read the documentation here
http://www.openldap.org/doc/admin24/replication.html
But I need some help to choose the best config for our site
( a backup server , that's all )
Thank you
Can't get password passthrough to work with openldap
by k pur
Hi,
I am trying to get Pass-Through authentication to work for password
verification.
Following the 'Pass-Through authentication' (14.5) in the openldap 2.4
admin guide, I have configured saslauthd and slapd.conf (sasl) and
managed to successfully authenticate with Active Directory (AD) using
the 'testsaslauthd' utility.
Setting a user password in my openldap database in the form
dn: uid=user,ou=org,dc=org.com
userPassword: {SASL}joe@ad.example.com
where joe@ad.example.com is the
userPrincipalName defined for this
user in AD.
I can't authenticate, when using the ldapsearch command
$ ldapsearch -x -v -D 'uid=joe,ou=people,dc=myorg.com' -W -h ldaphost
Comes up with error (49)
I have enabled --enable-spasswd --with-cyrus-sasl when compiling openldap
Has anybody configured this type of setup successfully?
My question is - how do I configure my openldap server to talk to
'saslauthd' - which openldap's passthrough delegates password
authentication to, when the userpassword is in the form
userPassword: {SASL}joe@ad.example.com
Do I need to have some extra configurations in my openldap slapd.conf
file? Currently I only have sasl-host and sasl-secprops defined, as:
sasl-host 127.0.0.1 # (where my openldap server runs as well)
sasl-secprops none
Do I need to do any auth-regex for any translation?
This is my openldap entry for user joe
dn: uid=joe,ou=people,dc=myorg.com
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: Joe
sn: Bloggs
telephoneNumber: 3333
userPassword: {SASL}joe@ad.example.com
physicalDeliveryOfficeName: J2B/1
givenName: joe
uid: joe
Below is my /usr/lib/sasl2/slapd.conf file
mech_list: plain
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux
Below is my /etc/saslauthd.conf file
ldap_servers: ldap://ad.example.com:389
ldap_search_base: ou=People,dc=ad,dc=example,dc=com
ldap_filter: (userPrincipalName=%u)
ldap_bind_dn: cn=admin,cn=Users,dc=ad,dc=example,dc=com
ldap_password: mypassword
Any help will be greatly appreciated.
Many Thanks
krishan