openldap-technical March 2010

openldap-technical@openldap.org

73 participants
87 discussions

Tips when implementing password policies
by Chris Jacobs 23 Mar '10

23 Mar '10

Hello, I'm upgrading our LDAP infrastructure (it'll be a cut-over) and I've noticed that after adding pwdPolicySubentry to a user's account, it doesn't seem to have any affect. This user hasn't /ever/ reset their password, and the user's account doesn't show any password policy grace period usage after the test. The pwdPolicySubentry is still the only password policy related entry on his account. This suggests that I'll need to force people to change their password's at some point. 1) Is what I'm seeing normal/expected? 2) What method(s) have you used to force people to change their password - beyond asking them? Thanks! - chris Chris Jacobs, Jr. Linux Administrator, Information Technology & Operations Apollo Group | Apollo Marketing | Aptimus, Inc. 2001 6th Ave | Ste 3200 | Seattle, WA 98121 phone: 206.441-9100 x1245 | cell: 206.601.3256 | Fax: 208.441.9661 email: chris.jacobs(a)apollogrp.edu This message is private and confidential. If you have received it in error, please notify the sender and remove it from your system.

2 1

Re: brief tips and tricks for running ldaps on slackware
by Meena Ram 23 Mar '10

23 Mar '10

Dear folks: Wanted some quick help in deleting the entries and adding more users with a different set of DN Our DN earlier was like this cn = manager, dc = ind, dc=ban, dc =com. now it is changed to three levels like cn = manager, dc = gubbi, dc = ind, dc=ban, dc =com. when i try to modify using ldap modify i can not modify instead i get the following error: One more level is added. I get the following error if i try to modify using ldapmodify modifying entry "dc=gubbi,dc=ind,dc=ban,dc=com" ldap_modify: Constraint violation (19) additional info: structuralObjectClass: no user modification allowed Cheers!!!!!!! RAM ________________________________ From: Meena Ram <meenaram21(a)yahoo.com> To: openldap-technical(a)openldap.org Sent: Thu, March 11, 2010 6:07:03 PM Subject: brief tips and tricks for running ldaps on slackware Dear folks: If any one has a brief tips, tricks or cheatsheet for running slapd with SSL/TLS can you please post it. plain ldap works perfect but ldaps search and related stuff seams to have some issues Cheers!!!!!!!!

1 0

Problem with getent passwd
by Lynn York 23 Mar '10

23 Mar '10

Hello, When I issue “getent passwd” I can see it query the ldap server for all the information and the server is returning the correct information. However, “getent passwd” doesn’t actually show the users that are in ldap. I am not sure where my problem might be. Can anyone offer any suggestions on where to look? Lynn York II MavenWire Hosting Admin www.mavenwire.com (866) 343-4870 x717 MavenWire - We DELIVER http://www.mavenwire.com This e-mail and any attached files may contain confidential and/or privileged material for the sole use of the intended recipient. Any review, use, distribution or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive this e-mail for the recipient), you may not review, copy or distribute this message. Please contact the sender by reply e-mail and delete all copies of this message. MavenWire - We DELIVER http://www.mavenwire.com This e-mail and any attached files may contain confidential and/or privileged material for the sole use of the intended recipient. Any review, use, distribution or disclosure by others is strictly prohibited. If you are not the intended recipient (or authorized to receive this e-mail for the recipient), you may not review, copy or distribute this message. Please contact the sender by reply e-mail and delete all copies of this message.

1 0

RE: attribute 'pwdPolicySubentry' cannot have multiple values
by Chris Jacobs 23 Mar '10

23 Mar '10

Howard, Tyler, Michael, My apologies: I take that back. The entry is indeed on the account - and it is, in fact, a system attribute. I will endeavor to not reply to messages at 4am in the future - a bit too quick on the /assume/ thing. BTW: How do you identify whether an attribute will be a system attribute or not? I've plenty to learn on ldap, but even I knew to look at the schema file - and I'm not certain how one could know whether an attribute would be a system attribute. Anyway - assuming the policy functions as expected - I'm nearly done with this beast of a one-man project. Thanks! - chris PS: I'd failed to reply-to-all on my previous emails. Please pardon my mailing list etiquette and use failure. :) ________________________________________ From: Chris Jacobs Sent: Monday, March 22, 2010 4:12 AM To: Howard Chu Subject: RE: attribute 'pwdPolicySubentry' cannot have multiple values No - there's no pwdPolicySubEntry entry. The contents of the LDAP db were built via a slapcat dump from an OpenLDAP 2.2 installation, with no ppolicy. As you can see from the LDIF of the chrisjtest 'account' - there's no pwdPolicySubEntry currently. Apache's directory studio and slapcat agree. - chris ________________________________________ From: Howard Chu [hyc(a)symas.com] Sent: Saturday, March 20, 2010 2:49 AM To: Tyler Gates Cc: Chris Jacobs; openldap-technical(a)openldap.org Subject: Re: attribute 'pwdPolicySubentry' cannot have multiple values Tyler Gates wrote: > I'm pretty sure pwdPolicySubEntry requires the pwdPolicy objectClass > in the target dn No. The pwdPolicy class is for the entry that contains the policy attributes, not the entry being controlled by the policy. > although that wouldn't explain the error message... The error message is quite clear - the pwdPolicySubentry attribute is single-valued, you can't set multiple values for it. > Are you sure the attribute doesn't already exist? It is a system > attribute so depending on the browser you are using at may not appear. That's most likely what's going on here. > On Mar 19, 2010, at 6:59 PM, Chris Jacobs<Chris.Jacobs(a)apollogrp.edu> > wrote: > >> Hello, >> >> I've got my ldap infrastructure (mirrormode masters, 2 slaves per >> datacenter) working fantastic (I can clear a db on a remote slave >> and in less than 30 seconds after startup, it'll reacquire the >> entire db!). >> >> I'm now having an issue with one of the very last things: getting a >> password policy into effect. >> >> When I attempt to add the 'pwdPolicySubentry' attribute to a user >> account, I get the error: >> >> Mar 19 22:51:24 ldapmaster1 slapd[8731]: Entry >> (uid=chrisjtest,ou=people,dc=unix,dc=aptimus,dc=net), attribute >> 'pwdPolicySubentry' cannot have multiple values >> Mar 19 22:51:24 ldapmaster1 slapd[8731]: entry failed schema check: >> attribute 'pwdPolicySubentry' cannot have multiple values >> >> I get that error in the logs whether I try to add it by hand via >> Apache Directory Studio, or an ldif import/modify: >> >> dn: uid=chrisjtest,ou=people,dc=unix,dc=aptimus,dc=net >> changetype: modify >> add: pwdPolicySubentry >> pwdPolicySubentry: cn=default,ou=policies,dc=unix,dc=aptimus,dc=net >> >> Here are the related slapd.conf overlay directives: >> >> overlay ppolicy >> ppolicy_hash_cleartext >> ppolicy_use_lockout >> >> (Notice there's no ppolicy_default set - I'm still testing this >> feature out before I roll it out.) >> >> And for completeness, here's the entry that I'm attempting to add >> this attribute to: >> >> dn: uid=chrisjtest,ou=people,dc=unix,dc=aptimus,dc=net >> objectClass: top >> objectClass: inetOrgPerson >> objectClass: posixAccount >> objectClass: shadowAccount >> cn: ChrisJ Test >> gidNumber: 200 >> homeDirectory: /home/chrisjtest >> sn: chrisjtest >> uid: chrisjtest >> uidNumber: 583 >> description: ChrisJ Test >> gecos: ChrisJ Test >> loginShell: /bin/bash >> shadowLastChange: 14657 >> userPassword::<<snipped>> >> >> And here's the password policy ldif: >> >> dn: ou=policies,dc=unix,dc=aptimus,dc=net >> objectClass: organizationalUnit >> objectClass: top >> ou: policies >> >> dn: cn=default,ou=policies,dc=unix,dc=aptimus,dc=net >> objectClass: top >> objectClass: device >> objectClass: pwdPolicy >> cn: default >> pwdAttribute: userPassword >> pwdAllowUserChange: TRUE >> pwdExpireWarning: 172800 >> pwdFailureCountInterval: 0 >> pwdGraceAuthNLimit: 0 >> pwdInHistory: 10 >> pwdLockout: TRUE >> pwdLockoutDuration: 1200 >> pwdMaxAge: 15897600 >> pwdMaxFailure: 3 >> pwdMinLength: 8 >> pwdMustChange: FALSE >> pwdSafeModify: TRUE >> >> When I built openldap, I enabled all overlays (I know, not the most >> efficient), and when I attempt to add moduleload ppolicy.la or >> ppolicy.so I get in the logs: >> >> line 18 (moduleload ppolicy.la) >> module_load: (ppolicy.la) already present (static) >> >> Which I'm pretty sure means it's already loaded... >> >> Any idea as to what I'm doing wrong? >> >> Thanks, >> - chris >> >> Chris Jacobs, Jr. Linux Administrator, Information Technology& >> Operations >> Apollo Group | Apollo Marketing | Aptimus, Inc. >> 2001 6th Ave | Ste 3200 | Seattle, WA 98121 >> phone: 206.441-9100 x1245 | cell: 206.601.3256 | Fax: 208.441.9661 >> email: chris.jacobs(a)apollogrp.edu >> >> >> This message is private and confidential. If you have received it in >> error, please notify the sender and remove it from your system. >> >> > -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/ This message is private and confidential. If you have received it in error, please notify the sender and remove it from your system.

2 1

Difficulty configuring a shared addressbook
by Jonathan 21 Mar '10

21 Mar '10

Despite following 2 tutorials, seems we're not able to get openldap configured correctly. Since this had to be done yesterday, is there anyone on this list who is available for an hour or 2 of consulting to get this running? Ideally tonight (Pacific time). Server is running fine, and no problem logged in as manager, but can't add the schema or a new user (dies with "Server is unwilling to perform (53) -- additional info: no global superior knowledge" or "ldapadd: No such object (32)"). Also TLS dies with "TLS: peer cert untrusted or revoked (0x42)" even though we are using a good, working SSL certificate. Also concerned about any unexpected issues trying to get a shared addressbook working across Thunderbird, Outlook, and others. Many thanks.

1 0

attribute 'pwdPolicySubentry' cannot have multiple values
by Chris Jacobs 21 Mar '10

21 Mar '10

Hello, I've got my ldap infrastructure (mirrormode masters, 2 slaves per datacenter) working fantastic (I can clear a db on a remote slave and in less than 30 seconds after startup, it'll reacquire the entire db!). I'm now having an issue with one of the very last things: getting a password policy into effect. When I attempt to add the 'pwdPolicySubentry' attribute to a user account, I get the error: Mar 19 22:51:24 ldapmaster1 slapd[8731]: Entry (uid=chrisjtest,ou=people,dc=unix,dc=aptimus,dc=net), attribute 'pwdPolicySubentry' cannot have multiple values Mar 19 22:51:24 ldapmaster1 slapd[8731]: entry failed schema check: attribute 'pwdPolicySubentry' cannot have multiple values I get that error in the logs whether I try to add it by hand via Apache Directory Studio, or an ldif import/modify: dn: uid=chrisjtest,ou=people,dc=unix,dc=aptimus,dc=net changetype: modify add: pwdPolicySubentry pwdPolicySubentry: cn=default,ou=policies,dc=unix,dc=aptimus,dc=net Here are the related slapd.conf overlay directives: overlay ppolicy ppolicy_hash_cleartext ppolicy_use_lockout (Notice there's no ppolicy_default set - I'm still testing this feature out before I roll it out.) And for completeness, here's the entry that I'm attempting to add this attribute to: dn: uid=chrisjtest,ou=people,dc=unix,dc=aptimus,dc=net objectClass: top objectClass: inetOrgPerson objectClass: posixAccount objectClass: shadowAccount cn: ChrisJ Test gidNumber: 200 homeDirectory: /home/chrisjtest sn: chrisjtest uid: chrisjtest uidNumber: 583 description: ChrisJ Test gecos: ChrisJ Test loginShell: /bin/bash shadowLastChange: 14657 userPassword:: <<snipped>> And here's the password policy ldif: dn: ou=policies,dc=unix,dc=aptimus,dc=net objectClass: organizationalUnit objectClass: top ou: policies dn: cn=default,ou=policies,dc=unix,dc=aptimus,dc=net objectClass: top objectClass: device objectClass: pwdPolicy cn: default pwdAttribute: userPassword pwdAllowUserChange: TRUE pwdExpireWarning: 172800 pwdFailureCountInterval: 0 pwdGraceAuthNLimit: 0 pwdInHistory: 10 pwdLockout: TRUE pwdLockoutDuration: 1200 pwdMaxAge: 15897600 pwdMaxFailure: 3 pwdMinLength: 8 pwdMustChange: FALSE pwdSafeModify: TRUE When I built openldap, I enabled all overlays (I know, not the most efficient), and when I attempt to add moduleload ppolicy.la or ppolicy.so I get in the logs: line 18 (moduleload ppolicy.la) module_load: (ppolicy.la) already present (static) Which I'm pretty sure means it's already loaded... Any idea as to what I'm doing wrong? Thanks, - chris Chris Jacobs, Jr. Linux Administrator, Information Technology & Operations Apollo Group | Apollo Marketing | Aptimus, Inc. 2001 6th Ave | Ste 3200 | Seattle, WA 98121 phone: 206.441-9100 x1245 | cell: 206.601.3256 | Fax: 208.441.9661 email: chris.jacobs(a)apollogrp.edu This message is private and confidential. If you have received it in error, please notify the sender and remove it from your system.

5 4

Re: ldap_sasl_bind vs. ldap_sasl_interactive_bind_s
by masarati＠aero.polimi.it 20 Mar '10

20 Mar '10

> On Fri, Mar 19, 2010 at 1:27 PM, <masarati(a)aero.polimi.it> wrote: >>> Hi, >>> >>> I am still trying to make an sasl bind. Now I use ldap_sasl_bind_s >>> with 'CRAM-MD5'. The server sends a 'LDAP_SASL_BIND_IN_PROGRESS' back, >>> but as far as I can see the server cred are empty. How do I make the >>> next call with ldap_sasl_bind_s? >>> >>> In the documentation I have seen that the use of ldap_sasl_bind is not >>> recommended as client use, instead the ldap_sasl_interactive_bind_s >>> should be preferred. Has anyone a working example of how to use this >>> method, or some api doc? I have no clue how to set 'flags' the >>> LDAP_SASL_INTERACT_PROC, an the 'defaults' params.. >> >> You first say that you're using ldap_sasl_bind_s(), and then you note >> that >> ldap_sasl_bind() is not recommended. Do you realize that despite some >> similarities in the name, the two functions are profoundly different? >> By >> no means ldap_sasl_bind_s() can return LDAP_SASL_BIND_IN_PROGRESS. > > Yes, I know that those methods behave differently - as I have read in > the docs, I just search for the simplest alternative as possible for > ldap_simple_bind, since I have seen that the ldap_simple_bind methods > are deprecated. > > Nevertheless ldap_sasl_bind_s returns LDAP_SASL_BIND_IN_PROGRESS which > I understand as a challenge which should be returned back to the > server. This one seems to had a similiar issue: http://bit.ly/awT4D4 > > But I think I have to look at the examples for better understanding - > thx for the tip! ldap_sasl_bind_s() can be used, passing LDAP_SASL_SIMPLE, in lieu of ldap_simple_bind_s(). ldap_sasl_interactive_bind_s(), only need to be used for those methods that require multiple steps; LDAP_SASL_BIND_IN_PROGRESS indicates that a further step is expected, which never happens when performing a simple bind. See the code snippet in slap_client_connect(), in servers/slapd/config.c for a complete example of how both functions can be used in the most complete form. p.

2 2

ldap_sasl_bind vs. ldap_sasl_interactive_bind_s
by Thilko Richter 19 Mar '10

19 Mar '10

Hi, I am still trying to make an sasl bind. Now I use ldap_sasl_bind_s with 'CRAM-MD5'. The server sends a 'LDAP_SASL_BIND_IN_PROGRESS' back, but as far as I can see the server cred are empty. How do I make the next call with ldap_sasl_bind_s? In the documentation I have seen that the use of ldap_sasl_bind is not recommended as client use, instead the ldap_sasl_interactive_bind_s should be preferred. Has anyone a working example of how to use this method, or some api doc? I have no clue how to set 'flags' the LDAP_SASL_INTERACT_PROC, an the 'defaults' params.. Thx, Thilko

2 1

replication
by Frank Bonnet 19 Mar '10

19 Mar '10

Hello I wanted to start a "replicant/backup" server at our site. Actually we only have one openldap server that serve our LAN and I want to start a slave server in case of master's crash. I've read documentaion here http://www.openldap.org/doc/admin24/replication.html But I need some help to choose the best config for our site ( a backup server , that's all ) Thank you

4 5

Can't get password passthrough to work with openldap
by k pur 16 Mar '10

16 Mar '10

Hi, I am trying to get Pass-Through authentication to work for password verification. Following the 'Pass-Through authentication' (14.5) in the openldap 2.4 admin guide, I hve configured saslauthd and slapd.conf (sasl) and managed to successfully authenticate with Active Directory (AD) using the 'testsaslauthd' utility. Setting a user password in my openldap database in the form dn: uid=user,ou=org,dc=org.com userPassword: {SASL}joe(a)ad.example.com <SASL%7Duser(a)ad.example.com> where joe(a)ad.example.com <user(a)ad.example.com> is the userPrincipalName defined for this user in AD. I can't authenticate, when using the ldapsearch command $ ldapsearch -x -v -D 'uid=joe,ou=people,dc=myorg.com' -W -h ldaphost Comes up with error (49) I have enabled --enable-spasswd --with-cyrus-sasl when compiling openldap Has anybody configured this type of setup successfully? My question is - how do I configure my openldap server to talk to 'saslauthd' - which openldap's passthrough delegates password authentication to, when the userpassword is in the form userPassword: {SASL}joe(a)ad.example.com <SASL%7Duser(a)ad.example.com> Do I need to have some extra configurations in my openldap slapd.conf file? Currently I only have sasl-host and sasl-secprops defined, as:- sasl-host 127.0.0.1 # (where my openldap server runs as well) sasl-secprops none Do I need to do any auth-regex for any translation? This is my openldap entry for user joe dn: uid=joe,ou=people,dc=myorg.com objectclass: top objectclass: person objectclass: organizationalPerson objectclass: inetOrgPerson cn: Joe sn: Bloggs telephoneNumber: 3333 userPassword: {SASL}joe(a)ad.example.com <SASL%7Djoe(a)ad.example.com> physicalDeliveryOfficeName: J2B/1 givenName: joe uid: joe Below is my /usr/lib/sasl2/slapd.conf file mech_list: plain pwcheck_method: saslauthd saslauthd_path: /var/run/saslauthd/mux Below is my /etc/saslauthd.conf file ldap_servers: ldap://ad.example.com:389 ldap_search_base: ou=People,dc=ad,dc=example,dc=com ldap_filter: (userPrincipalName=%u) ldap_bind_dn: cn=admin,cn=Users,dc=ad,dc=example,dc=com ldap_password: mypassword Any help will be greatly appreciated. Many Thanks krishan

2 1

← Newer
1
2
3
4
5
6
7
8
9
Older →

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical March 2010