openldap-technical July 2010

openldap-technical@openldap.org

103 participants
126 discussions

ACL to allow an attribute to be cleared, but not changed to something else?
by Tim Gustafson 01 Jul '10

01 Jul '10

Hi, I'd like to let my account managers to clear the passwords of their managees in the event that an employee is no longer active. So, I've got an ACL like this: access to attrs=userPassword,sambaNTPassword by set="this/manager & user" write by * break But I realized that the ACL also allows the manager to -change- a user's password, which I don't really want. Is there some ACL that I can grant that would let a manager remove an attribute from another user's account, but not otherwise change the value of that attribute? Tim Gustafson Baskin School of Engineering UC Santa Cruz tjg(a)soe.ucsc.edu 831-459-5354

5 10

Openldap client can't see users
by murat can tuna 01 Jul '10

01 Jul '10

Hi all, I have a running openldap server on ubuntu and as a client my localcomputer on Fedora. I have mounted /home directory from my client. Everything works fine so far but client can't solve user names but just Id numbers and I can't login with openldap users from my client computer. I can use ldapsearch and so on without any problem but somehow only users can' be resolved. Do you have any idea what could be the problem? Or do you need more information like smb.conf Thanks in advance Murat Can Tuna _________________________________________________________________ Your E-mail and More On-the-Go. Get Windows Live Hotmail Free. https://signup.live.com/signup.aspx?id=60969

3 2

Re: intent of pwdGraceAuthNLimit when using ppolicy overlay
by Buchan Milne 01 Jul '10

01 Jul '10

On Wednesday, 30 June 2010 20:15:50 Licause, Al wrote: > I have been attempting to use the ppolicy overlay on an openldap server > running on a Red Hat V5.4 platform with the following components: > > openldap-servers-2.3.43-3.el5 > checkpassword-ldap-0.01-1.2.el5.rf > mozldap-6.0.5-1.el5 > openldap-2.3.43-3.el5 > openldap-debuginfo-2.3.43-3.el5 > nss_ldap-253-22.el5_4 > openldap-clients-2.3.43-3.el5 > openldap-servers-overlays-2.3.43-3.el5 > > I was unable to get the users password to expire by simply setting a value > for pwdMaxAge without the use of the pwdReset parameter. > > I finally turned on all debugging in the slapd.conf file (value -1) and > noticed that the value of pwdGraceAuthNLimit in the default policy, was > set to 3, which allowed the ldap user access without changing the > password. Of course, after the grace authentications, binds would fail. > The disturbing thing about this was the fact that the user is not notifed > that their password has expired. I would have thought that if the intent > was to allow an expired password, then the user should be notified of not > only the fact that their password has expired but how many more grace > logins they would be allowed before either having to change the password > or having the account disabled. This is most likely as result of PAM misconfiguration. You didn't specify how you were testing. However, with almost identical software, my environment works correctly. Please include your full client-side configuration when posting to openldap- technical (e.g. all PAM files included by the service with which you were testing). Note that the openldap-bugs list is for tracking bugs logged on the ITS bug tracker. Questions should be posted to the openldap-technical list. Regards, Buchan

1 0

PASSMOD and slapo-chain
by Christian Manal 01 Jul '10

01 Jul '10

Hi list, I have noticed a problem regarding ExOp PASSMOD and chaining in my OpenLDAP environment. Maybe some of the other overlays are doing their part in this as well. Password changes stopped behaving weird at some point and after some experimenting, I have the following picture: When a slave runs for a few days and some user tries to change his password, the change is done in the local database only (no chaining done or referral returned), resulting in an inconsistent database between the slave and all the other servers. That way, logging in to services which connect to the LDAP servers in a round-robin fashion sometimes works with the "new" password and sometimes with the old one. After I restart the slapd on the slaves, everything works again for a few days, before it goes bad again. Every other write gets chained just fine when a slave is in this condition. It's only the PASSMOD operations that are stuck. I have one master and four slaves running on Solaris 10. One of them SPARC, the others x86. Software Versions are: OpenLDAP 2.4.21 BDB 4.8.26 Cyrus SASL 2.1.23 Heimdal Kerberos 1.3.3 All the configs and the sourcecode of my self-made pwdCheckModule for ppolicy can be found here: http://www.informatik.uni-bremen.de/~moenoel/ldap/ Has someone experienced this before and knows how to fix this? Maybe something wrong with my ppolicy stuff? Regards, Christian Manal

2 1

Adding Schema
by Alexander Erameh 01 Jul '10

01 Jul '10

Hi, Just joined this list, so please pardon me for any mistakes. I have been trying to add "CourierMailAccount" object class and "qmailUser" object class for days without success. I created a schema file and defined the Attributetypes and Object classes and added the file in the Include statement in slapd.conf but SLAPD does not seem to recognize the new object classes. When I try to add users to the Database using LDAPADD, I get the error message below: "ldap_add: Invalid syntax (21) additional info: objectClass:value #2 invalid per syntax" The #2 objectClass is "qmailuser". Suggestions and advice will be appreciated. Alexander <file:///C:\Program%20Files\Common%20Files\Microsoft%20Shared\Stationery\fie ruled.gif>

2 5

LDAP proxy with local database
by Tunguskin Petr 01 Jul '10

01 Jul '10

Hello. I have one program which can authenticate with LDAP server and Active Directory with read access. I need to authenticate extra users, but I can't add them to Active Directory for security reasons. Program can work with only one LDAP source. I have tryed to use openldap chain overlay to join local and remote LDAP databases with refferals. Search works fine, but bind operation doesn't work, openldap writes error: <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30989) Is it possible to bind to remote LDAP records with chain overlay? ------------------------------------------ database bdb suffix "dc=local" rootdn "cn=ldapadmin,dc=local" rootpw 12345678 directory /var/lib/ldap overlay chain chain-uri "ldap://10.1.1.1/" chain-rebind-as-user TRUE chain-cache-uri true chain-chaining resolve=chainingRequired continuation=chainingRequired chain-idassert-bind bindmethod="simple" binddn="cn=ldapuser,cn=Users,dc=test,dc=local" credentials="123" mode="none" ---------------------------------------- Could you recommend another solution? Thank you --

3 2

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical July 2010