OATH HOTP authentication with OpenLDAP
by Dimitri
Hi,
For a long time our company has been planning to implement one-time
password authentication as an LDAP SIMPLE auth mechanism. The goal behind
that is to enable unified OTP authentication for a wide range of server
applications that are capable of LDAP SIMPLE auth. The list of most
important applications includes (but is not limited to): a Dovecot IMAP
+ RoundCube tandem; third-party JavaEE applications, like Atlassian
Confluence and JIRA; in-house web-applications; etc. OATH HOTP [1] has
been chosen as the actual OTP mechanism, due to its openness and wide
availability of cheap hardware HOTP-compliant tokens, as well as
software "tokens" for mobile phones. Implementing OTP on the LDAP server
side will not only provide unified OTP auth, but also will allow us to
centralize authentication-related information (user database + token
database) and will let us benefit from OpenLDAP out-of-the-box features
like replication. Right now we are entering the actual implementation
phase, and I will be very glad to hear general architectural
considerations as well as answers to my questions that already arose.
1. We have chosen to use SLAPI, not overlay API, to make our
authentication plugin portable to other LDAP servers; but still our main
target is OpenLDAP and we're not going to migrate to any other LDAP
server (but our clients might). In terms of SLAPI, this will be a
"preoperation bind plugin". If somebody thinks our choice is awfully
bad, please don't hesitate to share your considerations.
2. Another reason for choosing SLAPI was a much clearer API and, most
importantly, availability of simple, synchronous functions for
performing internal operations (searches, modifications). It seemed to
me that the overlay API provides only complex, callback-based functions for
internal operations. Please let me know if I've overlooked that in the
documentation (or, better say, source code, since the overlay API is
actually undocumented, unlike SLAPI [2]).
3. The current state of SLAPI support in OpenLDAP completely lacks functions
like slapi_is_root_suffix(), slapi_dn_isroot(), as well as the whole
slapi_be_* function family. This makes it impossible to determine the root DN
for the authenticating principal. If we decide to actually implement those
functions, what is the preferred way to submit the code to mainstream?
To open an ITS issue and attach a patch to it?
4. For SLAPI plugins, is there a preferred way of obtaining plugin
configuration, other than parsing ARGV? I know that in RedHat Directory
server plugins often use their corresponding cn=plugins,cn=config
entries to store config, but what about OpenLDAP?
5. HOTP algorithm uses SHA1 cryptographic hash. We clearly understand
that if using SLAPI we won't be able to use OpenLDAP SHA1 implementation
available via lutil_sha1.h. In order not to implement SHA1 ourselves, is
it okay to introduce a dependency on OpenSSL/GnuTLS/NSS? For example,
two RedHat plugins from their distribution (namely "http" and
"pwdstorage" [3]) do use NSS and hence include ssl.h.
6. We decided to store token information in its dedicated subtree, like
"ou=Tokens,dc=example,dc=com" (configurable). Each token will have its
own entry that will store its serial number, seed, counter, PIN and its
current owner (a single DN of user that this token has been assigned
to), thus introducing a many-to-one relationship between tokens and
users. Entries with absent "owner" attribute will form a pool of tokens
available for assignment. Token synchronization (computing actual
counter value from two successive passwords) will be implemented as an
extended operation. A preliminary version of schema is available and we
can publish it right now for review. Again, if there are any
considerations and/or critical remarks, don't hesitate to share them.
That's all for the first post; I beg your pardon for a long and verbose
text. We will be very thankful for any feedback on the topic.
Thanks!
Dimitri
CargoSoft LLC, Russia
[1] OATH HOTP: http://tools.ietf.org/html/rfc4226
[2] RedHat Directory Server Plugin Guide:
http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Plug-...
[3] http://git.fedorahosted.org/git/?p=389/ds.git;a=tree;f=ldap/servers/plugi...
12 years, 1 month
Installation Problem with BDB 4.8
by Rajeshwar Bharathi
All,
I am trying to install OpenLDAP 2.4.23 with Berkeley DB v4.8. I am getting
errors with the BDB version, etc.
My server is a:
CentOS release 5.6 (Final)
2.6.18-238.19.1.el5
x86_64 GNU/Linux
The system already has older versions of BDB installed on it.
[root@myserver]# rpm -qa|grep db4
db4-4.3.29-10.el5_5.2
db4-4.3.29-10.el5_5.2
db4-devel-4.3.29-10.el5_5.2
db4-devel-4.3.29-10.el5_5.2
To use the newly installed/supported BDB 4.8 version I use the environment
flags with my configure and make commands.
Step 1:
$env
CPPFLAGS="-I/usr/local/BerkeleyDB.4.8/include/"LDFLAGS="-L/usr/local/BerkeleyDB.4.8/lib"
./configure
Step 2: $make depend
Step 3: $make
Steps 1-3 go through fine.
At Step 4, when I run make install:
$make install
I get the following errors towards the end.
make[3]: Entering directory
`/u001/projects/cyrusIMAP/openldap-2.4.23/servers/slapd/back-bdb'
/bin/sh ../../../libtool --tag=disable-shared --mode=compile cc -g -O2
-I../../../include -I../../../include -I.. -I./..
-I/usr/local/BerkeleyDB.4.8/include/LDFLAGS=-L/usr/local/BerkeleyDB.4.8/lib
-c init.c
cc -g -O2 -I../../../include -I../../../include -I.. -I./..
-I/usr/local/BerkeleyDB.4.8/include/LDFLAGS=-L/usr/local/BerkeleyDB.4.8/lib
-c init.c -o init.o
init.c: In function 'bdb_db_open':
init.c:532: error: 'DB_READ_COMMITTED' undeclared (first use in this
function)
init.c:532: error: (Each undeclared identifier is reported only once
init.c:532: error: for each function it appears in.)
make[3]: *** [init.lo] Error 1
make[3]: Leaving directory
`/u001/projects/cyrusIMAP/openldap-2.4.23/servers/slapd/back-bdb'
make[2]: *** [.backend] Error 1
make[2]: Leaving directory
`/u001/projects/cyrusIMAP/openldap-2.4.23/servers/slapd'
make[1]: *** [all-common] Error 1
make[1]: Leaving directory
`/u001/projects/cyrusIMAP/openldap-2.4.23/servers'
make: *** [all-common] Error 1
Can anyone please let me know why the init.c program is unable to open the bdb.
Any help would be appreciated.
--
Rajeshwar BM
Bangalore INDIA
12 years, 1 month
Ldap logs accounting
by Hugo Deprez
Dear community,
I am currently using openldap 2.4.23-3 on Debian Lenny. I need to be
able to log all the changes made on the directory.
For example, if an account is deleted I would like to log who did it and
at what time.
I want to do some accounting.
Do you know how I could do that? I didn't find anything on Google.
Regards,
Hugo
12 years, 1 month
Anonymous access
by jm130794
Hello,
I have a little question. I've installed a kerberized openldap server. All
works fine with kerberos tickets :)
My problem: is it possible to get an LDAP answer with anonymous access? I
can't! When I try a request, I get this:
ldapsearch -x -h 192.168.1.1
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 32 No such object
# numResponses: 1
I certainly made a mistake, but where?
Thanks,
JM
12 years, 1 month
Compare-Request on hashed userPassword
by Michael Ströder
Hi!
We have {SSHA}-hashed passwords in attribute userPassword.
One application sends CompareRequests with the clear-text password instead of
a BindRequest to validate the password which obviously fails. The application
vendor claims it is too much effort to change that behaviour in the
application. I guess this can only be solved in slapd by a custom overlay
intercepting the CompareRequest (which is effort too).
Or is there any other solution I don't know of?
Ciao, Michael.
12 years, 1 month
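The post above concerns an application that sends the clear-text password in a CompareRequest against a {SSHA}-hashed userPassword, which cannot match byte-for-byte. As an added example (not code from the post or from OpenLDAP), this shows the {SSHA} format (base64 of 20-byte SHA-1 digest followed by the salt) and the check an intercepting overlay would have to perform: re-hash the asserted clear text with the stored salt and compare digests in constant time. The fixed salt is a constructed test value only.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SSHA_PREFIX = "{SSHA}"
SHA1_LEN = 20


def ssha_hash(password: bytes, salt: Optional[bytes] = None) -> str:
    """Produce a {SSHA} userPassword value: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, password: bytes) -> bool:
    """Check a clear-text password against one {SSHA} value.
    Non-{SSHA} values are rejected here rather than guessed at."""
    if not stored.startswith(SSHA_PREFIX):
        return False
    try:
        raw = base64.b64decode(stored[len(SSHA_PREFIX):], validate=True)
    except ValueError:
        return False
    if len(raw) < SHA1_LEN:
        return False
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password + salt).digest()
    return hmac.compare_digest(candidate, digest)


def compare_userpassword(values: list, asserted: bytes) -> bool:
    """What an overlay intercepting the CompareRequest would do instead of a
    raw byte comparison: userPassword is multi-valued, so any one value
    verifying is a match. Unhashed values are compared in constant time."""
    for v in values:
        if v.startswith(SSHA_PREFIX.encode("ascii")):
            if ssha_verify(v.decode("ascii"), asserted):
                return True
        elif hmac.compare_digest(v, asserted):
            return True
    return False


def raw_compare_fails(stored: str, asserted: bytes) -> bool:
    """The situation from the post: a plain byte compare of the clear text
    against the hashed value never matches."""
    return stored.encode("ascii") != asserted
```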
Re: V 2.4.x schema extensions
by Bryce Powell
Hi,
Thanks to both responders. The final working version of local.schema now looks like this:
attributeType ( 1.3.6.1.4.1.22280.1021.3.1 NAME 'x-sdids-passwordExpirationTime'
DESC 'TELUS defined password policy attribute type used by enPortal.'
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
SINGLE-VALUE
USAGE userApplications )
objectclass ( 1.3.6.1.4.1.22280.1021.4.1 NAME 'x-sdids-enPortal'
DESC 'Indicates that this entry has additional attributes used by enPortal.'
AUXILIARY
MAY x-sdids-passwordExpirationTime )
After restarting slapd, and adding the 'x-sdids-enPortal' objectClass to an existing entry, I was able to add a 'x-sdids-passwordExpirationTime' attribute value. Nice.
Thanks,
Bryce Powell
12 years, 1 month
Unable to create home directory (LDAP Authentication)
by vijay s sheelavantar
Hi,
I am trying to create the home directories for the users automatically (using pam_mkhomedir.so) when they login using SSH. I have added the below line to the /etc/pam.d/system-auth file:
session optional pam_mkhomedir.so skel=/etc/skel umask=0022
User authentication is done by an LDAP server, and the machine is running Fedora OS. I am getting the below errors:
Creating directory '/home/vijay'.
Unable to create directory /home/vijay: Permission denied
Last login: Wed Oct 5 16:03:53 2011 from 10.254.194.148
Could not chdir to home directory /home/vijay: No such file or directory
Kindly help me to solve this problem.
Warm Regards,
Vijay S.
12 years, 1 month
V 2.4.x schema extensions
by Bryce Powell
Hi,
I need an attribute to store a password expiry date for the inetOrgPerson objectClass entries in my directory. Since I could not find this or a similar attribute in the existing set of schemas (including the ppolicy schema), I have tried to implement an extension in a custom local.schema:
objectclass ( 1.3.6.1.4.1.22280.1021.4.1 NAME 'x-sdids-enPortal'
DESC 'Indicates that this entry has additional attributes used by enPortal.'
AUXILIARY )
# The "MAY" directive below prevents slapd from starting, and is therefore commented out.
# MAY 1.3.6.1.4.1.22280.1021.3.1 )
attributeType ( 1.3.6.1.4.1.22280.1021.3.1 NAME 'x-sdids-passwordExpirationTime'
DESC 'TELUS defined password policy attribute type used by enPortal.'
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
SINGLE-VALUE
USAGE userApplications )
I figured the best bet would be an auxiliary objectClass. After including the new local.schema file in the slapd.conf, and restarting slapd, I get an error when trying to add the new attribute value to an existing or new inetOrgPerson entry:
Oct 4 10:37:43 vmsdildap04 slapd[31176]: conn=1 op=22 MOD dn="uid=john(a)abc.com,ou=CUSTOMER,ou=Users,dc=private,dc=sdi"
Oct 4 10:37:43 vmsdildap04 slapd[31176]: conn=1 op=22 MOD attr=x-sdids-passwordExpirationTime
Oct 4 10:37:43 vmsdildap04 slapd[31176]: Entry (uid= john(a)abc.com,ou=CUSTOMER,ou=Users,dc=private,dc=sdi), attribute 'x-sdids-passwordExpirationTime' not allowed
Oct 4 10:37:43 vmsdildap04 slapd[31176]: entry failed schema check: attribute 'x-sdids-passwordExpirationTime' not allowed
Oct 4 10:37:43 vmsdildap04 slapd[31176]: conn=1 op=22 RESULT tag=103 err=65 text=attribute 'x-sdids-passwordExpirationTime' not allowed
I believe this error 65, as per the OpenLDAP docs, is:
H.35. objectClassViolation (65)
Indicates that the entry violates object class restrictions.
The value I am specifying for the attribute is 20111004164129Z
I have also tried to first add an objectClass attribute value to an existing entry with value 'x-sdids-enPortal', and then add the 'x-sdids-passwordExpirationTime' attribute value, with the same outcome.
Thanks,
Bryce Powell
12 years, 1 month
connection problem with ldapmodify -Y EXTERNAL -H ldapi:///
by Andreas Rudat
Hello,
every time I try
ldapmodify -Y EXTERNAL -H ldapi:///
I get the following
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
and that's all; same with password (-W), it stops there and there are no log messages.
Thanks
Andreas
12 years, 1 month