Using ldap_opt_x_tls_require_cert
by Thiyagu Rajendran
Hi all,
I have a few questions on the proper usage of the
LDAP_OPT_X_TLS_REQUIRE_CERT option.
When LDAP_OPT_X_TLS_REQUIRE_CERT is set to LDAP_OPT_X_TLS_ALLOW on the LDAP
handle after ldap_initialize, it was not working. It failed with a
certificate verify error. But according to the ldap.conf man page, setting
the LDAP_OPT_X_TLS_ALLOW option should not verify the server certificate.
After googling around I found that LDAP_OPT_X_TLS_ALLOW should be set on the
global handle. Then I got rid of the certificate verify error.
But I faced a new problem: changing LDAP_OPT_X_TLS_ALLOW to
LDAP_OPT_X_TLS_TRY in the same process doesn't verify the certificate. When
I kill the process and restart it, it verifies the certificate properly.
Somehow I managed to solve the problem by clearing the context
using LDAP_OPT_X_TLS_NEWCTX:
int tls = LDAP_OPT_X_TLS_ALLOW;
ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &tls);
int j = 0;
ldap_set_option(NULL, LDAP_OPT_X_TLS_NEWCTX, &j);
But when I try to set LDAP_OPT_X_TLS_REQUIRE_CERT after clearing the
context, it is not working.
Can someone explain the correct usage of the LDAP_OPT_X_TLS_REQUIRE_CERT
option?
Regards,
Thiyagu
9 years, 3 months
password-policy configuration problems: cannot change passwords
by Marco Weber
Hello,
I'm running OpenLDAP with the password policy overlay. After the overlay installation and configuration, we cannot change passwords anymore.
Michael Ströder said that an LDAP modify request should resolve this issue, but it didn't help.
[root@ldapsrv ~]# ldappasswd -e ppolicy -D cn=username,dc=domain,dc=tld -S -W
New password:
Re-enter new password:
Enter LDAP Password:
Result: Constraint violation (19)
Additional info: Password policy only allows one password value
control: 1.3.6.1.4.1.42.2.27.8.5.1 false MAA=
ppolicy:
This is the log:
Dec 22 11:15:31 ldapsrv slapd[5056]: conn=4431 fd=39 ACCEPT from IP=192.168.41.41:48899 (IP=0.0.0.0:636)
Dec 22 11:15:31 ldapsrv slapd[5056]: conn=4431 fd=39 TLS established tls_ssf=256 ssf=256
Dec 22 11:15:31 ldapsrv slapd[5056]: conn=4431 op=0 BIND dn="cn= username,dc=domain,dc=tld" method=128
Dec 22 11:15:31 ldapsrv slapd[5056]: conn=4431 op=0 BIND dn="cn= username,dc=domain,dc=tld" mech=SIMPLE ssf=0
Dec 22 11:15:31 ldapsrv slapd[5056]: conn=4431 op=0 RESULT tag=97 err=0 text=
Dec 22 11:15:31 ldapsrv slapd[5056]: conn=4431 op=1 EXT oid=1.3.6.1.4.1.4203.1.11.1
Dec 22 11:15:31 ldapsrv slapd[5056]: conn=4431 op=1 PASSMOD new
Dec 22 11:15:31 ldapsrv slapd[5056]: conn=4431 op=1 RESULT oid= err=19 text=Password policy only allows one password value
Dec 22 11:15:31 ldapsrv slapd[5056]: conn=4431 op=2 UNBIND
Dec 22 11:15:31 ldapsrv slapd[5056]: conn=4431 fd=39 closed
This is my default password policy:
dn: cn=password-policy,dc=policies,dc=domain,dc=tld
objectClass: person
objectClass: pwdPolicy
objectClass: top
cn: password-policy
pwdAttribute: userPassword
sn: Default Password Policy
pwdAllowUserChange: TRUE
pwdExpireWarning: 604800
pwdInHistory: 3
pwdLockout: TRUE
pwdLockoutDuration: 7200
pwdMaxAge: 7776000
pwdMaxFailure: 5
pwdMinAge: 180
pwdMinLength: 8
pwdMustChange: TRUE
This is my password policy configuration:
dn: olcOverlay=ppolicy,dc=policies,dc=domain,dc=tld
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
objectClass: top
olcOverlay: ppolicy
olcPPolicyDefault: cn=password-policy,dc=policies,dc=domain,dc=tld
olcPPolicyUseLockout: TRUE
Thanks in advance for any reply,
Marco
9 years, 3 months
Re: ACL Problem
by Selcuk Yazar
Hi,
OK.
My rule is:
access to dn.regex="^mail=([^,]+),ou=([^,]+),jvd=([^,]+),o=hosting,dc=myhosting,dc=example$"
    attrs=userPassword
    by dn.exact="mail=$1,ou=$2,jvd=$3,o=hosting,dc=myhosting,dc=example" write
    by dn.exact,expand="mail=$1,ou=$2,jvd=$3,o=hosting,dc=myhosting,dc=example" read
    by dn="cn=Manager,dc=myhosting,dc=example" write
    by users none
    by * none
This doesn't work; users can't change their own password.
I also tried this:
access to attrs=userpassword
    by self write
    by anonymous auth
    by dn="cn=Manager,dc=myhosting,dc=example" write
    by users none
    by * none
It doesn't work either.
Does OpenLDAP have another parameter for these things?
On Tue, Dec 20, 2011 at 8:56 PM, Quanah Gibson-Mount <quanah(a)zimbra.com>wrote:
> --On Tuesday, December 20, 2011 4:28 PM +0200 Selcuk Yazar <
> selcuk.yazar(a)gmail.com> wrote:
>
> access to
>> dn.regex="(.*,ou=(.+),jvd=([^,]+),o=hosting,dc=myhosting,dc=example)"
>> attrs=userPassword
>> by self write
>> by users write
>>
>
> "by users write" will allow any authenticated user to overwrite anyone's
> password. I'm guessing you really do *not* want this rule.
>
> --Quanah
>
>
> --
>
> Quanah Gibson-Mount
> Sr. Member of Technical Staff
> Zimbra, Inc
> A Division of VMware, Inc.
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
>
--
Selçuk YAZAR
http://www.selcukyazar.blogspot.com
9 years, 3 months
userCertificate, wrong attribute type?
by Nicolas KOWALSKI
Hello,
Using OpenLDAP 2.4.12 (SLES 2011 SP1), I am trying to add a
userCertificate attribute to an existing user (inetOrgPerson object).
I converted the PEM file containing the certificate to DER format, then
created this ldif:
dn: cn=Nicolas.Kowalski,ou=people,dc=home,dc=lan
changetype: modify
add: userCertificate
userCertificate;binary:< file:///root/ssl/Nicolas.Kowalski-crt.der
But when I try to update the entry, I always get this error:
# ldapmodify -x -W -D "cn=Manager,dc=home,dc=lan" -f the-ldif-above
ldapmodify: wrong attributeType at line 4, entry "cn=Nicolas.Kowalski,ou=people,dc=home,dc=lan"
What am I doing wrong?
Thanks,
--
Nicolas
9 years, 3 months
Ldap problems in paradise, working with suse 12.1 milestone 5
by John Tobin
Dear Ralf,
Hi, I hope you are still here before the holidays, I would appreciate your
advice and counsel.
I have Suse 12.1 up, milestone 5. It works well.
I have installed and used ldap 2.4.26.
It is also working with nss_ldap code.
I am having some trouble on 2 counts.
First, I tried to get start_tls and/or ldaps to work in that environment.
I have not gotten tls to work. Was this tested at all in SUSE?
TLS is critical to some success in the university lab I am running over
here.
I have posted the problem to the open ldap crew, and have heard nothing from
anyone for solving the problem, or even assistance in how to debug it, or
understand the failure I get.....[this is from nss_ldap]
>> Oct 28 11:29:01 nightmare slapd[11118]: conn=1217 op=0 STARTTLS
>> Oct 28 11:29:01 nightmare worker_nscd: nss-ldap: do_open: do_start_tls
>> failed:stat=-1
>> Oct 28 11:29:01 nightmare slapd[11118]: connection_read(14): TLS accept
>> failure error=-1 id=1217, closing
>> Oct 28 11:29:01 nightmare slapd[11118]: conn=1217 fd=14 closed (TLS
>> negotiation failure)
>> Oct 28 11:29:01 nightmare slapd[11118]: conn=1218 op=0 STARTTLS
>> Oct 28 11:29:01 nightmare worker_nscd: nss-ldap: do_open: do_start_tls
>> failed:stat=-1
In the middle of this mess Chris Wood mentioned this would be easier, and
may well work under nslcd.
OK.
I installed nslcd.... I have the latest, I believe:
0.7.13-7.3
I set up nslcd.conf to the best of my ability.
With just:
uri ldap://192.168.0.10/
base dc=dark,dc=net
scope sub
It works fine. For user jtobin [who is only in the LDAP server] I get a login.
But in a similar fashion to nss_ldap, when I turn on ssl start_tls
and add to the nslcd.conf above:
ssl start_tls
tls_reqcert allow
tls_cacertfile /var/lib/ldap/cacert.pem
tls_cert /var/lib/ldap/server.crt
tls_key /var/lib/ldap/server.key
It fails.... I get: user jtobin does not exist
But worse... I get nothing in the /var/log/localmessages file for debugging.
Certificates were created using www.opeldap.org/faq/data/cache/185.html
Which to my knowledge is the referenced site for openldap
The certificate is a self signed cert.
Most of my testing at the moment is local.... Client and slapd server are on
the same machine, so same certificate file for tls_cacertfile, tls_cert,
tls_key, though I have tested on remote clients with the same results.
I see your name on a number of the nslcd doc and email.
Help me out here.... How can I get this working / debugged?
Who would have some of the information I need?
Who would be interested in helping me to get this working.
So far all I have gotten is a number of messages from interested parties
asking me if I have gotten to work yet...
Drop me a line with some advice as to how to get this resolved, or if it is
probably not a short-term priority for anyone, tell me that. I will find a
different strategy for securing my lab LDAP client and server machines.
[is getting this to work a priority at SUSE? Is there someone I can work
with?]
Sincerely
tob
There are a number of comments but the real statements are:
uri ldap://192.168.0.10/
base dc=dark,dc=net
scope sub
ssl start_tls
9 years, 3 months
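An added example, not part of the message above, of the two nslcd.conf variants a practitioner would put side by side: the settings as posted, which accept any server certificate, and a hardened form that requires the server certificate to verify against the configured CA file. Both are built from the values in the message; the assumption is that server.crt and server.key belong to slapd alone and have no place in a client configuration.

```conf
# As posted. tls_reqcert allow continues when the server presents no
# certificate or one that does not verify, so any host answering on
# 192.168.0.10 can stand in for the directory and read the traffic.
# The client also carries the server's own private key, which a client
# never needs and which widens the exposure of that key.
uri ldap://192.168.0.10/
base dc=dark,dc=net
scope sub
ssl start_tls
tls_reqcert allow
tls_cacertfile /var/lib/ldap/cacert.pem
tls_cert /var/lib/ldap/server.crt
tls_key /var/lib/ldap/server.key

# Hardened. demand terminates the session unless the server certificate
# chains to cacert.pem (a self-signed server certificate verifies only if
# cacert.pem contains that certificate or the CA that signed it). With
# demand, libldap also checks that the certificate names the host given in
# the uri, so either the certificate must name 192.168.0.10 or the uri must
# use the hostname the certificate was issued for. No client key or cert is
# needed unless slapd asks clients for certificates.
uri ldap://192.168.0.10/
base dc=dark,dc=net
scope sub
ssl start_tls
tls_reqcert demand
tls_cacertfile /var/lib/ldap/cacert.pem
```

The "user does not exist" result with nothing in the log is consistent with nslcd being unable to finish STARTTLS and treating the server as unreachable; nslcd -d (debug mode, run in the foreground) prints the libldap TLS diagnostics that syslog does not show.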
Auto increment (uidNext and uidNumber)
by Pablo
Hello,
Based on this article:
http://www.rexconsulting.net/ldap-protocol-uidNumber.html.
I am trying to increment 'uidNumber'. For doing that, I am using this
LDIF file:
--------------- autoinc.ldif ---------------------------
dn: cn=uidNext,dc=example,dc=com
changetype: modify
delete: uidNumber
uidNumber: 610
-
add: uidNumber
uidNumber: 611
------------------- EOF --------------------------------
And this command, but it produces an error:
$ ldapadd -x -D "cn=Admin,dc=example,dc=com" -wsecret -f ./autoinc.ldif
adding new entry "cn=uidNext,dc=example,dc=com"
ldapadd: Undefined attribute type (17)
additional info: add: attribute type undefined
$
This is the definition of the uidNext objectClass:
----------------------------------------------
objectClass ( 1.3.6.1.4.1.4203.666.599
NAME 'uidNext'
SUP top STRUCTURAL
MUST ( cn $ uidNumber ) )
----------------------------------------------
Any idea of what I am doing wrong here?
Thanks in advance.
Pablo.
9 years, 3 months
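An added example (not code from either message) serving this thread and the userCertificate thread above: a small parser for LDIF change records that applies the attribute-description consistency check ldapmodify applies, run over constructed copies of the two records posted. Under an add:/delete:/replace: line, every value line must name exactly the attribute description given there, attribute options such as ;binary included; the userCertificate record as posted fails that check on its fourth line with the message the tool printed, and the same record with "add: userCertificate;binary" parses. The uidNext record parses into a delete of the specific old value followed by an add of the new one; a server applies the two atomically and rejects the whole modify if the old value is no longer there, which is what makes the pattern safe against two clients incrementing at once. The error-text format and the unresolved handling of file URLs are this example's own choices.

```python
"""Parser for LDIF change records (RFC 2849) with the attribute-description
consistency check ldapmodify applies. Added example, not OpenLDAP code.

In a "changetype: modify" record every value line under an add:/delete:/
replace: line must name exactly the attribute description on that line,
options such as ";binary" included, else ldapmodify reports
"wrong attributeType at line N".
"""
import base64
import re
from typing import Dict, List, Optional, Tuple

# attrdesc, separator (":" text, "::" base64, ":<" URL), value
LINE_RE = re.compile(r"^([A-Za-z][\w.;-]*)(::|:<|:)\s*(.*)$")


class LdifError(ValueError):
    pass


def _unfold(text: str) -> List[Tuple[int, str]]:
    """Join continuation lines (leading space), skip comments and blanks.
    Returns (physical line number of the first line, logical line)."""
    out: List[Tuple[int, str]] = []
    for n, raw in enumerate(text.splitlines(), start=1):
        if raw.startswith(" ") and out:
            out[-1] = (out[-1][0], out[-1][1] + raw[1:])
        elif raw.startswith("#") or not raw.strip():
            continue
        else:
            out.append((n, raw))
    return out


def _decode(sep: str, rest: str) -> Tuple[str, object]:
    if sep == "::":
        return "base64", base64.b64decode(rest)
    if sep == ":<":
        return "url", rest      # left unresolved; the client reads it at send time
    return "text", rest


def parse_change_record(text: str) -> Dict[str, object]:
    """Parse one record into {dn, changetype, mods}; mods is a list of
    (op, attrdesc, [(kind, value), ...]). Raises LdifError on mismatch."""
    lines = _unfold(text)
    if not lines or not lines[0][1].lower().startswith("dn:"):
        raise LdifError("record must start with dn:")
    dn = lines[0][1].split(":", 1)[1].strip()
    changetype = "add"
    mods: List[list] = []       # [op, attrdesc, values]
    current: Optional[list] = None
    for lineno, line in lines[1:]:
        if line == "-":         # end of one modification
            current = None
            continue
        m = LINE_RE.match(line)
        if not m:
            raise LdifError(f"malformed line {lineno}: {line!r}")
        attr, sep, rest = m.groups()
        kind, value = _decode(sep, rest)
        lattr = attr.lower()
        if lattr == "changetype":
            changetype = str(value).strip().lower()
        elif changetype == "modify" and lattr in ("add", "delete", "replace"):
            current = [lattr, str(value).strip(), []]
            mods.append(current)
        elif changetype == "modify":
            if current is None:
                raise LdifError(f"value outside a modification at line {lineno}")
            if lattr != current[1].lower():
                # e.g. "userCertificate;binary:< ..." under "add: userCertificate"
                raise LdifError(f"wrong attributeType at line {lineno}: "
                                f"{attr} under '{current[0]}: {current[1]}'")
            current[2].append((kind, value))
        else:                   # plain add record: every line is a value
            mods.append(["add", attr, [(kind, value)]])
    return {"dn": dn, "changetype": changetype, "mods": [tuple(x) for x in mods]}


def check_record(text: str) -> Optional[str]:
    """None if the record parses, else the error message."""
    try:
        parse_change_record(text)
        return None
    except LdifError as exc:
        return str(exc)


# Constructed copies of the two records posted in these threads.
CERT_RECORD_AS_POSTED = """dn: cn=Nicolas.Kowalski,ou=people,dc=home,dc=lan
changetype: modify
add: userCertificate
userCertificate;binary:< file:///root/ssl/Nicolas.Kowalski-crt.der
"""
# Same change with add: naming the full attribute description.
CERT_RECORD_FIXED = CERT_RECORD_AS_POSTED.replace(
    "add: userCertificate\n", "add: userCertificate;binary\n")

# Delete the specific old value, then add the new one: the server applies
# both atomically and fails the whole modify if 610 is no longer present.
UIDNEXT_RECORD = """dn: cn=uidNext,dc=example,dc=com
changetype: modify
delete:uidNumber
uidNumber: 610
-
add: uidNumber
uidNumber: 611
"""

if __name__ == "__main__":
    for name, rec in [("as posted", CERT_RECORD_AS_POSTED),
                      ("fixed", CERT_RECORD_FIXED), ("uidNext", UIDNEXT_RECORD)]:
        print(f"{name}: {check_record(rec) or parse_change_record(rec)['mods']}")
```

The check exists so that a value can never be silently attached to a different attribute than the one the modification names; the fix on the client side is to make the add: line and the value line agree, not to drop the ;binary option from the value.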
(no subject)
by Molo CoC
Hi all, I hope I am in the correct list :(
For LPIC training I am using ldap 2.3.43 with BerkeleyDB 4.2 and libdb4.2 + libdb4.2-dev on the latest Debian (64-bit).
Unfortunately I am facing 2 errors during the installation of OpenLDAP:
The first is:
getpeereid.c:52: error: storage size of 'peercred' isn't known (while executing the command: make)
and a lot of:
missing binary operator before "("
I hope you can give me some advice.
thanks a lot!
9 years, 3 months
problem with openldap identity assertion to AD server
by John Uhlig
Hello.
I am new to this list so please forgive any protocol violations :)
I am starting with simple steps towards our goal to use the openldap server translucent overlay config to merge AD authentication for people at our company with local ldap account authentication for
non-company people.
I am using openldap 2.4.23 on RHEL6 server.
At this point, the ldap server can access our AD servers with anonymous bind but I need authenticated access to get more information.
I have been using variations of the "Identity Assertion" steps from the openldap FAQ page (http://www.openldap.org/faq/data/cache/532.html) without success.
I am initially trying the simplest config e.g. bindmethod=simple with a valid AD account/password for this access.
I have included my current minimalist slapd.conf file if of any help.
If anyone can point me to sample working configuration file(s) or provide any recommendations, I would appreciate it.
thanks,
John.
------------------------------------------
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/misc.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
###TLSCipherSuite HIGH:MEDIUM:+SSLv2
#TLSCACertificateFile /usr/var/openldap-data/cacert.pem
###TLSCertificateFile /etc/openldap/cacerts/parcldscert.pem
###TLSCertificateKeyFile /etc/openldap/cacerts/parclds.pem
###TLSVerifyClient allow
TLSVerifyClient never
### Will use TLS after I get authenticated bind working
#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix "dc=corp,dc=ad,dc=parc,dc=com"
rootdn "cn=Manager,dc=corp,dc=ad,dc=parc,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoid. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw {SSHA}EwrR01/GdI4+sdOVzZcK6Y94QbIXIw0j
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
sizelimit unlimited
directory /var/lib/ldap
# Indices to maintain
index objectClass eq
### debug logging
loglevel -1
# try transl overlay config here
moduleload translucent
overlay translucent
translucent_local carLicense
uri ldap://ADserver.corp.ad.parc.com
lastmod off
#
idassert-bind bindmethod=simple
binddn=cn=ldapacct,OU=Pseudo_User_Accounts,OU=PARC_Users,DC=corp,DC=ad,DC=parc,DC=com
credentials="password"
authzID=dn:cn=ldapacct,OU=Pseudo_User_Accounts,OU=PARC_Users,DC=corp,DC=ad,DC=parc,DC=com
9 years, 3 months
ACL Problem
by Selcuk Yazar
Hi,
I want LDAP users to be able to change their password.
A sample user dn is
mail=edergi@.....mail......edu.tr,ou=SOME_UNIT,jvd=.....mail.......edu.tr,o=hosting
and we have these ACL rules in slapd.conf:
access to dn.regex=".*,ou=.*,jvd=([^,]+),o=hosting,dc=myhosting,dc=example"
    attrs=userPassword
    by self write
    by group/jammPostmaster/roleOccupant.expand="cn=postmaster,jvd=$1,o=hosting,dc=myhosting,dc=example" write
    by * auth
    by * none
access to dn.regex=".*jvd=([^,]+),o=hosting,dc=myhosting,dc=example"
    by self write
    by group/jammPostmaster/roleOccupant.expand="cn=postmaster,jvd=$1,o=hosting,dc=myhosting,dc=example" write
    by * read
access to *
    by * read
I applied various rules from the OpenLDAP documentation, but none of them works. Why
can't users change their password?
thanks in advance
--
Selçuk YAZAR
9 years, 3 months
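As an added example that is not part of either message, a small Python model of slapd's ACL evaluation, run over the rule sets from this thread and the "Re: ACL Problem" reply above with constructed user DNs. It implements the semantics slapd.access(5) documents (the first "access to" whose target matches is selected, inside it the first matching "by" decides, and no matching "by" means none) for only the selectors the two messages use; the sample DNs and the simplified DN comparison are assumptions. Running it shows Quanah's point, that "by users write" gives any authenticated user write on another user's userPassword, next to the self-only rule that grants write to the owner and the Manager and nothing to everyone else. It also shows the effect of the expand flag: inside dn.exact, $1 is substituted only when ",expand" is present, so the reply's first rule set gives the user read, not write, on her own password.

```python
"""Toy model of slapd access-control evaluation (slapd.access(5)).

Added example, not slapd code. It models only what the two ACL threads
use: "access to" with dn.regex and/or attrs, and by-clauses self, users,
anonymous, *, dn.exact and dn.exact,expand (plain dn= is dn.exact).
The first "access to" whose <what> matches the target is selected; inside
it the first matching by-clause decides; if none matches, access is none.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def allows(granted: str, needed: str) -> bool:
    """Levels are cumulative: write implies read, read implies search, ..."""
    return LEVELS.index(granted) >= LEVELS.index(needed)


@dataclass
class By:
    who: str            # self | users | anonymous | * | dn.exact | dn.exact,expand
    access: str
    dn: str = ""        # DN pattern for the dn.exact forms


@dataclass
class Rule:
    dn_regex: Optional[str]     # None: any entry
    attrs: Optional[List[str]]  # None: any attribute
    by: List[By]


def _dn_eq(a: str, b: str) -> bool:
    """Crude DN normalisation: case-insensitive, blanks around commas ignored."""
    def norm(d: str) -> str:
        return ",".join(p.strip() for p in d.split(",")).lower()
    return norm(a) == norm(b)


def _expand(template: str, m) -> str:
    """Substitute $1..$9 with the groups the to-clause dn.regex captured."""
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))) or "", template)


def evaluate(rules: List[Rule], target_dn: str, attr: str, bound_dn: Optional[str]) -> str:
    """Access level bound_dn (None = anonymous) gets on attr of target_dn."""
    for rule in rules:
        m = None
        if rule.dn_regex is not None:
            m = re.search(rule.dn_regex, target_dn, re.IGNORECASE)
            if m is None:
                continue
        if rule.attrs is not None and attr.lower() not in (a.lower() for a in rule.attrs):
            continue
        authenticated = bound_dn is not None
        for c in rule.by:
            if c.who == "*":
                return c.access
            if c.who == "anonymous" and not authenticated:
                return c.access
            if c.who == "users" and authenticated:
                return c.access
            if c.who == "self" and authenticated and _dn_eq(bound_dn, target_dn):
                return c.access
            if c.who == "dn.exact" and authenticated and _dn_eq(bound_dn, c.dn):
                return c.access            # no expand: "$1" is compared literally
            if c.who == "dn.exact,expand" and authenticated and m is not None \
                    and _dn_eq(bound_dn, _expand(c.dn, m)):
                return c.access
        return "none"                      # matched <what>, no matching <by>
    return "none"


BASE = "o=hosting,dc=myhosting,dc=example"
MANAGER = "cn=Manager,dc=myhosting,dc=example"
# Constructed sample entries in the thread's layout (mail=...,ou=...,jvd=...).
ALICE = f"mail=alice@example.edu,ou=SOME_UNIT,jvd=example.edu,{BASE}"
BOB = f"mail=bob@example.edu,ou=SOME_UNIT,jvd=example.edu,{BASE}"
SELF_TMPL = f"mail=$1,ou=$2,jvd=$3,{BASE}"

# The rule Quanah quoted: "by users write" lets any authenticated user set
# anyone's password.
QUOTED = [Rule(rf"(.*,ou=(.+),jvd=([^,]+),{BASE})", ["userPassword"],
               [By("self", "write"), By("users", "write")])]

# The second rule in the reply: owner and Manager write, anonymous auth only.
SELF_ONLY = [Rule(None, ["userpassword"],
                  [By("self", "write"), By("anonymous", "auth"),
                   By("dn.exact", "write", MANAGER), By("users", "none"), By("*", "none")])]

# The first rule in the reply: write via dn.exact without expand, read with it.
NO_EXPAND = [Rule(rf"^mail=([^,]+),ou=([^,]+),jvd=([^,]+),{BASE}$", ["userPassword"],
                  [By("dn.exact", "write", SELF_TMPL), By("dn.exact,expand", "read", SELF_TMPL),
                   By("dn.exact", "write", MANAGER), By("users", "none"), By("*", "none")])]

if __name__ == "__main__":
    for name, rules in [("quoted", QUOTED), ("self_only", SELF_ONLY), ("no_expand", NO_EXPAND)]:
        for who, bound in [("alice", ALICE), ("bob", BOB), ("manager", MANAGER), ("anon", None)]:
            print(f"{name:10s} {who:8s} on alice's userPassword -> "
                  f"{evaluate(rules, ALICE, 'userPassword', bound)}")
```

When checking a rule set, evaluate it for the owner, for an unrelated authenticated user, for the administrator and for anonymous, in that order: the second of those is where "by users write" and an unanchored or over-greedy dn.regex turn a password-change ACL into a password-reset ACL for the whole directory.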
ppolicy overlay
by Selcuk Yazar
Hi
I've successfully installed the ppolicy overlay and the LDAP password policy
objects in my directory.
So what should I expect now?
Because nothing happened. We are using jamm mail account schemas and the sample
accounts are very old, and I expected all of them to expire, but nothing happened.
What are the correct settings for ppolicy_default_dn?
Thanks in advance.
9 years, 3 months