openldap-technical June 2011

openldap-technical@openldap.org

80 participants
92 discussions

access
by Friedrich Locke 28 Jun '11

28 Jun '11

Dear list members, i would like to use openldap for unix users and group of my local network. I started studying openldap access mechanism yesterday; and i am a little confused. I am writing in order to get some help for a single scenario i would like to share with you. My users will be below ou=users,dc=ufv,dc=br. I would like to write an access rule for the following. User X had complete access to his/her entry: cn=X,dc=ufv,dc=br but only read access for the others entry below dc=ufv,dc=br. How could this access be implemente? Is it possible? Thanks a lot for your time and support. Fried.

2 1

LDAP-Proxy: backend inaccessible via ldaps (w/o proxy no errors)
by Jahnke-Zumbusch, Dirk 27 Jun '11

27 Jun '11

Hi all, I would like to use the proxy features (and as soon as this works for me also some kind of rewriting / mapping) with openldap 2.4.25: ./configure --prefix=/scratch/openldap \ --with-tls=openssl \ --enable-meta \ --enable-ldap \ --enable-rewrite \ --enable-rwm \ --enable-bdb \ --enable-overlays \ --enable-perl \ --enable-shell make install... I may access one LDAP backend via ldap: but not the other (Active Directory) via ldaps: What works fine is 1. ldapsearch for LDAP-Tree-1 / Server-1: ========================================= Direct access to LDAP server: ----------------------------- ldapsearch -x -H ldap://ldap-server-1 -b 'ou=OU1,o=desy,c=de' '(mail=*)' | fgrep num # numResponses: 7 # numEntries: 6 and using the proxy: ----------------------------- ldapsearch -x -H ldap://ldap-proxy -b 'ou=OU1,o=desy,c=de' '(mail=*)' | fgrep num # numResponses: 7 # numEntries: 6 (This tree is rather small.) what is not working is 2. ldapsearch for Active-Directory / Server-2: ============================================== Direct Access to AD-Server ----------------------------- ldapsearch -x -H ldaps://domain-controller \ -D CN=accountname,OU=...,OU=...,OU=...,DC=desy,DC=de \ -W \ -b 'ou=ou1,...,dc=desy,dc=de' \ '(samaccountname=testuser)' | fgrep num Enter LDAP Password: # numResponses: 2 # numEntries: 1 Doing the same via the proxy fails: ----------------------------------- ldapsearch -x -H ldap://ldap-proxy -b 'ou=...,...,dc=desy,dc=de' # extended LDIF # # LDAPv3 # base <ou=...,...,dc=desy,dc=de> with scope subtree # filter: (objectclass=*) # requesting: ALL # # search result search: 2 result: 48 Inappropriate authentication # numResponses: 1 I would like to understand why this fails. slapd.conf is like this ---------- include /scratch/openldap/etc/openldap/schema/core.schema include /scratch/openldap/etc/openldap/schema/cosine.schema include /scratch/openldap/etc/openldap/schema/inetorgperson.schema idletimeout 120 pidfile /scratch/openldap/var/run/slapd.pid argsfile /scratch/openldap/var/run/slapd.args # -- 1st LDAP-backend, the one which works, see 1. above database ldap uri ldap://ldap-server-1:portnumber/ suffix "ou=ouA,o=desy,c=de" # -- 2nd LDAP-/Active-Driectory-backend, that one, which fails database ldap suffix "ou=OU1,...,dc=desy,dc=de" uri ldaps://domain-controller/ acl-bind bindmethod=simple binddn="CN=...,DC=desy,DC=de" credentials=TopSecret idassert-bind bindmethod=simple binddn="CN=...,DC=desy,DC=de" credentials=TopSecret mode=none tls_cacertdir=/etc/pki/tls/certs tls_reqcert=never tls_crlcheck=none idle-timeout 1800 rebind-as-user yes # -- just to make sure for now that I will see everything access to * by * read # === END OF SLAPD.CONF === When I am strace'ing slapd with "-e trace=file -f" I cannot see that any file in tls_cacertdir is read. But I would have expected that. Any directions what I should looking for, now? Kind regards, Dirk -- Dirk Jahnke-Zumbusch Deutsches Elektronen-Synchrotron DESY IT Information Fabrics Member of the Helmholtz Association D-22603 Hamburg Notkestrasse 85 / 22607 Hamburg T: +49-40-899.81760 F: +49-40-899.41760 dirk.jahnke-zumbusch(a)desy.de

1 0

How to perform windows domain authentication with openldap
by Jintao Fang 27 Jun '11

27 Jun '11

I am trying to develop a ldap client with openldap and cyrus-sasl, there is one feature that user can directly sign to the ldap server if he is in a domain. Does anyone have used openldap like this? Thanks a lot.

5 4

back-sql modified queries
by Mark Nienberg 25 Jun '11

25 Jun '11

1 0

ACL caused uidNumber=4294967295 ?
by niko 24 Jun '11

24 Jun '11

Hi,I got weird problem with ldap & samba &sssd。 pdbedit -L showed all users having the same uid (4294967295) ACL : [root@rhel6 slapd.d]# grep -ir "olcAccess" . ./cn=config/olcDatabase={2}monitor.ldif:olcAccess: {0}to * by dn.base="cn=manager,dc=my-domain,dc=com" read by * none ./cn=config/olcDatabase={0}config.ldif:olcAccess: {0}to * by * none ./cn=config/olcDatabase={1}bdb.ldif:olcAccess: to * by * read by self write More specification below： -------------------------------------------------------------------------------------------------------------------------------------------------------- [root@rhel6 cn=config]# pdbedit -L testsmb:4294967295:testsmb *<sometimes, the user testsmb has correct uid 503, I don't know why> *test2:4294967295:test2 test3:4294967295:test3 [root@rhel6 ~]# getent -s sss passwd example:*:9999:9999::/home/example:/bin/sh *<sometimes,we can get user testsmb here>* [root@rhel6 cn=config]# ldapsearch -x -D "cn=root,dc=rhel6,dc=ldaptest,dc=com" -W ........ # testsmb, rhel6.ldaptest.com dn: uid=testsmb,dc=rhel6,dc=ldaptest,dc=com cn: testsmb uid: testsmb uidNumber: 503 loginShell: /bin/bash homeDirectory: /home/testsmb gidNumber: 500 userPassword:: e2NyeXB0fUFPblQvYkJsbEJTWFk= objectClass: posixAccount objectClass: shadowAccount objectClass: person objectClass: sambaSamAccount sambaPwdLastSet: 1308553125 sambaPwdCanChange: 1308553125 sambaNTPassword: 1D82374AB98BB16761B9A4F90441E201 sambaLMPassword: 67E272A0267766A117306D272A9441BB sambaPrimaryGroupSID: 2001 sambaAcctFlags: [U ] shadowLastChange: 15145 gecos: testsmb sn: testsmb sambaSID: S-1-5-21-423381952-115127825-699677302-1004 # test2, rhel6.ldaptest.com Dn: uid=test2,dc=rhel6,dc=ldaptest,dc=com cn: test2 uid: test2 uidNumber: 504 loginShell: /bin/bash homeDirectory: /home/test2 gidNumber: 500 userPassword:: e2NyeXB0fVhSbXVGQUd2cHMublE= objectClass: posixAccount objectClass: shadowAccount objectClass: person objectClass: sambaSamAccount sambaPwdLastSet: 1308557836 sambaPwdCanChange: 1308557836 sambaNTPassword: 1D82374AB98BB16761B9A4F90441E201 sambaLMPassword: 67E272A0267766A117306D272A9441BB sambaPrimaryGroupSID: 2001 sambaAcctFlags: [U ] shadowLastChange: 15145 gecos: test2 sn: test2 sambaSID: S-1-5-21-423381952-115127825-699677302-1005 # example, rhel6.ldaptest.com dn: uid=example,dc=rhel6,dc=ldaptest,dc=com cn: Example user sn: Example user uid: example uidNumber: 9999 gidNumber: 9999 loginShell: /bin/sh homeDirectory: /home/example objectClass: posixAccount objectClass: person userPassword:: KkxLKg== smb.conf security = user passdb backend = ldapsam:ldap://rhel6.ldaptest.com ldap admin dn = "cn=root,dc=rhel6,dc=ldaptest,dc=com" ldap suffix = dc=rhel6,dc=ldaptest,dc=com ldap group suffix = ou=Groups ldap machine suffix = ou=Computers ldap idmap suffix = ou=Idmap ldap ssl = start tls ldap passwd sync = yes Debug info show below slapd debug acl ------------------------------------------------------------------------------------------------------------------------------------ [root@rhel6 ~]# service slapd start Starting slapd: @(#) $OpenLDAP: slapd 2.4.19 (Jun 30 2010 03:56:07) $ mockbuild@x86-003.build.bos.redhat.com:/builddir/build/BUILD/openldap-2.4.19/openldap-2.4.19/build-servers/servers/slapd => access_allowed: search access to "cn=config" "objectClass" requested <= root access granted => access_allowed: search access granted by manage(=mwrscxd) => access_allowed: search access to "cn=schema,cn=config" "objectClass" requested <= root access granted => access_allowed: search access granted by manage(=mwrscxd) => access_allowed: search access to "cn={0}corba,cn=schema,cn=config" "objectClass" requested <= root access granted => access_allowed: search access granted by manage(=mwrscxd) => access_allowed: search access to "cn={1}core,cn=schema,cn=config" "objectClass" requested <= root access granted => access_allowed: search access granted by manage(=mwrscxd) => access_allowed: search access to "cn={2}cosine,cn=schema,cn=config" "objectClass" requested <= root access granted => access_allowed: search access granted by manage(=mwrscxd) => access_allowed: search access to "cn={3}duaconf,cn=schema,cn=config" "objectClass" requested <= root access granted => access_allowed: search access granted by manage(=mwrscxd) => access_allowed: search access to "cn={4}dyngroup,cn=schema,cn=config" "objectClass" requested <= root access granted => access_allowed: search access granted by manage(=mwrscxd) => access_allowed: search access to "cn={5}inetorgperson,cn=schema,cn=config" "objectClass" requested <= root access granted => access_allowed: search access granted by manage(=mwrscxd) => access_allowed: search access to "cn={6}java,cn=schema,cn=config" "objectClass" requested <= root access granted => access_allowed: search access granted by manage(=mwrscxd) => access_allowed: search access to "cn={7}misc,cn=schema,cn=config" "objectClass" requested <= root access granted => access_allowed: search access granted by manage(=mwrscxd) => access_allowed: search access to "cn={8}nis,cn=schema,cn=config" "objectClass" requested <= root access granted => access_allowed: search access granted by manage(=mwrscxd) => access_allowed: search access to "cn={9}openldap,cn=schema,cn=config" "objectClass" requested <= root access granted => access_allowed: search access granted by manage(=mwrscxd) => access_allowed: search access to "cn={10}ppolicy,cn=schema,cn=config" "objectClass" requested <= root access granted => access_allowed: search access granted by manage(=mwrscxd) => access_allowed: search access to "cn={11}collective,cn=schema,cn=config" "objectClass" requested <= root access granted => access_allowed: search access granted by manage(=mwrscxd) => access_allowed: search access to "cn={12}samba,cn=schema,cn=config" "objectClass" requested <= root access granted => access_allowed: search access granted by manage(=mwrscxd) => access_allowed: search access to "olcDatabase={-1}frontend,cn=config" "objectClass" requested <= root access granted => access_allowed: search access granted by manage(=mwrscxd) => access_allowed: search access to "olcDatabase={0}config,cn=config" "objectClass" requested <= root access granted => access_allowed: search access granted by manage(=mwrscxd) Backend ACL: access to * by * none /etc/openldap/slapd.d: line 1: warning: cannot assess the validity of the ACL scope within backend naming context => access_allowed: search access to "olcDatabase={1}bdb,cn=config" "objectClass" requested <= root access granted => access_allowed: search access granted by manage(=mwrscxd) Backend ACL: access to * by * read by self write /etc/openldap/slapd.d: line 1: warning: cannot assess the validity of the ACL scope within backend naming context => access_allowed: search access to "olcDatabase={2}monitor,cn=config" "objectClass" requested <= root access granted => access_allowed: search access granted by manage(=mwrscxd) Backend ACL: access to * by dn.base="cn=manager,dc=my-domain,dc=com" read by * none /etc/openldap/slapd.d: line 1: warning: cannot assess the validity of the ACL scope within backend naming context slapd starting * * *debug info for " su - test2"* sssd debug info ------------------------------------------------------------------------------------------------------------------------------------------------------------- (Tue Jun 21 11:02:48 2011) [sssd[be[default]]] [sdap_parse_entry] (9): OriginalDN: [uid=test2,dc=rhel6,dc=ldaptest,dc=com]. (Tue Jun 21 11:02:48 2011) [sssd[be[default]]] [sdap_process_result] (8): Trace: sh[0x9e08488], connected[1], ops[0x9ea1b10], ldap[0x9e08540] (Tue Jun 21 11:02:48 2011) [sssd[be[default]]] [sdap_get_generic_done] (6): Search result: Success(0), (null) (Tue Jun 21 11:02:48 2011) [sssd[be[default]]] [sdap_get_users_process] (6): Search for users, returned 1 results. (Tue Jun 21 11:02:48 2011) [sssd[be[default]]] [sdap_process_result] (8): Trace: sh[0x9e08488], connected[1], ops[(nil)], ldap[0x9e08540] (Tue Jun 21 11:02:48 2011) [sssd[be[default]]] [sdap_process_result] (8): Trace: ldap_result found nothing! (Tue Jun 21 11:02:48 2011) [sssd[be[default]]] [ldb] (9): start ldb transaction (nesting: 0) (Tue Jun 21 11:02:48 2011) [sssd[be[default]]] [sdap_save_user_send] (9): Save user (Tue Jun 21 11:02:48 2011) [sssd[be[default]]] [sdap_save_user_send] (2): User [test2] filtered out! (id out of range) (Tue Jun 21 11:02:48 2011) [sssd[be[default]]] [sdap_save_users_process] (2): Failed to store user 0. Ignoring. (Tue Jun 21 11:02:48 2011) [sssd[be[default]]] [ldb] (9): commit ldb transaction (nesting: 0) (Tue Jun 21 11:02:48 2011) [sssd[be[default]]] [sdap_get_users_done] (9): Saving 1 Users - Done (Tue Jun 21 11:02:48 2011) [sssd[nss]] [sbus_remove_timeout] (8): 0x9dcde28 (Tue Jun 21 11:02:48 2011) [sssd[nss]] [sbus_dispatch] (9): dbus conn: 9DCDF38 (Tue Jun 21 11:02:48 2011) [sssd[nss]] [sbus_dispatch] (9): Dispatching. (Tue Jun 21 11:02:48 2011) [sssd[nss]] [sss_dp_get_reply] (4): Got reply (0, 0, Success) from Data Provider (Tue Jun 21 11:02:48 2011) [sssd[nss]] [nss_cmd_getpwnam_callback] (2): No matching domain found for [test2], fail! (Tue Jun 21 11:02:48 2011) [sssd[nss]] [nss_cmd_getpwnam_callback] (2): No results for getpwnam call (Tue Jun 21 11:02:48 2011) [sssd[be[default]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success slapd debug info ----------------------------------------------------------------------------------------------------------------------------------------------------------------- => acl_mask: access to entry "dc=rhel6,dc=ldaptest,dc=com", attr "entry" requested => acl_mask: to all values by "", (=0) <= check a_dn_pat: * <= acl_mask: [1] applying read(=rscxd) (stop) <= acl_mask: [1] mask: read(=rscxd) => slap_access_allowed: search access granted by read(=rscxd) => access_allowed: search access granted by read(=rscxd) => access_allowed: search access to "dc=rhel6,dc=ldaptest,dc=com" "entry" requested => acl_get: [1] attr entry => acl_mask: access to entry "dc=rhel6,dc=ldaptest,dc=com", attr "entry" requested => acl_mask: to all values by "", (=0) <= check a_dn_pat: * <= acl_mask: [1] applying read(=rscxd) (stop) <= acl_mask: [1] mask: read(=rscxd) => slap_access_allowed: search access granted by read(=rscxd) => access_allowed: search access granted by read(=rscxd) => access_allowed: search access to "uid=test2,dc=rhel6,dc=ldaptest,dc=com" "uid" requested => acl_get: [1] attr uid => acl_mask: access to entry "uid=test2,dc=rhel6,dc=ldaptest,dc=com", attr "uid" requested => acl_mask: to value by "", (=0) <= check a_dn_pat: * <= acl_mask: [1] applying read(=rscxd) (stop) <= acl_mask: [1] mask: read(=rscxd) => slap_access_allowed: search access granted by read(=rscxd) => access_allowed: search access granted by read(=rscxd) => access_allowed: search access to "uid=test2,dc=rhel6,dc=ldaptest,dc=com" "objectClass" requested => acl_get: [1] attr objectClass => acl_mask: access to entry "uid=test2,dc=rhel6,dc=ldaptest,dc=com", attr "objectClass" requested => acl_mask: to value by "", (=0) <= check a_dn_pat: * <= acl_mask: [1] applying read(=rscxd) (stop) <= acl_mask: [1] mask: read(=rscxd) => slap_access_allowed: search access granted by read(=rscxd) => access_allowed: search access granted by read(=rscxd) => access_allowed: read access to "uid=test2,dc=rhel6,dc=ldaptest,dc=com" "entry" requested => acl_get: [1] attr entry => acl_mask: access to entry "uid=test2,dc=rhel6,dc=ldaptest,dc=com", attr "entry" requested => acl_mask: to all values by "", (=0) <= check a_dn_pat: * <= acl_mask: [1] applying read(=rscxd) (stop) <= acl_mask: [1] mask: read(=rscxd) => slap_access_allowed: read access granted by read(=rscxd) => access_allowed: read access granted by read(=rscxd) => access_allowed: result not in cache (cn) => access_allowed: read access to "uid=test2,dc=rhel6,dc=ldaptest,dc=com" "cn" requested => acl_get: [1] attr cn => acl_mask: access to entry "uid=test2,dc=rhel6,dc=ldaptest,dc=com", attr "cn" requested => acl_mask: to value by "", (=0) <= check a_dn_pat: * <= acl_mask: [1] applying read(=rscxd) (stop) <= acl_mask: [1] mask: read(=rscxd) => slap_access_allowed: read access granted by read(=rscxd) => access_allowed: read access granted by read(=rscxd) => access_allowed: result not in cache (uid) => access_allowed: read access to "uid=test2,dc=rhel6,dc=ldaptest,dc=com" "uid" requested => acl_get: [1] attr uid => acl_mask: access to entry "uid=test2,dc=rhel6,dc=ldaptest,dc=com", attr "uid" requested => acl_mask: to value by "", (=0) <= check a_dn_pat: * <= acl_mask: [1] applying read(=rscxd) (stop) <= acl_mask: [1] mask: read(=rscxd) => slap_access_allowed: read access granted by read(=rscxd) => access_allowed: read access granted by read(=rscxd) => access_allowed: result not in cache (uidNumber) => access_allowed: read access to "uid=test2,dc=rhel6,dc=ldaptest,dc=com" "uidNumber" requested => acl_get: [1] attr uidNumber => acl_mask: access to entry "uid=test2,dc=rhel6,dc=ldaptest,dc=com", attr "uidNumber" requested => acl_mask: to value by "", (=0) <= check a_dn_pat: * <= acl_mask: [1] applying read(=rscxd) (stop) <= acl_mask: [1] mask: read(=rscxd) => slap_access_allowed: read access granted by read(=rscxd) => access_allowed: read access granted by read(=rscxd) => access_allowed: result not in cache (loginShell) => access_allowed: read access to "uid=test2,dc=rhel6,dc=ldaptest,dc=com" "loginShell" requested => acl_get: [1] attr loginShell => acl_mask: access to entry "uid=test2,dc=rhel6,dc=ldaptest,dc=com", attr "loginShell" requested => acl_mask: to value by "", (=0) <= check a_dn_pat: * <= acl_mask: [1] applying read(=rscxd) (stop) <= acl_mask: [1] mask: read(=rscxd) => slap_access_allowed: read access granted by read(=rscxd) => access_allowed: read access granted by read(=rscxd) => access_allowed: result not in cache (homeDirectory) => access_allowed: read access to "uid=test2,dc=rhel6,dc=ldaptest,dc=com" "homeDirectory" requested => acl_get: [1] attr homeDirectory => acl_mask: access to entry "uid=test2,dc=rhel6,dc=ldaptest,dc=com", attr "homeDirectory" requested => acl_mask: to value by "", (=0) <= check a_dn_pat: * <= acl_mask: [1] applying read(=rscxd) (stop) <= acl_mask: [1] mask: read(=rscxd) => slap_access_allowed: read access granted by read(=rscxd) => access_allowed: read access granted by read(=rscxd) => access_allowed: result not in cache (gidNumber) => access_allowed: read access to "uid=test2,dc=rhel6,dc=ldaptest,dc=com" "gidNumber" requested => acl_get: [1] attr gidNumber => acl_mask: access to entry "uid=test2,dc=rhel6,dc=ldaptest,dc=com", attr "gidNumber" requested => acl_mask: to value by "", (=0) <= check a_dn_pat: * <= acl_mask: [1] applying read(=rscxd) (stop) <= acl_mask: [1] mask: read(=rscxd) => slap_access_allowed: read access granted by read(=rscxd) => access_allowed: read access granted by read(=rscxd) => access_allowed: result not in cache (userPassword) => access_allowed: read access to "uid=test2,dc=rhel6,dc=ldaptest,dc=com" "userPassword" requested => acl_get: [1] attr userPassword => acl_mask: access to entry "uid=test2,dc=rhel6,dc=ldaptest,dc=com", attr "userPassword" requested => acl_mask: to value by "", (=0) <= check a_dn_pat: * <= acl_mask: [1] applying read(=rscxd) (stop) <= acl_mask: [1] mask: read(=rscxd) => slap_access_allowed: read access granted by read(=rscxd) => access_allowed: read access granted by read(=rscxd) => access_allowed: result not in cache (objectClass) => access_allowed: read access to "uid=test2,dc=rhel6,dc=ldaptest,dc=com" "objectClass" requested => acl_get: [1] attr objectClass => acl_mask: access to entry "uid=test2,dc=rhel6,dc=ldaptest,dc=com", attr "objectClass" requested => acl_mask: to value by "", (=0) <= check a_dn_pat: * <= acl_mask: [1] applying read(=rscxd) (stop) <= acl_mask: [1] mask: read(=rscxd) => slap_access_allowed: read access granted by read(=rscxd) => access_allowed: read access granted by read(=rscxd) => access_allowed: result was in cache (objectClass) => access_allowed: result was in cache (objectClass) => access_allowed: result was in cache (objectClass) => access_allowed: result not in cache (shadowLastChange) => access_allowed: read access to "uid=test2,dc=rhel6,dc=ldaptest,dc=com" "shadowLastChange" requested => acl_get: [1] attr shadowLastChange => acl_mask: access to entry "uid=test2,dc=rhel6,dc=ldaptest,dc=com", attr "shadowLastChange" requested => acl_mask: to value by "", (=0) <= check a_dn_pat: * <= acl_mask: [1] applying read(=rscxd) (stop) <= acl_mask: [1] mask: read(=rscxd) => slap_access_allowed: read access granted by read(=rscxd) => access_allowed: read access granted by read(=rscxd) => access_allowed: result not in cache (gecos) => access_allowed: read access to "uid=test2,dc=rhel6,dc=ldaptest,dc=com" "gecos" requested => acl_get: [1] attr gecos => acl_mask: access to entry "uid=test2,dc=rhel6,dc=ldaptest,dc=com", attr "gecos" requested => acl_mask: to value by "", (=0) <= check a_dn_pat: * <= acl_mask: [1] applying read(=rscxd) (stop) <= acl_mask: [1] mask: read(=rscxd) => slap_access_allowed: read access granted by read(=rscxd) => access_allowed: read access granted by read(=rscxd) => access_allowed: result not in cache (modifyTimestamp) => access_allowed: read access to "uid=test2,dc=rhel6,dc=ldaptest,dc=com" "modifyTimestamp" requested => acl_get: [1] attr modifyTimestamp => acl_mask: access to entry "uid=test2,dc=rhel6,dc=ldaptest,dc=com", attr "modifyTimestamp" requested => acl_mask: to value by "", (=0) <= check a_dn_pat: * <= acl_mask: [1] applying read(=rscxd) (stop) <= acl_mask: [1] mask: read(=rscxd) => slap_access_allowed: read access granted by read(=rscxd) => access_allowed: read access granted by read(=rscxd)

1 0

ppolicy overlay and pwdreset attribute question
by Cyril GROSJEAN 24 Jun '11

24 Jun '11

I use OpenLDAP 2.4.24 with the following default password policy, because I want my users to change their password at first connection, or after a password reset by an administrator: dn: cn=default,ou=policies,dc=company cn: default description: Strategie de gestion des mots de passe par defaut objectClass: top objectClass: person objectClass: pwdPolicy pwdAllowUserChange: TRUE pwdAttribute: userPassword pwdCheckQuality: 2 pwdExpireWarning: 0 pwdFailureCountInterval: 0 pwdGraceAuthNLimit: 0 pwdInHistory: 0 pwdMaxAge: 0 pwdMaxFailure: 0 pwdMinAge: 0 pwdMinLength: 8 pwdMustChange: TRUE pwdSafeModify: FALSE sn: policy When creating a user account (either as administrator or any user with sufficient rights), the pwdReset attribute is not set automatically, and thus, the newly created user can bind and search without being forced to change his password. I have to manually set the pwdReset attribute to TRUE in the user entry at creation time or after creation to force a password change. Is this normal behaviour ? I would have expected to see the pwdReset attribute automatically set (by the ppolicy overlay). Otherwise, setting pwdMustChange to TRUE in the password policy definition looks unuseful. On the contrary, when the user changes his password, the pwdReset attribute is automatically removed, which tends to mean the password policy overlay is called and does something in this case ..

3 5

olcDbCacheSize: no equality matching rule
by Gerard Ranke 24 Jun '11

24 Jun '11

Dear listmembers, After upgrading from openldap 2.4.21 to 2.4.25 my olcDbCacheSize entry seems to have gone awoll. I tried to fix that with the following ldif file: dn: olcDatabase={1}hdb,cn=config changetype:modify add: olcDbCachesize olcDbCachesize: 10000 but I got this errormessage: modifying entry "olcDatabase={1}hdb,cn=config" ldap_modify: Inappropriate matching (18) additional info: modify/add: olcDbCacheSize: no equality matching rule Does anybody have any idea what is wrong? Many thanks in advance, Gerard Ranke

2 1

RE: ppolicy works, then doesn't
by Cyril GROSJEAN 24 Jun '11

24 Jun '11

Do you have any clue (from the access log for example), that this user’s password has been successfully changed after 20110606211056Z ? Or is there any chance that the password was changed while the policy overlay wasn’t loaded, which could occur if it was changed on a misconfigured replica for example.

2 1

N-Way replication
by Darouichi, Aziz 23 Jun '11

23 Jun '11

I setup N-Way replication openldap-2.4.23 in RHEL5. Config file is identical on both servers. In one server I get this error message in the log. send_search_entry: conn 1000 ber write failed. I run slapdindex, and turned off schemasearch. Error message still being generated. Thanks,

2 3

[SOLVED] olcDbCacheSize: no equality matching rule
by Gerard Ranke 23 Jun '11

23 Jun '11

>Dear listmembers, >After upgrading from openldap 2.4.21 to 2.4.25 my olcDbCacheSize entry seems to have gone awoll. I >tried to fix that with the following ldif file: >dn: olcDatabase={1}hdb,cn=config >changetype:modify >add: olcDbCachesize >olcDbCachesize: 10000 >but I got this errormessage: >modifying entry "olcDatabase={1}hdb,cn=config" >ldap_modify: Inappropriate matching (18) > additional info: modify/add: olcDbCacheSize: no equality matching rule Been staring at this for too long: The olcDbCacheSize was sitting right there... Sorry for the noise. Best, gerard

1 0

← Newer
1
2
3
4
5
6
7
8
9
10
Older →

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical June 2011