openldap-technical February 2013

openldap-technical@openldap.org

68 participants
72 discussions

slapd ACL to allow Password Modify exop by ldappasswd - but deny direct modification via ldapmodify
by Tim Watts 22 Feb '13

22 Feb '13

Hi, I've been through google and the man pages - no avail. If anyone can help, I'd be very grateful :) slapd.conf acl: access to attrs=userPassword by peername.path="/var/run/slapd/ldapi" manage by dn="cn=admin,dc=dighum,dc=kcl,dc=ac,dc=uk" manage by self write by * auth This allows ldappasswd to work, but of course, it also allows anybody to issue an ldapmodify against their own record and store a weak hash (eg {crypt} ) or worse, bypass my check_password plugin policy enforcer. Removing the "self write" line kills ldapmodify, but also seems to break the password modify exop issues by ldappasswd. So - how do I allow ldappasswd to work (which respects the policies and allows the server to hash the password using its default hash - SSHA1 in my case) whilst disallowing *direct* modify access to the userPassword: entry? Answers on a postcard, or a wet herring as appropriate :-| Many thanks! Tim -- Tim Watts Personal Blog: http://squiddy.blog.dionic.net/ http://www.sensorly.com/ Crowd mapping of 2G/3G/4G mobile signal coverage

1 1

ppolicy pwdCheckModule failure and still calling other overlays
by Tim Watts 21 Feb '13

21 Feb '13

I realise this is a long shot, but if pwdCheckModule is enabled in ppolicy AND the module it calls FAILS a prospective password (for being too weak) - should slapd actually be calling the next overlay in the stack?? Common sense says ppolicy should bomb out? Here are the overlay configs in slapd.conf: <backend hdb database stuff> overlay smbkrb5pwd smbkrb5pwd-enable krb5 smbkrb5pwd-krb5realm DIGHUM.KCL.AC.UK smbkrb5pwd-requiredclass posixAccount # # Password Policy - this runs check_password.so compiled from # /vol/source/ldap_check_password/1.0/check_password.c # # overlay ppolicy ppolicy_default "cn=default,ou=pwpolicies,dc=dighum,dc=kcl,dc=ac,dc=uk" ppolicy_use_lockout ppolicy_hash_cleartext The idea is: ppolicy is configured to call my own password_check.so and that works nicely - that exits with EXIT_FAILURE if it fails. smbkrb5pwd is OpinSys.fi's modification to smbk5pwd to work with MIT kerberos. That works too (after I fixed something). It will set the principle's password and create the principle is it doesn't exist. The failure scenario is: 1) No principle for the UID in question; 2) The UID in question has a DN in slapd; 3) Set password for UID - choose one that will fail the ppolicy checks; 4) do an ldappasswd change for UID Result: ldappasswd says it fails and the user password hash in slapd is not changed. However, smbkrb5pwd was still called and managed to create a principle for UID with the weak password - bypassing the policy. The best answer to my mind is: Fix smbkrb5pwd to be able to add a default kerberos policy to any created principles. Such a policy can replace ppolicy for password strength checking. I think I can do this. However, it bothers me - is there no way to make the failure of one overlay bomb the stack out (rather like PAM)? Or perhaps ppolicy is not actually "failing" as such?? Any ideas? Cheers! Tim -- Tim Watts Personal Blog: http://squiddy.blog.dionic.net/ http://www.sensorly.com/ Crowd mapping of 2G/3G/4G mobile signal coverage

1 0

Indices is missing?
by Vit Dua 21 Feb '13

21 Feb '13

Hi, I have indexed my mdb by: slapcat -f slapd.conf -q After that, I can find entries quickly with the filter: mail=viet...(a)example.com But I cannot find the entry: mail=viet2000000(a)example.com,dc=example,dc=com with that filter. However, I can search that entry with other filter: mail=viet200000*(a)example.com My slapd.conf: index mail eq Thanks, Viet

3 4

openLDAP is not working with MySQL cluster
by SHEKHAR PODICHETI 21 Feb '13

21 Feb '13

Hi, I tried connecting openLDAP server with MySQL cluster through NDB APIs. I made configuration changes in slapd.conf so that it connect to NDB. However it is throwing Unrecongnized NDB. I request tou to help me. It will be great if u share me sample slapd.conf file that has the NDB configuration. Thanks. -- Regards, Shekhar Podicheti

3 3

ppolicy on consumers
by Andrei BĂNARU 21 Feb '13

21 Feb '13

Hi, Did anyone manage to get the *ppolicy overlay* to work on the *consumers *? The user gets the *pwdAccountLockedTime *attribute on the provider and the consumers. To validate this I use: /[root@opennms ~]# //*ldapwhoami -x -e ppolicy -D "uid=user1,ou=People,ou=Country1,dc=example,dc=com" -w'password' -h ldap-master.example.com*//* *//*ldap_bind: Invalid credentials (49); Account locked*/ where *ldap-master.example.com* is the *provider*. /[root@opennms ~]# //*ldapwhoami -x -e ppolicy -D "uid=user1,ou=People,ou=Country1,dc=example,dc=com" -w'password' -h ldap.example.ro*//* *//*dn:uid=user1,ou=People,ou=Country1,dc=example,dc=com*/ where *ldap.example.ro* is one of the *consumers*. The same issue occurs also on expired passwords. On the consumer I've used *ppolicy_forward_updates* and that works like a charm. Did I miss something vital in the configuration ? Thx! -- Andrei BĂNARU Internal Support CCNA Security, CCIP StreamWIDE Romania

1 0

enabling logs in openLDAP
by Jignesh Patel 21 Feb '13

21 Feb '13

How to enable logs to capture authentication information in openLDAP 2.4.33

2 1

Append `git log -p COMMIT~..COMMIT` to an OpenLDAP commit message
by SATOH Fumiyasu 21 Feb '13

21 Feb '13

FYI. https://github.com/fumiyas/mail-filters/blob/master/openldap-commitmail-adj… -- -- Name: SATOH Fumiyasu @ OSS Technology Corp. (fumiyas @ osstech co jp) -- Business Home: http://www.OSSTech.co.jp/ -- GitHub Home: https://GitHub.com/fumiyas/ -- PGP Fingerprint: BBE1 A1C9 525A 292E 6729 CDEC ADC2 9DCA 5E1C CBCA

1 0

meta backend subtree directive ignored by conversion to cn=config
by francesco.policastro＠selex-es.com 20 Feb '13

20 Feb '13

Hi all, I realized that the subtree-include directives I use in my meta backend are not converted at all to cn=config. I cannot find them in cn=config tree. The slapd version is 2.4.33 as patched after ITS#7525 (openldap-648d28f.tar.gz) Here is my slapd.conf: ==================================================== # # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. # include /usr/local/etc/openldap/schema/core.schema include /usr/local/etc/openldap/schema/cosine.schema include /usr/local/etc/openldap/schema/inetorgperson.schema include /usr/local/etc/openldap/schema/dyngroup.schema attributetype ( 1.2.840.113556.1.4.221 NAME 'sAMAccountName' EQUALITY caseExactMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE ) attributetype ( 1.2.840.113556.1.4.35 NAME 'employeeID' EQUALITY caseExactMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE ) attributetype ( 1.2.840.113556.1.4.8 NAME 'userAccountControl' EQUALITY integerMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' SINGLE-VALUE ) attributetype ( 1.2.840.113556.1.4.656 NAME 'userPrincipalName' EQUALITY caseExactMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE ) # Allow LDAPv2 client connections. This is NOT the default. allow bind_v2 pidfile /var/run/slapd.pid # ---------------------- backend meta backend hdb # ---------------------- # ---------------------- database meta # ---------------------- suffix "dc=newco,dc=com" readonly on rootdn "cn=LdapBindUser,dc=newco,dc=com" rootpw secret1 # no anonymous bind require authc conn-ttl 25m dncache-ttl disabled access to * by * none # first domain uri "ldap://server1.it.domain1.com/dc=first,dc=newco,dc=com" idassert-bind bindmethod=simple binddn="cn=LDAP User,ou=ITStaff,dc=it,dc=domain1,dc=com" credentials=secret2 chase-referrals no rebind-as-user true map objectclass groupOfNames * map objectclass person * suffixmassage "dc=first,dc=newco,dc=com" "dc=it,dc=domain1,dc=com" subtree-include "ou=Applications,ou=Groups Shared,dc=first,dc=newco,dc=com" subtree-include "ou=Users,ou=1st-location,dc=first,dc=newco,dc=com" subtree-include "ou=Users,ou=2nd-location,dc=first,dc=newco,dc=com" subtree-include "ou=Users,ou=3rd-location,dc=first,dc=newco,dc=com" # map visible attributes to matching attributes on backend map attribute distinguishedName * map attribute givenName * map attribute description * map attribute sn * map attribute cn * map attribute mail * map attribute samAccountName * map attribute userAccountControl * map attribute employeeID * map attribute userPrincipalName * # map everything else to null map attribute * # second domain uri "ldap://server2.domain2.net/ou=organizationalUnit,dc=second,dc=newco,dc=com" idassert-bind bindmethod=simple binddn="cn=ldap-2,cn=Users,dc=domain2,dc=net" credentials=secret3 chase-referrals no rebind-as-user true map objectclass groupOfNames * map objectclass person * suffixmassage "dc=second,dc=newco,dc=com" "dc=domain2,dc=net" subtree-include "ou=Users,ou=1st-location,ou=organizationalUnit,dc=second,dc=newco,dc=com" subtree-include "ou=My-ou,ou=1st-location,ou=organizationalUnit,dc=second,dc=newco,dc=com" subtree-include "ou=Remote Sites,ou=organizationalUnit,dc=second,dc=newco,dc=com" # map visible attributes to matching attributes on backend map attribute distinguishedName * map attribute givenName * map attribute description * map attribute sn * map attribute cn * map attribute mail * map attribute samAccountName * map attribute userAccountControl * map attribute employeeID pager map attribute userPrincipalName * # map everything else to null map attribute * # ---------------------- database hdb # ---------------------- suffix dc=domain-groups,dc=com" rootdn "cn=groupsRoot,dc=domain-groups,dc=com" rootpw secret4 overlay dynlist dynlist-attrset groupOfURLs memberURL member directory /usr/local/var/openldap-data ============================================= Did anyone successfully use subtrees with cn=config? Thanks, Francesco Policastro

1 0

Openldap Chaining
by jeevan kc 20 Feb '13

20 Feb '13

Hello guys here is my proceudre that I wrote for OpenLDAP chaining. My question is since I have a master and two slaves on the replication, where do these overlay go? On the slaves only or both master and slaves. Please respond. Thanks · Create /usr/local/etc/openldap/slapd.d/cn=config/olcDatabase={-1}frontend · Create /usr/local/etc/openldap/slapd.d/cn=config/olcDatabase={-1}frontend/olcOverlay={0}chain · Add olcOverlay={0}chain.ldif to /usr/local/etc/openldap/slapd.d/cn=config/olcDatabase={-1}frontend dn: olcOverlay={0}chain objectClass: olcOverlayConfig objectClass: olcChainConfig olcOverlay: {0}chain olcChainCacheURI: FALSE olcChainMaxReferralDepth: 1 olcChainReturnError: TRUE structuralObjectClass: olcChainConfig · Add olcDatabase={0}ldap.ldif to /usr/local/etc/openldap/slapd.d/cn=config/olcDatabase={-1}frontend/olcOverlay={0}chain dn: olcDatabase={0}ldap objectClass: olcLDAPConfig objectClass: olcChainDatabase olcDatabase: {0}ldap olcDbStartTLS: none starttls=no olcDbRebindAsUser: FALSE olcDbChaseReferrals: TRUE olcDbTFSupport: no olcDbProxyWhoAmI: FALSE olcDbProtocolVersion: 3 olcDbSingleConn: FALSE olcDbCancel: abandon olcDbUseTemporaryConn: FALSE olcDbConnectionPoolMax: 16 olcDbSessionTrackingRequest: FALSE olcDbNoRefs: FALSE olcDbNoUndefFilter: FALSE structuralObjectClass: olcLDAPConfig · Add olcDatabase={1}ldap.ldif to /usr/local/etc/openldap/slapd.d/cn=config/olcDatabase={-1}frontend/olcOverlay={0}chain dn: olcDatabase={1}ldap objectClass: olcLDAPConfig objectClass: olcChainDatabase olcDatabase: {1}ldap olcDbURI: "ldap://master.dc.us" olcDbStartTLS: none starttls=no olcDbIDAssertBind: mode=self flags=prescriptive,proxy-authz-non-critical bindm ethod=simple timeout=0 network-timeout=0 binddn="cn=manager,o=dc,c=us” credentials="l4s3rj3t" keepalive=0:0:0 olcDbRebindAsUser: FALSE olcDbChaseReferrals: TRUE olcDbTFSupport: no olcDbProxyWhoAmI: FALSE olcDbProtocolVersion: 3 olcDbSingleConn: FALSE olcDbCancel: abandon olcDbUseTemporaryConn: FALSE olcDbConnectionPoolMax: 16 olcDbSessionTrackingRequest: FALSE olcDbNoRefs: FALSE olcDbNoUndefFilter: FALSE structuralObjectClass: olcLDAPConfig · Restart slapd

2 3

Listing linux users
by Thiago Parolin 20 Feb '13

20 Feb '13

Hi all. My scenario is: openldap/samba pdc server for authenticating Windows and Linux. I need to know when a user, from Linux clients, logs in and out from the system. If some problem occurs, i need to know who was logged, in particular computer, in that time. With windows computers, the "last" bash command (in server) gave me the information needed, but with linux clients i don't know what i have to do. They are not listed with "last" command. I don't want to redirect all auth logs from clients to my server. It probably will overload my server. There are some way to do this?

2 1

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical February 2013