Re: What can I use for pwdCheckModule?
by D C
Here are my results. Any thoughts as to why this is not working?
As for my ldap version, I'm using the version provided in CentOS 6. I
would prefer to use these prepacked builds whenever possible. If there is
an issue where this will not work on that version, then I'll go ahead and
upgrade.
TESTS:                      RESULT:
pwdSafeModify: FALSE        PASS: Message: LDAP password information update failed: Insufficient access. Must supply old password to be changed as well as new one
pwdAllowUserChange: FALSE   PASS: Message: LDAP password information update failed: Insufficient access. User alteration of password is not allowed
pwdMaxAge: 300              FAIL: Login still allowed after 300 seconds.
pwdExpireWarning: 10        FAIL: No warning message
pwdInHistory: 3             FAIL: I can still flip between 2 passwords
pwdMinLength: 12            FAIL: I can still set a 6 char password
pwdMustChange:              FAIL: I am not forced to change passwd.
pwdMaxFailure: 2            FAIL: Still allowed in after 6 failures
Other Info:
pwdLockout: TRUE
pwdLockoutDuration: 600
Thanks,
Dan
On Wed, Apr 10, 2013 at 10:41 AM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote:
> --On Wednesday, April 10, 2013 9:30 AM -0400 D C <dc12078(a)gmail.com>
> wrote:
>
>
>> Server is openldap 2.4.23
>>
>
>
> Seriously? You're using a version of OpenLDAP that is nearly 3 years old?
> Why would you do that to yourself?
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Sr. Member of Technical Staff
> Zimbra, Inc
> A Division of VMware, Inc.
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
>
What can I use for pwdCheckModule?
by D C
After nearly two weeks of going nuts trying to set up a password policy, I
finally found part of the documentation that I was missing. Apparently
"ppolicy" does not actually enforce the policy you create. If I'm
understanding the documentation correctly, it really only provides more of
a transport to something else which can do it.
In particular the attribute pwdCheckModule, needs to point to a module
which can enforce the policy. However no module seems to be provided.
What modules are other people using? I stumbled around and found
password_check.so, which I am trying to set up now with partial success.
http://ltb-project.org/wiki/documentation/openldap-ppolicy-check-password
Anyone else have something better? One thing I need to do which I don't
think this will help with, is storing the last x passwords.
Thanks,
Dan
rfc2307bis.schema woes (OpenIndiana 151a7 client)
by Tobias Verbeke
Dear list,
I am trying to add an OpenIndiana 151a7 machine as an LDAP client
of an Ubuntu 12.04.1 server with slapd version as shipped with it:
# slapd -V
@(#) $OpenLDAP: slapd (Oct 17 2012 19:48:41) $
buildd@komainu:/build/buildd/openldap-2.4.28/debian/build/servers/slapd
On the OI client I get
# ldapclient init machine.openanalytics.eu
Can not find the nisDomainObject for domain
Google found out for me that the OpenIndiana LDAP client assumes
the rfc2307bis.schema to be used instead of the nis.schema that
is used by default and grep confirms the nisDomainObject can
be found there:
# grep -nr nisDomain* /etc/ldap/schema.
./rfc2307bis.schema:158:attributetype ( 1.3.6.1.1.1.1.30 NAME 'nisDomain'
./rfc2307bis.schema:269:objectclass ( 1.3.6.1.1.1.2.15 NAME 'nisDomainObject' SUP top AUXILIARY
./rfc2307bis.schema:271: MUST nisDomain )
To make it a little bit simpler for the newbie I am, I made sure static configuration
is used (by removing /etc/ldap/slapd.d)
The relevant part of the slapd.conf now reads
# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/rfc2307bis.schema
include /etc/ldap/schema/ldapns.schema
include /etc/ldap/schema/inetorgperson.schema
When running slaptest, I get
# slaptest
51655577 /etc/ldap/schema/rfc2307bis.schema: line 5 attributetype: Duplicate attributeType: "1.3.6.1.1.1.1.0"
slaptest: bad configuration file!
However, when grepping on "1.3.6.1.1.1.1.0", I only get the rfc2307bis.schema file:
# grep -rn 1.3.6.1.1.1.1.0 /etc/ldap/schema
/etc/ldap/schema/rfc2307bis.schema:1:attributetype ( 1.3.6.1.1.1.1.0 NAME 'uidNumber'
Where else can this attributeType live? Can I provide more information?
I am a bit puzzled, so many thanks in advance for any pointer!
Best,
Tobias
Re: How to improve performance with MDB backend?
by Saša-Stjepan Bakša
I am sorry for replying directly. I didn't check who was in the TO field.
OK, I will try RE24. Tnx again.
Sasa
On Tue, Apr 9, 2013 at 4:15 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote:
> --On Tuesday, April 09, 2013 2:07 PM +0200 Saša-Stjepan Bakša <
> ssbaksa(a)gmail.com> wrote:
>
>
>>
>> Tnx. I will add what you suggest and try to run modify test with that. I
>> didn't do that already because my mdb database is overflowed. I have
>> set it to 100GB but it wasn't enough. I am not sure why. Are there logs
>> inside? I have 1 mil users but they didn't use all data storage. Hmmm,
>> maybe indexes, I have 8 of them. I know how to look for hdb/bdb problems
>> but mdb is a puzzle for me (for now).
>>
>
> Please keep replies to the list. I would suggest you try current OpenLDAP
> RE24, there was a growth issue fixed since the 2.4.35 release (ITS#7565).
>
>
> --Quanah
>
>
>
> --
>
> Quanah Gibson-Mount
> Sr. Member of Technical Staff
> Zimbra, Inc
> A Division of VMware, Inc.
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
>
openLDAP storing passwords in plain text
by Derryl Varghese
I am setting up openLDAP for one of my Java applications. Usernames and
passwords are stored in openLDAP and users are able to update their
passwords via the application (using the javax.naming.directory API). I
imported our users from our existing Sun Directory Server into openLDAP.
Import was successful and passwords were encrypted in SSHA format. I
noticed that when I update a password from the application, it stores it in
'Plain Text' format. I can unhide the password when I view it via Apache
Directory Studio. A lot of googling later, I tried setting the
"password-hash {SSHA}" in the slapd.conf file and that didn't help me
either. I am on a Windows environment. I am passing the password to
openLDAP in plain text format. There is no encryption going on in the code.
I know I can encrypt it in the application but I would prefer openLDAP to
do it for me. Please let me know if I can do anything on the openLDAP side.
This is the Java code I use today to modify passwords. This has been
working fine in our existing environment for the past 7 years.
ModificationItem[] newAttribs = new ModificationItem[1];
Attribute passwordAttrib = new BasicAttribute(DirectoryConstants.USER_PASSWORD, password);
ModificationItem passwordItem = new ModificationItem(DirContext.REPLACE_ATTRIBUTE, passwordAttrib);
newAttribs[0] = passwordItem;
.....
DirContext ctx = this.getContext();
ctx.modifyAttributes(DirectoryConstants.USER_UID + "=" + userId + "," + ou, newAttribs);
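The behaviour described in this post follows from how slapd handles the two ways of setting a password: the password-hash directive in slapd.conf(5) is applied only when the password arrives through the LDAP Password Modify extended operation (RFC 3062, the operation ldappasswd uses), while an ordinary modify that replaces userPassword, as the JNDI code above does, stores exactly the bytes the client sent. So the server-side options are to send the extended operation instead of a replace, or to hash in the application. Either way, a directory that has been written to this way for a while needs an audit. The script below is an added example, not code from the original post: it scans an LDIF export for userPassword values without a {scheme} prefix and verifies an {SSHA} value the way slapd does (base64 of SHA-1(password + salt) followed by the salt). The sample LDIF, DNs and passwords are constructed.

```python
"""Audit userPassword values in an LDIF export and verify {SSHA} hashes
(added example, not part of the original post).  The sample LDIF is constructed."""
import base64
import hashlib
import os
import re


def make_ssha(password, salt=None):
    """{SSHA} as slappasswd -h {SSHA} writes it: base64(SHA-1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(stored, candidate):
    """Recompute the digest with the salt recovered from the stored value."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes, the rest is salt
    return hashlib.sha1(candidate.encode("utf-8") + salt).digest() == digest


SCHEME_RE = re.compile(r"^\{[A-Za-z0-9-]+\}")


def password_scheme(value):
    """'{SSHA}', '{CRYPT}', ... or None when the value has no scheme prefix, i.e.
    slapd stored the bytes the client sent (what a plain replace of userPassword
    does, whatever password-hash says)."""
    m = SCHEME_RE.match(value)
    return m.group(0).upper() if m else None


def audit_ldif(ldif_text):
    """Map each DN carrying userPassword to its scheme (None = cleartext).
    ldapsearch and slapcat usually emit the attribute base64-encoded
    ('userPassword:: ...'), so both LDIF forms are handled."""
    result, dn = {}, None
    for line in ldif_text.splitlines():
        if line.startswith("dn: "):
            dn = line[4:].strip()
        elif line.startswith("userPassword:: "):
            value = base64.b64decode(line[len("userPassword:: "):]).decode("utf-8", "replace")
            result[dn] = password_scheme(value)
        elif line.startswith("userPassword: "):
            result[dn] = password_scheme(line[len("userPassword: "):].strip())
    return result


def cleartext_entries(ldif_text):
    """DNs whose password is stored without any scheme: the entries to fix."""
    return sorted(dn for dn, scheme in audit_ldif(ldif_text).items() if scheme is None)


# Constructed export: one entry imported with an SSHA hash, one whose password
# was later replaced by an application sending the cleartext value.
SAMPLE_LDIF = (
    "dn: uid=alice,ou=People,dc=example,dc=net\n"
    "userPassword:: "
    + base64.b64encode(make_ssha("imported-secret", b"\x01\x02\x03\x04").encode("ascii")).decode("ascii")
    + "\n\n"
    "dn: uid=bob,ou=People,dc=example,dc=net\n"
    "userPassword:: " + base64.b64encode(b"changed-from-the-app").decode("ascii") + "\n"
)

if __name__ == "__main__":
    print(audit_ldif(SAMPLE_LDIF))
    print("cleartext:", cleartext_entries(SAMPLE_LDIF))
```

Run it against the output of slapcat (or an ldapsearch as a DN allowed to read userPassword); every DN reported by cleartext_entries needs a new password set through the extended operation or a pre-hashed value, since the stored bytes cannot be hashed after the fact by the directory itself.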
Trouble getting ppolicy overlay to work
by D C
I'm really banging my head trying to get the ppolicy overlay to work
properly.
My only indication that I am partially on the right track is that if I set
pwdSafeModify=TRUE in my default policy, then I get the following error
from pam_ldap when changing my password. If I set it back to false, then I
can change my password.
LDAP password information update failed: Insufficient access
Must supply old password to be changed as well as new one
passwd: Authentication token manipulation error
However, everything else in the policy is being ignored. Any help would
be greatly appreciated.
Thanks!
* I am assuming that the password policy is going to be enforced by ldap,
so testing with pam_ldap is not necessary at this point. I should be able
to use any client such as apache directory studio to test password policy.
Version Info:
CentOS 6.4
CentOS packaged openldap-servers-2.4.23
slapd.conf: # ( I am aware that I have * write. this is just for
desperate testing on a test box )
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/sudo.schema
include /etc/openldap/schema/pwm.schema
include /etc/openldap/schema/ppolicy.schema
moduleload ppolicy.la
moduleload syncprov.la
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
#######################################################################
# ACL
#######################################################################
access to attrs=userPassword,pwmResponseSet,pwmToken
    by dn="uid=root,ou=People,dc=example,dc=net" write
    by dn="cn=svc_pam,ou=SVC_Accounts,dc=example,dc=net" write
    by dn="cn=svc_pwm,ou=SVC_Accounts,dc=example,dc=net" write
    by dn="cn=replica,dc=example,dc=net" read
    by anonymous auth
    by self write
    by * none
access to *
    by self write
    by * write
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
database bdb
suffix "dc=example,dc=net"
rootdn "cn=admin,dc=example,dc=net"
rootpw {SMD5}*********
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=example,dc=net"
ppolicy_use_lockout
overlay syncprov
syncprov-checkpoint 100 10
directory /var/lib/ldap
loglevel 65535
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index contextCSN eq
index sudoUser eq
index entryCSN eq
index entryUUID eq
# default, policies, example.net
dn: cn=default,ou=policies,dc=example,dc=net
objectClass: top
objectClass: person
objectClass: pwdPolicy
cn: default
sn: default policy
pwdAttribute: userPassword
pwdMaxAge: 7776002
pwdExpireWarning: 432000
pwdInHistory: 3
pwdLockout: TRUE
pwdGraceAuthNLimit: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdLockoutDuration: 45
pwdMaxFailure: 2
pwdFailureCountInterval: 1
pwdMinLength: 12
pwdCheckQuality: 1
pwdSafeModify: TRUE
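Most of the attributes in this policy (and in the FAIL rows of the test results earlier in the thread, and the pwdInHistory question in "What can I use for pwdCheckModule?") are not enforced by a check module at all; they are evaluated by the ppolicy overlay itself from operational attributes it writes on the user entry: pwdChangedTime, pwdFailureTime, pwdAccountLockedTime, pwdReset and pwdHistory. The script below is an added example, not OpenLDAP code: it reproduces that evaluation offline so each attribute can be seen doing its job. POLICY copies the cn=default entry above; the test user, its timestamps, the clock and all function names are constructed for the example. Two details that matter when testing are built in: expiry and the warning are measured from pwdChangedTime, which only exists once a password has been changed through slapd with the overlay loaded (the warning also only reaches clients that request the ppolicy control, e.g. ldapwhoami -e ppolicy), and failures older than pwdFailureCountInterval seconds are purged before they are counted, so a value of 1 lets slow repeated failures go unnoticed.

```python
"""Offline evaluation of a slapo-ppolicy password policy (added example, not
OpenLDAP code).  POLICY mirrors the cn=default entry in the post; the user
attributes, the clock and the helper names are constructed for the example."""
from datetime import datetime, timedelta, timezone


def parse_gtime(value):
    """Generalized time as slapd writes pwdChangedTime, pwdFailureTime, ..."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


POLICY = {
    "pwdMaxAge": 7776002, "pwdExpireWarning": 432000, "pwdInHistory": 3,
    "pwdLockout": True, "pwdMustChange": True, "pwdLockoutDuration": 45,
    "pwdMaxFailure": 2, "pwdFailureCountInterval": 1, "pwdMinLength": 12,
    "pwdCheckQuality": 1,
}
PERMANENT_LOCK = "000001010000Z"   # pwdAccountLockedTime meaning "locked until an admin unlocks"
HISTORY_SYNTAX = "1.3.6.1.4.1.1466.115.121.1.40"   # octet string syntax OID used in pwdHistory


def age_state(policy, entry, now):
    """Expiry and warning are measured from pwdChangedTime; an entry without it
    (e.g. imported from LDIF) has nothing to age against and never expires."""
    changed = entry.get("pwdChangedTime")
    if changed is None or policy["pwdMaxAge"] <= 0:
        return {"ages": False, "expired": False, "warning": None}
    expires_at = parse_gtime(changed) + timedelta(seconds=policy["pwdMaxAge"])
    remaining = int((expires_at - now).total_seconds())
    if remaining <= 0:
        return {"ages": True, "expired": True, "warning": None}
    warn = policy["pwdExpireWarning"] > 0 and remaining <= policy["pwdExpireWarning"]
    return {"ages": True, "expired": False, "warning": remaining if warn else None}


def lockout_state(policy, entry, now):
    """Failures older than pwdFailureCountInterval seconds are purged before
    being counted against pwdMaxFailure (interval 0: kept until a good bind)."""
    if not policy["pwdLockout"]:
        return {"locked": False, "recent_failures": 0}
    locked_at = entry.get("pwdAccountLockedTime")
    if locked_at == PERMANENT_LOCK:
        return {"locked": True, "recent_failures": None}
    if locked_at is not None:
        unlock_at = parse_gtime(locked_at) + timedelta(seconds=policy["pwdLockoutDuration"])
        if policy["pwdLockoutDuration"] == 0 or now < unlock_at:
            return {"locked": True, "recent_failures": None}
    interval = policy["pwdFailureCountInterval"]
    failures = [parse_gtime(t) for t in entry.get("pwdFailureTime", [])]
    if interval > 0:
        failures = [t for t in failures if (now - t).total_seconds() < interval]
    return {"locked": len(failures) >= policy["pwdMaxFailure"], "recent_failures": len(failures)}


def must_change(policy, entry):
    """pwdMustChange only bites after an administrative reset, which ppolicy
    records as pwdReset: TRUE; a user changing their own password is not flagged."""
    return bool(policy["pwdMustChange"]) and entry.get("pwdReset", "FALSE").upper() == "TRUE"


def quality_violations(policy, new_password):
    """The check ppolicy applies itself when pwdCheckQuality is 1 or 2 (length);
    character classes, dictionaries etc. are what a pwdCheckModule is for."""
    if policy["pwdCheckQuality"] == 0 or len(new_password) >= policy["pwdMinLength"]:
        return []
    return ["shorter than pwdMinLength %d" % policy["pwdMinLength"]]


def history_after_change(policy, history, old_userpassword, changed_at):
    """pwdInHistory: the old userPassword is appended to pwdHistory as
    'time#syntaxOID#length#value' and the oldest values are dropped so at most
    pwdInHistory remain (values start with the timestamp, so lexical order is
    chronological).  This is the attribute that stores the last x passwords."""
    if policy["pwdInHistory"] <= 0:
        return []
    new = "%s#%s#%d#%s" % (changed_at, HISTORY_SYNTAX, len(old_userpassword), old_userpassword)
    return sorted(history + [new])[-policy["pwdInHistory"]:]


# Constructed test user: password changed 10 minutes before NOW, three slow
# failed binds, a password reset by an administrator, three old hashes.
NOW = parse_gtime("20130410120000Z")
USER = {
    "pwdChangedTime": "20130410115000Z",
    "pwdFailureTime": ["20130410115930Z", "20130410115940Z", "20130410115950Z"],
    "pwdReset": "TRUE",
    "pwdHistory": ["201301%s#%s#24#{SSHA}constructed-hash-%d" % ("01120000Z", HISTORY_SYNTAX, 1),
                   "201302%s#%s#24#{SSHA}constructed-hash-%d" % ("01120000Z", HISTORY_SYNTAX, 2),
                   "201303%s#%s#24#{SSHA}constructed-hash-%d" % ("01120000Z", HISTORY_SYNTAX, 3)],
}

if __name__ == "__main__":
    print("age:", age_state(POLICY, USER, NOW), age_state(dict(POLICY, pwdMaxAge=300), USER, NOW))
    print("lockout:", lockout_state(POLICY, USER, NOW),
          lockout_state(dict(POLICY, pwdFailureCountInterval=0), USER, NOW))
    print("must change:", must_change(POLICY, USER), "quality:", quality_violations(POLICY, "abc123"))
    print("history:", history_after_change(POLICY, USER["pwdHistory"], "{SSHA}constructed-hash-4", "20130410120000Z"))
```

Feeding it real values (ldapsearch as an identity allowed to read the operational attributes, with "+" in the attribute list) shows what slapd should be deciding for a given user; when the live server disagrees, the difference is usually that the test was run as an identity or over a path the policy does not cover, or that the client never asked for the ppolicy control.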
Re: How to improve performance with MDB backend?
by Quanah Gibson-Mount
--On Tuesday, April 09, 2013 2:07 PM +0200 Saša-Stjepan Bakša
<ssbaksa(a)gmail.com> wrote:
>
>
> Tnx. I will add what you suggest and try to run modify test with that. I
> didn't do that already because my mdb database is overflowed. I have
> set it to 100GB but it wasn't enough. I am not sure why. Are there logs
> inside? I have 1 mil users but they didn't use all data storage. Hmmm,
> maybe indexes, I have 8 of them. I know how to look for hdb/bdb problems
> but mdb is a puzzle for me (for now).
Please keep replies to the list. I would suggest you try current OpenLDAP
RE24, there was a growth issue fixed since the 2.4.35 release (ITS#7565).
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
Remote access to the directory schema
by Rick van Rein (OpenFortress)
Hello,
Do I understand correctly, is the schema of a directory always accessible to its remote users?
Because when I request
| ldapsearch -x -h ldap.example.com -b dc=example,dc=com subschemaSubentry
I get entries like
| dn: dc=example,dc=com
| subschemaSubentry: cn=Subschema
|
| dn: cn=someone,dc=example,dc=com
| subschemaSubentry: cn=Subschema
but when I then try things like
| ldapsearch -x -h ldap.example.com -b dc=example,dc=com -E subentries=true cn=Subschema
I get no results. How should this work? Do schema entries have to be explicitly enabled in the ACL as though they were normal entries, or is the schema always visible?
Thanks,
-Rick
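Two posts in this digest come down to reading schema definitions: the slaptest "Duplicate attributeType" error in "rfc2307bis.schema woes", where the second copy of 1.3.6.1.1.1.1.0 has to be somewhere in what slapd actually loads (every included file in order, or a schema already present in cn=config when slapd.d is still used), and this question about reading the schema remotely. On the second point: slapd publishes the schema as the entry cn=Subschema, which sits beside the database suffixes rather than under dc=example,dc=com, so a subtree search under the suffix finds nothing; it is read with a base-scope search on that DN, e.g. ldapsearch -x -h ldap.example.com -b cn=Subschema -s base '(objectClass=subschema)' attributeTypes objectClasses, and that read is still subject to the global ACLs, which by default allow it. The script below is an added example, not OpenLDAP code: it lists the files a slapd.conf includes, reports every OID defined more than once with the file and starting line, and looks names up in a cn=Subschema dump. All schema and LDIF text in it is a constructed excerpt, not the real files, and the function names are the example's own.

```python
"""Schema triage for slapd.conf setups (added example, not OpenLDAP code):
includes of a slapd.conf, duplicate OIDs across included files, and name
lookups in a cn=Subschema dump.  All file contents below are constructed."""
import re
from collections import defaultdict

DEF_RE = re.compile(
    r"^(attributetype|objectclass|attributeTypes:|objectClasses:)\s*\(\s*"
    r"([0-9][0-9.]*)\s+NAME\s+(?:'([^']*)'|\(\s*([^)]*)\))", re.IGNORECASE)


def unfold(text, ldif=False):
    """Join continuation lines onto the definition they belong to, keeping the
    line the definition starts on.  LDIF folds with one leading space and no
    separator (a token may be split mid-way); schema files indent freely and
    the pieces are whole tokens, so a space is inserted."""
    logical = []
    for n, line in enumerate(text.splitlines(), 1):
        if line[:1] in (" ", "\t") and logical:
            start, prev = logical[-1]
            logical[-1] = (start, (prev + line[1:]) if ldif else (prev + " " + line.strip()))
        else:
            logical.append((n, line))
    return logical


def definitions(text, ldif=False):
    """(kind, oid, names, start_line) for every attributetype/objectclass."""
    out = []
    for start, line in unfold(text, ldif):
        m = DEF_RE.match(line)
        if not m:
            continue
        kind = "attributetype" if m.group(1).lower().startswith("attribute") else "objectclass"
        names = [m.group(3)] if m.group(3) else m.group(4).replace("'", "").split()
        out.append((kind, m.group(2), names, start))
    return out


def includes(slapd_conf):
    """Paths from 'include' directives, in the order slapd reads them."""
    return [parts[1].strip() for parts in
            (l.split(None, 1) for l in slapd_conf.splitlines())
            if len(parts) == 2 and parts[0] == "include"]


def duplicate_oids(files):
    """files: {path: text}.  {oid: [(path, line, names), ...]} for every OID
    defined more than once, which is what slaptest rejects as a duplicate."""
    seen = defaultdict(list)
    for path, text in files.items():
        for _, oid, names, line in definitions(text):
            seen[oid].append((path, line, names))
    return {oid: hits for oid, hits in seen.items() if len(hits) > 1}


def lookup_name(subschema_ldif, name):
    """OID of an attribute or objectclass name in a cn=Subschema dump."""
    for _, oid, names, _ in definitions(subschema_ldif, ldif=True):
        if name.lower() in (n.lower() for n in names):
            return oid
    return None


# Constructed slapd.conf fragment that includes the same attribute twice.
SLAPD_CONF = """# constructed
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/rfc2307bis.schema
"""
FILES = {   # constructed excerpts, trimmed to the definitions that matter
    "/etc/ldap/schema/core.schema": "attributetype ( 2.5.4.3 NAME ( 'cn' 'commonName' )\n\tSUP name )\n",
    "/etc/ldap/schema/nis.schema": "attributetype ( 1.3.6.1.1.1.1.0 NAME 'uidNumber'\n"
                                   "\tEQUALITY integerMatch\n\tSYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )\n",
    "/etc/ldap/schema/rfc2307bis.schema": "attributetype ( 1.3.6.1.1.1.1.0 NAME 'uidNumber'\n"
                                          "\tDESC 'constructed'\n\tEQUALITY integerMatch\n"
                                          "\tSYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )\n",
}
SUBSCHEMA = (   # constructed excerpt of a base-scope read of cn=Subschema, LDIF-folded
    "dn: cn=Subschema\n"
    "attributeTypes: ( 1.3.6.1.1.1.1.30 NAME 'nisDomain' DESC 'constructed' EQUALITY\n"
    "  caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )\n"
    "objectClasses: ( 1.3.6.1.1.1.2.15 NAME 'nisDomainObject' SUP top AUXILIARY MUST n\n"
    " isDomain )\n"
)

if __name__ == "__main__":
    print("includes:", includes(SLAPD_CONF))
    for oid, hits in duplicate_oids(FILES).items():
        print("duplicate", oid, "->", ", ".join("%s:%d %s" % h for h in hits))
    print("nisDomainObject =", lookup_name(SUBSCHEMA, "nisDomainObject"))
```

To use it on a real host, read each path returned by includes() into the FILES dict and feed the saved ldapsearch output to lookup_name; the duplicate report names the two files and lines the same way slaptest names the second one.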