openldap-technical April 2013

openldap-technical@openldap.org

69 participants
74 discussions

Re: What can I use for pwdCheckModule?
by D C 10 Apr '13

10 Apr '13

Here are my results.. Any thoughts as to why this is not working? As for my ldap version, I'm using the version provided in CentOS 6. I would prefer to use these prepacked builds whenever possible. If there is an issue where this will not work on that version, then I'll go ahead and upgrade. TESTS: RESULT: pwdSafeModify: FALSE PASS: Message: LDAP password information update failed: Insufficient access. Must supply old password to be changed as well as new one pwdAllowUserChange: FALSE PASS: Message: LDAP password information update failed: Insufficient access. User alteration of password is not allowed pwdMaxAge: 300 FAIL: Login still allowed after 300 seconds. pwdExpireWarning: 10 FAIL: No warning message pwdInHistory: 3 FAIL: I can still flip between 2 passwords pwdMinLength: 12 FAIL: I can still set a 6 char password pwdMustChange: FAIL: I am not forced to change passwd. pwdMaxFailure: 2 FAIL: Still allowed in after 6 failures Other Info: pwdLockout: TRUE pwdLockoutDuration: 600 Thanks, Dan On Wed, Apr 10, 2013 at 10:41 AM, Quanah Gibson-Mount <quanah(a)zimbra.com>wrote: > --On Wednesday, April 10, 2013 9:30 AM -0400 D C <dc12078(a)gmail.com> > wrote: > > >> Server is openldap 2.4.23 >> > > > Seriously? You're using a version of OpenLDAP that is nearly 3 years old? > Why would you do that to yourself? > > --Quanah > > -- > > Quanah Gibson-Mount > Sr. Member of Technical Staff > Zimbra, Inc > A Division of VMware, Inc. > -------------------- > Zimbra :: the leader in open source messaging and collaboration >

3 5

What can I use for pwdCheckModule?
by D C 10 Apr '13

10 Apr '13

After nearly two weeks of going nuts trying to setup a password policy, I finally found part of the documentation that I was missing. Apparently "ppolicy" does not actualy enforce the policy you create. If I'm understanding the documentation correctly, it really only provides more of a transport to something else which can do it. In particular the attribute pwdCheckModule, needs to point to a module which can enforce the policy. However no module seems to be provided. What modules are other people using? I stumbled around and found password_check.so, which I am trying to setup now with partial success. http://ltb-project.org/wiki/documentation/openldap-ppolicy-check-password Anyone else have something better? One thing I need to do which I don't think this will help with, is storing the last x passwords. Thanks, Dan

3 5

issue with the ftp server
by Claude Brisson 10 Apr '13

10 Apr '13

Hi, while trying to submit a (small) patch on ftp.openldap.org, I got "No space left on device". I guess there is some cleanup to do somewhere... Claude

1 0

rfc2307bis.schema woes (OpenIndiana 151a7 client)
by Tobias Verbeke 10 Apr '13

10 Apr '13

Dear list, I am trying to add an OpenIndiana 151a7 machine as an LDAP client of an Ubuntu 12.04.1 server with slapd version as shipped with it: # slapd -V @(#) $OpenLDAP: slapd (Oct 17 2012 19:48:41) $ buildd@komainu:/build/buildd/openldap-2.4.28/debian/build/servers/slapd On the OI client I get # ldapclient init machine.openanalytics.eu Can not find the nisDomainObject for domain Google found out for me that the OpenIndiana LDAP client assumes the rfc2307bis.schema to be used instead of the nis.schema that is used by default and grep confirms the nisDomainObject can be found there: # grep -nr nisDomain* /etc/ldap/schema. ./rfc2307bis.schema:158:attributetype ( 1.3.6.1.1.1.1.30 NAME 'nisDomain' ./rfc2307bis.schema:269:objectclass ( 1.3.6.1.1.1.2.15 NAME 'nisDomainObject' SUP top AUXILIARY ./rfc2307bis.schema:271: MUST nisDomain ) To make it a little bit simpler for the newbie I am, I made sure static configuration is used (by removing /etc/ldap/slapd.d) The relevant part of the slapd.conf now reads # Schema and objectClass definitions include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/rfc2307bis.schema include /etc/ldap/schema/ldapns.schema include /etc/ldap/schema/inetorgperson.schema When running slaptest, I get # slaptest 51655577 /etc/ldap/schema/rfc2307bis.schema: line 5 attributetype: Duplicate attributeType: "1.3.6.1.1.1.1.0" slaptest: bad configuration file! However, when grepping on "1.3.6.1.1.1.1.0", I only get the rfc2307bis.schema file: # grep -rn 1.3.6.1.1.1.1.0 /etc/ldap/schema /etc/ldap/schema/rfc2307bis.schema:1:attributetype ( 1.3.6.1.1.1.1.0 NAME 'uidNumber' Where else can this attributeType live? Can I provide more information? I am a bit puzzled, so many thanks in advance for any pointer! Best, Tobias

1 0

Re: How to improve performance with MDB backend?
by Saša-Stjepan Bakša 09 Apr '13

09 Apr '13

I am sorry replaying directly. I didn't check who was in TO field. OK I will try Re24. Tnx again. Sasa On Tue, Apr 9, 2013 at 4:15 PM, Quanah Gibson-Mount <quanah(a)zimbra.com>wrote: > --On Tuesday, April 09, 2013 2:07 PM +0200 Saša-Stjepan Bakša < > ssbaksa(a)gmail.com> wrote: > > >> >> Tnx. I will add what you suggest and try to run modify test with that. I >> didn't done that already because my mdb database is overflowed. I have >> set it to 100GB but it wasn't enough. I am not sure why. Are there logs >> inside? I have 1 mil users but they didn't use all data storage. Hmmm, >> maybe indexes, I have 8 of them. I know how to look for hdb/bdb problems >> but mdb is a puzzle for me (for now). >> > > Please keep replies to the list. I would suggest you try current OpenLDAP > RE24, there was a growth issue fixed since the 2.4.35 release (ITS#7565). > > > --Quanah > > > > -- > > Quanah Gibson-Mount > Sr. Member of Technical Staff > Zimbra, Inc > A Division of VMware, Inc. > -------------------- > Zimbra :: the leader in open source messaging and collaboration >

1 0

openLDAP storing passwords in plain text
by Derryl Varghese 09 Apr '13

09 Apr '13

I am setting up openLDAP for one of my Java applications. Usernames and passwords are stored in openLDAP and users are able to update their passwords via the application (using the javax.naming.directory API'). I imported our users from our existing Sun Directory Server into openLDAP. Import was successfull and passwords were encrypted in SSHA format. I noticed that when i update a password from the application, it stores it in 'Plain Text' format. I can unhide the password when i view it via Apache Directory Studio. A lot of googling later, i tried setting the "password-hash {SSHA}" in the slapd.conf file and that didn't help me either. I am on a windows environment. I am passing the password to openLDAP in plain text format. There is no encryption going on in the code. I know i can encrypt it in the application but i would prefer openLDAP to do it for me. Please let me know if i can do anything on the openLDAP side. This is the JAVA code i use today to modify passwords. This has been working fine in our existing environment for the past 7 years. ModificationItem[] newAttribs = new ModificationItem[1]; Attribute passwordAttrib = new BasicAttribute(DirectoryConstants.USER_PASSWORD, password); ModificationItem passwordItem = new ModificationItem(DirContext.REPLACE_ATTRIBUTE, passwordAttrib); newAttribs[0] = passwordItem; ..... DirContext ctx = this.getContext(); ctx.modifyAttributes( DirectoryConstants.USER_UID + "=" + userId + "," + ou, newAttribs);

4 4

Trouble getting ppolicy overlay to work
by D C 09 Apr '13

09 Apr '13

I'm really banging my head trying to get the ppolicy overlay to work properly. My only indication that I am partially on the right track is that if I set pwdSafeModify=TRUE in my default policy, then I get the following error from pam_ldap when changing my password. If I set it back to false, then I can change my password. LDAP password information update failed: Insufficient access Must supply old password to be changed as well as new one passwd: Authentication token manipulation error However, everything else in the policy is being ignored. any help would be greatly appreciated. Thanks! * I am assuming that the password policy is going to be enforced by ldap, so testing with pam_ldap is not necessary at this point. I should be able to use any client such as apache directory studio to test password policy. Version Info: CentOS 6.4 CentOS packaged openldap-servers-2.4.23 slapd.conf: # ( I am aware that I have * write. this is just for desperate testing on a test box ) include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/sudo.schema include /etc/openldap/schema/pwm.schema include /etc/openldap/schema/ppolicy.schema moduleload ppolicy.la moduleload syncprov.la # Allow LDAPv2 client connections. This is NOT the default. allow bind_v2 pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args ####################################################################### # ACL ####################################################################### access to attrs=userPassword,pwmResponseSet,pwmToken by dn="uid=root,ou=People,dc=example,dc=net" write by dn="cn=svc_pam,ou=SVC_Accounts,dc=example,dc=net" write by dn="cn=svc_pwm,ou=SVC_Accounts,dc=example,dc=net" write by dn="cn=replica,dc=example,dc=net" read by anonymous auth by self write by * none access to * by self write by * write ####################################################################### # ldbm and/or bdb database definitions ####################################################################### database bdb suffix "dc=example,dc=net" rootdn "cn=admin,dc=example,dc=net" rootpw {SMD5}********* overlay ppolicy ppolicy_default "cn=default,ou=policies,dc=example,dc=net" ppolicy_use_lockout overlay syncprov syncprov-checkpoint 100 10 directory /var/lib/ldap loglevel 65535 # Indices to maintain for this database index objectClass eq,pres index ou,cn,mail,surname,givenname eq,pres,sub index uidNumber,gidNumber,loginShell eq,pres index uid,memberUid eq,pres,sub index nisMapName,nisMapEntry eq,pres,sub index contextCSN eq index sudoUser eq index entryCSN eq index entryUUID eq # default, policies, example.net dn: cn=default,ou=policies,dc=example,dc=net objectClass: top objectClass: person objectClass: pwdPolicy cn: default sn: default policy pwdAttribute: userPassword pwdMaxAge: 7776002 pwdExpireWarning: 432000 pwdInHistory: 3 pwdLockout: TRUE pwdGraceAuthNLimit: 0 pwdMustChange: TRUE pwdAllowUserChange: TRUE pwdLockoutDuration: 45 pwdMaxFailure: 2 pwdFailureCountInterval: 1 pwdMinLength: 12 pwdCheckQuality: 1 pwdSafeModify: TRUE

1 0

Re: How to improve performance with MDB backend?
by Quanah Gibson-Mount 09 Apr '13

09 Apr '13

--On Tuesday, April 09, 2013 2:07 PM +0200 Saša-Stjepan Bakša <ssbaksa(a)gmail.com> wrote: > > > Tnx. I will add what you suggest and try to run modify test with that. I > didn't done that already because my mdb database is overflowed. I have > set it to 100GB but it wasn't enough. I am not sure why. Are there logs > inside? I have 1 mil users but they didn't use all data storage. Hmmm, > maybe indexes, I have 8 of them. I know how to look for hdb/bdb problems > but mdb is a puzzle for me (for now). Please keep replies to the list. I would suggest you try current OpenLDAP RE24, there was a growth issue fixed since the 2.4.35 release (ITS#7565). --Quanah -- Quanah Gibson-Mount Sr. Member of Technical Staff Zimbra, Inc A Division of VMware, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration

1 0

Remote access to the directory schema
by Rick van Rein (OpenFortress) 08 Apr '13

08 Apr '13

Hello, Do I understand correctly, is the schema of a directory always accessible to its remote users? Because when I request | ldapsearch -x -h ldap.example.com -b dc=example,dc=com subschemaSubentry I get entries like | dn: dc=example,dc=com | subschemaSubentry: cn=Subschema | | dn: cn=someone,dc=example,dc=com | subschemaSubentry: cn=Subschema but when I then try things like | ldapsearch -x -h ldap.example.com -b dc=example,dc=com -E subentries=true cn=Subschema I get no results. How should this work? Do schema entries have to be explicitly enabled in the ACL as though they were normal entries, or is the schema always visible? Thanks, -Rick

3 4

~Bob Fitch~
by Bob Fitch 08 Apr '13

08 Apr '13

http://www.rouviere-bat.com/htteopa/5875137920578718644.8901773532214087666… Bob Fitch

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical April 2013