openldap-technical October 2015

openldap-technical@openldap.org

50 participants
44 discussions

pwdHistory, encrypted passwords and selfservice application
by Bogdan Rudas 30 Oct '15

30 Oct '15

Hello all, I'm working on Self-service application and want to prevent user from re-using old passwords. What is correct way to chage password takin in mind password history? I guess it is: 1. Bind with special user and check if specified uid exists 2. Bind using user-supplied uid and password 3. Get password policy, history etc. and validate on selfservice-side 4. Execute LDAP modifyRequest with single item: userPassword and value of new hashed password. In my case same password gives same hash. Are there any way to force encrypted password history validation on server side? Thank you. -- Bogdan Rudas Head of Minsk IT Support Department Exadel Inc. http://www.exadel.com/ E-mail: brudas(a)exadel.com <mandrushkevich(a)exadel.com> Skype ID: bogdan.rudas -- CONFIDENTIALITY NOTICE: This email and files attached to it are confidential. If you are not the intended recipient you are hereby notified that using, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited. If you have received this email in error please notify the sender and delete this email.

4 3

Millions of users linked into a single group
by Alessandro Lasmar Mourão 28 Oct '15

28 Oct '15

Hello, I wonder if there is any limitation on the number of users linked to a group groupOfUniqueNames type? We will provide an application on the Internet for more than 10 million users, and all these users belong (uniqueMember) to a single group. Our support reported that it is recommended that the user group should not have more than 16,000 members, this information accurate? Regards, Alessandro Lasmar Mourão

6 6

syncrepl without cleartext password.
by Prakash Padadune 27 Oct '15

27 Oct '15

I want to implement syncrepl without having cleartext password in the slapd.conf. How this can be achieved? ~~~ *Prakash*

3 2

I don't want to use GSSAPI !?
by Olivier 26 Oct '15

26 Oct '15

Hello everyone, authentication over ldap doesn't work on one of my linux box. Trying to query the ldap server from this machine with ldapsearch, I get this : $ ldapsearch -ZZZ -h ldap1.example:389 -D uid=olivier,dc=example,dc=fr -b dc=example,dc=fr -W Enter LDAP Password: SASL/GSSAPI authentication started ldap_sasl_interactive_bind_s: Local error (-2) additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No credentials cache found) Do you know why ldapsearch tries to authenticate using GSSAPI ? I don'use such a mechanism (nor kerberos) and I don't remember that I configured any such a thing. Any idea to desactivate the attempt to use GSSAPI to authenticate ? (note: the ldap client is a linux redhat5) Thanks, --- Olivier

3 8

Exclude ppolicy attributes from accesslog
by Angel L. Mateo 26 Oct '15

26 Oct '15

Hello, I have an openldap server as an authentication backend for my organization. I have a database with my users information. Is this database, I'm using the ppolicy overlay to control my users passwords. I'm also using the acceslog overlay (with its related cn=log database) to keep a log of modifications. With the ppolicy overlay every mistake of a user in an authentication process triggers a modification in the user entry (for the pwdFailureTime attribute) and this modification triggers a new entry the accesslog database. My problem is that this accesslog database is storing a huge amount of this entries and I would like to not store these kind of updates. So my question is if there is any way to exclude some attributes from the accesslog tracking. -- Angel L. Mateo Martínez Sección de Telemática Área de Tecnologías de la Información y las Comunicaciones Aplicadas (ATICA) http://www.um.es/atica Tfo: 868887590 Fax: 868888337

1 0

sets: user and this during bind
by Michael Ströder 25 Oct '15

25 Oct '15

HI! Does "user" or "this" have any meaning during simple bind operation? E.g. when using a back-sock listener the BIND operation contains the bind-DN in 'dn' (let's call it request DN). Is "this" in a set-clause also the bind-DN during the bind operation? Background: I'd like to restrict access to userPassword during processing simple bind operation to peername (IP or path) found in the user's entry (referenced by the bind-DN). Or is there a non-set solution (besides implementing a dynacl module)? Ciao, Michael.

1 0

Q: Requesting parent OU doesn't seem to work right with Meta-Backend OU as child
by Zalewski, Marvyn-Stephano 22 Oct '15

22 Oct '15

Hey guys, I got a huge problem here. I’ve been trying to merge users from a local LDAP (ou=local-users,ou=accounts,dc=domain: which authenticates against a remote active directory (which is not ldap://remote.site) with sasl) with local users who use a local stored password and with users from a remote active directory without storing them locally. Let’s say i have the following structure: Local-LDAP (ldap://localhost): * dc=domain * ou=accounts * ou=local-users (with sasl) * ou=remote-users (Meta-Backend Proxy to ldap://remote.site – ou=accounts,dc=remote-domain) * ou=users (without sasl; password is stored locally) Remote-AD (ldap://remote.site): * dc=remote-domain * ou=accounts * <All Users are stored in this OU> The local LDAP structure works as expected. When i request ou=accounts,dc=domain i get all users located in ou=local-users and ou=users. And now i point out the problem: I only get the object ou=remote-users without the users from ou=accounts,dc=remote-domain so the ou=remote-users seems to be empty. But when i explicit request the full DN of ou=remote-users (ou=remote-user,ou=accounts,dc=domain) i get the full list of all users located in ou=accounts,dc=remote-domain. Here’s my slapd.conf: ####################################################################### # Global Directives: ####################################################################### # Schema and objectClass definitions include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/inetorgperson.schema # Where the pid file is put. The init.d script # will not stop the server if you change this. pidfile /var/run/slapd/slapd.pid # List of arguments that were passed to the server argsfile /var/run/slapd/slapd.args # Read slapd.conf(5) for possible values logfile /etc/ldap/slapd.log loglevel 1 sasl-host localhost sasl-secprops none ####################################################################### # Dynamic Module Directives ####################################################################### # Base Path and individual modules. modulepath /usr/lib/ldap moduleload back_hdb.so moduleload refint.so moduleload memberof.so moduleload back_meta.so moduleload rwm.so # Defining referral integrity module to make sure the group relations are automatically updated. NOTE: Only when a 'delete' or 'edit' command has been issued. overlay refint refint_attributes member uniqueMember seeAlso refint_nothing cn=EMPTY # Defining memberof module which make sure to update the group affiliation for each user. NOTE: Added an own attribute to all users named: 'memberOf' which contains all groups. overlay memberof ####################################################################### # Database Directives: ####################################################################### database meta suffix "ou=remote-users,ou=accounts,dc=domain" readonly off lastmod off uri "ldap://remote.site/ou=remote-users,ou=accounts,dc=domain" suffixmassage "ou=remote-users,ou=accounts,dc=domain“ „ou=accounts,dc=remote-domain" idassert-bind bindmethod=simple binddn=„cn=root,dc=remote-domain" credentials=„root" mode=none flags=non-prescriptive idassert-authzFrom „dn.exact:cn=root,dc=remote-domain" database hdb directory /var/lib/ldap suffix „dc=domain" rootdn "cn=root,dc=domain" rootpw root index objectclass eq index uid eq,sub lastmod off readonly off My Search Results at parent OU: #### ldapsearch -M -a always -D "cn=root,dc=domain" -w root -b "ou=accounts,dc=domain“ dn # extended LDIF # # LDAPv3 # base <ou=accounts,dc=domain> with scope subtree # filter: (objectclass=*) # requesting: dn # with manageDSAit control # # accounts, domain dn: ou=accounts,dc=domain # local-users, accounts, domain dn: ou=local-users,ou=accounts,dc=domain # frank, local-users, accounts, domain dn: cn=frank,ou=local-users,ou=accounts,dc=domain # remote-users, accounts, domain dn: ou=remote-users,ou=accounts,dc=domain # users, accounts, domain dn: ou=users,ou=accounts,dc=domain # peter, users, accounts, domain dn: cn=peter,ou=users,ou=accounts,dc=domain My Search Results at child and proxied OU: #### ldapsearch -M -a always -D "cn=root,dc=domain" -w root -b „ou=remote-accounts,ou=accounts,dc=domain“ dn # extended LDIF # # LDAPv3 # base <ou=remote-users,ou=accounts,dc=domain> with scope subtree # filter: (objectclass=*) # requesting: dn # with manageDSAit control # # remote-users, accounts, domain dn: ou=remote-users,ou=accounts,dc=domain dn: cn=albert,ou=remote-users,ou=accounts,dc=domain I hope you guys can help me out. If you have further question, please leave a mail. Kind regards, Marvyn :)

1 0

Openldap - ldap user can't add entry: Insufficient access (no write access to parent)
by Ervin Hegedüs 22 Oct '15

22 Oct '15

Hello, (I'm not an LDAP guru - sorry for lame question(s)) I'ld like to make an addressbook in LDAP (for mailing clients, in first step for my RoundCube). Server is Debian 7.9, slapd 2.4.31 (OpenLDAP). After the successfully installation, I've created a subtree for the addressbook: dn: ou=rcabook,dc=mydomain,dc=com ou: rcabook objectClass: top objectClass: organizationalUnit dn: ou=public,ou=rcabook,dc=mydomain,dc=com ou: public objectClass: top objectClass: organizationalUnit dn: ou=private,ou=rcabook,dc=mydomain,dc=com ou: private objectClass: top objectClass: organizationalUnit and a regular user for RoundCube: dn: cn=rcuser,ou=rcabook,dc=mydomain,dc=com cn: rcuser objectClass: organizationalRole objectClass: simpleSecurityObject userPassword:: e1f2g3....x3y2z1 But when I want to make a new entry as rcuser, I've got this error: ldapadd -f entry.ldif -D cn=rcuser,ou=rcabook,dc=mydomain,dc=com -W Enter LDAP Password: adding new entry "cn=DOMAIN IT,ou=public,ou=rcabook,dc=mydomain,dc=com" ldap_add: Insufficient access (50) additional info: no write access to parent The ou=public,ou=rcabook subtree has a special access in config: # slapcat -n0 dn: olcDatabase={1}hdb,cn=config objectClass: olcDatabaseConfig objectClass: olcHdbConfig olcDatabase: {1}hdb olcDbDirectory: /var/lib/ldap olcSuffix: dc=mydomain,dc=com olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymou s auth by dn="cn=admin,dc=mydomain,dc=com" write by * none olcAccess: {1}to dn.base="" by * read olcAccess: {2}to * by dn="cn=admin,dc=mydomain,dc=com" write by * read olcAccess: {3}to dn.subtree="ou=public,ou=rcabook,dc=mydomain,dc=com" by users writ e olcLastMod: TRUE ... Which privileges do I need to add, for all user would add the entries to subtree? Thanks, a. -- I � UTF-8

2 1

ldapcompare for booleans ?
by Croesus Kall 21 Oct '15

21 Oct '15

Hi, I am trying to use the ldapcompare command to evaluate a boolean value. Namely I want to check if the olcMirrorMode attribute is set to false. The command and result is: ldapcompare -Y EXTERNAL -H ldapi:/// olcDatabase={0}config,cn=config "olcMirrorMode:FALSE" SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 Compare Result: Inappropriate matching (18) Additional info: inappropriate matching request UNDEFINED Is there a way to tell the ldapcompare command that this is a boolean comparison ? The attribute itself: olcMirrorMode / 1.3.6.1.4.1.4203.1.12.2.3.2.0.16 has a "booleanMatch" matching rule, so I'm guessing this should be possible ?

2 2

configuring ldap-client to use TLS (Certificate not found in database)
by Sridhar Acharya Malkaram 21 Oct '15

21 Oct '15

I am a novice to linux administration. Recently I had to configure a system to authenticate using LDAP with TLS. I have read guides from several websites. But I still could configure it. There seem to be several reasons for the failure. I tried many suggestions, but with no success. I don’t have access to the LDAP server. So I have been just playing with config on the client. The LDAP server is sso.abcdef.edu <http://sso.abcdef.edu/> My ldap.conf content is below BASE dc=abcdef,dc=edu TLS_REQCERT allow TLS_CACERT /etc/openldap/cacerts/sso.abcdef.edu.crt uri ldap://sso.abcdef.edu <ldap://sso.abcdef.edu> TLS_CACERTDIR /etc/openldap/cacerts I could issue a ldapsearch -x which returns several entries. However, when I couldn’t do using TLS. The following command shows some errors. Could you suggest me possible directions to resolve this. The directory /etc/openldap/cacerts/ contains the server certificate sso.abcdef.edu <http://sso.abcdef.edu/>.crt. I also made a copy of it with name sso.abcdef.edu <http://sso.abcdef.edu/>.pem. I am not sure whether this pem file should be that of the server or the client. Another question, should the client also have a ca (or self-signed ) certificate and it whether it should be uploaded onto the LDAP server? Could anyone please describe the basic essential steps in configuring LDAP client with TLS (without necessarily including the commands). (Several guides suggest changing configs at several places (like, pam_ldap.con, auth.conf) etc. But centOS documentation on LDAP describes configuration only for the ldap.conf (which I couldn’t follow completely).) /etc/openldap/cacerts root(a)wserver[0.5]5019 > ldapsearch -ZZZ -h sso.abcdef.edu <http://sso.abcdef.edu/> -d -1 ldap_create ldap_url_parse_ext(ldap://sso.abcdef.edu <ldap://sso.abcdef.edu>) ldap_extended_operation_s ldap_extended_operation ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP sso.abcdef.edu <http://sso.abcdef.edu/>:389 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying 10.71.31.15:389 ldap_pvt_connect: fd: 3 tm: -1 async: 0 attempting to connect: connect success ldap_open_defconn: successful ldap_send_server_request ber_scanf fmt ({it) ber: ber_dump: buf=0x15ea5b0 ptr=0x15ea5b0 end=0x15ea5cf len=31 0000: 30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 0....w...1.3.6.1 0010: 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .4.1.1466.20037 ber_scanf fmt ({) ber: ber_dump: buf=0x15ea5b0 ptr=0x15ea5b5 end=0x15ea5cf len=26 0000: 77 18 80 16 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e w...1.3.6.1.4.1. 0010: 31 34 36 36 2e 32 30 30 33 37 1466.20037 ber_flush2: 31 bytes to sd 3 0000: 30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 0....w...1.3.6.1 0010: 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .4.1.1466.20037 ldap_write: want=31, written=31 0000: 30 1d 02 01 01 77 18 80 16 31 2e 33 2e 36 2e 31 0....w...1.3.6.1 0010: 2e 34 2e 31 2e 31 34 36 36 2e 32 30 30 33 37 .4.1.1466.20037 ldap_result ld 0x15e1090 msgid 1 wait4msg ld 0x15e1090 msgid 1 (infinite timeout) wait4msg continue ld 0x15e1090 msgid 1 all 1 ** ld 0x15e1090 Connections: * host: sso.abcdef.edu <http://sso.abcdef.edu/> port: 389 (default) refcnt: 2 status: Connected last used: Tue Oct 20 20:50:52 2015 ** ld 0x15e1090 Outstanding Requests: * msgid 1, origid 1, status InProgress outstanding referrals 0, parent count 0 ld 0x15e1090 request count 1 (abandoned 0) ** ld 0x15e1090 Response Queue: Empty ld 0x15e1090 response count 0 ldap_chkResponseList ld 0x15e1090 msgid 1 all 1 ldap_chkResponseList returns ld 0x15e1090 NULL ldap_int_select read1msg: ld 0x15e1090 msgid 1 all 1 ber_get_next ldap_read: want=8, got=8 0000: 30 0c 02 01 01 78 07 0a 0....x.. ldap_read: want=6, got=6 0000: 01 00 04 00 04 00 ...... ber_get_next: tag 0x30 len 12 contents: ber_dump: buf=0x15eba20 ptr=0x15eba20 end=0x15eba2c len=12 0000: 02 01 01 78 07 0a 01 00 04 00 04 00 ...x........ read1msg: ld 0x15e1090 msgid 1 message type extended-result ber_scanf fmt ({eAA) ber: ber_dump: buf=0x15eba20 ptr=0x15eba23 end=0x15eba2c len=9 0000: 78 07 0a 01 00 04 00 04 00 x........ read1msg: ld 0x15e1090 0 new referrals read1msg: mark request completed, ld 0x15e1090 msgid 1 request done: ld 0x15e1090 msgid 1 res_errno: 0, res_error: <>, res_matched: <> ldap_free_request (origid 1, msgid 1) ldap_parse_extended_result ber_scanf fmt ({eAA) ber: ber_dump: buf=0x15eba20 ptr=0x15eba23 end=0x15eba2c len=9 0000: 78 07 0a 01 00 04 00 04 00 x........ ldap_parse_result ber_scanf fmt ({iAA) ber: ber_dump: buf=0x15eba20 ptr=0x15eba23 end=0x15eba2c len=9 0000: 78 07 0a 01 00 04 00 04 00 x........ ber_scanf fmt (}) ber: ber_dump: buf=0x15eba20 ptr=0x15eba2c end=0x15eba2c len=0 ldap_msgfree TLS: loaded CA certificate file /etc/openldap/cacerts/sso.abcdef.edu.crt. TLS: error: the certificate '/etc/openldap/cacerts/sso.abcdef.edu.pem' could not be found in the database - error -12285:Unable to find the certificate or key necessary for authentication.. TLS: certificate '/etc/openldap/cacerts/sso.abcdef.edu.pem' successfully loaded from PEM file. TLS: could not add the private key '/etc/openldap/cacerts/sso.abcdef.edu.pem' - error -8018:Unknown PKCS #11 error.. TLS: error: could not initialize moznss security context - error -8018:Unknown PKCS #11 error. TLS: can't create ssl handle. ldap_err2string ldap_start_tls: Connect error (-11) ldap_free_connection 1 1 ldap_send_unbind ber_flush2: 7 bytes to sd 3 0000: 30 05 02 01 02 42 00 0....B. ldap_write: want=7, written=7 0000: 30 05 02 01 02 42 00 0....B. ldap_free_connection: actually freed

2 1

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical October 2015