ldap client login
by Lane
I'm trying to log into an LDAP client. Below I show a login from the LDAP
server to the LDAP client, and another from a normal workstation on the
same subnet to the LDAP client. The workstation is able to log in, but I am
not able to log in from the LDAP server.
server: OpenLDAP 2.4.43
clients: nss-pam-ldapd 0.9.6
Any help much appreciated.
--- from ldap server to ldap client (fails)
$ ssh -l james 10.0.1.2
Enter passphrase for key '/home/james/.ssh/id_rsa':
You are required to change your password immediately (root enforced)
WARNING: Your password has expired.
You must change your password now and login again!
New password:
Retype new password:
password change failed: Server is unwilling to perform
passwd: password updated successfully
Connection to 10.0.1.2 closed.
--- from workstation to ldap client (succeeds)
$ ssh node-2
Password:
You are required to change your password immediately (root enforced)
need a new password
New password:
Retype new password:
password change failed: Insufficient access
node-2(james):~$
$ ldapsearch -x -b 'dc=my,dc=example,dc=com' '(objectclass=*)'
# extended LDIF
#
# LDAPv3
# base <dc=my,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# my.example.com
dn: dc=my,dc=example,dc=com
dc: cem
objectClass: dcObject
objectClass: organization
o: CEM
# manager, my.example.com
dn: cn=manager,dc=my,dc=example,dc=com
objectClass: organizationalRole
cn: Manager
description: LDAP Admin
# groups, my.example.com
dn: ou=groups,dc=my,dc=example,dc=com
ou: groups
description: Groups
objectClass: organizationalUnit
# users, my.example.com
dn: ou=users,dc=my,dc=example,dc=com
ou: users
description: Users
objectClass: organizationalUnit
# james, groups, my.example.com
dn: cn=james,ou=groups,dc=my,dc=example,dc=com
cn: james
objectClass: top
objectClass: posixGroup
gidNumber: 1000
# james, users, my.example.com
dn: uid=james,ou=users,dc=my,dc=example,dc=com
cn: James
uid: james
uidNumber: 1000
gidNumber: 1000
sn: James
homeDirectory: /home/james
mail: james(a)example.com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
loginShell: /bin/bash
gecos: james
shadowLastChange: 0
userPassword:: e1NTSEF9ZjhRMGwwaDk1ek9mMUViaDhreDNlUEsvdFhFb29wV3I=
shadowMax: 9999
shadowWarning: 14
# search result
search: 2
result: 0 Success
# numResponses: 7
# numEntries: 6
/etc/pam.d/system-auth
---
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass likeauth nullok
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account optional pam_permit.so
password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password sufficient pam_ldap.so use_authtok use_first_pass
password optional pam_permit.so
session required pam_limits.so
session required pam_env.so
session optional pam_ldap.so
session required pam_unix.so
session optional pam_permit.so
7 years, 8 months
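A note on the two failures, with an example, added here and not part of
Lane's post. Both messages are slapd result texts handed back through nslcd:
"Insufficient access" is LDAP result 50 (insufficientAccessRights), returned
when the identity nslcd bound as (the user, with the old password) is not
allowed to write userPassword on the entry; "Server is unwilling to perform"
is result 53 (unwillingToPerform). The forced change itself comes from
shadowLastChange: 0 in the entry, which pam_unix, reading the shadow map
through NSS, reports as "root enforced". The slapd.conf fragment below is one
ACL that permits the self-service change; the suffix and tree are the ones
from the ldapsearch output, everything else is my assumption, and the same
clauses go into olcAccess values when the server is managed through
cn=config.

```conf
# slapd.conf ACLs: added example, not taken from the post or from OpenLDAP's
# defaults. Suffix and tree are the ones visible in the ldapsearch output
# above; everything else is assumed. slapd stops at the first "access to"
# whose target matches, then at the first "by" clause whose subject matches,
# and every "access to" ends with an implicit "by * none".

# The password hash: the entry's owner may replace it, anyone may present a
# password against it to bind (auth), nobody may read it back.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# nslcd updates shadowLastChange after a successful change, so the owner
# needs write access here too; the shadow map must stay readable for NSS.
access to attrs=shadowLastChange
        by self write
        by * read

# Everything else stays readable (tighten separately if required).
access to *
        by * read
```

To see the server's answer without PAM in the way, run
ldappasswd -x -D uid=james,ou=users,dc=my,dc=example,dc=com -W -S against the
server: with the ACL above it succeeds, and without the "by self write" it
returns the same "Insufficient access" text. For changes that cannot bind as
the user because no old password is available (root changing a password, or a
session that authenticated with an SSH key), nslcd.conf(5) has
rootpwmoddn/rootpwmodpw, which is the setting to check for the first
transcript.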
OCSP for LDAP Client
by Jason Talley
I've been asked to enable OCSP checking in our client (connecting to any
LDAP server). The client uses the OpenLDAP APIs for managing the connection
to the server. From my recent birth-by-fire education on certs and
security, OCSP checking appears more or less to be a manual process rather
than having OpenSSL do all the work auto-magically as part of the handshake
(ignoring OCSP stapling, which I'm avoiding). I don't see any options in
openssl s_client (for testing) to enable OCSP -- only a separate utility to
manually check based on captured client certs.
Storing the CRL in the LDAP DB isn't an option. For whatever reason, OCSP
is required.
Is there any way to enable OCSP checking via the current LDAP API?
Assuming the answer is no, then would a reasonable approach be to manually
query the server URL from time to time and verify the certificate in the
background? Traffic from our client should be relatively minimal, so even
a rate of one verification an hour should leave a minimal risk window of
the cert being expired. Using this method I can more or less follow the
same logic as the openssl utilities (s_client and ocsp).
TIA.
7 years, 8 months
simple question
by Aleksandar Karalejić
Hi OpenLDAP team,
I have a question, simple I hope, for you - I need to send a client certificate to the OpenLDAP server (using the OpenLDAP API and OpenSSL).
For completing this job, first I initalized ldap with url containing ldaps in the url scheme (ldaps://fqdn_of_ldap_server:636).
I have set
LDAP_OPT_PROTOCOL_VERSION -> LDAP_VERSION3
LDAP_OPT_X_TLS_PROTOCOL_MIN -> LDAP_OPT_X_TLS_PROTOCOL_TLS1_2
LDAP_OPT_X_TLS_REQUIRE_CERT -> LDAP_OPT_X_TLS_DEMAND
LDAP_OPT_X_TLS_CONNECT_ARG -> fqdn_of_ldap_server
LDAP_OPT_X_TLS_CONNECT_CB -> my_tsl_verify_callback
and then I called ldap_sasl_bind:
ldap_sasl_bind(mLdapObj, NULL, "EXTERNAL", NULL, NULL, NULL, &msgid);
What I saw is that the certificate from the server was received, but how do I send the client certificate? I played around with LDAP_OPT_X_TLS_CERTFILE (passing the absolute path to the .pem file) but nothing. Also, I saw that this parameter was not taken into account - it looks like the ssl_ctx object used for ssl_connect does not include the path to the file (like the two global structures used for setting up the ctx know nothing about each other).
Can you help me with this?
Regards,
Aleksandar
7 years, 8 months
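An added note and example, not part of Aleksandar's post, for anyone hitting
the same thing: in libldap the per-handle TLS options such as
LDAP_OPT_X_TLS_CERTFILE and LDAP_OPT_X_TLS_KEYFILE are only copied into a
TLS context when that context is created, so after setting them on the
handle you call ldap_set_option(ld, LDAP_OPT_X_TLS_NEWCTX, &is_server) with
is_server = 0, before the first connection attempt; without that call the
connection uses the library-wide context built from ldap.conf, which is the
"two structures that know nothing about each other" behaviour described
above. The fragment below is the equivalent ~/.ldaprc, useful to prove that
the server side accepts the certificate before debugging the C code. Paths
and the CA file name are assumptions; the host is the placeholder from the
post.

```conf
# ~/.ldaprc: added example, not from the post. Paths are assumptions; the
# host is the placeholder used in the post. TLS_CERT and TLS_KEY are
# user-only options (they are ignored in the system-wide ldap.conf) and
# correspond to LDAP_OPT_X_TLS_CERTFILE / LDAP_OPT_X_TLS_KEYFILE in the API.
URI          ldaps://fqdn_of_ldap_server:636
# CA that issued the server's certificate
TLS_CACERT   /etc/ssl/certs/example-ca.pem
# client certificate and private key presented in the TLS handshake
TLS_CERT     /home/aleksandar/client-cert.pem
TLS_KEY      /home/aleksandar/client-key.pem
# refuse to talk to a server whose certificate does not verify
TLS_REQCERT  demand
# the SASL identity is taken from the client certificate
SASL_MECH    EXTERNAL
```

With this in place, ldapwhoami -H ldaps://fqdn_of_ldap_server:636 -Y EXTERNAL
should print the DN slapd derived from the certificate subject; if it does
not, the fault is in the certificate chain, the server's TLSVerifyClient
setting or its authz-regexp mapping, not in the client code.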
OpenLdap + Cyrus SASL + MIT Kerberos credentials cache
by Petar Kovačević
Hi All,
I'm working on a Windows application that uses libldap built with Cyrus SASL and MIT Kerberos, and I'm having issues with Kerberos authentication on AD.
I have tested with various applications and Kerberos is working properly on the server.
In my app I'm using ldap_sasl_interactive_bind_s(mLdapObj, NULL, "GSSAPI", NULL, NULL, LDAP_SASL_INTERACTIVE, my_ldap_sasl_interact, defaults) in order to bind with the server, but I get error -2 (Local error).
I have debugged the app and I have found that there is an issue with the Kerberos credentials cache. Because I haven't set the credentials cache location, Kerberos reads this location from the KRB5CCNAME environment variable.
So my first question is: is there any API in libldap so we can set our own credentials cache location?
But even when I set this variable, I get the same error when I try to bind. After some more debugging I found that Kerberos expects that I already have a credentials cache file created, and that there is a ticket in it (as if I had called kinit before bind).
Is there an API in libldap that will call the Kerberos API for the credentials cache and ticket obtaining operations, which we can call before bind, or do we need to call the Kerberos API directly?
Thank you for your help.
Best Regards,
Petar Kovacevic
7 years, 8 months
Re: [OpenLDAP][Authentication] SASL
by Timothy Keith
I don't yet have access to the corporate LDAP service on the
production Unix servers. To serve that purpose for testing I am
using Apache Directory server on Windows. The test example I'm using
is for Active Directory, but I think the pass-through tutorial ought
to work basically the same for evaluation purposes.
Tim
7 years, 8 months
Re: acl bug?
by BÖSCH Christian
> On 26 Jan 2016, at 14:34 , julien soula <julien.soula(a)univ-lille2.fr> wrote:
>
> On Tue, Jan 26, 2016 at 11:43:59AM +0000, BÖSCH Christian wrote:
>>
>> Jan 26 12:35:46 openldap1 slapd[84283]: => mdb_entry_get: found entry: "uid=user1,ou=people,o=abc.net"
>> Jan 26 12:35:46 openldap1 slapd[84283]: => mdb_entry_get: found entry: "cn=group,ou=groups,o=abc.net"
>
> are you sure that "uid=user1,ou=people,o=abc.net" is a member of
> "cn=group,ou=groups,o=abc.net" ?
Yes, I am.
To me it seems that filter= followed by attrs= (tested with several filters and attributes) does not work.
If I omit attrs= it works to hide the whole entry. If I use a dn instead of filter I can use attrs= to hide a single attribute.
christian
>
> cdt,
> --
> Julien
> << You have nothing to say... Let's talk about it! >>
7 years, 8 months
Problems with log entries order
by Dario Zanzico
Writing a script for parsing OpenLDAP logs I found that, for some of my
connections, the BIND log entry precedes the corresponding ACCEPT entry
(which, as far as I understand, must logically precede the BIND).
example:
2016-01-25T12:54:02.131094+01:00 HOSTNAME slapd[15258]: conn=91596 op=0 BIND dn="" method=128
2016-01-25T12:54:02.131099+01:00 HOSTNAME slapd[15258]: conn=91596 op=0 RESULT tag=97 err=0 text=
2016-01-25T12:54:02.131103+01:00 HOSTNAME slapd[15258]: conn=91596 fd=93 ACCEPT from [CUT]
slapd is started with the '-l local4' parameter, and rsyslogd is
configured to send local4.* to the openldap.log file.
Suspecting some rsyslogd problem, I tried running slapd with the "-d
256" parameter, but in the output I found
56a6202b conn=1004 op=0 BIND dn="" method=128
56a6202b conn=1004 op=0 RESULT tag=97 err=0 text=
56a6202b conn=1004 fd=13 ACCEPT from [CUT]
Is there any way to guarantee that OpenLDAP generates ordered logs?
thanks,
dario
7 years, 8 months
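An added note and example, not part of Dario's post. The same inversion
appears with -d 256, so it is produced inside slapd and rsyslog is not to
blame: the ACCEPT line is written by the thread that accepted the socket,
while the first operation on that connection is serviced by a worker thread
as soon as the socket is readable, and when the client sends its BIND
immediately the two log calls race. The timestamps faithfully record the
order in which the two threads reached their log statements. A consumer
should therefore group on conn=N and treat ACCEPT as the start of the group
wherever it arrived, rather than rely on arrival order. The shell function
below (mine, not part of OpenLDAP; the sample lines are constructed to
mirror the post) does that with awk: it moves each connection's ACCEPT line
in front of the first other line for that connection and leaves everything
else in arrival order.

```shell
#!/bin/sh
# Reorder slapd stats-log lines by connection. Added example, not part of
# OpenLDAP; the sample lines below are constructed to mirror the post.

# Reads log lines on stdin. For every conn=N whose ACCEPT line arrived after
# some other line of that connection, the ACCEPT line is moved in front of
# the first such line. All other lines keep their arrival order.
slapd_sort_log() {
    awk '
    {
        line[NR] = $0
        if (match($0, /conn=[0-9]+/)) {
            c = substr($0, RSTART + 5, RLENGTH - 5)   # digits after "conn="
            if (!(c in first)) first[c] = NR
            if ($0 ~ /ACCEPT from/) acc[c] = NR
        }
    }
    END {
        for (i = 1; i <= NR; i++) {
            if (i in done) continue
            if (match(line[i], /conn=[0-9]+/)) {
                c = substr(line[i], RSTART + 5, RLENGTH - 5)
                if (first[c] == i && (c in acc) && acc[c] > i) {
                    print line[acc[c]]      # ACCEPT first ...
                    done[acc[c]] = 1        # ... and not again later
                }
            }
            print line[i]
        }
    }'
}

# Two connections: conn=91596 as logged in the post (BIND/RESULT before
# ACCEPT), conn=91597 already in the natural order. Constructed data.
slapd_sort_demo() {
    printf '%s\n' \
      '2016-01-25T12:54:02.131094+01:00 HOSTNAME slapd[15258]: conn=91596 op=0 BIND dn="" method=128' \
      '2016-01-25T12:54:02.131099+01:00 HOSTNAME slapd[15258]: conn=91596 op=0 RESULT tag=97 err=0 text=' \
      '2016-01-25T12:54:02.131103+01:00 HOSTNAME slapd[15258]: conn=91596 fd=93 ACCEPT from IP=192.0.2.10:41000 (IP=0.0.0.0:389)' \
      '2016-01-25T12:54:03.000001+01:00 HOSTNAME slapd[15258]: conn=91597 fd=94 ACCEPT from IP=192.0.2.11:41001 (IP=0.0.0.0:389)' \
      '2016-01-25T12:54:03.000002+01:00 HOSTNAME slapd[15258]: conn=91597 op=0 BIND dn="" method=128' \
    | slapd_sort_log
}

slapd_sort_demo
```

Feed a real file with slapd_sort_log < openldap.log; lines without a conn=
field (startup messages, for instance) pass through in place.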
acl bug?
by BÖSCH Christian
hi,
I'm using this ACL:
{0}to filter=(objectclass=person) attrs=Hidden by group.exact="cn=group,ou=groups,o=abc.net" none
but members of the group can still access the attribute Hidden.
With any filter it does not work.
If I use a single dn it works.
Seems to me filters do not work?
chris
7 years, 8 months
missing init script
by Chuck Theobald
I'm building OpenLDAP version 2.4.40 from source but am unable to locate
the init script. It does not install with 'make install'. Should this
script be part of the source distribution?
Thanks,
--
Chuck Theobald
System Administrator
The Robert and Beverly Lewis Center for Neuroimaging
University of Oregon
P: 541-346-0343
F: 541-346-0345
7 years, 8 months