openldap-technical January 2016

openldap-technical@openldap.org

39 participants
44 discussions

Re: pass-through authentication
by Dan White 04 Jan '16

04 Jan '16

On 12/17/15 18:32 -0600, Timothy Keith wrote: >We are attempting to set up an LDAP server which will answer queries >from an application. The database will contain metadata on a set of >users in the application. The application will also query the server >to authenticate the user’s password, however, this server will not >house the password. That resides on another server, which our server >will query. We do not have administrative rights to the other >server. > > The difficulty we are having now is setting up the pass-through >authentication for the passwords. Any pointers in how to proceed with >this would be greatly appreciated. On 12/21/15 17:24 -0600, Timothy Keith wrote: >We have limited access to the servers. Same company, different IT >organization. Our LDAP requirement must be transparent to those servers. >We want to inherit the LDAP directory information from the Unix servers - >mostly the user Id and passwords, and add information that is needed by >applications that our servers will manage. On 12/31/15 09:51 -0600, Timothy Keith wrote: > On Wed, Dec 30, 2015 at 7:04 PM, Dan White <dwhite(a)cafedemocracy.org> wrote: >> On 12/30/15 18:51 -0600, Timothy Keith wrote: >> >>> This is tail of the latest saslauthd debug output : >>> >>> ldap_sasl_interactive_bind: user selected: DIGEST-MD5 >>> >> >> res_errno: 7, res_error: <SASL(-4): no mechanism available: >, res_matched: >>> <> >>> ldap_free_request (origid 1, msgid 1) >>> ldap_int_sasl_bind: DIGEST-MD5 >>> ldap_parse_sasl_bind_result >>> ldap_parse_result >>> ldap_msgfree >>> ldap_err2string >>> >> >> Is DIGEST-MD5 available on your ldap server? Try: >> >> ldapsearch -LLL -x -H ldap://1.2.3.4 -s "base" -b "" >> supportedSASLMechanisms >> Which should list the advertised sasl mechanisms. >> >> Verify the digest-md5 mechanism is installed with >> saslpluginviewer/pluginviewer. > >Dan, that ldapsearch returns : >dn: >supportedSASLMechanisms: PLAIN The server is only offering the PLAIN mechanism to you. It appears you're using saslauthd's ldap backend, and have explicitly configured 'ldap_mech: digest-md5' in your corresponding config. If that's correct, you could change that to PLAIN instead. Consider protecting the bind with tls if available. slapo-pbind may be a simpler alternative (to pass-through sasl authentication), depending on the specifics of your setup. -- Dan White

3 8

Re: openldap 2.4.43 keeps crashing
by Jephte Clain 04 Jan '16

04 Jan '16

2015-12-30 22:51 GMT+04:00 Quanah Gibson-Mount <quanah(a)zimbra.com>: > --On Wednesday, December 30, 2015 10:36 PM +0400 Jephte Clain > <jephte.clain(a)univ-reunion.fr> wrote: > >> 2015-12-29 20:47 GMT+04:00 Quanah Gibson-Mount <quanah(a)zimbra.com>: >>> >>> --On Monday, December 28, 2015 10:18 PM -0800 Quanah Gibson-Mount >>> <quanah(a)zimbra.com> wrote: >>> >>>> David, >>>> >>>> Why haven't you reported this to the ITS? >>> >>> >>> >>> Discussed with Howard. It isn't in 0.9 yet because it hasn't been >>> confirmed if the fix is good or not. David, if that fix has resolved >>> the issue, *please* follow up with the ITS noting that to be the case. >>> >> >> Hello, >> >> I can confirm this is the problem I have. Starting slapd in debug >> mode, it dies after some time: >> >> /tmp/buildd/openldap-2.4.43/servers/slapd/back-mdb/../../../libraries/lib >> lmdb/mdb.c:5276: Assertion 'NUMKEYS(mp) > 1' failed in >> mdb_page_search_root() >> /usr/local/slaptools/lib/functions: line 44: 30232 Abandon >> /usr/sbin/slapd -h "$SLAPD_SERVICES" -g "$SLAPD_GROUP" -u >> "$SLAPD_USER" -F "$SLAPDD" -d "$dlevel" "$@" >> >> I didn't notice it because it doesn't dump core. And somehow, the >> initscript I use eats the stderr output of slapd (I'll fix it for >> future errors) >> >> For now, I'll revert to the previous working version, but I'm willing >> to test any fix >> The funny part is only the replica dies regularly, not the master >> although it is the one to receive the writes > > > You can apply the patch that was made to mdb.master to the 2.4.43 source > tree, and see if it resolves the problem or not. ;) Hmmm... I really need some holidays... I couldn't manage to find the commit today (too tired?) and now I remember grep is my friend $ git checkout mdb.master $ git log --pretty=oneline | grep 8336 58d1fd4c73c96ef3097816e975b3d421ead4d86e ITS#8336 fix page_search_root assert on FreeDB I'll have a look tomorrow. Thanks. Regards, Jephté -- Jephté CLAIN | Développeur, Intégrateur d'applications Service Système d'Information Direction des Systèmes d'Information Tél: +262 262 93 86 31 || Gsm: +262 692 29 58 24

2 2

Re: users don't get prompt to change password (pwdMustChange attribute)
by Rajagopal Rc 31 Dec '15

31 Dec '15

Hi All, Can any one help me on this please Thanks From: Rajagopal Rc/BLR/TCS To: openldap-technical(a)openldap.org Date: 12/24/2015 12:07 PM Subject: users don't get prompt to change password (pwdMustChange attribute) Hello, I am trying to force user to change their password at first logon and on password reset. OS RHEL7 Openldap version 2.4.39-7.el7_1.x86_64 I have tried the following 1) I have set the pwdMustChange attribute to TRUE in ppolicy, but when user logon to client at first time or after resetting password, it just allow suer to logon without prompting to change the password, 2) I have set the pwdReset attribute to TRUE in user attribute for particular user, this doesn't allow user to login at all and keep prompting for password without allowing to login. Also i red in blogs this is not correct way, but couldn't find more information on this. is there any way to force users to change their password at first logon and after resetting password by admin. ? Current ppolicy Thanks & Regards Raj =====-----=====-----===== Notice: The information contained in this e-mail message and/or attachments to it may contain confidential or privileged information. If you are not the intended recipient, any dissemination, use, review, distribution, printing or copying of the information contained in this e-mail message and/or attachments to it are strictly prohibited. If you have received this communication in error, please notify us by reply e-mail or telephone and immediately and permanently delete the message and any attachments. Thank you

1 0

LDAP ACL for restricting applications with same user dn
by Geo P.C. 31 Dec '15

31 Dec '15

Currently we need to configure Group based LDAP login for our custom applications. We have applications named app1, app2 etc. For restricting users to login for a particular application for eg app1 then for that user it should have attribute named *allowedService = app1*, for login to app2 that user need *allowedService = app2* So in that way we created users. Now for binding applications to ldap we created users like *cn=app1,ou=Applications,dc=prime,dc=ds,dc=geo,dc=com cn=app2,ou=Applications,dc=prime,dc=ds,dc=geo,dc=com* Now we configured LDAP ACL as follows: olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by > anonymous auth by dn="cn=admin,dc=ds,dc=geo,dc=com" write by * none > olcAccess: {1}to dn.base="" by * read > olcAccess: {2}to dn.subtree="ou=People,dc=prime,dc=ds,dc=geo,dc=com" > filter="(allowedService=app1)" by > dn.exact="cn=app1,ou=Applications,dc=prime,dc=ds,dc=geo,dc=com" read by * > break > olcAccess: {3}to dn.subtree="ou=People,dc=prime,dc=ds,dc=geo,dc=com" > filter="(allowedService=app2)" by > dn.exact="cn=app2,ou=Applications,dc=prime,dc=ds,dc=geo,dc=com" read by * > break > olcAccess: {4}to dn.subtree="ou=People,dc=prime,dc=ds,dc=geo,dc=com" > attrs="entry" by dn.sub="ou=Applications,dc=prime,dc=ds,dc=geo,dc=com" read > by dn="cn=admin,dc=ds,dc=geo,dc=com" write by self read by * break > olcAccess: {5}to dn.subtree="ou=People,dc=prime,dc=ds,dc=geo,dc=com" > by dn.exact="cn=app3,ou=Applications,dc=prime,dc=ds,dc=geo,dc=com" read by > users read > olcAccess: {6}to dn.subtree="dc=prime,dc=ds,dc=geo,dc=com" by > anonymous write > But when any application that doesn't support filter (Like suiteCRM) we created rule *olcAccess: {5}* and bind it with *app3* user but then the whole ACL is not working and all users can login to all application. So can anyone please help us on it Thanks Geo

1 1

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical January 2016