Problem with "force user to password reset at first login"
by Rajagopal Rc
Hi,
I am trying to force users to change their password at first login or
after a password reset by the administrator.
Tried the following:
1) Password policy 'pwdMustChange TRUE' doesn't seem to be working, as none
of the users get prompted to change their password at first login.
2) Used the 'pwdReset TRUE' attribute in the user's attributes; it won't
prompt to change the password and didn't allow login.
I observe the messages below in the log:
"slapd[12684]: connection restricted to password changing only
slapd[12684]: send_ldap_result: err=50 matched="" text="Operations are
restricted to bind/unbind/abandon/StartTLS/modify password"
slapd[12684]: conn=1053 op=1 SEARCH RESULT tag=101 err=50 nentries=0
text=Operations are restricted to bind/unbind/abandon/StartTLS/modify
password"
Please help me configure the option to force all users to change their
password at first login or after a password reset by the administrator.
Thanks & Regards
Raj
Tata Consultancy Services
Mailto: rajagopal.rc(a)tcs.com
Website: http://www.tcs.com
1 month, 1 week
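The err=50 lines quoted above are the ppolicy overlay doing what pwdReset asks: the bind itself succeeds, but every request other than bind/unbind/abandon/StartTLS and the Password Modify extended operation is refused until the user changes the password, so a client that never issues that extended operation simply looks unable to log in. As an added example (not from the thread), a log scan that pairs each refused operation with the DN bound on that connection, so an administrator can see which accounts are stuck in the must-change state; the DNs and connection numbers in the sample are constructed:

```python
import re
from collections import defaultdict

# Constructed slapd "stats" log excerpt modelled on the err=50 lines quoted above;
# the bind DNs and connection numbers are invented.
SAMPLE_LOG = """\
slapd[12684]: conn=1053 op=0 BIND dn="uid=raj,ou=People,dc=example,dc=com" method=128
slapd[12684]: conn=1053 op=0 RESULT tag=97 err=0 text=
slapd[12684]: connection restricted to password changing only
slapd[12684]: conn=1053 op=1 SEARCH RESULT tag=101 err=50 nentries=0 text=Operations are restricted to bind/unbind/abandon/StartTLS/modify password
slapd[12684]: conn=1054 op=0 BIND dn="uid=svc-web,ou=Service Accounts,dc=example,dc=com" method=128
slapd[12684]: conn=1054 op=0 RESULT tag=97 err=0 text=
slapd[12684]: conn=1054 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
slapd[12684]: conn=1053 op=2 RESULT tag=103 err=50 text=Operations are restricted to bind/unbind/abandon/StartTLS/modify password
"""

RESTRICTED = "Operations are restricted to bind/unbind/abandon/StartTLS/modify password"
BIND_RE = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) (?:\w+ )?RESULT tag=(\d+) err=(\d+) .*?text=(.*)$')
# LDAP response tags slapd prints (BER application tags of the response PDUs)
TAG_NAMES = {97: "bind", 101: "search", 103: "modify", 105: "add",
             107: "delete", 109: "modrdn", 111: "compare", 120: "extended"}

def restricted_connections(log_text):
    """Map conn id -> {"dn": bind DN, "refused": [(op, kind), ...]} for every
    connection that ppolicy has limited to password changing (err=50 plus the
    'Operations are restricted ...' diagnostic)."""
    bind_dn, stuck = {}, defaultdict(lambda: {"dn": None, "refused": []})
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            bind_dn[m.group(1)] = m.group(2)   # remember who bound on this conn
            continue
        m = RESULT_RE.search(line)
        if m and m.group(4) == "50" and m.group(5).startswith(RESTRICTED):
            conn, op, tag = m.group(1), int(m.group(2)), int(m.group(3))
            stuck[conn]["dn"] = bind_dn.get(conn)
            stuck[conn]["refused"].append((op, TAG_NAMES.get(tag, f"tag={tag}")))
    return dict(stuck)

if __name__ == "__main__":
    for conn, info in restricted_connections(SAMPLE_LOG).items():
        print(f"conn={conn} {info['dn']}: refused {info['refused']}")
```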
Re: Syncrepl and multipe values
by Quanah Gibson-Mount
--On Friday, January 06, 2017 6:50 PM +0000 Matheus Eduardo Bonifacio
Morais <matheus_morais(a)sicredi.com.br> wrote:
> Issue 8559 opened.
>
> I'm trying to work on a patch but I'm not sure if the best solution is to
> fix accesslog to avoid duplicated values or if the sample LDIF (in its
> description) should result in a constraint violation. What do you think?
The accesslog should never write an operation that can't be replicated. If
the MOD is a valid LDAP operation (which I think it is), then it should be
accepted at the frontend. The issue may be more in delta-syncrepl's
handling of the write op than anything else.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
5 years, 9 months
Re: uidNumber for Service Accounts?
by Douglas Duckworth
Thanks John and everyone else. It's only performing binds for Apache, and
sssd, as I do not allow anon binds to the LDAP server. This particular
account does not perform any interactive logins on *Nix boxes.
Thanks,
Douglas Duckworth, MSc, LFCS
HPC System Administrator
Scientific Computing Unit
Physiology and Biophysics
Weill Cornell Medicine
E: doug(a)med.cornell.edu
O: 212-746-6305
F: 212-746-8690
On Wed, Oct 25, 2017 at 9:18 PM, John Lewis <jl(a)hyperbolicinnovation.com>
wrote:
> On Wed, 2017-10-25 at 09:32 -0400, Douglas Duckworth wrote:
> > Hi
> >
> > Do I need uidNumber for Service Accounts used for application /
> > server binding if this user won't actually be resolved by sssd or
> > nslcd?
> >
> > I set a very high uidNumber but eventually this will conflict with
> > users as in my ignorance I didn't put this in a lower range.
> >
> > Thanks,
> >
> > Douglas Duckworth, MSc, LFCS
> > HPC System Administrator
> > Scientific Computing Unit
> > Physiology and Biophysics
> > Weill Cornell Medicine
> > E: doug(a)med.cornell.edu
> > O: 212-746-6305
> > F: 212-746-8690
>
> It depends on whether your service account needs to log in to a UNIX
> compliant system or not. If the account doesn't have a uid, it will
> most likely not be able to log in as a standard UNIX account via LDAP.
>
> If the binds go directly to an application without going through an OS
> authentication layer, for example a web user login, it probably doesn't
> matter either way whether the account has a uidNumber set or not. If
> you have an interaction with sssd or nslcd in the middle, you are going
> to need the uidNumber attribute set.
>
5 years, 11 months
uidNumber for Service Accounts?
by Douglas Duckworth
Hi
Do I need uidNumber for Service Accounts used for application / server
binding if this user won't actually be resolved by sssd or nslcd?
I set a very high uidNumber but eventually this will conflict with users as
in my ignorance I didn't put this in a lower range.
Thanks,
Douglas Duckworth, MSc, LFCS
HPC System Administrator
Scientific Computing Unit
Physiology and Biophysics
Weill Cornell Medicine
E: doug(a)med.cornell.edu
O: 212-746-6305
F: 212-746-8690
6 years, 1 month
Help wanted - LDAP deployment for NTP and Network Time Foundation
by Harlan Stenn
Hi folks,
The NTP Project has an ancient LDAP deployment that needs to be upgraded.
We've started a re-deployment that includes both ntp.org and nwtime.org,
and have the server side of that mostly finished.
The volunteers who have been doing this don't have the time to get it
done soon enough.
We could really use some more help to get the deployment finished and
installed.
This includes a reality check on our replicated server setup, the
schema, and then getting various "services" (login/ssh, some web apps,
etc) hooked in.
If you're up for lending a hand on this, please let me know.
--
Harlan Stenn <stenn(a)nwtime.org>
http://networktimefoundation.org - be a member!
6 years, 1 month
Re: uidNumber for Service Accounts?
by Douglas Duckworth
Thanks Michael!
No, we do not have uidNumber-based ACLs, only DN-based ones.
I will remove the uidNumber.
Thanks
Doug
Thanks,
Douglas Duckworth, MSc, LFCS
HPC System Administrator
Scientific Computing Unit
Physiology and Biophysics
Weill Cornell Medicine
E: doug(a)med.cornell.edu
O: 212-746-6305
F: 212-746-8690
On Wed, Oct 25, 2017 at 9:55 AM, Michael Ströder <michael(a)stroeder.com>
wrote:
> Douglas Duckworth wrote:
> > Do I need uidNumber for Service Accounts used for application / server
> > binding if this user won't actually be resolved by sssd or nslcd?
>
> In general, if your client only binds to the LDAP server it doesn't need
> the 'uidNumber' attribute. It just needs a bind-DN and a password in its
> config. I assume though that your LDAP server does not have ACLs with a
> uidNumber-based filter affecting your client.
>
> And I don't know whether something else in your deployment needs it.
> This only you can find out.
>
> Ciao, Michael.
>
>
6 years, 1 month
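Following Michael's reply here and John's in the earlier message (a bind-only account needs a DN and a password, not a uidNumber, unless sssd/nslcd resolve it or an ACL filters on uidNumber), an added example that is not from the list: a small audit over an LDIF export that lists service accounts still carrying uidNumber and any uidNumber shared between entries, the collision Douglas was worried about. The entries, DNs and numbers in the sample are constructed, and the container name ou=Service Accounts is taken from Douglas's posts:

```python
import base64
from collections import defaultdict

# Constructed LDIF export (the shape `ldapsearch -LLL` prints); the DNs and
# uidNumbers are invented to show one collision between a user and a service account.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: alice
uidNumber: 10001

dn: uid=svc-web,ou=Service Accounts,dc=example,dc=com
objectClass: posixAccount
uid: svc-web
uidNumber: 10001
loginShell: /dev/null

dn: uid=svc-bind,ou=Service Accounts,dc=example,dc=com
objectClass: account
objectClass: simpleSecurityObject
uid: svc-bind
userPassword:: c2VjcmV0
"""

def parse_ldif(text):
    """Minimal LDIF reader: one {attr: [values]} dict per entry (handles folded
    lines and '::' base64 values; '#' comments are skipped)."""
    entries, lines = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]                  # unfold continuation line
        elif raw and not raw.startswith("#"):
            lines.append(raw)
        elif not raw and lines:                   # blank line ends the entry
            entry = {}
            for ln in lines:
                attr, _, value = ln.partition(":")
                if value.startswith(":"):         # attr:: base64
                    value = base64.b64decode(value[1:].strip()).decode()
                entry.setdefault(attr.lower(), []).append(value.strip())
            entries.append(entry)
            lines = []
    return entries

def audit_uidnumbers(ldif_text, service_ou="ou=Service Accounts"):
    """Return (service DNs carrying uidNumber, {uidNumber: [DNs]} for collisions)."""
    by_number, service_with_uid = defaultdict(list), []
    for e in parse_ldif(ldif_text):
        dn = e["dn"][0]
        for v in e.get("uidnumber", []):
            by_number[int(v)].append(dn)
            if service_ou.lower() in dn.lower() and dn not in service_with_uid:
                service_with_uid.append(dn)
    collisions = {n: dns for n, dns in by_number.items() if len(dns) > 1}
    return service_with_uid, collisions
```

Run it against `ldapsearch -LLL -b <base> '(objectClass=*)' dn uidNumber objectClass` output to get the same two lists for a live directory.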
Re: [EXTERNAL] pwdPolicySubentry: value #0 already exists
by Douglas Duckworth
Thanks so much, Jon!
I can see it clearly now!
# Service Accounts, domain
dn: ou=Service Accounts,domain
# g14classified, Service Accounts, domain
dn: uid=g14classified,ou=Service Accounts,domain
pwdPolicySubentry: cn=CustomBindAccountPolicy,ou=Policies,domain
Thanks,
Douglas Duckworth, MSc, LFCS
HPC System Administrator
Scientific Computing Unit
Physiology and Biophysics
Weill Cornell Medicine
E: doug(a)med.cornell.edu
O: 212-746-6305
F: 212-746-8690
On Wed, Oct 25, 2017 at 9:34 AM, Jon C Kidder <jckidder(a)aep.com> wrote:
> pwdPolicySubentry is an operational attribute. It will not be returned in
> search results unless you explicitly request it or use + in your requested
> attribute list.
>
> If you change the add to a replace in your ldif file your modify operation
> should succeed.
>
> *JON C KIDDER* | *MIDDLEWARE ADMINISTRATOR LEAD*
> JCKIDDER(a)AEP.COM | D:614.716.4970
> 1 RIVERSIDE PLAZA, COLUMBUS, OH 43215
>
> *From:* openldap-technical [mailto:openldap-technical-bounces@openldap.org]
> *On Behalf Of *Douglas Duckworth
> *Sent:* Wednesday, October 25, 2017 9:24 AM
> *To:* Openldap Technical
> *Subject:* [EXTERNAL] pwdPolicySubentry: value #0 already exists
>
> Hi
>
> I am trying to make sure my bind Service Account's password does not
> expire. I set this in ou=Policies with the intention that the policy would
> only be applied to this user:
>
> # Policies, domain
> dn: ou=Policies,domain
> ou: Policies
> objectClass: organizationalUnit
>
> # CustomBindAccountPolicy, Policies, domain
> dn: cn=CustomBindAccountPolicy,ou=Policies,domain
> objectClass: person
> objectClass: top
> cn: passwordDefault
> cn: CustomBindAccountPolicy
> sn: passwordDefault
> pwdAttribute: userPassword
> pwdMinAge: 0
> pwdMaxAge: 0
> pwdLockout: FALSE
>
> However, I do not see this dn referenced on the user:
>
> # importantuser, Service Accounts, domain
> dn: uid=importantuser,ou=Service Accounts,domain
> objectClass: top
> objectClass: account
> objectClass: posixAccount
> objectClass: extensibleObject
> uid: binduser
> cn: bind
> sn: user
> givenName: binduser
> title: Account
> loginShell: /dev/null
> uidNumber: 123
> gidNumber: 456
> homeDirectory: /dev/null
> description: Service Account
> userPassword:: password123
>
> When I try to add using ldapadd and this ldif:
>
> dn: uid=importantuser,ou=Service Accounts,domain
> changetype: modify
> add: pwdPolicySubentry
> pwdPolicySubentry: cn=CustomBindAccountPolicy,ou=Policies,dc=davinci,dc=med,dc=cornell,dc=edu
>
> I get this error:
>
> me@nsa[~/ldap]$ ladd server.ldif
> Enter LDAP Password:
> modifying entry "uid=importantuser,ou=Service Accounts,domain"
> ldap_modify: Type or value exists (20)
> additional info: modify/add: pwdPolicySubentry: value #0 already exists
>
> Do you have any idea what could be happening? My ACLs allow the binduser
> to see everything so I don't understand what's happening.
>
> Thank you very much!
>
> Thanks,
> Douglas Duckworth, MSc, LFCS
> HPC System Administrator
> Scientific Computing Unit
> Physiology and Biophysics
> Weill Cornell Medicine
> E: doug(a)med.cornell.edu
> O: 212-746-6305
> F: 212-746-8690
>
6 years, 1 month
pwdPolicySubentry: value #0 already exists
by Douglas Duckworth
Hi
I am trying to make sure my bind Service Account's password does not
expire. I set this in ou=Policies with the intention that the policy would
only be applied to this user:
# Policies, domain
dn: ou=Policies,domain
ou: Policies
objectClass: organizationalUnit
# CustomBindAccountPolicy, Policies, domain
dn: cn=CustomBindAccountPolicy,ou=Policies,domain
objectClass: person
objectClass: top
cn: passwordDefault
cn: CustomBindAccountPolicy
sn: passwordDefault
pwdAttribute: userPassword
pwdMinAge: 0
pwdMaxAge: 0
pwdLockout: FALSE
However, I do not see this dn referenced on the user:
# importantuser, Service Accounts, domain
dn: uid=importantuser,ou=Service Accounts,domain
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: extensibleObject
uid: binduser
cn: bind
sn: user
givenName: binduser
title: Account
loginShell: /dev/null
uidNumber: 123
gidNumber: 456
homeDirectory: /dev/null
description: Service Account
userPassword:: password123
When I try to add using ldapadd and this ldif:
dn: uid=importantuser,ou=Service Accounts,domain
changetype: modify
add: pwdPolicySubentry
pwdPolicySubentry: cn=CustomBindAccountPolicy,ou=Policies,dc=davinci,dc=med,dc=cornell,dc=edu
I get this error:
me@nsa[~/ldap]$ ladd server.ldif
Enter LDAP Password:
modifying entry "uid=importantuser,ou=Service Accounts,domain"
ldap_modify: Type or value exists (20)
additional info: modify/add: pwdPolicySubentry: value #0 already exists
Do you have any idea what could be happening? My ACLs allow the binduser
to see everything so I don't understand what's happening.
Thank you very much!
Thanks,
Douglas Duckworth, MSc, LFCS
HPC System Administrator
Scientific Computing Unit
Physiology and Biophysics
Weill Cornell Medicine
E: doug(a)med.cornell.edu
O: 212-746-6305
F: 212-746-8690
6 years, 1 month
Re: Antw: Re: [Q] amendments to schemes existent
by Zeus Panchenko
Ulrich Windl <Ulrich.Windl(a)rz.uni-regensburg.de> wrote:
> But you are basically changing the semantics of attribute authorizedService:
> Before "*" was literal, after it is magic (substring match).
>
> The discussion on which variant is more useful is a different issue ;-)
for *my* flow, the variant of the original schema is unusable since I have
plenty of values, and to hardcode all of them for all available searches
is not a good idea, to my mind ...
to return to the starting question:
is there any other way to get originally SUBSTR-less attributes to be
matchable by substring, except hacking the schema?
--
Zeus V. Panchenko jid:zeus@im.ibs.dn.ua
IT Dpt., I.B.S. LLC GMT+2 (EET)
6 years, 1 month