openldap-technical October 2017

openldap-technical@openldap.org

28 participants
75 discussions

Problem with "force user to password reset at first login
by Rajagopal Rc 30 Oct '23

30 Oct '23

Hi, I am trying to force users to change their password at first login or after password reset by administrator. Tried following: 1)Password policy 'pwdMustChange TRUE' doesn't seems to be working as non of the users get prompt to change their password at first login. 2) used the 'pwdReset TRUE' attribute in users attributes, and it won't prompt to change the password and didn't allow to login i observe below messages in log "slapd[12684]: connection restricted to password changing only slapd[12684]: send_ldap_result: err=50 matched="" text="Operations are restricted to bind/unbind/abandon/StartTLS/modify password" slapd[12684]: conn=1053 op=1 SEARCH RESULT tag=101 err=50 nentries=0 text=Operations are restricted to bind/unbind/abandon/StartTLS/modify password" Please help me configure the option to force all users to change their password at first login or after pwd reset by administrator. Thanks & Regards Raj Tata Consultancy Services Mailto: rajagopal.rc(a)tcs.com Website: http://www.tcs.com ____________________________________________ Experience certainty. IT Services Business Solutions Consulting ____________________________________________ =====-----=====-----===== Notice: The information contained in this e-mail message and/or attachments to it may contain confidential or privileged information. If you are not the intended recipient, any dissemination, use, review, distribution, printing or copying of the information contained in this e-mail message and/or attachments to it are strictly prohibited. If you have received this communication in error, please notify us by reply e-mail or telephone and immediately and permanently delete the message and any attachments. Thank you

5 9

Re: Syncrepl and multipe values
by Quanah Gibson-Mount 24 Feb '18

24 Feb '18

--On Friday, January 06, 2017 6:50 PM +0000 Matheus Eduardo Bonifacio Morais <matheus_morais(a)sicredi.com.br> wrote: > > > > Issue 8559 opened. > > > > I'm trying to work on a patch but I'm not sure if the best solution is to > fix accesslog to avoid duplicated values or if the sample LDIF (in its > description) should result in a constraint violation. What do you think? The accesslog should never write an operation that can't be replicated. If the MOD is a valid LDAP operation (which I think it is), then it should be accepted at the frontend. The issue may be more in delta-syncrepl's handling of the write op than anything else. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

3 3

Re: uidNumber for Service Accounts?
by Douglas Duckworth 19 Dec '17

19 Dec '17

Thanks John and everyone else. It's only performing binds for Apache, and sssd, as I do not allow anon binds to the LDAP server. This particular account does not perform any interactive logins on *Nix boxes. Thanks, Douglas Duckworth, MSc, LFCS HPC System Administrator Scientific Computing Unit Physiology and Biophysics Weill Cornell Medicine E: doug(a)med.cornell.edu O: 212-746-6305 F: 212-746-8690 On Wed, Oct 25, 2017 at 9:18 PM, John Lewis <jl(a)hyperbolicinnovation.com> wrote: > On Wed, 2017-10-25 at 09:32 -0400, Douglas Duckworth wrote: > > Hi > > > > Do I need uidNumber for Service Accounts used for application / > > server binding if this user won't actually be resolved by sssd or > > nslcd? > > > > I set a very high uidNumber but eventually this will conflict with > > users as in my ignorance I didn't put this in a lower range. > > > > Thanks, > > > > Douglas Duckworth, MSc, LFCS > > HPC System Administrator > > Scientific Computing Unit > > Physiology and Biophysics > > Weill Cornell Medicine > > E: doug(a)med.cornell.edu > > O: 212-746-6305 > > F: 212-746-8690 > > It depends on weather your service account needs to login to a UNIX > compliant system or not. If the account doesn't have a uid, it will > most likely not be able to login as a standard UNIX account via LDAP. > > If the binds go directly to an application without going through an OS > authentication layer, for example a web user login, it probably doesn't > matter either way whether the account has a uidNumber set or not. If > you have an interaction with sssd or nslcd in the middle, you are going > to need the uidNumber attribute set. >

3 4

uidNumber for Service Accounts?
by Douglas Duckworth 25 Oct '17

25 Oct '17

Hi Do I need uidNumber for Service Accounts used for application / server binding if this user won't actually be resolved by sssd or nslcd? I set a very high uidNumber but eventually this will conflict with users as in my ignorance I didn't put this in a lower range. Thanks, Douglas Duckworth, MSc, LFCS HPC System Administrator Scientific Computing Unit Physiology and Biophysics Weill Cornell Medicine E: doug(a)med.cornell.edu O: 212-746-6305 F: 212-746-8690

3 2

Help wanted - LDAP deployment for NTP and Network Time Foundation
by Harlan Stenn 25 Oct '17

25 Oct '17

Hi folks, The NTP Project has an ancient LDAP deployment that needs to be upgraded. We've started a re-deployment that includes both ntp.org and nwtime.org, and have the server side of that mostly finished. The volunteers who have been doing this don't have the time to get it done soon enough. We could really use some more help to get the deployment finished and installed. This includes a reality check on our replicated server setup, the schema, and then getting various "services" (login/ssh, some web apps, etc) hooked in. If you're up for lending a hand on this, please let me know. -- Harlan Stenn <stenn(a)nwtime.org> http://networktimefoundation.org - be a member!

1 0

Re: uidNumber for Service Accounts?
by Douglas Duckworth 25 Oct '17

25 Oct '17

Thanks Michael! No, we do not have uidNumber-based ACLs only DN based. I will remove the uidNumber. Thanks Doug Thanks, Douglas Duckworth, MSc, LFCS HPC System Administrator Scientific Computing Unit Physiology and Biophysics Weill Cornell Medicine E: doug(a)med.cornell.edu O: 212-746-6305 F: 212-746-8690 On Wed, Oct 25, 2017 at 9:55 AM, Michael Ströder <michael(a)stroeder.com> wrote: > Douglas Duckworth wrote: > > Do I need uidNumber for Service Accounts used for application / server > > binding if this user won't actually be resolved by sssd or nslcd? > > In general if your client only binds to the LDAP server it doesn't need > 'uidNumber' attribute. It just needs a bind-DN and a password in its > config. I assume though that your LDAP server does not have ACLs based > uidNumber-based filter affecting your client. > > And I don't know whether something else in your deployment needs it. > This only you can find out. > > Ciao, Michael. > >

1 0

Re: [EXTERNAL] pwdPolicySubentry: value #0 already exists
by Douglas Duckworth 25 Oct '17

25 Oct '17

Thanks so much, Jon! I can see it clearly now! # Service Accounts, domain dn: ou=Service Accounts,domain # g14classified, Service Accounts, domain dn: uid=g14classified,ou=Service Accounts,domain pwdPolicySubentry: cn=CustomBindAccountPolicy,ou=Policies,domain Thanks, Douglas Duckworth, MSc, LFCS HPC System Administrator Scientific Computing Unit Physiology and Biophysics Weill Cornell Medicine E: doug(a)med.cornell.edu O: 212-746-6305 F: 212-746-8690 On Wed, Oct 25, 2017 at 9:34 AM, Jon C Kidder <jckidder(a)aep.com> wrote: > pwdPolicySubentry is an operational attribute. It will not be returned in > search results unless you explicitly request it or use + in your requested > attribute list. > > > > If you change the add to a replace in your ldif file your modify operation > should succeed. > > > > > <https://urldefense.proofpoint.com/v2/url?u=http-3A__www.aep.com_&d=DwMGaQ&c…> > > *JON C KIDDER* | *MIDDLEWARE ADMINISTRATOR LEAD* > JCKIDDER(a)AEP.COM | D:614.716.4970 <(614)%20716-4970> > 1 RIVERSIDE PLAZA, COLUMBUS, OH 43215 > <https://maps.google.com/?q=1+RIVERSIDE+PLAZA,+COLUMBUS,+OH+43215&entry=gmai…> > > > > *From:* openldap-technical [mailto:openldap-technical-bounces@openldap.org] > *On Behalf Of *Douglas Duckworth > *Sent:* Wednesday, October 25, 2017 9:24 AM > *To:* Openldap Technical > *Subject:* [EXTERNAL] pwdPolicySubentry: value #0 already exists > > > > This is an EXTERNAL email. STOP. THINK before you CLICK links or OPEN > attachments. If suspicious please forward to incidents(a)aep.com for review. > ------------------------------ > > Hi > > > > I am trying to make sure my bind Service Account's password does not > expire. I set this in ou=Policies with the intention that the policy would > only be applied to this user: > > > > # Policies, domain > > dn: ou=Policies,domain > > ou: Policies > > objectClass: organizationalUnit > > > > # CustomBindAccountPolicy, Policies, domain > > dn: cn=CustomBindAccountPolicy,ou=Policies,domain > > objectClass: person > > objectClass: top > > cn: passwordDefault > > cn: CustomBindAccountPolicy > > sn: passwordDefault > > pwdAttribute: userPassword > > pwdMinAge: 0 > > pwdMaxAge: 0 > > pwdLockout: FALSE > > > > However, I do not see this dn referenced on the user: > > > > # importantuser, Service Accounts, domain > > dn: uid=importantuser,ou=Service Accounts,domain > > objectClass: top > > objectClass: account > > objectClass: posixAccount > > objectClass: extensibleObject > > uid: binduser > > cn: bind > > sn: user > > givenName: binduser > > title: Account > > loginShell: /dev/null > > uidNumber: 123 > > gidNumber: 456 > > homeDirectory: /dev/null > > description: Service Account > > userPassword:: password123 > > > > When I try to add using ldapadd and this ldif: > > > > dn: uid=importantuser,ou=Service Accounts,domain > > changetype: modify > > add: pwdPolicySubentry > > pwdPolicySubentry: cn=CustomBindAccountPolicy,ou= > Policies,dc=davinci,dc=med,dc=cornell,dc=edu > > > > I get this error: > > me@nsa[~/ldap]$ ladd server.ldif > > > > Enter LDAP Password: > > modifying entry "uid=importantuser,ou=Service Accounts,domain" > > ldap_modify: Type or value exists (20) > > additional info: modify/add: pwdPolicySubentry: value #0 already > exists > > > > Do you have any idea what could be happening? My ACL's allow the binduser > to see everything so I don't understand what's happening. > > > > Thank you very much! > > > > > Thanks, > > > Douglas Duckworth, MSc, LFCS > HPC System Administrator > Scientific Computing Unit > > Physiology and Biophysics > > Weill Cornell Medicine > > E: doug(a)med.cornell.edu > O: 212-746-6305 <(212)%20746-6305> > F: 212-746-8690 <(212)%20746-8690> >

1 0

pwdPolicySubentry: value #0 already exists
by Douglas Duckworth 25 Oct '17

25 Oct '17

Hi I am trying to make sure my bind Service Account's password does not expire. I set this in ou=Policies with the intention that the policy would only be applied to this user: # Policies, domain dn: ou=Policies,domain ou: Policies objectClass: organizationalUnit # CustomBindAccountPolicy, Policies, domain dn: cn=CustomBindAccountPolicy,ou=Policies,domain objectClass: person objectClass: top cn: passwordDefault cn: CustomBindAccountPolicy sn: passwordDefault pwdAttribute: userPassword pwdMinAge: 0 pwdMaxAge: 0 pwdLockout: FALSE However, I do not see this dn referenced on the user: # importantuser, Service Accounts, domain dn: uid=importantuser,ou=Service Accounts,domain objectClass: top objectClass: account objectClass: posixAccount objectClass: extensibleObject uid: binduser cn: bind sn: user givenName: binduser title: Account loginShell: /dev/null uidNumber: 123 gidNumber: 456 homeDirectory: /dev/null description: Service Account userPassword:: password123 When I try to add using ldapadd and this ldif: dn: uid=importantuser,ou=Service Accounts,domain changetype: modify add: pwdPolicySubentry pwdPolicySubentry: cn=CustomBindAccountPolicy,ou=Policies,dc=davinci,dc=med,dc=cornell,dc=edu I get this error: me@nsa[~/ldap]$ ladd server.ldif Enter LDAP Password: modifying entry "uid=importantuser,ou=Service Accounts,domain" ldap_modify: Type or value exists (20) additional info: modify/add: pwdPolicySubentry: value #0 already exists Do you have any idea what could be happening? My ACL's allow the binduser to see everything so I don't understand what's happening. Thank you very much! Thanks, Douglas Duckworth, MSc, LFCS HPC System Administrator Scientific Computing Unit Physiology and Biophysics Weill Cornell Medicine E: doug(a)med.cornell.edu O: 212-746-6305 F: 212-746-8690

2 1

How do internet-facing, multi-domain ldap servers handle TLS?
by John Lewis 20 Oct '17

20 Oct '17

How do internet-facing, multi-domain ldap servers handle TLS? Do they go multi-port or do they use one TLS certificate that covers all of the domains, or do they get more IP addresses that are all on different domains?

1 0

Re: Antw: Re: [Q] amendments to schemes existent
by Zeus Panchenko 20 Oct '17

20 Oct '17

Ulrich Windl <Ulrich.Windl(a)rz.uni-regensburg.de> wrote: > But you are basically changing the semantics of attribute authorizedService: > Before "*" was literal, after it is magic (substring match). > > The discussion on which variant is more useful is a different issue ;-) for *my* flow, the variant of original schema is unusable since I have pleny of values and to hardcode all of them for all available searches is not good idea, to my mind ... if to return to the starting question: is there other way to get originally SUBSTR-less attributes to be matchable by substring, except hacking the scheme? -- Zeus V. Panchenko jid:zeus@im.ibs.dn.ua IT Dpt., I.B.S. LLC GMT+2 (EET)

2 4

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical October 2017