Hi all,
SYSTEM: NethServer-7.6.1810, a distro using Centos7.6.1810
OpenLDAP: openldap-2.4.44-21.el7_6.x86_64
Extra package: Self Service Password
I am using Self Service Password with question/answer method to change
the password.
I store the answer in an attribute named: info.
$answer_objectClass = "extensibleObject";
$answer_attribute = "info";
The original Account provider is LDAP which I want to replace with
Active Directory.
All the users have to choose a question/answer before I replace LDAP with
AD as the Account provider.
While LDAP is still the Account provider, anybody with console access to
the server can see the question/answer using the command:
# ldapsearch -D cn=libuser,dc=directory,dc=nh -w `cat /var/lib/nethserver/secrets/libuser` -h 127.0.0.1
# toto, People, directory.nh
dn: uid=toto,ou=People,dc=directory,dc=nh
...
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: extensibleObject
shadowLastChange: 18220
userPassword:: cm9ibTEyMDQ0OQ==
info: {car}Honda
I created a Virtual Machine to test the scenario with 3 users.
In NethServer, the original Account provider is LDAP.
I did a script to extract the users and their answers to file.ldif
I remove LDAP.
I install Active Directory module.
I import the users/groups to AD. In the importation, AD creates new
passwords for the imported users.
I add a section to Self Service Password for AD.
I modify AD with info.ldif to include the answer.
# /usr/bin/systemd-run -M nsdc -q -t /usr/bin/ldbmodify -H /var/lib/samba/private/sam.ldb /var/lib/samba/private/file.ldif
Modified 3 records successfully
#
The users can then modify their password responding to the same
question/answer they had with LDAP.
All is working perfectly.
PROBLEM:
I cannot encrypt the answer in LDAP because when I import the users to
Active Directory, it cannot read the encrypted answer. I think that AD
is using another way to encrypt/decrypt?
If I don't encrypt the answer, the importation to AD is working correctly.
While still using LDAP as Account provider and before I change it to
Active Directory, I would like to add an additional ACL so nobody can
read the answer stored in "info".
After googling a lot I found a way to describe the ACL. I hope it is the
right way.
access to attrs=info
by self write
by anonymous auth
by group="cn=domain admins,ou=Groups,dc=directory,dc=nh" write
by * none
How can I create the content of newacl.ldif file to be able to add that
ACL to OpenLDAP (ldapmodify -Y EXTERNAL -H ldapi:/// -f /temp/newacl.ldif)
Thank you,
Drukpa
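Added example (not part of the original post): one way to write the newacl.ldif the question asks for, using the ACL exactly as given above and targeting the cn=config database. It assumes the user data lives in olcDatabase={2}hdb,cn=config, which is the stock CentOS 7 openldap-servers layout; NethServer may number or name the backend differently, so the dn line must be checked against the server before applying. The {0} prefix inserts the new rule at the front of olcAccess, because slapd evaluates access directives in order and stops at the first "to" clause that matches the attribute, so a rule appended after an existing catch-all would never be reached.

```ldif
# newacl.ldif (added example, not from the original post)
# Assumption: the data database is olcDatabase={2}hdb,cn=config.
# Find the real DN and the current rules first with:
#   ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config "(olcAccess=*)" dn olcAccess
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
# {0} puts this rule before every existing olcAccess value.
# Continuation lines start with two spaces: LDIF strips the first one
# and the second keeps the clauses separated when the value is joined.
olcAccess: {0}to attrs=info
  by self write
  by anonymous auth
  by group="cn=domain admins,ou=Groups,dc=directory,dc=nh" write
  by * none
```

Apply it with the ldapmodify command already in the post, then confirm the rule landed in position {0} with `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config "(olcAccess=*)" olcAccess`, and re-run the original libuser ldapsearch: the info attribute should no longer appear for other users' entries. One caveat to check before the users start using it: if Self Service Password binds with a service DN (for example the libuser account) rather than as the user, that DN is caught by "by * none" and can no longer read or write info, so it needs its own clause such as `by dn.exact="cn=libuser,dc=directory,dc=nh" write` placed before `by * none` (the rootdn is not affected, since it bypasses ACLs). Note also that "by anonymous auth" grants nothing useful on a non-password attribute, but it is harmless and is kept here because it is in the ACL as written.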