openldap-technical December 2019

openldap-technical@openldap.org

18 participants
23 discussions

OATH TOTP LDAP schema?
by Côme Chilliet 04 Dec '19

04 Dec '19

Hello, We are working on implementing TOTP support in our application based on LDAP, and are looking for an LDAP schema for this. I found https://oath-ldap.stroeder.com but I can’t seem to find out the LDAP schema for this, allowing to store user tokens. Does anyone knows if there is a publicly accessible schema for this? -- Côme Chilliet FusionDirectory - https://www.fusiondirectory.org

3 2

Adding ACL to an Attribute
by Drukpa Kunley 03 Dec '19

03 Dec '19

Hi all, SYSTEM: NethServer-7.6.1810, a distro using Centos7.6.1810 OpenLDAP: openldap-2.4.44-21.el7_6.x86_64 Extra package: Self Service Password I am using Self Service Password with question/answer method to change the password. I store the answer in an attibute named: info. $answer_objectClass = "extensibleObject"; $answer_attribute = "info"; The original Account provider is LDAP which I want to replace with Active Directory. All the user have to choose a question/answer before I replace LDAP with AD as the Account provider. While LDAP is still the Account provider, anybody with console access to the server can see the question/answer using the command: # ldapsearch -D cn=libuser,dc=directory,dc=nh -w `cat /var/lib/nethserver/secrets/libuser` -h 127.0.0.1 # toto, People, directory.nh dn: uid=toto,ou=People,dc=directory,dc=nh ... objectClass: posixAccount objectClass: shadowAccount objectClass: inetOrgPerson objectClass: extensibleObject shadowLastChange: 18220 userPassword:: cm9ibTEyMDQ0OQ== info: {car}Honda I created a Virtual Machine to test the scenario with 3 users. In NethServer, the original Account provider is LDAP. I did a script to extract the users and their answers to file.ldif I remove LDAP. I install Active Directory module. I import the users/groups to AD. In the importation, AD creates new passwords for the imported users. I add a section to Self Service Password for AD. I modify AD with info.ldip to include the answer. # /usr/bin/systemd-run -M nsdc -q -t /usr/bin/ldbmodify -H /var/lib/samba/private/sam.ldb /var/lib/samba/private/file.ldif Modified 3 records successfully # The users can then modify their password responding to the same question/answer they had with LDAP. All is working perfectly. PROBLEM: I cannot encrypt the answer in LDAP because when I import the users to Active Directory, it cannot reads the encrypted answer. I think that AD is using another way to encrypt/decypt? If I don't encrypt the answer, the importation to AD is working correctly. While still using LDAP as Account provider and before I change it to Active Directory, I would like to add an additional ACL so nobody can read the answer stored in "info". After googling a lot I found a way to describe the ACL. I hope it is the right way. access to attrs=info by self write by anonymous auth by group="cn=domain admins,ou=Groups,dc=directory,dc=nh" write by * none How can I create the content of newacl.ldif file to be able to add that ACL to OpenLDAP (ldapmodify -Y EXTERNAL -H ldapi:/// -f /temp/newacl.ldif) Thank you, Drukpa

2 1

Is there a way to set a preference on entries with multiple userPassword attributes?
by Jeremy Diaz 03 Dec '19

03 Dec '19

Hello, Currently I have ldap entries with 2 userPassword attributes. One is a regular SHA password which the other one delegates to sasl. However this results in all entries binding through sasl rather than locally. I need some entries to default to sasl and other entries to default to SHA but still failover to the other password entry. Is this possible through openldap? Thanks, Jeremy -- Jeremy Diaz Rex Consulting, Inc 5652 Florence Terrace, Oakland, CA 94611 email: jeremy.diaz(a)rexconsulting.net web: [ http://www.rexconsulting.net/ | http://www.rexconsulting.net ] phone, toll-free: +1 (888) 403-8996 EXT: 5 The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. Rex Consulting, Inc. has been a California Corporation since 2001.

2 2

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical December 2019