openldap-technical

openldap-technical@openldap.org

21 participants
9802 discussions

ppolicy pwdMinLenght, pwdAccountLockedTime and pwdLockoutDuration don't work as supposed
by Theo Alves 18 Mar '11

18 Mar '11

Hello there, We have 40 machines on an educational informatics lab authenticating with LDAP. I am using python ldap module as management tool. I am experiencing two problems at now. The first one is when an user access ldap by python the ppolicy pwdMinLenght doesn't work. The user can freely put a password too short. That doesn't happen when using passwd. Check out the python code snip: import ldap dn = 'uid=%s,ou=People,dc=example,dc=com' % 'user1' con = ldap.initialize('ldapi:///') con.bind_s(dn, raw_input('Password: ')) #getting the present password con.passwd_s(dn, None, '1') The to default_ppolicy entry pwdMinLenght is setted to 5, even so the code above works to regular users and they can put passwords too short. The second thing is in the lab sometimes users should be disabled for time periods (2 weeks for instance). I guessed I could set pwdAccountLockedTime to now and pwdLockoutDuration to the duration and the user would be automatically unlocked after that time, but it doesn't look to work. I guess this directives are only valid when pwdFailureTime is setted by the authentication methods. Can someone confirm that I can't set manually pwdAccountLockedTime and pwdLockoutDuration to block user access to a determined period? What would be the alternatives? I hope I haven't missed the answers because a lack of English skills. I have "googled" a lot about that, but nothing useful came up. The mail list archives search in openldap-technical doesn't return anything even when I try ldap, or ppolicy. I browsed some month archives but got nothing by the e-mail subjects. Thanks in advance for any help and answers. I hope I have been understood and sorry about any mistakes I've made concerning the language. Theo -- O Pensamento Governa o Universo http://www.999thnight.com http://www.unreversed.com

2 1

(no subject)
by Juan José Aragonés 18 Mar '11

18 Mar '11

Hello After installing and configuring openLDAP in Linux I’m trying to do the same in Windows 7. No, it’s not my idea but what my boss wants me to do. So I downloaded openLDAP from http://www.userbooster.de/en/download/openldap-for-windows.aspx and installed. Configured my slapd.conf as follows: include ./schema/core.schema include ./schema/cosine.schema include ./schema/inetorgperson.schema pidfile ./run/slapd.pid argsfile ./run/slapd.args ## server permits anonymous binds allow bind_anon_dn ## Misc security settings password-hash {SSHA} ####################################################################### # Database Section ####################################################################### ## Define the beggining of example database database bdb ## Define the root suffix you serve suffix "dc=example,dc=com" ## Define a root DN for superuser privilege (Not necessary) rootdn "cn=Manager,dc=example,dc=com" ## Define the password used with roodn. For this example it will be "secret" rootpw {SSHA}E7ptTQ3Z6DdkPacF6sO3qXrueUKoM8Kq ## Directory containing the database files directory ./data/example ## Indexes to maintain index ObjectClass eq index cn,sn,mail eq,sub index departmentNumber eq ## db tunning parameters: cache 2000 entries in memory cachesize 2000 I started it (slapd -h ldap://) and it works ok. But now I'm trying to connect using ldaps, but I don't find how to create a self-signed certificate in a way as easy as it was in Linux. If you know where there's a good guide I would be really grateful. Thank you Joe Aragones

1 0

Schema Design :: ACL on Groups by Group Members only
by sim123 18 Mar '11

18 Mar '11

Hi There, I want "n" number of groups (or similar structure which keeps member information) to be created and only group members have access to those groups. Members are defined in separate user branch so my DIT look like dc=example,dc=com +--ou=people,dc=example,dc=com +----uid=bjanson,ou=users,dc=example,dc=com +----uid=matt,ou=users,dc=example,dc=com +--cn=group1,dc=example,dc=com (groupOfNames) +----cn=subgroup1,dc=example,dc=com (groupOfNames) now users bjanson and matt are member of group1, only bjanson is member of subgroup1. I would like to have ACL defined so only members can access their group. I don't need any ACL on subgroup as long as only all members of parent group can access it. Is it possible to do that in generic form because basic ACL syntax needs dn/filter in "access to " clause. In my example if I have n groups I will end up having n access control syntax in slapd.conf, which doesn't sound a good idea. Also, I don't need to use groups as such but groupOfNames/ groupOd UniqueNames are the only classes which support member attribute. Please let me know if there is any other objectClass I should use. Thanks for all the help and support, I appreciate it very much.

3 2

OpenLDAP 2.4.23 hangs when creating new group objects
by Mark Cave-Ayland 17 Mar '11

17 Mar '11

Hi all, Having just upgraded our internal LDAP server from Debian Lenny (2.4.16 internal build) to Debian Squeeze (2.4.23), we have started to see instances where the slapd process hangs and stops responding to all requests until we kill -9 and restart the process. Bizarrely enough, we can reproduce this pretty much every time when we try and create a new LDAP group using the GOsa web administration tool. Is this a known issue at all? Next time it happens, I'm happy to post a backtrace if you let me know what output you need from gdb to debug this. Many thanks, Mark. -- Mark Cave-Ayland - Senior Technical Architect PostgreSQL - PostGIS Sirius Corporation plc - control through freedom http://www.siriusit.co.uk t: +44 870 608 0063 Sirius Labs: http://www.siriusit.co.uk/labs -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

3 6

Any consideration while designing schema
by sim123 17 Mar '11

17 Mar '11

Hi, I am in process of designing schema for my recent project with really basic skill set and found this article really interesting : http://www.skills-1st.co.uk/papers/ldap-schema-design-feb-2005/ldap-schema-… I am wondering what all things one should really keep in mind before putting LDAP schema together and in general what could cause potential overhead or considered BAD design ? Also would love to know if there is any other article/ book addressing my concerns. Thanks for the help and support.

3 4

nested dyn groups (planed?)
by Christoph Kaminski 17 Mar '11

17 Mar '11

Hi all... I know it is not possible to use nested dynamic groups (dyn group inside dyn group via labeledURI attribute) but it is planed for a release in the future? -- Greetz

1 0

How to turn on LDAP_DEVEL flag?
by Коновалов Андрей Але ксандрович 17 Mar '11

17 Mar '11

I want to test component matching support in OpenLDAP 2.4.24, but it is masked by LDAP_DEVEL flag, which is turned on only when LDAP_VENDOR_VERSION=0. So... could you tell me please, how to turn on LDAP_DEVEL directly in a proper way?

3 3

OpenLDAP reports busy and hangs
by Frank Budde 17 Mar '11

17 Mar '11

Hi, with OpenLDAP 2.4.22 on Solaris 10 we discovered following situation: from time to time the slapd log file contains message "daemon: select: listen=7 busy" while ldap continues to operate normally. After 7 days of operation suddenly ldap does not respond any more and keeps printing "daemon: select: listen=7 busy". Log file shows: daemon: select: listen=7 busy daemon: listen=7, new connection on 30 daemon: activity on 1 descriptor daemon: waked daemon: added 30r (active) listener=0 conn=5656 fd=30 ACCEPT from IP=192.168.200.131:40993 (IP=192.168.200.16:9929) daemon: select: listen=7 active_threads=1 tvp=zero daemon: activity on 2 descriptors daemon: waked daemon: select: listen=7 active_threads=1 tvp=zero daemon: activity on 1 descriptor daemon: activity on: 30r daemon: read activity on 30 daemon: select: listen=7 active_threads=1 tvp=zero daemon: activity on 1 descriptor daemon: waked conn=5656 op=0 BIND dn="cn=ldapadmin,dc=abc,dc=com" method=128 daemon: select: listen=7 active_threads=1 tvp=zero conn=5656 op=0 BIND dn="cn=ldapadmin,dc=abc,dc=com" mech=SIMPLE ssf=0 conn=5656 op=0 RESULT tag=97 err=0 text= daemon: activity on 1 descriptor daemon: activity on: 30r daemon: read activity on 30 daemon: select: listen=7 active_threads=1 tvp=zero daemon: activity on 1 descriptor daemon: waked daemon: select: listen=7 active_threads=1 tvp=zero conn=5656 op=1 SRCH base="ou=users,dc=abc,dc=com" scope=1 deref=3 filter="(uid=abcservice-prd)" daemon: activity on 1 descriptor daemon: select: listen=7 busy daemon: select: listen=7 busy daemon: select: listen=7 busy daemon: select: listen=7 busy slapd.conf contains gentlehup on idletimeout 15 conn_max_pending 10 conn_max_pending_auth 30 My question: How can the problem be solved or reproduced? The problem comes up in production environment and I need to reproduce it in test environment. How can this be done? (If the problem can be reproduced with 2.4.22 I will try it with ldap 2.4.24.) Thanks for any help, /Frank -- Schon gehört? GMX hat einen genialen Phishing-Filter in die Toolbar eingebaut! http://www.gmx.net/de/go/toolbar

2 1

"hidden" attributes in openldap?
by George Mamalakis 17 Mar '11

17 Mar '11

Hi everybody, I hope I am sending this email to the correct mailing list, if not please excuse me. I am trying to find a way to hide/unhide attributes on my DIT (openldap-2.4.21) and I cannot find a way to do this. What I mean by hide/unhide is that I want specific attributes to be listed with ldapsearch only if the owner of the records agrees. I did not find any feature that does this "automatically", so I tried to implement it through acls. I created a group called i.e. "cn=publish mail,ou=Groups,dc=example,dc=com" where people wishing to disclose their emails are members of this group. On the acl statement I couldn't find a way to restrict my acl based on "conditional attributes". Is there a way to support such a behavior (maybe through an additional overlay, or oclAccess, etc)? If someone knows an answer I would be delighted to know so. Thank you all for your time in advance, mamalos PS. I have submitted a similar question to an "ldap programmers" forum, because I thought that openldap lists don't support such questions. Nevertheless, I found analogous questions being asked on this list by googling, so I thought I should give it a try. -- George Mamalakis IT Officer Electrical and Computer Engineer (Aristotle Un. of Thessaloniki), MSc (Imperial College of London) Department of Electrical and Computer Engineering Faculty of Engineering Aristotle University of Thessaloniki phone number : +30 (2310) 994379

3 6

Undefined reference to ber_* with 2.4.24
by frank.offermanns＠caseris.de 17 Mar '11

17 Mar '11

Hello, I am able to compile OpenLDAP 2.4.23 with Berkeley DB 4.8.30 with MSYS and windows with configure params: configure --prefix=/mingw --enable-acceslog --with-tls But if I try to compile OpenLDAP 2.4.24 I get several undefined references to ber_* functions when liblutil is build. Did I miss a change in the way to build OpenLDAP 2.4.24? Best regards, Frank Offermanns

2 1

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical