Hi Dennis/All,
I figured out that why password policies are not working. Th reason is that it did not got loaded successfully in ldap db. I am getting below error..
adding new entry "ou=Policies,dc=j,dc=example=,dc=com" ldap_add: Server is unwilling to perform (53) additional info: no global superior knowledge
What i read is that The error no global superior knowledge means that slapd doesn't know where to put your new entry. Not getting what it means and how to fix it. Please help!!
Regards Sam
On Thursday, 27 February 2014 10:22 AM, saurabh ohri sam_ohri@yahoo.co.in wrote:
Hi Denis,
I did following steps in order to get the password policy work, still nothing is working.
1) In my slapd.conf file added below lines: # Password Policy Configuration overlay ppolicy ppolicy_default "cn=default,ou=Policies,dc=j,dc=example,dc=com" ppolicy_use_lockout ppolicy_hash_cleartext
# ACL Entry for Password Policies access to attrs=userPassword by self write by anonymous auth by * none access to * by self write by * read 2) Loaded the password policy .ldif file into ldap by ldapadd. O/t of password policy .ldif files is: # Creates a Policies OU (Organizational Unit) dn: ou=Policies,dc=j,dc=cinglevue=,dc=com objectClass: organizationalUnit ou: Policies
# Creates a Policy object in Policies OU (Organizational Unit) dn: cn=default,ou=Policies,dc=j,dc=cinglevue,dc=com objectClass: top objectClass: device objectClass: pwdPolicy cn: default pwdAttribute: userPassword pwdMaxAge: 3888000 pwdExpireWarning: 604800 pwdInHistory: 3 pwdCheckQuality: 1 pwdMinLength: 8 pwdMaxFailure: 5 pwdLockout: TRUE pwdLockoutDuration: 1800 pwdGraceAuthNLimit: 0 pwdFailureCountInterval: 0 pwdMustChange: TRUE pwdAllowUserChange: TRUE pwdSafeModify: FALSE
Regards Sam
On Wednesday, 26 February 2014 8:02 PM, Dennis Leeuw D.Leeuw@umcutrecht.nl wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Have a look at the shadow* attributes from the shadowAccount class. Those should help you enforcing password related stuff. For self changes of passwords use an ACL like: access to attrs=userPassword by self write by anonymous auth by * none
Greetings,
Dennis
On 02/26/2014 11:50 AM, Saurabh Ohri wrote:
Thanks Dennis. You ate right the problem is not related to ldap but was looking for help against it.
I am able to have successful authentication from ldap on both mac and windows after trying 50 combinations of configuration 😄
But finally it worked and it our effort paid.
Thanks again and will share the information/ document soon.
Also it would be of great help if you could share some details on enforcing password policies like self user password change, force passed change after first login etc. I did some config but it is not working even for Linux.
Thanks Sam
Sent from my iPhone
On 26 Feb 2014, at 4:40 pm, Dennis Leeuw D.Leeuw@umcutrecht.nl wrote:
On 02/26/2014 05:26 AM, saurabh ohri wrote: Hi all,
I am new to openldap and i manage dto install and configure the same. My linux client is working well but not able to authenticate windows and mac clients.
Have been trying since past 2 days by google and other posts but still facing issue. Any help would be highly appreciated.
Details: using openldap-2.4.23-34 on RHEL6.5 *Client details:* Mac 10.8.5 -- tried configuring the network account server but it is showing RED. Error This server is not responding. Windows 7 – tried installing GINA but it is giving me invalid credentials
error.
Configuration file on server: Password: # extended LDIF # # LDAPv3 # base <dc=j,dc=example,dc=com> (default) with scope subtree # filter: (objectclass=*) # requesting: ALL #
# j.example.com dn: dc=j,dc=example,dc=com objectClass: top objectClass: dcObject objectClass: organization o: example Organization description: example Inc DIT dc: j
# Users, j.example.com dn: ou=Users,dc=j,dc=example,dc=com objectClass: organizationalUnit ou: Users
# Groups, j.example.com dn: ou=Groups,dc=j,dc=example,dc=com objectClass: organizationalUnit ou: Groups
# Admins, j.example.com dn: ou=Admins,dc=j,dc=example,dc=com objectClass: organizationalUnit ou: Admins
# sohri, Users, j.example.com dn: uid=sohri,ou=Users,dc=j,dc=example,dc=com uid: sohri cn: sohri sn: 1 objectClass: top objectClass: posixAccount objectClass: inetOrgPerson loginShell: /bin/bash homeDirectory: /home/sohri uidNumber: 15000 gidNumber: 10000 userPassword:: e1NTSEF9eWdkWExpZUdIT01YRytRM3ZmZWdNY3QwSmd2bFNqSkcg mail: sam.ohri@example.com gecos: Local User
# tpearce, Users, j.example.com dn: uid=tpearce,ou=Users,dc=j,dc=example,dc=com uid: tpearce cn: tpearce sn: 2 objectClass: top objectClass: posixAccount objectClass: inetOrgPerson loginShell: /bin/bash homeDirectory: /home/tpearce uidNumber: 15001 gidNumber: 10000 userPassword:: e1NTSEF9eWdkWExpZUdIT01YRytRM3ZmZWdNY3QwSmd2bFNqSkc= mail: tony.pearce@example.com gecos: local User
# ldapusers, Groups, j.example.com dn: cn=ldapusers,ou=Groups,dc=j,dc=example,dc=com objectClass: posixGroup objectClass: top cn: ldapusers userPassword:: e2NyeXB0fXg= gidNumber: 10000 memberUid: uid=sohri memberUid: uid=tpearce
# search result search: 2 result: 0 Success
# numResponses: 8 # numEntries: 7
Regards Sam
Windows is created to work against an Active Directory system, meaning you have an LDAP authorization and Kerberos authentication. Connecting Windows to a
LDAP for both is
problematic to say the least. The easiest solution is using SAMBA against LDAP and make the Windows systems login against the SAMBA server. If you like to make it work with GINA, contact them, and to understand what is going on you might want to read: http://pig.made-it.com/win-boot-test.html No guarantees, I did my best to document what is happening. Hope I did it right.
Mac OS X did once work against LDAP, I have no idea what the current state is. On 10.6.5 go to Preferences, Accounts. Click Login Options go to Account Server and click Join. Select OpenDirectory utility. Click LDAPv3 and click the edit button. Click show options, click New, type the address of your ldap server. Give your account credentias, pick template RFC 2307, set search base. And your done...
And finaly: None of your problems is OpenLDAP related since it works on your Linux machine.
Greetings,
Dennis
De informatie opgenomen in dit bericht kan vertrouwelijk zijn en is
uitsluitend bestemd voor de geadresseerde. Indien u dit bericht onterecht ontvangt, wordt u verzocht de inhoud niet te
gebruiken
en de afzender direct te informeren door het bericht te retourneren. Het Universitair Medisch Centrum Utrecht is een publiekrechtelijke rechtspersoon in de zin van de W.H.W. (Wet Hoger Onderwijs en Wetenschappelijk Onderzoek) en staat geregistreerd bij de Kamer van Koophandel voor Midden-Nederland onder nr. 30244197.
Denk s.v.p aan het milieu voor u deze e-mail afdrukt.
This message may contain confidential information and is intended exclusively
for the
addressee. If you receive this message unintentionally,
please do not use the contents but notify the sender immediately by return e-mail. University Medical Center Utrecht is a legal person by public law and is registered at the Chamber of Commerce for Midden-Nederland under no. 30244197.
Please consider the environment before printing this e-mail.
- -- ICT Medewerker Divisie Biomedische Genetica UMC Utrecht Heidelberglaan 100 STR2.126 3584 CX Utrecht The Netherlands 06 27744048 intern: 64048