Hi there,
I noted that ppolicy is still in development, and because of that I would like to check how I can do some password history checking. I mean, how can I apply the same password policy defined in /etc/pam.d/system-auth, like history, size, new characters when changing the password, and so on?
I am running OpenLDAP 2.2.13, because it is the current RHAS4 version.
Is there any way to force the LDAP server to use the /etc/pam.d/system-auth definitions?
Thanks
--- Gustavo Mendes de Carvalho email: gmcarvalho@gmail.com
Gustavo Mendes de Carvalho wrote:
Hi there,
I noted that ppolicy is still in development, and because of that I would like to check how I can do some password history checking. I mean, how can I apply the same password policy defined in /etc/pam.d/system-auth, like history, size, new characters when changing the password, and so on?
I am running OpenLDAP 2.2.13, because it is the current RHAS4 version.
Is there any way to force the LDAP server to use the /etc/pam.d/system-auth definitions?
I don't know where to start... use a recent version of OpenLDAP, see the list archives for why we don't recommend the RH OpenLDAP, etc.
No ppolicy in 2.2 anyway.
On Friday 25 April 2008 01:23:52 Gustavo Mendes de Carvalho wrote:
Hi there,
I noted that ppolicy is still in development, and because of that I would like to check how I can do some password history checking. I mean, how can I apply the same password policy defined in /etc/pam.d/system-auth, like history, size, new characters when changing the password, and so on?
Here is one example: http://open.calivia.com/projects/openldap/ http://open.calivia.com/projects/openldap/browser/check_password
I am running OpenLDAP 2.2.13,
Which doesn't have ppolicy at all.
because it is the current RHAS4 version.
Poor excuse: http://staff.telkomsa.net/packages/rhel4/openldap/ , which has ppolicy. I will look at including the check_password.c plugin from above in the packages as well.
Is there any way to force the LDAP server to use the /etc/pam.d/system-auth definitions?
No.
Has anyone compiled this successfully on Cygwin? I've never compiled anything this way before, but I need 2.4.x for the memberOf overlay, for which I can't find a Windows binary.
My configure string is as follows: ./configure --sysconfdir=/etc/openldap --enable-proxycache --enable-translucent --enable-bdb --enable-overlays --enable-hdb --enable-meta --enable-ldap --enable-perl --enable-relay --enable-sql
I get the following error:
cc -g -O2 -o apitest.exe apitest.o ./.libs/libldap.a /cygdrive/c/temp/openldap-2.4.8/libraries/liblber/.libs/liblber.a ../../libraries/liblber/.libs/liblber.a ../../libraries/liblutil/liblutil.a /usr/lib/libsasl2.dll.a -lresolv
/usr/lib/gcc/i686-pc-cygwin/3.4.4/../../../../i686-pc-cygwin/bin/ld: cannot find -lresolv
collect2: ld returned 1 exit status
make[2]: *** [apitest] Error 1
make[2]: Leaving directory `/cygdrive/c/temp/openldap-2.4.8/libraries/libldap'
make[1]: *** [all-common] Error 1
make[1]: Leaving directory `/cygdrive/c/temp/openldap-2.4.8/libraries'
make: *** [all-common] Error 1
Has anyone seen this before? Thanks,
Chris
On Friday 25 April 2008 13:27:46 Clemson, Chris (IHG) wrote:
Has anyone compiled this successfully on Cygwin?
Why?
http://www.openldap.org/faq/data/cache/145.html
"Due to various Winsock-specific bugs, building with Cygwin is discouraged. Use the MinGW port instead. See (Xref) Porting to MinGW"
http://www.openldap.org/faq/data/cache/300.html
Regards, Buchan
On Friday 25 April 2008 13:27:46 Clemson, Chris (IHG) wrote:
Has anyone compiled this successfully on Cygwin?
Why?
http://www.openldap.org/faq/data/cache/145.html
"Due to various Winsock-specific bugs, building with Cygwin is discouraged. Use the MinGW port instead. See (Xref) Porting to MinGW"
Thanks for the reply. Does anyone know of a decent dummies' guide to compiling MinGW executables? I've never done this before. Thanks,
Chris
Please ignore the question, I missed a link at the bottom of the page. Doh! Thanks,
Chris
-----Original Message-----
From: openldap-technical-bounces+chris.clemson=ihg.com@OpenLDAP.org [mailto:openldap-technical-bounces+chris.clemson=ihg.com@OpenLDAP.org] On Behalf Of Clemson, Chris (IHG)
Sent: 28 April 2008 12:18
To: openldap-technical@openldap.org
Subject: RE: Compiling openldap-2.4.8 on cygwin
On Friday 25 April 2008 13:27:46 Clemson, Chris (IHG) wrote:
Has anyone compiled this successfully on Cygwin?
Why?
http://www.openldap.org/faq/data/cache/145.html
"Due to various Winsock-specific bugs, building with Cygwin is discouraged. Use the MinGW port instead. See (Xref) Porting to MinGW"
Thanks for the reply. Does anyone know of a decent dummies' guide to compiling MinGW executables? I've never done this before. Thanks,
Chris
Hi Buchan,
I already installed version 2.3, but now I would like to know where I can get some documentation about configuring back_passwd.la. Do you have any link describing it?
Thanks for your tip. It was very useful.
Gustavo
--- Gustavo Mendes de Carvalho e-mail: gmcarvalho@gmail.com
Sorry about my mistake.
I meant to say ppolicy.la
Thanks
2008/4/25 Gustavo Mendes de Carvalho gmcarvalho@gmail.com:
Hi Buchan,
I already installed version 2.3, but now I would like to know where I can get some documentation about configuring back_passwd.la. Do you have any link describing it?
Thanks for your tip. It was very useful.
Gustavo
Gustavo Mendes de Carvalho e-mail: gmcarvalho@gmail.com
Gustavo Mendes de Carvalho wrote:
2008/4/25 Gustavo Mendes de Carvalho gmcarvalho@gmail.com:
I already installed version 2.3, but now I would like to know where I can get some documentation about configuring back_passwd.la. Do you have any link describing it?
Sorry about my mistake.
I meant to say ppolicy.la
man 5 slapo-ppolicy
For OpenLDAP 2.3: http://www.openldap.org/software/man.cgi?query=slapo-ppolicy&apropos=0&a...
For OpenLDAP 2.4: http://www.openldap.org/software/man.cgi?query=slapo-ppolicy&apropos=0&a...
Ciao, Michael.
Hi Michael
According to man 5 slapo-ppolicy and the OpenLDAP site docs, in the attribute pwdAttribute I have to put the value userPassword, but this attribute does not accept strings (according to my tries), so I inserted the corresponding userPassword OID (1.3.6.1.4.1.1466.115.121.1.40) and even the number 1 or 0 (to enable or disable checking).
After that I set pwdMaxFailure to 2 and pwdLockout to TRUE, and then I tried wrong passwords twice, and on the third attempt I was able to connect. Another test that I did was setting pwdExpireWarning to a few minutes (5) and pwdMaxAge to 10 minutes, but when I log in I don't receive a warning message, and I can still log in 10 minutes after the first login.
Is there any missing parameter that I have to set up, or am I doing something wrong?
Thanks
2008/4/26 Michael Ströder michael@stroeder.com:
Gustavo Mendes de Carvalho wrote:
2008/4/25 Gustavo Mendes de Carvalho gmcarvalho@gmail.com:
I already installed version 2.3, but now I would like to know where I can get some documentation about configuring back_passwd.la. Do you have any link describing it?
Sorry about my mistake.
I meant to say ppolicy.la
man 5 slapo-ppolicy
For OpenLDAP 2.3:
http://www.openldap.org/software/man.cgi?query=slapo-ppolicy&apropos=0&a...
For OpenLDAP 2.4:
http://www.openldap.org/software/man.cgi?query=slapo-ppolicy&apropos=0&a...
Ciao, Michael.
Gustavo Mendes de Carvalho wrote:
According to man 5 slapo-ppolicy and the OpenLDAP site docs, in the attribute pwdAttribute I have to put the value userPassword, but this attribute does not accept strings (according to my tries), so I inserted the corresponding userPassword OID (1.3.6.1.4.1.1466.115.121.1.40)
1.3.6.1.4.1.1466.115.121.1.40 is not the correct OID here. It identifies the LDAP syntax 'Octet String' which is used for attribute type 'userPassword'.
The correct OID for attribute type 'userPassword' to be put in 'pwdAttribute' is 2.5.4.35.
Ciao, Michael.
2008/4/28 Michael Ströder michael@stroeder.com:
Gustavo Mendes de Carvalho wrote:
According to man 5 slapo-ppolicy and the OpenLDAP site docs, in the attribute pwdAttribute I have to put the value userPassword, but this attribute does not accept strings (according to my tries), so I inserted the corresponding userPassword OID (1.3.6.1.4.1.1466.115.121.1.40)
1.3.6.1.4.1.1466.115.121.1.40 is not the correct OID here. It identifies the LDAP syntax 'Octet String' which is used for attribute type 'userPassword'.
The correct OID for attribute type 'userPassword' to be put in 'pwdAttribute' is 2.5.4.35.
Yes, you are right, but my main question is what value I have to set in pwdAttribute when configuring a user, if I choose to use the password policy?
Gustavo
Ciao, Michael.
Michael,
To be sure about what error I got when I was using pwd policy, I was checking the ldap.log file and I saw that when I put the statement overlay ppolicy in the slapd.conf file my ldap does not start. Then I was checking on Google and I found out that my rpm version maybe does not have overlay support built in.
Do you have any idea how to include the overlay module into an already built rpm?
I am talking about this version http://staff.telkomsa.net/packages/rhel4/openldap/
Gustavo
2008/4/28 Gustavo Mendes de Carvalho gmcarvalho@gmail.com:
2008/4/28 Michael Ströder michael@stroeder.com:
Gustavo Mendes de Carvalho wrote:
According to man 5 slapo-ppolicy and the OpenLDAP site docs, in the attribute pwdAttribute I have to put the value userPassword, but this attribute does not accept strings (according to my tries), so I inserted the corresponding userPassword OID (1.3.6.1.4.1.1466.115.121.1.40)
1.3.6.1.4.1.1466.115.121.1.40 is not the correct OID here. It identifies the LDAP syntax 'Octet String' which is used for attribute type 'userPassword'.
The correct OID for attribute type 'userPassword' to be put in 'pwdAttribute' is 2.5.4.35.
Yes, you are right, but my main question is what value I have to set in pwdAttribute when configuring a user, if I choose to use the password policy?
Gustavo
Ciao, Michael.
--
Gustavo Mendes de Carvalho e-mail: gmcarvalho@gmail.com
Gustavo Mendes de Carvalho wrote:
To be sure about what error I got when I was using pwd policy, I was checking the ldap.log file and I saw that when I put the statement overlay ppolicy in the slapd.conf file my ldap does not start.
Any meaningful message written to the log when startup failed?
How about just starting slapd from command-line with debug level set with option -d?
Then I was checking on Google and I found out that my rpm version maybe does not have overlay support built in.
Could you please be more precise with the information? "Checking on Google" does not say much. Reference the information by giving the URL here.
You might have to load this overlay in slapd.conf before using it.
moduleload ppolicy.la
[..]
overlay ppolicy
Do you have any idea how to include the overlay module into an already built rpm?
I am talking about this version http://staff.telkomsa.net/packages/rhel4/openldap/
Don't know these RPMs myself.
Ciao, Michael.
Hi Michael,
Below you can see my slapd.conf and the slapd debug messages.
2008/4/28 Michael Ströder michael@stroeder.com:
Gustavo Mendes de Carvalho wrote:
To be sure about what error I got when I was using pwd policy, I was checking the ldap.log file and I saw that when I put the statement overlay ppolicy in the slapd.conf file my ldap does not start.
Any meaningful message written to the log when startup failed?
How about just starting slapd from command-line with debug level set with option -d?
When starting slapd with this command: # slapd2.4 -d -1 I got these messages:
line 29 (pidfile /var/run/ldap2.4/slapd.pid)
line 30 (argsfile /var/run/ldap2.4/slapd.args)
line 31 (logfile /var/log/ldap.log)
line 32 (loglevel 256)
line 84 (overlay /usr/lib/openldap2.4/ppolicy)
overlay "ppolicy" not found
/etc/openldap2.4/slapd.conf: line 84: <overlay> handler exited with 1!
slapd2.4 destroy: freeing system resources.
slapd stopped.
connections_destroy: nothing to destroy.
And my slapd.conf has these lines:
include /usr/share/openldap2.4/schema/core.schema
include /usr/share/openldap2.4/schema/cosine.schema
include /usr/share/openldap2.4/schema/inetorgperson.schema
include /usr/share/openldap2.4/schema/misc.schema
include /usr/share/openldap2.4/schema/nis.schema
include /usr/share/openldap2.4/schema/openldap.schema
include /usr/share/openldap2.4/schema/evolutionperson.schema
include /usr/share/openldap2.4/schema/sudo.schema
include /usr/share/openldap2.4/schema/ppolicy.schema
pidfile /var/run/ldap2.4/slapd.pid
argsfile /var/run/ldap2.4/slapd.args
logfile /var/log/ldap.log
loglevel 256
modulepath /usr/lib/openldap2.4
moduleload back_ldap.la
moduleload back_passwd.la
moduleload accesslog.la
moduleload pcache.la
moduleload ppolicy.la
moduleload unique.la
overlay ppolicy
ppolicy_default "dc=domain,dc=com"
database bdb
suffix "dc=domain,dc=com"
rootdn "cn=Manager,dc=domain,dc=com"
rootpw {SSHA}KybohLTa4NZZYc2C4iAefyNYq8ghnGsx
directory /var/lib/ldap2.4
mode 0600
cachesize 1000000
checkpoint 256 60
Then I was checking on Google and I found out that my rpm version maybe does not have overlay support built in.
Could you please be more precise with the information? "Checking on Google" does not say much. Reference the information by giving the URL here.
http://www.openldap.org/lists/openldap-software/200701/msg00242.html
http://www.openldap.org/lists/openldap-software/200701/msg00240.html
http://www.openldap.org/lists/openldap-software/200701/msg00246.html
You might have to load this overlay in slapd.conf before using it.
moduleload ppolicy.la
[..]
overlay ppolicy
As you can see above, I already tried to load it.
--- Gustavo Mendes de Carvalho e-mail: gmcarvalho@gmail.com
Gustavo Mendes de Carvalho wrote:
line 84 (overlay /usr/lib/openldap2.4/ppolicy)
If the overlay was built as a dynamically loadable module you should find a file ppolicy.la in the directory /usr/lib/openldap2.4 (or wherever overlay modules were installed). But it can also be statically built into the slapd executable. Then just leave out the 'moduleload' statement in slapd.conf. Maybe you should ask the guy providing these particular RPM packages.
Ciao, Michael.
Hi Michael,
Just to be sure about the whole package, I will build it from source, so I would really appreciate it if you could check the configure command before I compile it:
./configure --program-prefix=/usr/local/openldap --enable-modules --enable-backends --enable-overlays --disable-ipv6 --enable-crypt --enable-ldap --enable-constraint --with-cyrus-sasl --with-tls
Any comments about it?
2008/4/28 Michael Ströder michael@stroeder.com:
Gustavo Mendes de Carvalho wrote:
line 84 (overlay /usr/lib/openldap2.4/ppolicy)
If the overlay was built as a dynamically loadable module you should find a file ppolicy.la in the directory /usr/lib/openldap2.4 (or wherever overlay modules were installed). But it can also be statically built into the slapd executable. Then just leave out the 'moduleload' statement in slapd.conf. Maybe you should ask the guy providing these particular RPM packages.
Ciao, Michael.
--- Gustavo Mendes de Carvalho e-mail: gmcarvalho@gmail.com
Gustavo Mendes de Carvalho wrote:
Hi Michael,
Just to be sure about the whole package, I will build it from source, so I would really appreciate it if you could check the configure command before I compile it:
./configure --program-prefix=/usr/local/openldap --enable-modules --enable-backends --enable-overlays --disable-ipv6 --enable-crypt --enable-ldap --enable-constraint --with-cyrus-sasl --with-tls
--enable-ldap and --enable-constraint are AFAIK not needed if you already build all backends and overlays. Note that backends and overlays may get built statically into slapd.
Ciao, Michael.
Gustavo Mendes de Carvalho wrote:
2008/4/28 Michael Ströder michael@stroeder.com:
Gustavo Mendes de Carvalho wrote:
According to man 5 slapo-ppolicy and the OpenLDAP site docs, in the attribute pwdAttribute I have to put the value userPassword, but this attribute does not accept strings (according to my tries), so I inserted the corresponding userPassword OID (1.3.6.1.4.1.1466.115.121.1.40)
1.3.6.1.4.1.1466.115.121.1.40 is not the correct OID here. It identifies the LDAP syntax 'Octet String' which is used for attribute type 'userPassword'.
The correct OID for attribute type 'userPassword' to be put in 'pwdAttribute' is 2.5.4.35.
Yes, you are right, but my main question is what value I have to set in pwdAttribute when configuring a user, if I choose to use the password policy?
I'm not sure I understand your question.
Mainly you'll add entries specifying the (possibly different) password policies. AFAIK for OpenLDAP's ppolicy implementation only pwdAttribute: 2.5.4.35 is valid in these entries.
You can then
1. define a default password policy entry in slapd.conf, and
2. specify which password policy is applied to a certain entry by adding the attribute 'pwdPolicySubentry', containing the DN of the required password policy entry, to the user's entry.
Ciao, Michael.
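A worked policy entry for the setup Michael describes, written here as an added example and not taken from the thread; the ou=policies container, cn=default and uid=someuser are placeholders in Gustavo's dc=domain,dc=com tree, and the numeric values are illustrative choices that cover the history, length, lockout and expiry settings discussed above. The slapd.conf directive ppolicy_default must name an entry of objectClass pwdPolicy such as this one (pointing it at the suffix itself, as in the slapd.conf shown earlier, gives slapd no policy to apply), and single users can override it with pwdPolicySubentry:

```ldif
# Constructed example: a password-policy subentry for ppolicy.
# Load it with ldapadd as the rootdn, then set in slapd.conf:
#   ppolicy_default "cn=default,ou=policies,dc=domain,dc=com"
dn: ou=policies,dc=domain,dc=com
objectClass: organizationalUnit
ou: policies

dn: cn=default,ou=policies,dc=domain,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
# pwdPolicy is auxiliary, so 'device' supplies the structural class.
# Only the userPassword attribute type OID is valid here.
pwdAttribute: 2.5.4.35
# History: keep the last 5 hashes; re-using one is refused.
pwdInHistory: 5
# Length/quality checks need the cleartext, i.e. a Password Modify
# extended operation; 1 = accept a pre-hashed value it cannot check.
pwdCheckQuality: 1
pwdMinLength: 8
# Lockout after 2 consecutive bind failures, for 15 minutes.
pwdLockout: TRUE
pwdMaxFailure: 2
pwdLockoutDuration: 900
# Expiry: 10 minutes after pwdChangedTime, warn during the last 5.
pwdMaxAge: 600
pwdExpireWarning: 300
pwdGraceAuthNLimit: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE

# Attach this policy explicitly to one user (placeholder DN).
dn: uid=someuser,ou=people,dc=domain,dc=com
changetype: modify
add: pwdPolicySubentry
pwdPolicySubentry: cn=default,ou=policies,dc=domain,dc=com
```

pwdMaxAge is measured from pwdChangedTime, which ppolicy only stamps on password changes made while the overlay is active, so a password set before that never expires until it is changed. The expiry warning and the lockout details are returned only to clients that send the password policy request control (the OpenLDAP tools do so with -e ppolicy); a plain bind just succeeds or fails.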