4:23 p.m.
Hi there,
I noted that ppolicy is yet in development and because of that I would like
to check how can I do some password history check. I mean, how can I apply
same password policy defined in /etc/pam.d/system-auth, like history, size,
new chars when changing password, and so on ?
I running OpenLDAP 2.2.13, because is the RHAS4 current version.
Is there any way to force LDAP Seerver to use /etc/pam.d/system-auth
definitions ?
Thanks
---
Gustavo Mendes de Carvalho
email: gmcarvalho(a)gmail.com
1:32 a.m.
Gustavo Mendes de Carvalho wrote:
Hi there,
I noted that ppolicy is yet in development and because of that I would like
to check how can I do some password history check. I mean, how can I apply
same password policy defined in /etc/pam.d/system-auth, like history, size,
new chars when changing password, and so on ?
I running OpenLDAP 2.2.13, because is the RHAS4 current version.
Is there any way to force LDAP Seerver to use /etc/pam.d/system-auth
definitions ?
I don't know where to start...use a recent version of OpenLDAP, see the
list archives why we don't recommend a RH OpenLDAP etc.
No ppolicy in 2.2. anyway.
1:38 a.m.
On Friday 25 April 2008 01:23:52 Gustavo Mendes de Carvalho wrote:
Hi there,
I noted that ppolicy is yet in development and because of that I would like
to check how can I do some password history check. I mean, how can I apply
same password policy defined in /etc/pam.d/system-auth, like history, size,
new chars when changing password, and so on ?
Here is one example:
http://open.calivia.com/projects/openldap/
http://open.calivia.com/projects/openldap/browser/check_password
I running OpenLDAP 2.2.13,
Which doesn't have ppolicy at all.
because is the RHAS4 current version.
Poor excuse: http://staff.telkomsa.net/packages/rhel4/openldap/ , which has
ppolicy. I will look at including the check_password.c plugin from above in
the packages as well.
Is there any way to force LDAP Seerver to use /etc/pam.d/system-auth
definitions ?
No.
4:27 a.m.
New subject: Compiling openldap-2.4.8 on cygwin
Has anyone compiled this successfully on cygwin?
I've never compiled anything via this before, but I need 2.4.x for the
memberOf overlay, for which I can't find a windows binary.
My configure string is as follows:
./configure --sysconfdir=/etc/openldap --enable-proxycache
--enable-translucent --enable-bdb --enable-overlays --enable-hdb
--enable-meta --enable-ldap --enable-perl --enable-relay --enable-sql
I get the following error:
cc -g -O2 -o apitest.exe apitest.o ./.libs/libldap.a
/cygdrive/c/temp/openldap-2.4.8/libraries/liblber/.libs/liblber.a
../../libraries/liblber/.libs/liblber.a
../../libraries/liblutil/liblutil.a /usr/lib/libsasl2.dll.a -lresolv
/usr/lib/gcc/i686-pc-cygwin/3.4.4/../../../../i686-pc-cygwin/bin/ld:
cannot find -lresolv
collect2: ld returned 1 exit status
make[2]: *** [apitest] Error 1
make[2]: Leaving directory
`/cygdrive/c/temp/openldap-2.4.8/libraries/libldap'
make[1]: *** [all-common] Error 1
make[1]: Leaving directory `/cygdrive/c/temp/openldap-2.4.8/libraries'
make: *** [all-common] Error 1
Has anyone seen this before?
Thanks,
Chris
5:53 a.m.
New subject: Compiling openldap-2.4.8 on cygwin
On Friday 25 April 2008 13:27:46 Clemson, Chris (IHG) wrote:
Has anyone compiled this successfully on cygwin?
Why?
http://www.openldap.org/faq/data/cache/145.html
"Due to various Winsock-specific bugs, building with Cygwin is discouraged.
Use the MinGW port instead. See (Xref) Porting to MinGW"
http://www.openldap.org/faq/data/cache/300.html
Regards,
Buchan
4:18 a.m.
New subject: Compiling openldap-2.4.8 on cygwin
On Friday 25 April 2008 13:27:46 Clemson, Chris (IHG) wrote:
> Has anyone compiled this successfully on cygwin?
Why?
http://www.openldap.org/faq/data/cache/145.html
"Due to various Winsock-specific bugs, building with Cygwin
is discouraged.
Use the MinGW port instead. See (Xref) Porting to MinGW"
http://www.openldap.org/faq/data/cache/300.html
Thanks for the reply.
Anyone know of a decent dummies guide to compiling mingw exes?
I've never done this before.
Thanks,
Chris
4:24 a.m.
New subject: Compiling openldap-2.4.8 on cygwin
Please ignore the question, I missed a link at the bottom of the page.
Doh!
Thanks,
Chris
-----Original Message-----
From:
openldap-technical-bounces+chris.clemson=ihg.com(a)OpenLDAP.org
[mailto:openldap-technical-bounces+chris.clemson=ihg.com@OpenL
DAP.org] On Behalf Of Clemson, Chris (IHG)
Sent: 28 April 2008 12:18
To: openldap-technical(a)openldap.org
Subject: RE: Compiling openldap-2.4.8 on cygwin
> On Friday 25 April 2008 13:27:46 Clemson, Chris (IHG) wrote:
> > Has anyone compiled this successfully on cygwin?
>
> Why?
>
> http://www.openldap.org/faq/data/cache/145.html
>
> "Due to various Winsock-specific bugs, building with Cygwin
> is discouraged.
> Use the MinGW port instead. See (Xref) Porting to MinGW"
>
> http://www.openldap.org/faq/data/cache/300.html
Thanks for the reply.
Anyone know of a decent dummies guide to compiling mingw exes?
I've never done this before.
Thanks,
Chris
7:07 p.m.
Hi Buchan,r
I already installed version 2.3 but now I would like to know wher can
I get some documentation about configuring back_passwd.la. Do you have
any link describing it ?
Thanks for you tip. It was very usefull.
Gustavo
---
Gustavo Mendes de Carvalho
e-mail: gmcarvalho(a)gmail.com
7:26 p.m.
Sorry about my mistake.
I meant to say ppolicy.la
Thanks
2008/4/25 Gustavo Mendes de Carvalho <gmcarvalho(a)gmail.com>:
Hi Buchan,
I already installed version 2.3 but now I would like to know wher can
I get some documentation about configuring back_passwd.la. Do you have
any link describing it ?
Thanks for you tip. It was very usefull.
Gustavo
---
Gustavo Mendes de Carvalho
e-mail: gmcarvalho(a)gmail.com
--
---
Gustavo Mendes de Carvalho
e-mail: gmcarvalho(a)gmail.com
3:45 a.m.
Gustavo Mendes de Carvalho wrote:
2008/4/25 Gustavo Mendes de Carvalho <gmcarvalho(a)gmail.com>:
> I already installed version 2.3 but now I would like to know wher can
> I get some documentation about configuring back_passwd.la. Do you have
> any link describing it ?
Sorry about my mistake.
I meant to say ppolicy.la
man 5 slapo-ppolicy
For OpenLDAP 2.3:
http://www.openldap.org/software/man.cgi?query=slapo-ppolicy&apropos=...
For OpenLDAP 2.4:
http://www.openldap.org/software/man.cgi?query=slapo-ppolicy&apropos=...
Ciao, Michael.
6:29 a.m.
Hi Michael
According with man 5 slapo-policy and OpenLDAP site docs, in attribute
pwdAttribute I have to input value userPassword, but this attribute
does not support strings (according with my tries), so I inserted
correspondent userPassword OID (1.3.6.1.4.1.1466.115.121.1.40) and
even number 1 or 0 (to enable or disable checking).
After that I defined in pwdMaxFailure to 2 and pwdLockout to TRUE, and
then I tried twice wrong passwords and in the third shot I was able to
connect in.
Another test tah I did was defining pwdExpireWarning to few minutes
(5) and pwdMaxAge to 10 minutes, but when I do login, I didn't receive
warning message, and I can login after 10 minutes after first login.
Is there any missing parameter that I have to setup or do I am doing
something wrong ?
Thanks
2008/4/26 Michael Ströder <michael(a)stroeder.com>:
Gustavo Mendes de Carvalho wrote:
>
> 2008/4/25 Gustavo Mendes de Carvalho <gmcarvalho(a)gmail.com>:
>
>
> > I already installed version 2.3 but now I would like to know wher can
> > I get some documentation about configuring back_passwd.la. Do you have
> > any link describing it ?
> >
>
> Sorry about my mistake.
>
> I meant to say ppolicy.la
>
man 5 slapo-ppolicy
For OpenLDAP 2.3:
http://www.openldap.org/software/man.cgi?query=slapo-ppolicy&apropos=...
For OpenLDAP 2.4:
http://www.openldap.org/software/man.cgi?query=slapo-ppolicy&apropos=...
Ciao, Michael.
--
---
Gustavo Mendes de Carvalho
e-mail: gmcarvalho(a)gmail.com
8:22 a.m.
Gustavo Mendes de Carvalho wrote:
According with man 5 slapo-policy and OpenLDAP site docs, in
attribute
pwdAttribute I have to input value userPassword, but this attribute
does not support strings (according with my tries), so I inserted
correspondent userPassword OID (1.3.6.1.4.1.1466.115.121.1.40)
1.3.6.1.4.1.1466.115.121.1.40 is not the correct OID here. It identifies
the LDAP syntax 'Octet String' which is used for attribute type
'userPassword'.
The correct OID for attribute type 'userPassword' to be put in
'pwdAttribute' is 2.5.4.35.
Ciao, Michael.
8:38 a.m.
2008/4/28 Michael Ströder <michael(a)stroeder.com>:
Gustavo Mendes de Carvalho wrote:
> According with man 5 slapo-policy and OpenLDAP site docs, in attribute
> pwdAttribute I have to input value userPassword, but this attribute
> does not support strings (according with my tries), so I inserted
> correspondent userPassword OID (1.3.6.1.4.1.1466.115.121.1.40)
>
1.3.6.1.4.1.1466.115.121.1.40 is not the correct OID here. It identifies
the LDAP syntax 'Octet String' which is used for attribute type
'userPassword'.
The correct OID for attribute type 'userPassword' to be put in
'pwdAttribute' is 2.5.4.35.
Yes, you are right, but my main question is what value do I have to
setup in pwdAttribute when configuring some user, if I choose to use
Password policy ?
Gustavo
Ciao, Michael.
--
---
Gustavo Mendes de Carvalho
e-mail: gmcarvalho(a)gmail.com
11:36 a.m.
Michael,
T be sure about what error I got when I was using pwd policy, I was
checking ldap.log file and I saw that when I define in slapd.conf file
the statement
overlay ppolicy
my ldap does not starts. Then I was checking in google and I find out
that my rpm version maybe does not have the option to support overlays
when it was built.
Do you have any idea in how to include overlay module into an already
built rpm ?
I am talking about this version
http://staff.telkomsa.net/packages/rhel4/openldap/
Gustavo
2008/4/28 Gustavo Mendes de Carvalho <gmcarvalho(a)gmail.com>:
2008/4/28 Michael Ströder <michael(a)stroeder.com>:
> Gustavo Mendes de Carvalho wrote:
>
> > According with man 5 slapo-policy and OpenLDAP site docs, in attribute
> > pwdAttribute I have to input value userPassword, but this attribute
> > does not support strings (according with my tries), so I inserted
> > correspondent userPassword OID (1.3.6.1.4.1.1466.115.121.1.40)
> >
>
> 1.3.6.1.4.1.1466.115.121.1.40 is not the correct OID here. It identifies
> the LDAP syntax 'Octet String' which is used for attribute type
> 'userPassword'.
>
> The correct OID for attribute type 'userPassword' to be put in
> 'pwdAttribute' is 2.5.4.35.
>
Yes, you are right, but my main question is what value do I have to
setup in pwdAttribute when configuring some user, if I choose to use
Password policy ?
Gustavo
> Ciao, Michael.
>
--
---
Gustavo Mendes de Carvalho
e-mail: gmcarvalho(a)gmail.com
--
---
Gustavo Mendes de Carvalho
e-mail: gmcarvalho(a)gmail.com
1:14 p.m.
Gustavo Mendes de Carvalho wrote:
T be sure about what error I got when I was using pwd policy, I was
checking ldap.log file and I saw that when I define in slapd.conf file
the statement
overlay ppolicy
my ldap does not starts.
Any meaningful message written to the log when startup failed?
How about just starting slapd from command-line with debug level set
with option -d?
Then I was checking in google and I find out
that my rpm version maybe does not have the option to support overlays
when it was built.
Could you please be more precise with the information? "Checking in
Google" does not say much. Reference the information by giving URL here.
You might have to load this overlay in slapd.conf before using it.
moduleload ppolicy.la
[..]
overlay ppolicy
Do you have any idea in how to include overlay module into an
already
built rpm ?
I am talking about this version
http://staff.telkomsa.net/packages/rhel4/openldap/
Don't know these RPMs myself.
Ciao, Michael.
1:28 p.m.
Hi Michael,
Bellow you can see my slapd.conf and slapd debug messages
2008/4/28 Michael Ströder <michael(a)stroeder.com>:
Gustavo Mendes de Carvalho wrote:
>
> T be sure about what error I got when I was using pwd policy, I was
> checking ldap.log file and I saw that when I define in slapd.conf file
> the statement
> overlay ppolicy
> my ldap does not starts.
>
Any meaningful message written to the log when startup failed?
How about just starting slapd from command-line with debug level set with
option -d?
when starting slapd with this command
# slapd2.4 -d -1
I got this messages
line 29 (pidfile /var/run/ldap2.4/slapd.pid)
line 30 (argsfile /var/run/ldap2.4/slapd.args)
line 31 (logfile /var/log/ldap.log)
line 32 (loglevel 256)
line 84 (overlay /usr/lib/openldap2.4/ppolicy)
overlay "ppolicy" not found
/etc/openldap2.4/slapd.conf: line 84: <overlay> handler exited with 1!
slapd2.4 destroy: freeing system resources.
slapd stopped.
connections_destroy: nothing to destroy.
and my slapd.coonf has this lines
include /usr/share/openldap2.4/schema/core.schema
include /usr/share/openldap2.4/schema/cosine.schema
include /usr/share/openldap2.4/schema/inetorgperson.schema
include /usr/share/openldap2.4/schema/misc.schema
include /usr/share/openldap2.4/schema/nis.schema
include /usr/share/openldap2.4/schema/openldap.schema
include /usr/share/openldap2.4/schema/evolutionperson.schema
include /usr/share/openldap2.4/schema/sudo.schema
include /usr/share/openldap2.4/schema/ppolicy.schema
pidfile /var/run/ldap2.4/slapd.pid
argsfile /var/run/ldap2.4/slapd.args
logfile /var/log/ldap.log
loglevel 256
modulepath /usr/lib/openldap2.4
moduleload back_ldap.la
moduleload back_passwd.la
moduleload accesslog.la
moduleload pcache.la
moduleload ppolicy.la
moduleload unique.la
overlay ppolicy
ppolicy_default "dc=domain,dc=com"
database bdb
suffix "dc=domain,dc=com"
rootdn "cn=Manager,dc=domain,dc=com"
rootpw {SSHA}KybohLTa4NZZYc2C4iAefyNYq8ghnGsx
directory /var/lib/ldap2.4
mode 0600
cachesize 1000000
checkpoint 256 60
> Then I was checking in google and I find out
> that my rpm version maybe does not have the option to support overlays
> when it was built.
>
Could you please be more precise with the information? "Checking in Google"
does not say much. Reference the information by giving URL here.
http://www.openldap.org/lists/openldap-software/200701/msg00242.html
http://www.openldap.org/lists/openldap-software/200701/msg00240.html
http://www.openldap.org/lists/openldap-software/200701/msg00246.html
You might have to load this overlay in slapd.conf before using it.
moduleload ppolicy.la
[..]
overlay ppolicy
As you can see above, I already try to load it
---
Gustavo Mendes de Carvalho
e-mail: gmcarvalho(a)gmail.com
4:43 p.m.
Gustavo Mendes de Carvalho wrote:
line 84 (overlay /usr/lib/openldap2.4/ppolicy)
If the overlay was built as dynamically loadlable module you should find
a file ppolicy.la in directory /usr/lib/openldap2.4 (or whereever
overlay modules were installed). But it can also be statically built
into slapd executable. Then just leave out the 'moduleload' statement in
slapd.conf. Maybe you should ask the guy providing this particular RPM
packages.
Ciao, Michael.
5:38 p.m.
Hi Michael,
Just to be sure about the whole packet, I will build it from source,
so I will really enjoy if you can check the configure command before
compiling it
./configure --program-prefix=/usr/local/openldap
--enable-modules
--enable-backends
--enable-overlays
--disable-ipv6
--enable-crypt
--enable-ldap
--enable-constraint
--with-cyrus-sasl
--with-tls
Any comment about it ?
2008/4/28 Michael Ströder <michael(a)stroeder.com>:
Gustavo Mendes de Carvalho wrote:
>
> line 84 (overlay /usr/lib/openldap2.4/ppolicy)
>
If the overlay was built as dynamically loadlable module you should find a
file ppolicy.la in directory /usr/lib/openldap2.4 (or whereever overlay
modules were installed). But it can also be statically built into slapd
executable. Then just leave out the 'moduleload' statement in slapd.conf.
Maybe you should ask the guy providing this particular RPM packages.
Ciao, Michael.
---
Gustavo Mendes de Carvalho
e-mail: gmcarvalho(a)gmail.com
1:12 a.m.
Gustavo Mendes de Carvalho wrote:
Hi Michael,
Just to be sure about the whole packet, I will build it from source,
so I will really enjoy if you can check the configure command before
compiling it
./configure --program-prefix=/usr/local/openldap
--enable-modules
--enable-backends
--enable-overlays
--disable-ipv6
--enable-crypt
--enable-ldap
--enable-constraint
--with-cyrus-sasl
--with-tls
--enable-ldap and --enable-constraint is AFAIK not needed if you already
build all backends and overlays. Note that maybe backends and overlays
get built statically within slapd.
Ciao, Michael.
1:20 p.m.
Gustavo Mendes de Carvalho wrote:
2008/4/28 Michael Ströder <michael(a)stroeder.com>:
> Gustavo Mendes de Carvalho wrote:
>
>> According with man 5 slapo-policy and OpenLDAP site docs, in attribute
>> pwdAttribute I have to input value userPassword, but this attribute
>> does not support strings (according with my tries), so I inserted
>> correspondent userPassword OID (1.3.6.1.4.1.1466.115.121.1.40)
>>
> 1.3.6.1.4.1.1466.115.121.1.40 is not the correct OID here. It identifies
> the LDAP syntax 'Octet String' which is used for attribute type
> 'userPassword'.
>
> The correct OID for attribute type 'userPassword' to be put in
> 'pwdAttribute' is 2.5.4.35.
Yes, you are right, but my main question is what value do I have to
setup in pwdAttribute when configuring some user, if I choose to use
Password policy ?
I'm not sure I understand your question.
Mainly you'll add entries for specifying possibly different password
policies. AFAIK for OpenLDAP's ppolicy implementation only
pwdAttribute: 2.5.4.35
is valid in these entry.
You can then
1. define a default password policy entry in slapd.conf and
2. you can specify which password policy is applied to a certain entry
by adding attribute 'pwdPolicySubentry' to the user's entry which
contains the DN of the required password policy entry.
Ciao, Michael.
4734
days inactive
4740
days old
openldap-technical@openldap.org
19 comments
5 participants
participants (5)
-
Buchan Milne -
Clemson, Chris (IHG) -
Gavin Henry -
Gustavo Mendes de Carvalho -
Michael Ströder