5 a.m.
Hello
I've installed a openldap as proxy in a DMZ for authentication
forwarding to an Active Directoy.
The Proxy is used by a VPN gateway.
That all works very well, but password change from client fails with
following error:
slapd[30661]: conn=1001 op=5 do_modify
slapd[30661]: conn=1001 op=5 do_modify: dn (cn=XPTEST5,ou=Users,dc=myorg,dc=net)
slapd[30661]: >>> dnPrettyNormal: <cn=TEST5,ou=Users,dc=myorg,dc=net>
slapd[30661]: <<< dnPrettyNormal: <cn=TEST5,ou=Users,dc=myorg,dc=net>,
<cn=xptest5,ou=users,dc=myorg,dc=net>
slapd[30661]: conn=1001 op=5 modifications:
slapd[30661]: delete: UnicodePwd
slapd[30661]: one value, length 26
slapd[30661]: add: UnicodePwd
slapd[30661]: one value, length 26
slapd[30661]: conn=1001 op=5 MOD dn="cn=TEST5,ou=Users,dc=myorg,dc=net"
slapd[30661]: conn=1001 op=5 MOD attr=UnicodePwd UnicodePwd
slapd[30661]: send_ldap_result: conn=1001 op=5 p=3
slapd[30661]: send_ldap_result: err=17 matched="" text="UnicodePwd:
attribute type undefined"
slapd[30661]: send_ldap_response: msgid=6 tag=103 err=17
slapd[30661]: conn=1001 op=5 RESULT tag=103 err=17 text=UnicodePwd:
attribute type undefined
slapd[30661]: daemon: activity on 1 descriptor
slapd[30661]: daemon: activity on:
slapd[30661]:
slapd[30661]: daemon: epoll: listen=7 active_threads=0 tvp=zero
slapd[30661]: daemon: activity on 1 descriptor
slapd[30661]: daemon: activity on:
As I understand, UnicodePwd is a proprietary "standard" MS attribute
in AD to store the password but the RFC attribute is the userPassword.
Is it possible, to get the proxy working to process this MOD request,
may be that openldap proxy pass through the MOD operation with the
attribute UnicodePwd from the VPN-gateway?
I use openldap 2.4.40, here is my configuration:
==============================================================
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/rfc2307bis.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
modulepath /usr/lib/openldap/modules
moduleload back_ldap
disallow bind_anon
require authc
TLSCACertificateFile /etc/openldap/certs/myorg.net.root.pem
TLSCertificateFile /etc/openldap/certs/proxy1.myorg.net.pem
TLSCertificateKeyFile /etc/openldap/certs/proxy1.myorg.net.pem.key
TLSVerifyClient never
TLSCipherSuite ALL:!DH:!EDH
database ldap
security tls=256
rebind-as-user yes
suffix "dc=myorg,dc=net"
uri "ldap://dc1.myorg.net ldap://dc2.myorg.net"
tls start
tls_cacert=/etc/openldap/certs/adroot.pem
chase-referrals no
protocol-version 3
loglevel -1
==============================================================
Thanks for help!!
Meike
7:02 a.m.
Am Thu, 30 Jul 2015 14:00:06 +0200
schrieb Meike Stone <meike.stone(a)googlemail.com>:
Hello
I've installed a openldap as proxy in a DMZ for authentication
forwarding to an Active Directoy.
The Proxy is used by a VPN gateway.
That all works very well, but password change from client fails with
following error:
slapd[30661]: conn=1001 op=5 do_modify
slapd[30661]: conn=1001 op=5 do_modify: dn
(cn=XPTEST5,ou=Users,dc=myorg,dc=net) slapd[30661]: >>>
dnPrettyNormal: <cn=TEST5,ou=Users,dc=myorg,dc=net> slapd[30661]: <<<
dnPrettyNormal: <cn=TEST5,ou=Users,dc=myorg,dc=net>,
<cn=xptest5,ou=users,dc=myorg,dc=net> slapd[30661]: conn=1001 op=5
modifications: slapd[30661]: delete: UnicodePwd
slapd[30661]: one value, length 26
slapd[30661]: add: UnicodePwd
slapd[30661]: one value, length 26
slapd[30661]: conn=1001 op=5 MOD
dn="cn=TEST5,ou=Users,dc=myorg,dc=net" slapd[30661]: conn=1001 op=5
MOD attr=UnicodePwd UnicodePwd slapd[30661]: send_ldap_result:
conn=1001 op=5 p=3 slapd[30661]: send_ldap_result: err=17 matched=""
text="UnicodePwd: attribute type undefined"
slapd[30661]: send_ldap_response: msgid=6 tag=103 err=17
slapd[30661]: conn=1001 op=5 RESULT tag=103 err=17 text=UnicodePwd:
attribute type undefined
slapd[30661]: daemon: activity on 1 descriptor
slapd[30661]: daemon: activity on:
slapd[30661]:
slapd[30661]: daemon: epoll: listen=7 active_threads=0 tvp=zero
slapd[30661]: daemon: activity on 1 descriptor
slapd[30661]: daemon: activity on:
As I understand, UnicodePwd is a proprietary "standard" MS attribute
in AD to store the password but the RFC attribute is the userPassword.
Is it possible, to get the proxy working to process this MOD request,
may be that openldap proxy pass through the MOD operation with the
attribute UnicodePwd from the VPN-gateway?
[...]
create a private schema with all relevant attribute types and object
classes.Or get the AD schema and add it to your directories
configuration.
-Dieter
--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
2:18 a.m.
> Hello
>
>
> I've installed a openldap as proxy in a DMZ for authentication
> forwarding to an Active Directoy.
> The Proxy is used by a VPN gateway.
>
> That all works very well, but password change from client fails with
> following error:
>
> slapd[30661]: conn=1001 op=5 do_modify
> slapd[30661]: conn=1001 op=5 do_modify: dn
> (cn=XPTEST5,ou=Users,dc=myorg,dc=net) slapd[30661]: >>>
> dnPrettyNormal: <cn=TEST5,ou=Users,dc=myorg,dc=net> slapd[30661]: <<<
> dnPrettyNormal: <cn=TEST5,ou=Users,dc=myorg,dc=net>,
> <cn=xptest5,ou=users,dc=myorg,dc=net> slapd[30661]: conn=1001 op=5
> modifications: slapd[30661]: delete: UnicodePwd
> slapd[30661]: one value, length 26
> slapd[30661]: add: UnicodePwd
> slapd[30661]: one value, length 26
> slapd[30661]: conn=1001 op=5 MOD
> dn="cn=TEST5,ou=Users,dc=myorg,dc=net" slapd[30661]: conn=1001 op=5
> MOD attr=UnicodePwd UnicodePwd slapd[30661]: send_ldap_result:
> conn=1001 op=5 p=3 slapd[30661]: send_ldap_result: err=17 matched=""
> text="UnicodePwd: attribute type undefined"
> slapd[30661]: send_ldap_response: msgid=6 tag=103 err=17
> slapd[30661]: conn=1001 op=5 RESULT tag=103 err=17 text=UnicodePwd:
> attribute type undefined
> slapd[30661]: daemon: activity on 1 descriptor
> slapd[30661]: daemon: activity on:
> slapd[30661]:
> slapd[30661]: daemon: epoll: listen=7 active_threads=0 tvp=zero
> slapd[30661]: daemon: activity on 1 descriptor
> slapd[30661]: daemon: activity on:
>
> As I understand, UnicodePwd is a proprietary "standard" MS attribute
> in AD to store the password but the RFC attribute is the userPassword.
>
>
> Is it possible, to get the proxy working to process this MOD request,
> may be that openldap proxy pass through the MOD operation with the
> attribute UnicodePwd from the VPN-gateway?
[...]
create a private schema with all relevant attribute types and object
classes
Thanks, that worked!!!
Meike
2081
days inactive
2082
days old
openldap-technical@openldap.org
2 comments
2 participants
participants (2)
-
Dieter Klünter -
Meike Stone