Re: MD5 password hash with ppolicy

2009-12-23 Thread Buchan Milne
On Tuesday, 22 December 2009 23:25:21 Joe Friedeggs wrote:
 I am working (with RH via Dell support) to solve an issue (that I believe
  to be a pam_ldap issue).  The problem is that the password policy control
  messaging does not occur when I set 'pam_password md5', thus the Linux
  client never knows that the password expires.

Works fine here with pam_ldap 183 and:

pam_password exop
pam_lookup_policy yes

(Well, I would really prefer if pam_ldap prompted to change the password while 
there are still grace logins left, instead of waiting until they are all used 
... I'll file a bug on that).

 They have informed me that the password policy overlay in LDAP requires
  clear-text passwords, and will not handle the password policy stuff if the
  password is hashed.  This makes no sense to me, since ppolicy is only
  handling expiry times, etc. and pam is handling the rest (length,
  strength, etc., prior to hash).
 
 Does the ppolicy overlay require clear-text?

Only if you want it to enforce password quality, but then you should use 
pam_password exop, or set 'ppolicy_hash_cleartext yes' in slapd.conf so that 
cleartext passwords are hashed on the server.

Regards,
Buchan


Help migrating an OpenLdap 1.x directory to 2.x

2009-12-23 Thread Diego Lima
Hello All,

I'm currently working on migrating a directory that is currently running on
OpenLDAP 1.x to OpenLDAP 2.x. Are there any online documents which detail how
to convert the old schemas (which are in LDIF format) to the format used by
2.x? I tried to google for that but I could not find much info on the
subject. Currently the settings, ACLs and schemas are all present in LDIF
format. Any help would be greatly appreciated.

Thanks a lot,
Diego Lima


Is there any accounting software using ldap for customers and suppliers?

2009-12-23 Thread Damiano Venturin
Hi,

This is my first post here. I realize that this is not exactly the kind
of message that I should post here, but I'm really going mad trying to
find accounting software which natively uses LDAP as a backend. I'm
not looking for something that can synchronize, import or export into LDAP.

Are you aware of some good software? It doesn't matter if it's free
or not. It would be cool if it's open.

Thank you

--
Damiano Venturin
http://www.squadrainformatica.com



LDAPS queries in C/C++ - conceptual question

2009-12-23 Thread Robert Welz
Hello,

I was asked to expand some C++ software to do ldap queries with TLS on a server 
with SSL certificate. 
We want the server to authenticate by its certificate so our software is 
protected from fake servers.

Before I dig too deep into the API, I would like to know:

- Is it possible with the LDAP API to extract the server's certificate data to 
verify its integrity?
- or should I program it directly with the openSSL API?

Thank you for sharing your wisdom,


kind regards,
---
Robert Welz

Re: Is there any accounting software using ldap for customers and suppliers?

2009-12-23 Thread Serge Fonville
Hi,

 I don't think you will find such software. Accounting requires full
 transaction control, something that LDAP cannot provide.

 -Dieter

 Thank you for your reply, but I didn't mean to use ldap as the database for
 all the accounting software. I meant just for human data, like
 customers and suppliers. Does this change something?

Basically you're looking for CRM software then?
Or do you intend to enter actions that have been done with these 'people',
like buying, selling, ...?
In that case LDAP isn't suitable, since those are transactions.
Just for storing people information you can perfectly use any LDAP CRM solution.

HTH

Regards,

Serge Fonville

-- 
http://www.sergefonville.nl

Convince Google!!
They need to support Adsense over SSL
https://www.google.com/adsense/support/bin/answer.py?hl=en&answer=10528
http://www.google.com/support/forum/p/AdSense/thread?tid=1884bc9310d9f923&hl=en


Re: Developer's cookbook for adding LDAP support

2009-12-23 Thread Howard Chu

Murray S. Kucherawy wrote:

Are there any good documentation sites or books out there for adding LDAP
support to a program? The ldap(3) man page is pretty sparse. I’ve been told
that basically studying the OpenLDAP source itself is the best way to figure
it out, but I’m hoping there’s something better.

I have only very rudimentary knowledge of LDAP in general. Almost all of my
exposure to OpenLDAP was through a helper library that did a lot of work for
me, but that was at a previous job. This is for an open source project.

The application to be updated already has support to get key-value pairs from
SQL/ODBC and Sleepycat DB sources, and I have a request to include support for
LDAP. Essentially in the application I am given an email recipient and I need
to get from the database a piece of detail I need to append to that outgoing
mail. There’s no standard schema for this (yet; it’s been suggested we create
one through the IETF), so I will need to allow administrators to specify which
attributes to request.

Any helpful pointers would be appreciated.


I recommend this:

http://www.symas.com/blog/?p=38

Read the code in Ekiga, it's fairly compact and straightforward.

--
  -- Howard Chu
  CTO, Symas Corp.   http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/


Re: ACL problem

2009-12-23 Thread Zdenek Styblik
Il Neofita wrote:
 Hi
 I delete everything and I did everything from scratch but I have the
 same problem
 I am using RH 5.4
 

Hello,

I have no idea what the problem might be. Yet, I've noticed you don't
have a HASH type prefix on your passwords, and it should be there.

userPassword: {SSHA}NG3aoK+L1k9Y0bVpekKkzn1joY/usGdF
XXX
userPassword:: e1NTSEF9TkczYW9LK0wxazlZMGJWcGVrS2t6bjFqb1kvdXNHZEY=

The next thing I can suggest is to strip all ACLs except the basic ones
and build up, build up...
I'd also move attrs=userPassword up in the tree, as ACL ends when the
first match is found. Thus it's possible this ACL is never matched.

Regards,
Zdenek


 I am posting my configuration
 slapd.conf
 include /etc/openldap/schema/core.schema
 include /etc/openldap/schema/cosine.schema
 include /etc/openldap/schema/inetorgperson.schema
 include /etc/openldap/schema/nis.schema
 include /etc/openldap/schema/misc.schema
 include /etc/openldap/schema/openldap.schema
 include /etc/openldap/schema/redhat/autofs.schema
 include /etc/openldap/schema/pykota.schema
 
 allow bind_v2
 loglevel 128
 
 pidfile  /var/run/openldap/slapd.pid
 argsfile /var/run/openldap/slapd.args
 
 access to dn.subtree=ou=PyKota,dc=test,dc=xx
     by dn=cn=pykotaadmin,dc=test,dc=xx write
 access to dn.subtree=ou=people,dc=test,dc=xx
     by dn=cn=mmm,dc=test,dc=xx manage
     by dn=cn=pykotaadmin,dc=test,dc=xx manage
     by * read
 access to dn.subtree=ou=Groups,dc=test,dc=xx
     by dn=cn=pykotaadmin,dc=test,dc=xx write
 
 access to *
     by self write
     by users read
     by * none
 
 access to attrs=userPassword
     by self =w
     by anonymous auth
 
 database  bdb
 suffix    dc=test,dc=xx
 rootdn    cn=admin,dc=test,dc=xx
 rootpw    {SSHA}Ek2Oyq+/nF4yvd5VlTUX/4d1lHsZ6PBF
 
 directory /var/lib/ldap
 
 index objectClass                    eq,pres
 index ou,cn,mail,surname,givenname   eq,pres,sub
 index uidNumber,gidNumber,loginShell eq,pres
 index uid,memberUid                  eq,pres,sub
 index nisMapName,nisMapEntry         eq,pres,sub
 index pykotaUserName                 pres,eq,sub
 index pykotaGroupName                pres,eq,sub
 index pykotaPrinterName              pres,eq,sub
 index pykotaBillingCode              pres,eq,sub
 index pykotaLastJobIdent             eq
 
 
 my ldif
 
 # extended LDIF
 #
 # LDAPv3
 # base dc=test,dc=xx with scope subtree
 # filter: (objectclass=*)
 # requesting: ALL
 #
 
 # test.xx
 dn: dc=test,dc=xx
 objectClass: dcObject
 objectClass: organization
 o: Directory Server
 dc:: dGVzdCA=
 
 # admin, test.xx
 dn: cn=admin,dc=test,dc=xx
 objectClass: organizationalRole
 objectClass: posixAccount
 cn:: YWRtaW4g
 gidNumber: 500
 homeDirectory: /home/admin
 uid: admin
 uidNumber: 500
 
 # mmm, test.xx
 dn: cn=mmm,dc=test,dc=xx
 cn:: bW1tIA==
 sn: mmm
 objectClass: person
 objectClass: top
 userPassword:: e1NTSEF9TkczYW9LK0wxazlZMGJWcGVrS2t6bjFqb1kvdXNHZEY=
 
 # people, test.xx
 dn: ou=people,dc=test,dc=xx
 objectClass: top
 objectClass: organizationalUnit
 ou: people
 description: Fictional example organizational unit
 
 # bjensen, people, test.xx
 dn: uid=bjensen,ou=people,dc=test,dc=xx
 objectClass: top
 objectClass: person
 objectClass: organizationalPerson
 objectClass: inetOrgPerson
 cn: Babs Jensen
 sn: Jensen
 givenName: Babs
 uid: bjensen
 ou: people
 description: Fictional example person
 telephoneNumber: 555-5557
 userPassword:: e1NTSEF9ZGtmbGpsazM0cjJrbGpkc2ZrOQ==
 
 # search result
 search: 2
 result: 0 Success
 
 # numResponses: 6
 # numEntries: 5
 
 
 And this is the log
 Dec 22 09:42:07 sim slapd[11187]: = access_allowed: auth access to
 cn=mmm,dc=test,dc=xx userPassword requested
 Dec 22 09:42:07 sim slapd[11187]: = dn: [1] ou=pykota,dc=test,dc=xx
 Dec 22 09:42:07 sim slapd[11187]: = dn: [2] ou=people,dc=test,dc=xx
 Dec 22 09:42:07 sim slapd[11187]: = dn: [3] ou=groups,dc=test,dc=xx
 Dec 22 09:42:07 sim slapd[11187]: = acl_get: [4] attr userPassword
 Dec 22 09:42:07 sim slapd[11187]: access_allowed: no res from state
 (userPassword)
 Dec 22 09:42:07 sim slapd[11187]: = acl_mask: access to entry
 cn=mmm,dc=test,dc=xx, attr userPassword requested
 Dec 22 09:42:07 sim slapd[11187]: = acl_mask: to value by , (=0)
 Dec 22 09:42:07 sim slapd[11187]: = check a_dn_pat: self
 Dec 22 09:42:07 sim slapd[11187]: = check a_dn_pat: users
 Dec 22 09:42:07 sim slapd[11187]: = check a_dn_pat: *
 Dec 22 09:42:07 sim slapd[11187]: = acl_mask: [3] applying none(=0) (stop)
 Dec 22 09:42:07 sim slapd[11187]: = acl_mask: [3] mask: none(=0)
 Dec 22 09:42:07 sim slapd[11187]: = access_allowed: auth access
 denied by none(=0)
 
 
 Thank you
 
 On Tue, Dec 22, 2009 at 2:36 AM, Zdenek Styblik sty...@turnovfree.net wrote:
 Il Neofita wrote:
 Hi
 Hello,

 I am new and probably I am facing a very basic error

 I am tring to create an admin for a subset

 I create this ldif
 dn: cn=,dc=test,dc=xx
 cn: 
 sn:
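The first-match rule Zdenek points at, as an added example that is not part of the thread: a small Python model of slapd's ACL evaluation run over the `access to` clauses from the slapd.conf quoted above. The privilege sets, the returned clause index and the helper names are this example's own simplification, not slapd's code.

```python
# Added example, not from the thread: a simplified model of slapd's
# first-match ACL evaluation, run over the 'access to' clauses posted
# above. Only the directives that slapd.conf actually uses are modelled.
LEVELS = {"none": set(), "auth": {"x"}, "read": {"x", "c", "s", "r"},
          "write": {"x", "c", "s", "r", "w"},
          "manage": {"x", "c", "s", "r", "w", "m"}, "=w": {"w"}}
def in_subtree(dn, base):
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)
def who_matches(who, bind_dn, entry_dn):
    """Match one 'by <who>' pattern against the requester."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn == ""
    if who == "users":
        return bind_dn != ""
    if who == "self":
        return bind_dn != "" and bind_dn.lower() == entry_dn.lower()
    return who.startswith("dn=") and bind_dn.lower() == who[3:].lower()
def access_allowed(acls, bind_dn, entry_dn, attr, priv):
    """Return (granted, 1-based clause index). As in slapd, the first
    'access to' whose target matches decides; later ones are never seen."""
    for idx, ((dn_base, attrs), by) in enumerate(acls, start=1):
        if dn_base and not in_subtree(entry_dn, dn_base):
            continue
        if attrs and attr not in attrs:
            continue
        for who, level in by:  # the first matching 'by' wins as well
            if who_matches(who, bind_dn, entry_dn):
                return priv in LEVELS[level], idx
        return False, idx  # no 'by' matched: implicit 'by * none'
    return False, 0
PYKOTA = "dn=cn=pykotaadmin,dc=test,dc=xx"
POSTED = [  # as posted: ((dn.subtree base, attrs), [(who, level), ...])
    (("ou=PyKota,dc=test,dc=xx", None), [(PYKOTA, "write")]),
    (("ou=people,dc=test,dc=xx", None),
     [("dn=cn=mmm,dc=test,dc=xx", "manage"), (PYKOTA, "manage"), ("*", "read")]),
    (("ou=Groups,dc=test,dc=xx", None), [(PYKOTA, "write")]),
    ((None, None), [("self", "write"), ("users", "read"), ("*", "none")]),
    ((None, {"userPassword"}), [("self", "=w"), ("anonymous", "auth")]),
]
# Zdenek's suggestion: the userPassword clause moved ahead of 'access to *'.
REORDERED = POSTED[:3] + [POSTED[4], POSTED[3]]

def bind_check(acls, entry_dn):
    """A simple bind needs 'auth' (x) on userPassword while still anonymous."""
    return access_allowed(acls, "", entry_dn, "userPassword", "x")

if __name__ == "__main__":
    print(bind_check(POSTED, "cn=mmm,dc=test,dc=xx"))     # (False, 4): 'by * none'
    print(bind_check(REORDERED, "cn=mmm,dc=test,dc=xx"))  # (True, 4): anonymous auth
```

`bind_check(POSTED, "uid=bjensen,ou=people,dc=test,dc=xx")` returns `(True, 2)`: for entries under ou=people the `by * read` of that subtree clause is the first match and so applies to userPassword as well, which is worth keeping in mind when restructuring these ACLs.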