Re: MD5 password hash with ppolicy
On Tuesday, 22 December 2009 23:25:21 Joe Friedeggs wrote:
> I am working (with RH via Dell support) to solve an issue (that I believe to be a pam_ldap issue). The problem is that the password policy control messaging does not occur when I set 'pam_password md5', thus the Linux client never knows that the password expires.

Works fine here with pam_ldap 183 and:

  pam_password exop
  pam_lookup_policy yes

(Well, I would really prefer if pam_ldap prompted to change the password while there are still grace logins left, instead of waiting until they are all used ... I'll file a bug on that).

> They have informed me that the password policy overlay in LDAP requires clear-text passwords, and will not handle the password policy stuff if the password is hashed. This makes no sense to me, since ppolicy is only handling expiry times, etc. and pam is handling the rest (length, strength, etc., prior to hash).
>
> Does the ppolicy overlay require clear-text?

Only if you want it to enforce password quality, but then you should use pam_password exop, or set 'ppolicy_hash_cleartext yes' in slapd.conf so that cleartext passwords are hashed on the server.

Regards,
Buchan
Help migrating an OpenLdap 1.x directory to 2.x
Hello All,

I'm currently working on migrating a directory that is currently running on OpenLDAP 1.x to OpenLDAP 2.x. Are there any online documents which detail how to convert the old schemas (which are in LDIF format) to the format used by 2.x? I tried to google for that but I could not find much info on the subject.

Currently the settings, ACLs and schemas are all present in LDIF format.

Any help would be greatly appreciated.

Thanks a lot,
Diego Lima
Is there any accounting software using ldap for customers and suppliers?
Hi, that's my first post here.

I realize that this is not exactly the kind of message that I should post here, but I'm really going mad trying to find accounting software which natively uses LDAP as a backend. I'm not looking for something that can synchronize, import or export into LDAP.

Are you aware of some good software? It doesn't matter if it's for free or not. It would be cool if it's open.

Thank you
-- 
Damiano Venturin
http://www.squadrainformatica.com
LDAPS queries in C/C++ - conceptual question
Hello,

I was asked to expand some C++ software to do LDAP queries with TLS on a server with an SSL certificate. We want the server to authenticate by its certificate so our software is protected from fake servers.

Before I dig too deep into the API, I would like to know:

- Is it possible with the LDAP API to extract the server's certificate data to verify its integrity?
- Or should I program it directly with the OpenSSL API?

Thank you for sharing your wisdom,
kind regards,
--- 
Robert Welz
Re: Is there any accounting software using ldap for customers and suppliers?
>> Hi,
>> I don't think you will find such software. Accounting requires full transaction control, something that LDAP cannot provide.
>> -Dieter
>
> Thank you for your reply, but I didn't mean to use LDAP as the database for all the accounting software. I meant just for human data, like customers and suppliers. Does this change something?

Basically you're looking for CRM software then? Or do you intend to enter actions that have been done with these 'people', like buying, selling, ...? In that case LDAP isn't suitable, since those are transactions. Just for storing people information you can perfectly use any LDAP CRM solution.

HTH

Regards,
Serge Fonville
-- 
http://www.sergefonville.nl
Convince Google!! They need to support Adsense over SSL
https://www.google.com/adsense/support/bin/answer.py?hl=enanswer=10528
http://www.google.com/support/forum/p/AdSense/thread?tid=1884bc9310d9f923hl=en
Re: Developer's cookbook for adding LDAP support
Murray S. Kucherawy wrote:
> Are there any good documentation sites or books out there for adding LDAP support to a program? The ldap(3) man page is pretty sparse. I’ve been told that basically studying the OpenLDAP source itself is the best way to figure it out, but I’m hoping there’s something better.
>
> I have only very rudimentary knowledge of LDAP in general. Almost all of my exposure to OpenLDAP was through a helper library that did a lot of work for me, but that was at a previous job.
>
> This is for an open source project. The application to be updated already has support to get key-value pairs from SQL/ODBC and Sleepycat DB sources, and I have a request to include support for LDAP. Essentially in the application I am given an email recipient and I need to get from the database a piece of detail I need to append to that outgoing mail. There’s no standard schema for this (yet; it’s been suggested we create one through the IETF), so I will need to allow administrators to specify which attributes to request.
>
> Any helpful pointers would be appreciated.

I recommend this: http://www.symas.com/blog/?p=38

Read the code in Ekiga, it's fairly compact and straightforward.

-- 
Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
Re: ACL problem
Il Neofita wrote:
> Hi
> I delete everything and I did everything from scratch but I have the same problem
> I am using RH 5.4

Hello,

I have no idea what the problem might be. Yet, I've noticed you don't have HASH type prefix to your passwords, and it should be there.

  userPassword: {SSHA}NG3aoK+L1k9Y0bVpekKkzn1joY/usGdF
XXX
  userPassword:: e1NTSEF9TkczYW9LK0wxazlZMGJWcGVrS2t6bjFqb1kvdXNHZEY=

The next thing I can suggest is to strip all ACLs except the basic ones and build up, build up...

I'd also move attrs=userPassword up in the tree, as ACL ends when the first match is found. Thus it's possible this ACL is never matched.

Regards,
Zdenek

> I am posting my configuration
>
> slapd.conf
>
>   include /etc/openldap/schema/core.schema
>   include /etc/openldap/schema/cosine.schema
>   include /etc/openldap/schema/inetorgperson.schema
>   include /etc/openldap/schema/nis.schema
>   include /etc/openldap/schema/misc.schema
>   include /etc/openldap/schema/openldap.schema
>   include /etc/openldap/schema/redhat/autofs.schema
>   include /etc/openldap/schema/pykota.schema
>
>   allow bind_v2
>   loglevel 128
>   pidfile /var/run/openldap/slapd.pid
>   argsfile /var/run/openldap/slapd.args
>
>   access to dn.subtree="ou=PyKota,dc=test,dc=xx"
>       by dn="cn=pykotaadmin,dc=test,dc=xx" write
>   access to dn.subtree="ou=people,dc=test,dc=xx"
>       by dn="cn=mmm,dc=test,dc=xx" manage
>       by dn="cn=pykotaadmin,dc=test,dc=xx" manage
>       by * read
>   access to dn.subtree="ou=Groups,dc=test,dc=xx"
>       by dn="cn=pykotaadmin,dc=test,dc=xx" write
>   access to *
>       by self write
>       by users read
>       by * none
>   access to attrs=userPassword
>       by self =w
>       by anonymous auth
>
>   database bdb
>   suffix "dc=test,dc=xx"
>   rootdn "cn=admin,dc=test,dc=xx"
>   rootpw {SSHA}Ek2Oyq+/nF4yvd5VlTUX/4d1lHsZ6PBF
>   directory /var/lib/ldap
>   index objectClass eq,pres
>   index ou,cn,mail,surname,givenname eq,pres,sub
>   index uidNumber,gidNumber,loginShell eq,pres
>   index uid,memberUid eq,pres,sub
>   index nisMapName,nisMapEntry eq,pres,sub
>   index pykotaUserName pres,eq,sub
>   index pykotaGroupName pres,eq,sub
>   index pykotaPrinterName pres,eq,sub
>   index pykotaBillingCode pres,eq,sub
>   index pykotaLastJobIdent eq
>
> my ldif
>
>   # extended LDIF
>   #
>   # LDAPv3
>   # base <dc=test,dc=xx> with scope subtree
>   # filter: (objectclass=*)
>   # requesting: ALL
>   #
>
>   # test.xx
>   dn: dc=test,dc=xx
>   objectClass: dcObject
>   objectClass: organization
>   o: Directory Server
>   dc:: dGVzdCA=
>
>   # admin, test.xx
>   dn: cn=admin,dc=test,dc=xx
>   objectClass: organizationalRole
>   objectClass: posixAccount
>   cn:: YWRtaW4g
>   gidNumber: 500
>   homeDirectory: /home/admin
>   uid: admin
>   uidNumber: 500
>
>   # mmm, test.xx
>   dn: cn=mmm,dc=test,dc=xx
>   cn:: bW1tIA==
>   sn: mmm
>   objectClass: person
>   objectClass: top
>   userPassword:: e1NTSEF9TkczYW9LK0wxazlZMGJWcGVrS2t6bjFqb1kvdXNHZEY=
>
>   # people, test.xx
>   dn: ou=people,dc=test,dc=xx
>   objectClass: top
>   objectClass: organizationalUnit
>   ou: people
>   description: Fictional example organizational unit
>
>   # bjensen, people, test.xx
>   dn: uid=bjensen,ou=people,dc=test,dc=xx
>   objectClass: top
>   objectClass: person
>   objectClass: organizationalPerson
>   objectClass: inetOrgPerson
>   cn: Babs Jensen
>   sn: Jensen
>   givenName: Babs
>   uid: bjensen
>   ou: people
>   description: Fictional example person
>   telephoneNumber: 555-5557
>   userPassword:: e1NTSEF9ZGtmbGpsazM0cjJrbGpkc2ZrOQ==
>
>   # search result
>   search: 2
>   result: 0 Success
>
>   # numResponses: 6
>   # numEntries: 5
>
> And this is the log
>
>   Dec 22 09:42:07 sim slapd[11187]: => access_allowed: auth access to "cn=mmm,dc=test,dc=xx" "userPassword" requested
>   Dec 22 09:42:07 sim slapd[11187]: => dn: [1] ou=pykota,dc=test,dc=xx
>   Dec 22 09:42:07 sim slapd[11187]: => dn: [2] ou=people,dc=test,dc=xx
>   Dec 22 09:42:07 sim slapd[11187]: => dn: [3] ou=groups,dc=test,dc=xx
>   Dec 22 09:42:07 sim slapd[11187]: => acl_get: [4] attr userPassword
>   Dec 22 09:42:07 sim slapd[11187]: access_allowed: no res from state (userPassword)
>   Dec 22 09:42:07 sim slapd[11187]: => acl_mask: access to entry "cn=mmm,dc=test,dc=xx", attr "userPassword" requested
>   Dec 22 09:42:07 sim slapd[11187]: => acl_mask: to value by "", (=0)
>   Dec 22 09:42:07 sim slapd[11187]: <= check a_dn_pat: self
>   Dec 22 09:42:07 sim slapd[11187]: <= check a_dn_pat: users
>   Dec 22 09:42:07 sim slapd[11187]: <= check a_dn_pat: *
>   Dec 22 09:42:07 sim slapd[11187]: <= acl_mask: [3] applying none(=0) (stop)
>   Dec 22 09:42:07 sim slapd[11187]: <= acl_mask: [3] mask: none(=0)
>   Dec 22 09:42:07 sim slapd[11187]: => access_allowed: auth access denied by none(=0)
>
> Thank you
>
> On Tue, Dec 22, 2009 at 2:36 AM, Zdenek Styblik sty...@turnovfree.net wrote:
>> Il Neofita wrote:
>>> Hi
>> Hello,
>>> I am new and probably I am facing a very basic error. I am trying to create an admin for a subset. I create this ldif:
>>>
>>> dn: cn=,dc=test,dc=xx
>>> cn:
>>> sn:
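The log above is the textbook symptom of first-match ACL evaluation: the anonymous bind on cn=mmm never reaches the `access to attrs=userPassword` rule because the catch-all `access to *` rule sits above it, so `by * none` wins. The following is an added example, not code from the thread or from OpenLDAP; it is a deliberately simplified Python model of slapd's "first matching `access to`, then first matching `by`" semantics (only `dn.subtree`, `attrs`, and the `*`, `anonymous`, `users`, `self` and exact `dn=` who-clauses are modelled, and an unmatched request falls back to `none`). It replays the posted rules against the scenario in the log and against Zdenek's suggested reordering, and also shows two side effects a reviewer would want to see: with the posted order, anonymous clients can read the userPassword hashes under ou=people (the subtree rule's `by * read` applies to all attributes), and users under ou=people cannot change their own password, because the subtree rule, not the `=w` rule, is the one consulted.

```python
"""First-match evaluation of slapd 'access to' rules (a simplified model)."""
from dataclasses import dataclass
from typing import Optional

# Privilege letters per slapd.access(5); each named level implies the lower ones.
LEVELS = {
    "none": "", "disclose": "d", "auth": "dx", "compare": "cdx",
    "search": "scdx", "read": "rscdx", "write": "wrscdx", "manage": "mwrscdx",
}


def privileges(spec: str) -> set:
    """'read' -> {r,s,c,d,x}; '=w' -> {w} only (exact privilege, nothing implied)."""
    return set(spec[1:]) if spec.startswith("=") else set(LEVELS[spec])


def norm(dn: str) -> str:
    return dn.lower().replace(", ", ",")


def in_subtree(entry_dn: str, base_dn: str) -> bool:
    e, b = norm(entry_dn), norm(base_dn)
    return e == b or e.endswith("," + b)


@dataclass
class Rule:
    by: list                          # ordered (who, access) clauses
    what_dn: Optional[str] = None     # dn.subtree=...; None = any entry
    what_attrs: Optional[set] = None  # attrs=...; None = entry and all attributes

    def matches(self, entry_dn: str, attr: Optional[str]) -> bool:
        if self.what_dn and not in_subtree(entry_dn, self.what_dn):
            return False
        if self.what_attrs is not None:
            return attr is not None and attr.lower() in {a.lower() for a in self.what_attrs}
        return True


def who_matches(who: str, entry_dn: str, bound_dn: Optional[str]) -> bool:
    if who == "*":
        return True
    if who == "anonymous":
        return bound_dn is None
    if who == "users":
        return bound_dn is not None
    if who == "self":
        return bound_dn is not None and norm(bound_dn) == norm(entry_dn)
    if who.startswith("dn="):
        return bound_dn is not None and norm(bound_dn) == norm(who[3:])
    raise ValueError(f"unsupported <who> clause in this model: {who}")


def access_allowed(rules, entry_dn, attr, needed, bound_dn=None):
    """Return (allowed, rule_index, matched_who, granted_spec).

    Only the first 'access to' whose target matches is consulted; inside it the
    first matching 'by' clause decides, and a requester matching no 'by' clause
    gets none. Rules below the matching one are never reached."""
    for idx, rule in enumerate(rules):
        if not rule.matches(entry_dn, attr):
            continue
        for who, spec in rule.by:
            if who_matches(who, entry_dn, bound_dn):
                return needed in privileges(spec), idx, who, spec
        return False, idx, None, "none"
    return False, None, None, "none"  # nothing matched: modelled as none


# The ACLs exactly as posted in the thread, in the posted order.
PYKOTA = "dn=cn=pykotaadmin,dc=test,dc=xx"
POSTED = [
    Rule([(PYKOTA, "write")], what_dn="ou=PyKota,dc=test,dc=xx"),
    Rule([("dn=cn=mmm,dc=test,dc=xx", "manage"), (PYKOTA, "manage"), ("*", "read")],
         what_dn="ou=people,dc=test,dc=xx"),
    Rule([(PYKOTA, "write")], what_dn="ou=Groups,dc=test,dc=xx"),
    Rule([("self", "write"), ("users", "read"), ("*", "none")]),
    Rule([("self", "=w"), ("anonymous", "auth")], what_attrs={"userPassword"}),
]
# Zdenek's suggestion: the userPassword rule moved above everything else.
REORDERED = [POSTED[4]] + POSTED[:4]


def simple_bind(rules, target_dn):
    """A simple bind needs 'auth' (x) on the target's userPassword while still anonymous."""
    return access_allowed(rules, target_dn, "userPassword", "x", bound_dn=None)


if __name__ == "__main__":
    for name, rules in (("posted", POSTED), ("reordered", REORDERED)):
        ok, idx, who, spec = simple_bind(rules, "cn=mmm,dc=test,dc=xx")
        print(f"{name:9s} bind as cn=mmm: {'allowed' if ok else 'DENIED'} "
              f"by rule [{idx}] 'by {who} {spec}'")
```

With the posted order the bind on cn=mmm is decided by rule index 3 applying `by * none`, which is exactly the `acl_mask: [3] applying none(=0)` line in the log. Note that the reordered list also means cn=pykotaadmin no longer gets write access to userPassword under ou=PyKota (the moved rule has no `by dn=... write` clause), so a real fix would add the administrative identities to that rule rather than rely on the subtree rules below it.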
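Zdenek's remark about the hash prefix and the `::` lines in the LDIF both come down to the same thing: a value written as `attr:: base64` has to be decoded before it can be judged, and LDIF only base64-encodes a value when it contains something unsafe, such as a leading or trailing space. The following is an added example, not code from the thread or from OpenLDAP: it decodes the `::` lines taken from the posted LDIF, flags naming attributes whose decoded value carries stray whitespace, and checks each `userPassword` for a well-formed `{SSHA}` body (base64 of a 20-byte SHA-1 digest followed by the salt, the layout OpenLDAP uses), with `make_ssha`/`verify_ssha` included so the layout can be checked against a constructed hash whose password is known.

```python
"""Decode base64 ('::') LDIF values and sanity-check {SSHA} userPassword hashes."""
import base64
import hashlib
import hmac
import os

# Lines taken from the LDIF posted in the thread; '::' marks a base64-encoded value.
LDIF_LINES = [
    "dc:: dGVzdCA=",
    "cn:: YWRtaW4g",
    "cn:: bW1tIA==",
    "userPassword:: e1NTSEF9TkczYW9LK0wxazlZMGJWcGVrS2t6bjFqb1kvdXNHZEY=",
    "userPassword:: e1NTSEF9ZGtmbGpsazM0cjJrbGpkc2ZrOQ==",
]


def ldif_value(line: str):
    """Split 'attr: value' or 'attr:: base64value' into (attr, decoded text)."""
    attr, _, rest = line.partition(":")
    if rest.startswith(":"):
        return attr, base64.b64decode(rest[1:].strip()).decode("utf-8")
    return attr, rest.strip()


def parse_ssha(stored: str):
    """Return (digest, salt) from an OpenLDAP {SSHA} value: base64(sha1(pw + salt) || salt)."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("missing {SSHA} scheme prefix")
    blob = base64.b64decode(stored[len("{SSHA}"):])
    if len(blob) <= 20:
        raise ValueError("hash body too short for a SHA-1 digest plus salt")
    return blob[:20], blob[20:]


def is_well_formed_ssha(stored: str) -> bool:
    try:
        parse_ssha(stored)
        return True
    except ValueError:  # binascii.Error (bad base64) is a ValueError subclass
        return False


def make_ssha(password: str, salt: bytes = None) -> str:
    """Produce a {SSHA} value the way slappasswd -h {SSHA} lays it out."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(stored: str, candidate: str) -> bool:
    digest, salt = parse_ssha(stored)
    computed = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(computed, digest)


def audit(lines):
    """Report naming attributes with stray whitespace and malformed password hashes."""
    findings = []
    for line in lines:
        attr, value = ldif_value(line)
        if attr == "userPassword":
            if not is_well_formed_ssha(value):
                findings.append((attr, "malformed {SSHA} value"))
        elif value != value.strip():
            findings.append((attr, f"value {value!r} has leading/trailing whitespace"))
    return findings


if __name__ == "__main__":
    for attr, problem in audit(LDIF_LINES):
        print(f"{attr}: {problem}")
```

Run against the posted lines, the audit shows why `dc`, `cn: admin` and `cn: mmm` were emitted as `::` lines at all (each decodes with a trailing space, which is worth cleaning up before anyone writes ACLs or filters against those values), and that cn=mmm's `userPassword` is a structurally valid `{SSHA}` value, while bjensen's `{SSHA}` body is not valid base64 of digest plus salt and could never verify.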