Re: Re: Forbidden account password reuse of the last 5 password

2019-02-14 Thread Tian Zhiying
Clément Oudot,

 

Thank you.

I have changed the rootdn from root to another user; it's still not working. I 
can modify the user password to the same one as before.

 

I have set the password policy and added user in this password policy as below:



 



 

 

 

From: openldap-technical [mailto:openldap-technical-boun...@openldap.org] on behalf of 
Clément OUDOT
Sent: 14 February 2019 23:19
To: openldap-technical@openldap.org
Subject: Re: Re: Forbidden account password reuse of the last 5 password

 

 

On 14/02/2019 at 12:17, Tian Zhiying wrote:

But it seems not to be working; my passwords are as follows:

First time password: AAbb1122

Second time password: CCdd3344

Third time password: AAbb1122, the same as the first-time password; it was 
modified successfully.

 

Check that the password modification is not done by the rootdn, as the rootdn 
is bypassing password policy constraints.

-- 
Clément Oudot | Identity Solutions Manager
 
clement.ou...@worteks.com  
 
Worteks | https://www.worteks.com


Re: Re: Re: Forbidden account password reuse of the last 5 password

2019-02-14 Thread Tian Zhiying
Yes, I have set a default password policy and assigned the password policy to 
user.

-Original Message-
From: openldap-technical [mailto:openldap-technical-boun...@openldap.org] on behalf of 
Ulrich Windl
Sent: 14 February 2019 22:18
To: matthieu.ce...@nbs-system.com; openldap-technical@openldap.org; tianzy1225 

Subject: Re: Re: Forbidden account password reuse of the last 5 password

>>> "Tian Zhiying"  wrote on 14.02.2019 at 
>>> 12:17
in
message <01d4c456$d6b4ed40$841ec7c0$@thundersoft.com>:
> Hi Matthieu,
> 
>  
> 
> Thank you for your reply.
> 
>  
> 
> I have set the "pwdInHistory" attribute to 5 in the password policy and 
> set it to forbid their reuse in config.inc.php of Self Service Password, 
> as shown below:
> 

Did you also assign the password policy to users, or did you set a default 
policy?

> 
> 
>  
> 
> 
> 
>  
> 
> But it seems not to be working; my passwords are as follows:
> 
> First time password: AAbb1122
> 
> Second time password: CCdd3344
> 
> Third time password: AAbb1122, the same as the first-time password; it 
> was modified successfully.
> 
>  
> 
> Thanks
> 
>  
> 
>  
> 
> -Original Message-
> From: openldap-technical 
> [mailto:openldap-technical-boun...@openldap.org] on behalf of

> Matthieu Cerda
> Sent: 14 February 2019 17:38
> To: openldap-technical@openldap.org
> Subject: Re: Forbidden account password reuse of the last 5 password
> 
>  
> 
> You may set the "pwdInHistory" attribute to 5 to store the last 5 
> passwords

> used, and forbid their reuse.
> 
>  
> 
> On 14/02/2019 at 10:35, Matthieu Cerda wrote:
> 
>> Yes, you might want to use the password policy (ppolicy) overlay:
> 
>>  
> https://kb.symas.com/v2.4.45.2/man5/slapo-ppolicy/
> 
>> 
> 
>> On 14/02/2019 at 07:58, Tian Zhiying wrote:
> 
>>> Hi
> 
>>> 
> 
>>> Is there a feature in the OpenLDAP password policy that can forbid user 
>>> password reuse of the last 5 passwords?
> 
>>> 
> 
>>> Thanks.
> 
>>> 
> 
>>> 
> 
>>> 
> 
>>> 
> 
> --
> 
> Matthieu Cerda
> 
> Infrastructure, BU Means @ NBS System
> 
>  
> 
>  







Re: help needed for further investigation

2019-02-14 Thread Dieter Klünter
On Wed, 13 Feb 2019 14:41:07 +
 wrote:

> Hello together. I am the heir of a setup based on RHEL 6.10 and
> Openldap 2.4.45 (ltb) A master syncrepls to a slave in
> type=refreshOnly using bindmethod=sasl, saslmech=external.
> 
> The mapped techuser resides in ou=ServiceUser. All Clients also use
> user objects in the same ou to bind to the servers.
> 
> I need to set new acls and decided to include a dedicated acl- and
> limits-configfile. The ACLs checked via slapacl look fine and run
> without problems on the test environment. (Which is based on the same
> 2.4.45 rpms, but the replica runs on RHEL 7.5)
> 
> All slapd configuration make use of database mdb and an explicitly
> set maxsize. (which is sized sufficiently: 12 GB, 49 MB used)
> 
> When implementing the configuration on a running system, the replica
> deletes the ou (that one with all the service user objects). Which is
> not what I want 8-/
> 
> How can I find out more about the reason for this peculiar result?
> I set the loglevel to 'stats sync' on the replica and 'sync' on the
[..]

Run slapd in debugging mode and use acl and stats. That is something
like 

./slapd -d acl -h ldap://:9007/ and further options.

-Dieter


-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E



Re: Re: Forbidden account password reuse of the last 5 password

2019-02-14 Thread Ulrich Windl
>>> "Tian Zhiying"  wrote on 14.02.2019 at 12:17
in
message <01d4c456$d6b4ed40$841ec7c0$@thundersoft.com>:
> Hi Matthieu,
> 
>  
> 
> Thank you for your reply.
> 
>  
> 
> I have set the "pwdInHistory" attribute to 5 in the password policy and set 
> it to forbid their reuse in config.inc.php of Self Service Password, as 
> shown below:
> 

Did you also assign the password policy to users, or did you set a default
policy?

> 
> 
>  
> 
> 
> 
>  
> 
> But it seems not to be working; my passwords are as follows:
> 
> First time password: AAbb1122
> 
> Second time password: CCdd3344
> 
> Third time password: AAbb1122, the same as the first-time password; it 
> was modified successfully.
> 
>  
> 
> Thanks
> 
>  
> 
>  
> 
> -Original Message-
> From: openldap-technical [mailto:openldap-technical-boun...@openldap.org] on behalf of

> Matthieu Cerda
> Sent: 14 February 2019 17:38
> To: openldap-technical@openldap.org 
> Subject: Re: Forbidden account password reuse of the last 5 password
> 
>  
> 
> You may set the "pwdInHistory" attribute to 5 to store the last 5 passwords

> used, and forbid their reuse.
> 
>  
> 
> On 14/02/2019 at 10:35, Matthieu Cerda wrote:
> 
>> Yes, you might want to use the password policy (ppolicy) overlay:
> 
>>   
> https://kb.symas.com/v2.4.45.2/man5/slapo-ppolicy/ 
> 
>> 
> 
>> On 14/02/2019 at 07:58, Tian Zhiying wrote:
> 
>>> Hi
> 
>>> 
> 
>>> Is there a feature in the OpenLDAP password policy that can forbid user 
>>> password reuse of the last 5 passwords?
> 
>>> 
> 
>>> Thanks.
> 
>>> 
> 
>>> 
> 
>>> 
> 
>>> 
> 
> --
> 
> Matthieu Cerda
> 
> Infrastructure, BU Means @ NBS System
> 
>  
> 
>  






Re: Forbidden account password reuse of the last 5 password

2019-02-14 Thread Ulrich Windl
>>> "Tian Zhiying"  wrote on 14.02.2019 at 07:58 
>>> in
message <012201d4c432$c27c4540$4774cfc0$@thundersoft.com>:
> Hi 
> 
> Is there a feature in the OpenLDAP password policy that can forbid user password 
> reuse of the last 5 passwords?
> 
> Thanks.

"Password policy" is the name you are looking for.





Re: Forbidden account password reuse of the last 5 password

2019-02-14 Thread Michael Ströder
On 2/14/19 8:19 AM, Derek Zhou wrote:
> Tian Zhiying writes:
>> Is there a feature in the OpenLDAP password policy that can forbid user
>> password reuse of the last 5 passwords?
> Better use Kerberos for advanced password policy requirements. You can
> use SASL to bridge LDAP's userPassword checking to a Kerberos backend so
> everything still works and is much safer.

By which definition of "safe" is adding more complexity safer?

Especially since you don't know how the original poster does password changes.
Maybe he wants to use ppolicy response controls etc.

Ciao, Michael.



Re: help needed for further investigation

2019-02-14 Thread Quanah Gibson-Mount
--On Wednesday, February 13, 2019 2:41 PM + thomas.mel...@t-systems.com 
wrote:



Hello together. I am the heir of a setup based on RHEL 6.10 and Openldap
2.4.45 (ltb) A master syncrepls to a slave in type=refreshOnly using
bindmethod=sasl, saslmech=external.


Use refreshAndPersist, use delta-syncrepl

You don't provide enough usable information past that to help you any. 
Generally the replicator DN should have no limits applied to it, and have 
full read access to everything on the master.  Since you didn't provide 
your replication configuration nor your ACLs, there's no way of knowing 
what issue(s) you may encounter.


--Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:





Re: 答复: Forbidden account password reuse of the last 5 password

2019-02-14 Thread Clément OUDOT

On 14/02/2019 at 12:17, Tian Zhiying wrote:
>
> But it seems not working, my password is following:
>
> First time password: AAbb1122
>
> Second time password: CCdd3344
>
> *Third time password: AAbb1122, same with the first time password, it
> has been modified successfully.*
>

Check that the password modification is not done by the rootdn, as the
rootdn is bypassing password policy constraints.

-- 
Clément Oudot | Identity Solutions Manager

clement.ou...@worteks.com

Worteks | https://www.worteks.com



Re: Forbidden account password reuse of the last 5 password

2019-02-14 Thread Derek Zhou


Tian Zhiying writes:

> Hi 
>
> Is there a feature in the OpenLDAP password policy that can forbid user password 
> reuse of the last 5 passwords?
>
Better use Kerberos for advanced password policy requirements. You can
use SASL to bridge LDAP's userPassword checking to a Kerberos backend so
everything still works and is much safer.

Derek



Re: help with mdb database recovery after crash

2019-02-14 Thread Andrei Mikhailovsky
Hi Quanah,

Yes, indeed. I've used the ./mdb_copy -v   to get the copy 
of the database. It has created 227MB file, which I've copied over to the ldap 
data folder and replaced the original 80GB file.

Cheers

- Original Message -
> From: "Quanah Gibson-Mount" 
> To: "Andrei Mikhailovsky" , "Howard Chu" 
> Cc: "openldap-technical" 
> Sent: Thursday, 14 February, 2019 01:04:26
> Subject: Re: help with mdb database recovery after crash

> --On Wednesday, February 13, 2019 6:37 PM + Andrei Mikhailovsky
>  wrote:
> 
>> Hi Howard,
>>
>>
>>>
>>> You could try using the preceding transaction and see if it's in any
>>> better shape. The code
>>> for this is not released in LMDB 0.9. You can compile the mdb.master
>>> branch in git to obtain
>>> it. Then use the "-v" option with mdb_copy and see if that copy of the
>>> database is usable.
>>>
>>
>> I have compiled liblmdb using the mdb.master branch and used the mdb_copy
>> as you've suggested. It didn't produce any errors. However, when I copy
>> the data.mdb back to the Zimbra server it still produces the same error:
> 
> Did you use mdb_copy with the -v flag as Howard noted?  It is helpful to be
> precise about exactly what steps you took.
> 
> --Quanah
> 
> 
> --
> 
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> 



Re: help with mdb database recovery after crash

2019-02-14 Thread Andrei Mikhailovsky
Hi Howard, 

Many thanks for your suggestions. I am about to try what you've suggested 
(download and compile the latest master version of lmdb from git using master 
branch of https://github.com/LMDB/lmdb). 

However, just to note, I am running the latest version of zimbra which uses 
pretty recent version of openldap: 


ii zimbra-lmdb 2.4.46-1zimbra8.7b amd64 LMDB Binaries 
ii zimbra-lmdb-lib:amd64 2.4.46-1zimbra8.7b amd64 LMDB Libraries 
ii zimbra-openldap-client 2.4.46-1zimbra8.7b amd64 OpenLDAP Client Binaries 
ii zimbra-openldap-lib:amd64 2.4.46-1zimbra8.7b amd64 OpenLDAP Libraries 
ii zimbra-openldap-server 2.4.46-1zimbra8.7b amd64 OpenLDAP Server Binaries 


The problem that I am describing occurred with the above version of openldap. 

I will keep you posted with any updates. 


Cheers 
Andrei 

- Original Message - 
> From: "Howard Chu"  
> To: "Andrei Mikhailovsky" , "openldap-technical" 
>  
> Sent: Thursday, 7 February, 2019 02:42:40 
> Subject: Re: help with mdb database recovery after crash 

> Andrei Mikhailovsky wrote: 
>> Hello everyone, 
>> 
>> I have a bit of an issue with my ldap database. I have a Zimbra community 
>> edition which uses openldap. A server crashed and I am unable to start the 
>> ldap 
>> services after the reboot. The description of my problem, after some digging 
>> about is: 
>> 
>> 
>> the initial error indicated problem with the ldap 
>> 
>> Starting ldap...Done. 
>> Search error: Unable to determine enabled services from ldap. 
>> Enabled services read from cache. Service list may be inaccurate. 
>> 
>> Having investigated the issue, I noticed the following errors in the 
>> zimbra.log 
>> 
>> *slapd[31281]: mdb_entry_decode: attribute index 560427631 not recognized* 
>> 
>> I also noticed that the /opt/zimbra/data/ldap/mdb/db/data.mdb is actually 
>> 81Gb 
>> in size and had reached the limit imposed by the ldap_db_maxsize variable. 
>> so 
>> over the weekend, the LDAP mdb file became no longer sparse. 
>> 
>> I tried following the steps described in 
>> https://syslint.com/blog/tutorial/solved-critical-ldap-primary-mdb-database-is-90-full-in-zimbra/
>>  
>> but with no success, as the slapcat segfaults with the following message. 
>> 
>> 
>> /opt/zimbra/common/sbin/slapcat -ccc -F /opt/zimbra/data/ldap/config -b "" 
>> -l 
>> /opt/zimbra/RECOVERY/SLAPCAT/zimbra_mdb.ldiff 
>> 5c583982 mdb_entry_decode: attribute index 560427631 not recognized 
>> Segmentation fault (core dumped) 
>> 
>> the mdb_copy produces a file of 420 mb in size, but it still contains the 
>> "mdb_entry_decode: attribute index 560427631 not recognized" error. 
>> I've also tried mdb_dump, but had the same issues after using the mdb_load 
>> command. 
>> 
>> I found a post ( 
>> http://www.openldap.org/its/index.cgi/Software%20Bugs?id=8360 ) 
>> in the openldap community that the mdb gets corrupted if it reaches the 
>> maximum 
>> defined size. but no solution of how to fix it. 
> 
> That's from over 3 years ago and has subsequently been fixed. If you're running on 
> such an old release, there's likely not much that can be done. Ordinarily it's 
> possible to back up to the immediately preceding transaction, in case the last 
> transaction is corrupted, but with that particular bug it's likely that the 
> corruption occurred in an earlier transaction and has been carried forward in 
> all subsequent ones. 
>> 
>> any advice on getting the database recovered and working again? 
> 
> You could try using the preceding transaction and see if it's in any better 
> shape. The code for this is not released in LMDB 0.9. You can compile the 
> mdb.master branch in git to obtain it. Then use the "-v" option with mdb_copy 
> and see if that copy of the database is usable. 
> 
> -- 
> -- Howard Chu 
> CTO, Symas Corp. http://www.symas.com 
> Director, Highland Sun http://highlandsun.com/hyc/ 
> Chief Architect, OpenLDAP http://www.openldap.org/project/ 


Re: Forbidden account password reuse of the last 5 password

2019-02-14 Thread Tian Zhiying
Hi Matthieu,

 

Thank you for your reply.

 

I have set the "pwdInHistory" attribute to 5 in the password policy and set 
it to forbid their reuse in config.inc.php of Self Service Password, as 
shown below:



 



 

But it seems not to be working; my passwords are as follows:

First time password: AAbb1122

Second time password: CCdd3344

Third time password: AAbb1122, the same as the first-time password; it was 
modified successfully.

 

Thanks

 

 

-Original Message-
From: openldap-technical [mailto:openldap-technical-boun...@openldap.org] on behalf of 
Matthieu Cerda
Sent: 14 February 2019 17:38
To: openldap-technical@openldap.org
Subject: Re: Forbidden account password reuse of the last 5 password

 

You may set the "pwdInHistory" attribute to 5 to store the last 5 passwords 
used, and forbid their reuse.

 

On 14/02/2019 at 10:35, Matthieu Cerda wrote:

> Yes, you might want to use the password policy (ppolicy) overlay:

>   
> https://kb.symas.com/v2.4.45.2/man5/slapo-ppolicy/

> 

> On 14/02/2019 at 07:58, Tian Zhiying wrote:

>> Hi

>> 

>> Is there a feature in the OpenLDAP password policy that can forbid user password 
>> reuse of the last 5 passwords?

>> 

>> Thanks.

>> 

>> 

>> 

>> 

--

Matthieu Cerda

Infrastructure, BU Means @ NBS System

 

 



Re: Forbidden account password reuse of the last 5 password

2019-02-14 Thread Matthieu Cerda
You may set the "pwdInHistory" attribute to 5 to store the last 5
passwords used, and forbid their reuse.

On 14/02/2019 at 10:35, Matthieu Cerda wrote:
> Yes, you might want to use the password policy (ppolicy) overlay:
> https://kb.symas.com/v2.4.45.2/man5/slapo-ppolicy/
>
> On 14/02/2019 at 07:58, Tian Zhiying wrote:
>> Hi 
>>
>> Is there a feature in the OpenLDAP password policy that can forbid user password 
>> reuse of the last 5 passwords?
>>
>> Thanks.
>>
>>
>>
>>
-- 
Matthieu Cerda
Infrastructure, BU Means @ NBS System





Re: Forbidden account password reuse of the last 5 password

2019-02-14 Thread Matthieu Cerda
Yes, you might want to use the password policy (ppolicy) overlay:
https://kb.symas.com/v2.4.45.2/man5/slapo-ppolicy/

On 14/02/2019 at 07:58, Tian Zhiying wrote:
> Hi 
>
> Is there a feature in the OpenLDAP password policy that can forbid user password 
> reuse of the last 5 passwords?
>
> Thanks.
>
>
>
>
-- 
Matthieu Cerda
Infrastructure, BU Means @ NBS System
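
The three replies in this thread together explain why the poster's test "succeeds": Matthieu's pwdInHistory only has an effect once the policy actually governs the entry (Ulrich's question about pwdPolicySubentry versus a default policy), and even then only for modifications not performed by the rootdn (Clément's point). The following is an added Python model of that decision logic, written for this archive page; it is not OpenLDAP's ppolicy code. It reproduces the pwdHistory value format ("time#syntaxOID#length#data") and {SSHA} hashing so the comparison is realistic, then replays the poster's AAbb1122 / CCdd3344 / AAbb1122 sequence under each combination of binding identity and policy attachment. The DNs, the policy name and the assumption that the rootdn skips the check entirely (while history is still recorded) are constructed for the example.

```python
import base64
import hashlib
import os
from datetime import datetime, timedelta, timezone

# Syntax OID of userPassword (Octet String). slapo-ppolicy stores each
# pwdHistory value as "time#syntaxOID#length#data".
OCTET_STRING_OID = "1.3.6.1.4.1.1466.115.121.1.40"


def ssha(password, salt=None):
    """Hash a password in OpenLDAP's {SSHA} form: base64(sha1(pw + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(password, stored):
    """Compare a cleartext password against a stored {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode() + salt).digest() == digest


def history_value(hashed, when):
    """Format one pwdHistory value the way the overlay stores it."""
    return f"{when:%Y%m%d%H%M%S}Z#{OCTET_STRING_OID}#{len(hashed)}#{hashed}"


def history_hashes(entry):
    """Pull the stored password hashes back out of an entry's pwdHistory."""
    return [v.split("#", 3)[3] for v in entry.get("pwdHistory", [])]


def effective_policy(entry, policies, default_policy_dn):
    """Lookup order: the entry's own pwdPolicySubentry, else the overlay's
    default policy (olcPPolicyDefault), else no policy at all."""
    dn = entry.get("pwdPolicySubentry") or default_policy_dn
    return policies.get(dn) if dn else None


def change_password(entry, new_password, modifier_dn, rootdn, policies,
                    default_policy_dn, now):
    """Model a userPassword modify; returns (accepted, reason).

    Model assumptions (constructed for this example): the rootdn bypasses the
    history check entirely, as the thread states; a non-root modifier has the
    new password compared against the current hash and every pwdHistory hash;
    on success the old hash is rotated into pwdHistory, trimmed to pwdInHistory.
    """
    policy = effective_policy(entry, policies, default_policy_dn)
    in_history = policy.get("pwdInHistory", 0) if policy else 0

    if modifier_dn != rootdn and in_history > 0:
        previous = history_hashes(entry)
        if "userPassword" in entry:
            previous.append(entry["userPassword"])
        if any(ssha_verify(new_password, h) for h in previous):
            return False, "password is in history of old passwords"

    if in_history > 0 and "userPassword" in entry:
        history = entry.get("pwdHistory", []) + [history_value(entry["userPassword"], now)]
        entry["pwdHistory"] = history[-in_history:]
    entry["userPassword"] = ssha(new_password)
    return True, "ok"


def run_scenario(modifier_is_rootdn, assign_policy, use_default):
    """Replay the poster's sequence under one combination of who binds and how
    the policy is attached; returns the accepted/rejected outcome per change.
    All DNs below are constructed sample values."""
    rootdn = "cn=admin,dc=example,dc=com"
    user_dn = "uid=tian,ou=people,dc=example,dc=com"
    policy_dn = "cn=default,ou=policies,dc=example,dc=com"
    policies = {policy_dn: {"pwdInHistory": 5}}
    entry = {"dn": user_dn}
    if assign_policy:
        entry["pwdPolicySubentry"] = policy_dn
    default_dn = policy_dn if use_default else None
    modifier = rootdn if modifier_is_rootdn else user_dn
    t0 = datetime(2019, 2, 14, 12, 0, tzinfo=timezone.utc)
    outcomes = []
    for i, pw in enumerate(["AAbb1122", "CCdd3344", "AAbb1122"]):
        ok, _ = change_password(entry, pw, modifier, rootdn, policies,
                                default_dn, t0 + timedelta(minutes=i))
        outcomes.append(ok)
    return outcomes


if __name__ == "__main__":
    print("rootdn, default policy:   ", run_scenario(True, False, True))
    print("user, no policy attached: ", run_scenario(False, False, False))
    print("user, default policy:     ", run_scenario(False, False, True))
    print("user, pwdPolicySubentry:  ", run_scenario(False, True, False))
```

Only the last two scenarios reject the third change. The first two reproduce what the poster saw: a change made by the rootdn, or a user entry that neither carries pwdPolicySubentry nor falls under a default policy, is never checked against history. When debugging this on a real server, bind as the user (or as a delegated password-admin DN that is not the rootdn) and confirm with ldapwhoami, and read the entry's pwdPolicySubentry and pwdHistory operational attributes to see whether the policy is in force.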