Re: biometric authentication
Chris Lee wrote:
> Dear all,
> I am a newbie to OpenLDAP. I would like to know whether OpenLDAP can interface with other authentication methods. For example, fingerprint authentication.

OpenLDAP relies on SASL for pluggable authentication mechanisms. Since SASL is extensible, new mechs should just be implemented there (which thus allows them to be used by any other applications that are also SASL-enabled, such as IMAP servers or whatever...)

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
Re: MDB name
On 11/14/2011 09:20 AM, Howard Chu wrote:
>> 4. If it is a small amount of work, you might as well do it.
>
> Yeah, sounds about right. At this point, for lack of a better idea, I think mmdb may be different enough to distinguish it and also lend some more meaning to the name.

This thread was too quick for me to catch up :) I think mmdb sounds fine.

p.

--
Pierangelo Masarati
Associate Professor
Dipartimento di Ingegneria Aerospaziale
Politecnico di Milano
Re: MDB distribution
Brett @Google wrote:
> On Mon, Nov 14, 2011 at 3:20 PM, Howard Chu <h...@symas.com> wrote:
>> Brett @Google wrote:
>>> Sorry for the fuzzy logic :P, but:
>>>
>>> My thoughts for no:
>>>
>>> 1. The name will affect only the name of the backend module, which is logically a unit under the scope of openldap (and all backends share a prefix); it can't exist by itself.
>>
>> This point is false; libmdb builds on its own and is intended for use in more than just OpenLDAP. (I already spelled this out in my LDAPCon presentation...) I've ported SQLite to use it, for example, and I will be porting it to Cyrus SASL (sasldb), Heimdal, and various other miscellaneous stuff that comes along. The API is fully documented in Doxygen, and part of the reason I went to that trouble was to ensure that other programmers could use it easily.
>
> Mmm. That sounds interesting. I have only just read your LDAPCon presentation; I have been away.
>
> Will the source for the mmdb library itself eventually live separately somewhere, or just be bundled with ldap?

It will always reside in the OpenLDAP git repo. You can use e.g.

    git clone -b mdb.master git://git.openldap.org/openldap.git mdb

to grab just the libmdb source.

--
  -- Howard Chu
Re: biometric authentication
Dear Howard,

If the fingerprint authentication provides an API, can it be invoked from OpenLDAP, and how?

Thanks in advance for all your help.

Best regards,
Chris.

Howard Chu wrote, On 2011-11-14 16:15:
> Chris Lee wrote:
>> Dear all,
>> I am a newbie to OpenLDAP. I would like to know whether OpenLDAP can interface with other authentication methods. For example, fingerprint authentication.
>
> OpenLDAP relies on SASL for pluggable authentication mechanisms. Since SASL is extensible, new mechs should just be implemented there (which thus allows them to be used by any other applications that are also SASL-enabled, such as IMAP servers or whatever...)
Re: About set LDAP passwd expires
On 11/11/2011 03:10, Gary Jsz wrote:
> Hi, All
> I want to set my ldap users' password expiry on a linux server. How can I do it? Or can the LDAP service read the linux system's /etc/login.defs file?

If you use (as almost all distributions are doing) the traditional posixAccount account approach, you must set the shadowMax attribute to the maximum number of days the password can be considered valid. And be sure that when you change a user's password the shadowLastChange attribute is updated.

Simone
--
Simone Piccardi                       Truelite Srl
picca...@truelite.it (email/jabber)   Via Monferrato, 6
Tel. +39-347-1032433                  50142 Firenze
http://www.truelite.it                Tel. +39-055-7879597 Fax. +39-055-736
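An added example (editor's code, not from this thread or from OpenLDAP) of what the reply above implies in practice: slapd does not read /etc/login.defs, so the ageing values have to be copied from there into shadowMax/shadowWarning, and every password change has to restamp shadowLastChange or the age is computed from a stale date. The expiry check mirrors the shadow(5) rules that pam_unix/pam_ldap apply; the login.defs text and the DN are constructed for the example.

```python
"""Shadow-style password ageing for posixAccount entries in LDAP (added example).

Day counts are days since 1970-01-01, the same unit /etc/shadow uses for
shadowLastChange. The login.defs sample and the DN below are constructed.
"""
from datetime import date
from typing import Dict, Optional

EPOCH = date(1970, 1, 1)
NO_EXPIRY = 99999  # conventional shadowMax value meaning "never expires"
AGEING_KEYS = {"PASS_MAX_DAYS", "PASS_MIN_DAYS", "PASS_WARN_AGE"}


def days_since_epoch(day: date) -> int:
    """Value to store in shadowLastChange for a password changed on `day`."""
    return (day - EPOCH).days


def parse_login_defs(text: str) -> Dict[str, int]:
    """Pick the password-ageing knobs out of login.defs-style text (comments dropped)."""
    values: Dict[str, int] = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) == 2 and parts[0] in AGEING_KEYS:
            values[parts[0]] = int(parts[1])
    return values


def password_status_days(last_change: int, shadow_max: Optional[int], today: int,
                         shadow_warning: int = 0,
                         shadow_inactive: Optional[int] = None) -> str:
    """Classify an account from its shadow attributes: ok, warn, expired or inactive.

    shadow(5) rules: shadowLastChange 0 forces a change at next login; a missing
    shadowMax (or 99999) disables ageing; the password is expired once its age
    exceeds shadowMax; the account is inactive once the age also exceeds
    shadowMax + shadowInactive; a warning is due within shadowWarning days.
    """
    if last_change == 0:
        return "expired"
    if shadow_max is None or shadow_max >= NO_EXPIRY:
        return "ok"
    age = today - last_change
    if shadow_inactive is not None and age > shadow_max + shadow_inactive:
        return "inactive"
    if age > shadow_max:
        return "expired"
    if shadow_warning and age >= shadow_max - shadow_warning:
        return "warn"
    return "ok"


def password_status(last_change: int, shadow_max: Optional[int], today: date,
                    shadow_warning: int = 0, shadow_inactive: Optional[int] = None) -> str:
    """Same check, taking a calendar date for 'today'."""
    return password_status_days(last_change, shadow_max, days_since_epoch(today),
                                shadow_warning, shadow_inactive)


def expiry_ldif(dn: str, login_defs: Dict[str, int], last_change: int) -> str:
    """One LDIF modify that turns ageing on and restamps shadowLastChange together."""
    lines = [f"dn: {dn}", "changetype: modify",
             "replace: shadowMax", f"shadowMax: {login_defs['PASS_MAX_DAYS']}", "-"]
    if "PASS_WARN_AGE" in login_defs:
        lines += ["replace: shadowWarning",
                  f"shadowWarning: {login_defs['PASS_WARN_AGE']}", "-"]
    lines += ["replace: shadowLastChange", f"shadowLastChange: {last_change}"]
    return "\n".join(lines) + "\n"


# Constructed sample, not a real login.defs.
SAMPLE_LOGIN_DEFS = """
# Password aging controls
PASS_MAX_DAYS   90
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
"""

if __name__ == "__main__":
    defs = parse_login_defs(SAMPLE_LOGIN_DEFS)
    changed = days_since_epoch(date(2011, 11, 14))
    print(expiry_ldif("uid=alice,ou=people,dc=example,dc=com", defs, changed))
    for age in (30, 85, 91):
        print(age, password_status_days(changed, defs["PASS_MAX_DAYS"],
                                        changed + age, defs["PASS_WARN_AGE"]))
```

The LDIF is meant to be fed to ldapmodify once per user when ageing is introduced; afterwards the password-changing path (PAM module or ldappasswd wrapper) has to keep restamping shadowLastChange, which is the part the reply warns about.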
Re: About set LDAP passwd expires
On 11/11/2011 03:31, Chris Jacobs wrote:
> Password Policy. The OpenLDAP Admin Guide and Google are your friends.

That's good for LDAP authentication, but when you want to put linux users in LDAP you also need to configure NSS and PAM to use it. And for most distributions nssov (which, if I understand the issue rightly, is the way to use ppolicy for NSS) is not packaged nor supported (and is not documented either, at least in the Guide).

So at least for me the traditional posixAccount and posixGroup are still a better option (and there are many management packages you can use).

Simone
--
Simone Piccardi
Overlays syncrepl and smbk5pwd
Hi,

I am using both the syncrepl (for replication) and smbk5pwd (for password synchronisation between samba and ldap accounts) overlays. I have configured replication in the simplest way: a read-only producer that forwards updates to the provider through updateref.

If I change my password through the passwd command on a client with pam modules configured to get information from the provider, everything works fine (userPassword, sambaLMPassword and sambaNTPassword are correctly synchronized). Instead, if I change my password through the passwd command on another client with pam modules configured to get information from the consumer, only the userPassword is changed. I do not understand why. Has someone experienced the same problem?

Thank you in advance.
Re: Overlays syncrepl and smbk5pwd
On 14/11/2011 15:22, Francesco Storti wrote:
> Hi,
>
> I am using both the syncrepl (for replication) and smbk5pwd (for password synchronisation between samba and ldap accounts) overlays. I have configured replication in the simplest way: a read-only producer that forwards updates to the provider through updateref.
>
> If I change my password through the passwd command on a client with pam modules configured to get information from the provider, everything works fine (userPassword, sambaLMPassword and sambaNTPassword are correctly synchronized). Instead, if I change my password through the passwd command on another client with pam modules configured to get information from the consumer, only the userPassword is changed. I do not understand why. Has someone experienced the same problem?
>
> Thank you in advance.

If I remember right, password modification is done by an extended operation (at least the one needed for smbk5pwd to work). Not sure if this is forwarded as an ordinary modification. Unfortunately I don't have any experience with your setup, so this can be just a guess.

Ciao
Simone
--
Simone Piccardi
Re: Overlays syncrepl and smbk5pwd
On 14/11/11 15:22 +0100, Francesco Storti wrote:
> Hi,
>
> I am using both the syncrepl (for replication) and smbk5pwd (for password synchronisation between samba and ldap accounts) overlays. I have configured replication in the simplest way: a read-only producer that forwards updates to the provider through updateref.
>
> If I change my password through the passwd command on a client with pam modules configured to get information from the provider, everything works fine (userPassword, sambaLMPassword and sambaNTPassword are correctly synchronized). Instead, if I change my password through the passwd command on another client with pam modules configured to get information from the consumer, only the userPassword is changed. I do not understand why. Has someone experienced the same problem?
>
> Thank you in advance.

smbk5pwd only takes effect when performing a password Extended Operation (see the smbk5pwd/README file in the source). On the systems where 'passwd' is not doing the correct thing, verify that your ldap pam config is performing an ExOp, and not just overwriting userPassword.

I am performing replication without any issues with the samba/kerberos attributes propagating.

--
Dan White
Re: biometric authentication
Howard Chu wrote, On 2011-11-14 16:15:
> Chris Lee wrote:
>> Dear all,
>> I am a newbie to OpenLDAP. I would like to know whether OpenLDAP can interface with other authentication methods. For example, fingerprint authentication.
>
> OpenLDAP relies on SASL for pluggable authentication mechanisms. Since SASL is extensible, new mechs should just be implemented there (which thus allows them to be used by any other applications that are also SASL-enabled, such as IMAP servers or whatever...)

On 14/11/11 18:19 +0800, Chris Lee wrote:
> Dear Howard,
> If the fingerprint authentication provides an API, can it be invoked from OpenLDAP, and how?
> Thanks in advance for all your help.

You could implement a new SASL (RFC 4422) mechanism by creating a new shared library within the Cyrus SASL code, which would then be usable via slapd and any other software which links against Cyrus. For Cyrus SASL developer documentation, see:

http://www.cyrussasl.org/docs/cyrus-sasl/2.1.25/plugprog.php
http://www.cyrussasl.org/docs/cyrus-sasl/2.1.25/programming.php

The implementation would not require any changes to the OpenLDAP code. It would be invoked by specifying the new mechanism, e.g. via the '-Y' option when using the OpenLDAP client utilities.

You can direct any additional questions to the cyrus-sasl mailing list at:

http://www.cyrussasl.org/mediawiki/index.php/Cyrus_Mailing_Lists

--
Dan White
Re: trigger script on change to db
Eli,

E.S. Rosenberg wrote (13.11.2011 17:13):
> I was wondering, is it possible to set a slapd syncprov consumer to trigger a script when it receives changes to the db (updates of specific attributes)?

I think you might be able to replicate to a server instance with the back-perl or back-shell backend and add a script checking for changes.

http://www.openldap.org/doc/admin24/backends.html
http://linux.die.net/man/5/slapd-perl

Marc
Re: About set LDAP passwd expires
Simone Piccardi wrote:
> On 11/11/2011 03:31, Chris Jacobs wrote:
>> Password Policy. The OpenLDAP Admin Guide and Google are your friends.
>
> That's good for LDAP authentication, but when you want to put linux users in LDAP you also need to configure NSS and PAM to use it. And for most distributions nssov (which, if I understand the issue rightly, is the way to use ppolicy for NSS) is not packaged nor supported (and is not documented either, at least in the Guide).

When did nssov come into the discussion? pam_ldap supports the password policy extension.

The Admin Guide has only ever been a Guide, not an exhaustive reference. The manpages are always the complete and authoritative documentation. If you choose not to use features because they aren't mentioned in the Guide, you're shortchanging yourself.

> So at least for me the traditional posixAccount and posixGroup are still a better option (and there are many management packages you can use).

--
  -- Howard Chu
Re: trigger script on change to db
E.S. Rosenberg wrote:
> I was wondering, is it possible to set a slapd syncprov consumer to trigger a script when it receives changes to the db (updates of specific attributes)?

You might want to try something with a syncrepl consumer served by back-sock. But I think getting this right is almost as much work as implementing your own syncrepl client.

Ciao, Michael.
Re: trigger script on change to db
Michael Ströder wrote:
> E.S. Rosenberg wrote:
>> I was wondering, is it possible to set a slapd syncprov consumer to trigger a script when it receives changes to the db (updates of specific attributes)?
>
> You might want to try something with a syncrepl consumer served by back-sock. But I think getting this right is almost as much work as implementing your own syncrepl client.

That's almost on the right track. Use back-sock as an overlay.

--
  -- Howard Chu
Re: trigger script on change to db
Howard Chu wrote:
> Michael Ströder wrote:
>> E.S. Rosenberg wrote:
>>> I was wondering, is it possible to set a slapd syncprov consumer to trigger a script when it receives changes to the db (updates of specific attributes)?
>>
>> You might want to try something with a syncrepl consumer served by back-sock. But I think getting this right is almost as much work as implementing your own syncrepl client.
>
> That's almost on the right track. Use back-sock as an overlay.

That's what I was thinking first. But I'd be afraid that a blocking/misbehaving script would lock up slapd. I'd prefer to decouple such components to be on the safe side.

Ciao, Michael.
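An added example (editor's code, not from the thread or from OpenLDAP) of the back-sock overlay approach suggested above, written so that the decoupling concern in the last reply is handled: the listener answers slapd immediately with CONTINUE and runs the script on a worker thread, so a slow or hung script cannot stall slapd. The request format is my reading of slapd-sock(5); the slapd.conf fragment, the socket path, the script path and the sample request are assumptions for the illustration. Note that `sockops` fires before the modify is applied, so the worker sees an attempted change, not a committed one.

```python
"""Change hook for the slapd-sock(5) overlay (added example, not part of OpenLDAP).

Assumed consumer configuration (see slapd-sock(5)):
    overlay    sock
    socketpath /var/run/slapd/hook.sock
    sockops    modify
slapd writes each MODIFY as text to the socket and waits for a reply; this hook
replies CONTINUE at once and does the real work off the slapd thread.
"""
import os
import queue
import socket
import subprocess
import threading
from typing import Callable, Dict, Set

WATCHED_ATTRS = {"userPassword", "sambaNTPassword", "shadowLastChange"}  # assumption
MOD_OPS = ("add", "delete", "replace")


def parse_sock_request(text: str) -> Dict:
    """Parse one request: op line, 'key: value' headers (suffix may repeat),
    'dn: <DN>', then modification blocks '<add|delete|replace>: <attr>',
    '<attr>: <value>'..., '-', ending with a blank line. Extra header lines
    (binddn:, peername:, ... from 'extensions') are kept uninterpreted."""
    lines = text.rstrip("\n").split("\n")
    req: Dict = {"op": lines[0], "headers": {}, "suffix": [], "dn": None, "changes": []}
    i = 1
    while i < len(lines) and not lines[i].startswith("dn: "):
        key, _, value = lines[i].partition(": ")
        if key == "suffix":
            req["suffix"].append(value)
        else:
            req["headers"][key] = value
        i += 1
    if i < len(lines):
        req["dn"] = lines[i][len("dn: "):]
        i += 1
    current = None
    for line in lines[i:]:
        if line == "-":                       # end of one modification block
            if current is not None:
                req["changes"].append(current)
            current = None
            continue
        key, _, value = line.partition(": ")
        if current is None and key in MOD_OPS:
            current = {"mod": key, "attr": value, "values": []}
        elif current is not None:
            current["values"].append(value)
    if current is not None:
        req["changes"].append(current)
    return req


def changed_attrs(req: Dict) -> Set[str]:
    return {c["attr"] for c in req["changes"]}


def should_trigger(req: Dict, watched: Set[str] = WATCHED_ATTRS) -> bool:
    return req["op"] == "MODIFY" and bool(changed_attrs(req) & watched)


def run_script(script: str, req: Dict) -> int:
    """Worker action: hand DN and changed attribute names (never values) to a script."""
    return subprocess.run([script, req["dn"], *sorted(changed_attrs(req))], timeout=60).returncode


def serve(path: str, on_change: Callable[[Dict], None]) -> None:
    """Accept back-sock connections; reply CONTINUE first, queue matching changes."""
    work: "queue.Queue[Dict]" = queue.Queue()

    def worker() -> None:
        while True:
            on_change(work.get())
    threading.Thread(target=worker, daemon=True).start()

    if os.path.exists(path):
        os.unlink(path)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    os.chmod(path, 0o660)  # only slapd's user/group should be able to reach the hook
    srv.listen(8)
    while True:
        conn, _ = srv.accept()
        with conn:
            data = b""
            while not data.endswith(b"\n\n"):
                chunk = conn.recv(4096)
                if not chunk:
                    break
                data += chunk
            conn.sendall(b"CONTINUE\n\n")  # let slapd carry on; never wait on the script
        if data:
            req = parse_sock_request(data.decode("utf-8", "replace"))
            if should_trigger(req):
                work.put(req)


# Constructed sample, shaped like a 'sockops modify' request.
SAMPLE_MODIFY = ("MODIFY\nmsgid: 7\nsuffix: dc=example,dc=com\n"
                 "dn: uid=alice,ou=people,dc=example,dc=com\n"
                 "replace: userPassword\nuserPassword: {SSHA}constructed-sample\n-\n"
                 "replace: shadowLastChange\nshadowLastChange: 15292\n-\n\n")

if __name__ == "__main__":
    serve("/var/run/slapd/hook.sock",                                    # hypothetical
          lambda req: run_script("/usr/local/sbin/on-ldap-change", req))  # hypothetical
```

Because the reply goes out before the script runs, a failure in the script cannot veto the modify; if the script must gate the operation, reply with a RESULT block instead, accepting that slapd then blocks for as long as the script takes.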
Search access does not return any result
Hi All,

I am playing with access controls on openldap 2.4.26. I have a user with search access on everything:

access to *
    by anonymous auth
    by dn=uid=102,ou=system,dc=example,dc=com search

And when I perform a search I get nothing:

ldapsearch -H ldap://testldap:389 -D uid=102,ou=system,dc=example,dc=com -b ou=users,dc=example,dc=com -x -W '(uid=1)' mail cn dn
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=users,dc=example,dc=com> with scope subtree
# filter: (uid=1)
# requesting: mail cn dn
#

# search result
search: 2
result: 0 Success

# numResponses: 1

So I get a success but no value; is this a valid response? I want to control access so that the uid=102 user can do lookups on given attributes but cannot do (objectClass=*) to get a list of every entry in the ldap.

Thanks for the help
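An added editor's note and configuration example (not a reply from the thread, and not OpenLDAP's own documentation): under slapd.access(5) privileges, `search` on an attribute only lets the filter be evaluated against it. Returning an entry needs `read` on the `entry` pseudo-attribute, and returning values needs `read` on those attributes, so with `search` alone the entry is matched but nothing is disclosed; "result: 0 Success" with zero entries is exactly what the ACL above produces. The fragment below, assuming the DNs from the post, grants `search` only on uid and `read` on entry, cn and mail. objectClass is left with no access for uid=102, so `(objectClass=*)` cannot be evaluated for that identity. A presence filter on a searchable attribute, e.g. `(uid=*)`, still enumerates, so the size limit does the real work against listing.

```conf
# Assumed slapd.conf ACLs for the database holding dc=example,dc=com
# (illustration only). Rules are first-match per <what> clause, so order matters.

# uid=102 may evaluate filters on uid, but not read uid values back.
access to dn.subtree="ou=users,dc=example,dc=com" attrs=uid
    by dn.exact="uid=102,ou=system,dc=example,dc=com" search
    by * none

# read on "entry" is what allows a matched entry to be returned at all;
# read on cn/mail is what allows those values in the result.
access to dn.subtree="ou=users,dc=example,dc=com" attrs=entry,cn,mail
    by dn.exact="uid=102,ou=system,dc=example,dc=com" read
    by * none

# A lookup by exact uid needs one entry; anything that tries to list gets cut off.
limits dn.exact="uid=102,ou=system,dc=example,dc=com" size=1

# Everything else (including objectClass and userPassword): anonymous may only
# bind against it, uid=102 gets nothing, so (objectClass=*) matches nothing for it.
access to *
    by anonymous auth
    by * none
```

A practical check after changing ACLs is `slapacl -D "uid=102,ou=system,dc=example,dc=com" -b "uid=1,ou=users,dc=example,dc=com" entry/read objectClass/search`, which reports per attribute and privilege whether the identity would be allowed, without running a search.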