Re: SSL based ldap server

2015-10-05 Thread Aneela Saleem
Do we need to have the CA certificate/server key on the other client machine as
well? If yes, then how can we achieve that?

On Sun, Oct 4, 2015 at 9:00 PM, Dieter Klünter  wrote:

> On Sun, 4 Oct 2015 19:18:19 +0500, Aneela Saleem wrote:
>
> > I have followed this link:
> > http://stackoverflow.com/questions/21488845/how-can-i-generate-a-self-signed-certificate-with-subjectaltname-using-openssl
> > I updated the openssl.cnf file manually and added the IP address of the
> > other client machine. Then I generated the SSL certificate. Now I am
> > accessing ldaps://platalytics.com:636 from the other client machine (I
> > also added platalytics.com to the /etc/hosts file) but am unable to
> > access it from the external IP address. What am I missing now?
>
> Domain Name Service? Firewall? Routing Tables?
>
> -Dieter
>
> >
> > On Fri, Oct 2, 2015 at 5:35 PM, Aneela Saleem 
> > wrote:
> >
> > > Hi Michael,
> > >
> > > Thanks for explaining. So far I have only performed server-side
> > > validation using the link
> > > 
> > >
> > > Can you please guide me on how we can perform client-side
> > > verification? I mean, how do I set the subjectAltName extension?
> > >
> > > On Fri, Oct 2, 2015 at 4:10 PM, Michael Ströder
> > >  wrote:
> > >
> > >> Aneela Saleem wrote:
> > >> > What if I want to access LDAP from an external source? How would it
> > >> > recognize platalytics.com?
> > >>
> > >> Hopefully the client performs the TLS hostname check as defined in
> > >> RFC 6125.
> > >>
> > >> All hostnames and IP addresses used by clients have to be listed
> > >> in the subjectAltName extension.
> > >>
> > >> Ciao, Michael.
> > >>
> > >>
> > >
>
>
>
> --
> Dieter Klünter | Systemberatung
> http://sys4.de
> GPG Key ID: E9ED159B
> 53°37'09,95"N
> 10°08'02,42"E
>
>

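The point Michael makes above, that a client checks the name it connected to against the certificate's subjectAltName entries and not against the CN, is easy to get wrong when generating self-signed certificates. The following is an added example (not code from the thread or from OpenLDAP): a small RFC 6125-style matcher over the dictionary shape Python's `ssl.SSLSocket.getpeercert()` returns. The certificate contents are constructed; the IP addresses and the `*.internal.platalytics.com` wildcard are assumptions chosen to exercise the rules.

```python
"""RFC 6125-style TLS server identity check against subjectAltName.
Added illustration; not code from the thread or from OpenLDAP."""
import ipaddress

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns for
# a certificate carrying DNS and IP subjectAltName entries.
SAMPLE_CERT = {
    "subject": ((("commonName", "platalytics.com"),),),
    "subjectAltName": (
        ("DNS", "platalytics.com"),
        ("DNS", "*.internal.platalytics.com"),   # assumed wildcard entry
        ("IP Address", "203.0.113.10"),          # assumed external address
    ),
}


def _dns_match(pattern: str, host: str) -> bool:
    """Match a DNS-ID against a hostname, case-insensitively. A wildcard is
    honoured only as the entire left-most label (RFC 6125 section 6.4.3),
    and patterns with fewer than three labels (e.g. '*.com') are refused."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def reference_identity_matches(cert: dict, target: str) -> bool:
    """True if `target` (a hostname or an IP literal) is covered by the
    certificate's subjectAltName. The subject CN is deliberately not
    consulted: when a SAN extension is present it is authoritative, which is
    exactly why a cert with only CN=platalytics.com fails for an IP URL."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    for kind, value in cert.get("subjectAltName", ()):
        if ip is not None and kind == "IP Address":
            try:
                if ipaddress.ip_address(value) == ip:
                    return True
            except ValueError:
                continue                      # malformed iPAddress entry
        elif ip is None and kind == "DNS" and _dns_match(value, target):
            return True
    return False


def explain(cert: dict, target: str) -> str:
    """One-line verdict for an address a client might put in its ldaps:// URL."""
    ok = reference_identity_matches(cert, target)
    return f"{target}: {'OK' if ok else 'NO MATCH (add it to subjectAltName)'}"


if __name__ == "__main__":
    for t in ("platalytics.com", "203.0.113.10", "198.51.100.7",
              "db.internal.platalytics.com", "x.y.internal.platalytics.com"):
        print(explain(SAMPLE_CERT, t))
```

Two consequences follow for the question asked at the top of this message. First, what the client needs is the CA certificate that signed the server certificate (in OpenLDAP's ldap.conf that is `TLS_CACERT`, with `TLS_REQCERT demand` so the check is enforced), never the server's private key. Second, an /etc/hosts entry on the client changes name resolution but not the certificate: an address that clients connect to must itself be present as a DNS or IP subjectAltName entry, or the check above fails.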

New User unable to authenticate on new client

2015-10-05 Thread Varadi, Louis - 0442 - MITLL
I have a new OpenLDAP server. I am also using it as an LDAP client.

 

I have added a user but cannot authenticate. 

 

I have spent a lot of time researching this issue. All the suggestions are
very different: ACL issues, slapd pointing at the incorrect config files,
the ldap.conf file being incorrect, nsswitch being incorrect, an incorrect
password.

 

Is there a straightforward way to troubleshoot this issue? What are the
config files that are involved with this failure?

Your help is greatly appreciated. 

 

This user works

[root@ldapservrer]# ldapwhoami -x -D cn=ldapadmin,dc=group1,dc=ldap -W

Enter LDAP Password: 

dn:cn=ldapadmin,dc=group1,dc=ldap

 

This user fails

[root@ldapserver]# ldapwhoami -x -D cn=lou,dc=group1,dc=ldap -W

Enter LDAP Password: 

ldap_bind: Invalid credentials (49)

 

 

5612e45a conn=1051 fd=12 ACCEPT from IP=192.168.0.101:59308
(IP=192.168.0.a0a:389)

5612e45a conn=1051 op=0 BIND dn="cn=lou,dc=group1,dc=ldap" method=128

5612e45a conn=1051 op=0 RESULT tag=97 err=49 text=

5612e45a conn=1051 op=1 UNBIND

5612e45a conn=1051 fd=12 closed

 

 

Oct  5 16:03:32 ldapserver sshd[1432]: Received disconnect from 9.9.9.9: 11:
disconnected by user

Oct  5 16:03:36 ldapserver sshd[1528]: Invalid user lou from 9.9.9.9

Oct  5 16:03:36 ldapserver sshd[1529]: input_userauth_request: invalid user
lou

Oct  5 16:03:53 ldapserver sshd[1528]: Failed password for invalid user lou
from 9.9.9.9 port 33968 ssh2

 

___

 

[root@ldapserver man1]#   su - lou

su: user lou does not exis

 

5612ebc3 conn=1053 fd=12 ACCEPT from IP=192.168.0.101:59310
(IP=192.168.0.101:389)

5612ebc3 conn=1053 op=0 SRCH base="" scope=0 deref=0
filter="(objectClass=*)"

5612ebc3 conn=1053 op=0 SRCH attr=* altServer namingContexts
supportedControl supportedExtension supportedFeatures supportedLDAPVersion
supportedSASLMechanisms domainControllerFunctionality defaultNamingContext
lastUSN highestCommittedUSN

5612ebc3 conn=1053 op=0 SEARCH RESULT tag=101 err=0 nentries=0 text=

5612ebc3 conn=1053 op=1 SRCH base="dc=group1,dc=ldap" scope=2 deref=0
filter="(&(uid=lou)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNum
ber=0"

5612ebc3 conn=1053 op=1 SRCH attr=objectClass uid userPassword uidNumber
gidNumber gecos homeDirectory loginShell krbPrincipalName cn modifyTimestamp
modifyTimestamp shadowLastChange shadowMin shadowMax shadowWarning
shadowInactive shadowExpire shadowFlag krbLastPwdChange
krbPasswordExpiration pwdAttribute authorizedService accountExpires
userAccountControl nsAccountLock host loginDisabled loginExpirationTime
loginAllowedTimeMap sshPublicKey

5612ebc3 conn=1053 op=1 SEARCH RESULT tag=101 err=50 nentries=0 text=

5612ebc3 conn=1053 op=2 UNBIND

5612ebc3 conn=1053 fd=12 closed

 

__

 

 

ssh  lou@192.168.101

 

5612ed15 conn=1107 fd=12 ACCEPT from IP=192.168.0.101:59364
(IP=192.168.0.101:389)

5612ed15 conn=1107 op=0 SRCH base="" scope=0 deref=0
filter="(objectClass=*)"

5612ed15 conn=1107 op=0 SRCH attr=* altServer namingContexts
supportedControl supportedExtension supportedFeatures supportedLDAPVersion
supportedSASLMechanisms domainControllerFunctionality defaultNamingContext
lastUSN highestCommittedUSN

5612ed15 conn=1107 op=0 SEARCH RESULT tag=101 err=0 nentries=0 text=

5612ed15 conn=1107 op=1 SRCH base="dc=group1,dc=ldap" scope=2 deref=0
filter="(&(uid=lou)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNum
ber=0"

5612ed15 conn=1107 op=1 SRCH attr=objectClass uid userPassword uidNumber
gidNumber gecos homeDirectory loginShell krbPrincipalName cn modifyTimestamp
modifyTimestamp shadowLastChange shadowMin shadowMax shadowWarning
shadowInactive shadowExpire shadowFlag krbLastPwdChange
krbPasswordExpiration pwdAttribute authorizedService accountExpires
userAccountControl nsAccountLock host loginDisabled loginExpirationTime
loginAllowedTimeMap sshPublicKey

5612ed15 conn=1107 op=1 SEARCH RESULT tag=101 err=50 nentries=0 text=

5612ed15 conn=1107 op=2 UNBIND

5612ed15 conn=1107 fd=12 closed

 

 

[root@ldapserver ]# ldapsearch -H ldap://ldapserver.group1.ldap -d 256 -D
cn=ldapadmin,dc=group1,dc=ldap -W -b ou=Users,dc=group1,dc=ldap

Enter LDAP Password: 

# extended LDIF

#

# LDAPv3

# base 

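A systematic way to read slapd logs like the ones quoted above is to pair every request line with its RESULT line and name the result code, while tracking whether the connection had a successful BIND before each operation. The following parser is an added triage example, not code from the post or from OpenLDAP; its sample input is constructed from the post's lines (same connections, DNs and result codes, with the wrapped filter shortened and the long `SRCH attr=` lines left out).

```python
"""Correlate slapd conn/op log lines into per-operation results and name
the LDAP result codes. Added triage example; not code from the post."""
import re
from collections import defaultdict

# Constructed sample modelled on the lines quoted in the post.
SAMPLE_LOG = """\
5612e45a conn=1051 fd=12 ACCEPT from IP=192.168.0.101:59308 (IP=192.168.0.101:389)
5612e45a conn=1051 op=0 BIND dn="cn=lou,dc=group1,dc=ldap" method=128
5612e45a conn=1051 op=0 RESULT tag=97 err=49 text=
5612e45a conn=1051 op=1 UNBIND
5612e45a conn=1051 fd=12 closed
5612ebc3 conn=1053 fd=12 ACCEPT from IP=192.168.0.101:59310 (IP=192.168.0.101:389)
5612ebc3 conn=1053 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
5612ebc3 conn=1053 op=0 SEARCH RESULT tag=101 err=0 nentries=0 text=
5612ebc3 conn=1053 op=1 SRCH base="dc=group1,dc=ldap" scope=2 deref=0 filter="(&(uid=lou)(objectClass=posixAccount))"
5612ebc3 conn=1053 op=1 SEARCH RESULT tag=101 err=50 nentries=0 text=
5612ebc3 conn=1053 op=2 UNBIND
5612ebc3 conn=1053 fd=12 closed
"""

# Result code names from RFC 4511 for the codes that matter here.
RESULT_NAMES = {0: "success", 32: "noSuchObject", 49: "invalidCredentials",
                50: "insufficientAccessRights", 53: "unwillingToPerform"}

LINE_RE = re.compile(r"^\S+ conn=(?P<conn>\d+) (?:op=(?P<op>\d+) )?(?P<rest>.*)$")


def parse_slapd_log(text):
    """Return one record per operation that produced a RESULT line: conn, op,
    kind, detail (bind DN or search base), err, name, and bound_as, the DN
    authenticated on that connection when the operation ran ('' means
    anonymous: no successful BIND preceded it)."""
    pending = {}                  # (conn, op) -> request details
    bound_as = defaultdict(str)   # conn -> DN of the last successful BIND
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["op"] is None:
            continue              # ACCEPT/closed lines carry no op
        key = (int(m["conn"]), int(m["op"]))
        rest = m["rest"]
        if "RESULT" in rest.split()[:2]:      # "RESULT ..." or "SEARCH RESULT ..."
            err = int(re.search(r"err=(\d+)", rest).group(1))
            rec = pending.pop(key, {"conn": key[0], "op": key[1], "kind": "?", "detail": ""})
            rec["bound_as"] = bound_as[key[0]]
            if rec["kind"] == "BIND" and err == 0:
                bound_as[key[0]] = rec["detail"]   # later ops run as this DN
            rec.update(err=err, name=RESULT_NAMES.get(err, f"code {err}"))
            records.append(rec)
        else:
            kind, _, detail = rest.partition(" ")
            if kind in ("BIND", "SRCH"):
                m2 = re.search(r'(?:dn|base)="([^"]*)"', detail)
                detail = m2.group(1) if m2 else detail
            # setdefault keeps the first line of an op (a second "SRCH attr=" line is ignored)
            pending.setdefault(key, {"conn": key[0], "op": key[1], "kind": kind, "detail": detail})
    return records


def triage(records):
    """Human-readable lines for every operation that did not succeed."""
    findings = []
    for r in records:
        if r["err"] == 0:
            continue
        if r["kind"] == "BIND":
            who = f'attempted as "{r["detail"]}"'
        else:
            who = f'as "{r["bound_as"]}"' if r["bound_as"] else "as anonymous"
        findings.append(f'conn={r["conn"]} op={r["op"]} {r["kind"]} {who}: '
                        f'err={r["err"]} ({r["name"]})')
    return findings


if __name__ == "__main__":
    for finding in triage(parse_slapd_log(SAMPLE_LOG)):
        print(finding)
```

Run on the sample it reports two findings: the BIND on conn 1051 attempted as cn=lou ended with err=49 (invalidCredentials, which slapd returns both for a wrong password and for a DN that does not exist), and the search for uid=lou on conn 1053 ran anonymously (no BIND on that connection) and ended with err=50 (insufficientAccessRights). The second is what the ssh and su attempts triggered through NSS, so the ACLs in slapd (olcAccess) and the client's NSS/PAM LDAP configuration, together with /etc/nsswitch.conf, are the files to examine first; the search base and filter in the log tell you what the client is actually asking for.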
Re: implementation specific error trying to modify olcSyncProvConfig object

2015-10-05 Thread Quanah Gibson-Mount
--On Friday, October 02, 2015 12:56 PM +0200 "Angel L. Mateo" wrote:

> Is this a bug? If not, why am I having this error? Any idea?

No, it is by design.  You are encountering the error because that's what it 
is designed to do.  Whether or not that is the correct design is a 
different question.  But everything is working here as it is supposed to 
currently.


--Quanah


--

Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.

Zimbra ::  the leader in open source messaging and collaboration



Re: Allow users to change ldap password with passwd

2015-10-05 Thread Real, Elizabeth (392K)
I have reinstalled openldap and applied slapo-ppolicy carefully looking at man 
pages and the configuration.

How do I then apply this to existing openldap accounts?

Thank you,
Liz

From: Michael Ströder
Date: Monday, September 28, 2015 at 10:57 PM
To: Elizabeth Real Chavez, "openldap-technical@openldap.org"
Subject: Re: Allow users to change ldap password with passwd

Elizabeth,

sorry, your wording does not allow any valid interpretation on my side.
In particular, you obfuscated too much.

To see what's really going on you should again carefully examine your
configuration, slapd logs and check the command-lines more carefully.

Ciao, Michael.

Real, Elizabeth (392K) wrote:
Michael,
I modified the command and was able to implement the password policy using:
# ldapadd -x -W -D cn=,dc=,dc= -f passwordPolicy.ldif
Verified the policy was applied:
# ldapsearch -x -D cn=,dc=,dc= -H ldap:// -b dc=,dc= -W
# real, People, .
dn: uid=real,ou=People,dc=,dc=
uid: real
homeDirectory: /home/real
memberUid: real
…
…
# policies, .
dn: cn=policies,dc=cluster,dc=sec312
objectClass: pwdPolicy
objectClass: person
objectClass: top
cn:: cG9saWNpZXMg
sn: policies
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdExpireWarning: 3600
pwdInHistory: 10
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdMaxAge: 7776000
pwdMaxFailure: 5
pwdMinAge: 0
pwdMinLength: 8
pwdMustChange: FALSE
pwdSafeModify: FALSE
# search result
search: 2
result: 0 Success
# numResponses: 598
# numEntries: 597
TEST: I reset the password for user ‘real’ on an LDAP client using passwd; the 
password was successfully changed. However, the new user password did not 
change on the LDAP server. It appears that the policy is not updating the ou 
that my user ‘real’ belongs to.
Maybe it’s got to do with my ldap tree and where I configured my password 
policy (cn=policies), this is how it is now:
dc=, dc=
cn=policies
…
…
ou=People
…
…
Thank you,
Liz
From: Michael Ströder
Date: Thursday, September 24, 2015 at 11:42 AM
To: Elizabeth Real Chavez, "openldap-technical@openldap.org"
Subject: Re: Allow users to change ldap password with passwd
Real, Elizabeth (392K) wrote:
I replaced ou with cn, tried loading the ldif and got this message:
# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f passwordPolicy.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=policies,dc=*,dc=*"
ldap_add: Insufficient access (50)
additional info: no write access to parent
I guess you want to use another bind-DN with -D when writing to your normal DB
backend / naming context dc=*,dc=*.
And defining -Y and -D together does not make sense. Please consult the man
page and look at various bind methods more closely.
Ciao, Michael.


--
Michael Ströder Klauprechtstr. 11
Dipl.-Inform.   D-76137 Karlsruhe, Germany
Tel.: +49 721 8304316   Mobil: +49 170 2391920
E-Mail: mich...@stroeder.com
http://www.stroeder.com




Re: OS X Yosemite clients

2015-10-05 Thread oldap
I have this problem resolved. It isn't related to the OpenLDAP code at all,
but has to do with the password formatting.

What I found was the passwords in OpenLDAP were in this format:

{MD5}

The base64 encoder on the Linux server always adds a newline character (\n)
to the end of the encoding. Multiple platforms have always ignored that
character until OS X 10.10.5. Simply removing the newline before inserting the
encoded password into the OpenLDAP database allows 10.10.5 and later to
authenticate against that password.

--
Jon

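The failure Jon describes comes down to one stray byte in the stored value. The following added example (not Jon's code or OpenLDAP's) builds an RFC 2307-style `{MD5}` userPassword value the correct way, reproduces the newline that the coreutils `base64` command appends, and shows a strict verifier rejecting the latter while a whitespace-tolerant one accepts it. `{MD5}` is used only because that is the scheme in the report; it is unsalted, and `{SSHA}` or a stronger scheme is the better choice for new deployments.

```python
"""OpenLDAP {MD5} userPassword values with and without the trailing newline
that a command-line base64 encoder adds. Added example; not Jon's code."""
import base64
import hashlib
import hmac


def md5_userpassword(password: str) -> str:
    """Correct {MD5} value: base64 of the raw 16-byte digest, no trailing newline."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "{MD5}" + base64.b64encode(digest).decode("ascii")


def md5_userpassword_cli_style(password: str) -> str:
    """What you get by piping the digest through the `base64` command and not
    stripping its output: base64.encodebytes mimics that trailing '\\n'."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "{MD5}" + base64.encodebytes(digest).decode("ascii")


def verify_md5(stored: str, password: str, lenient: bool = False) -> bool:
    """Check a candidate password against a stored {MD5} value.
    A strict verifier decodes exactly what is stored and fails on the newline
    (the 10.10.5 behaviour); lenient=True strips whitespace first (what the
    other platforms effectively did)."""
    if not stored.startswith("{MD5}"):
        return False
    encoded = stored[len("{MD5}"):]
    if lenient:
        encoded = encoded.strip()
    try:
        expected = base64.b64decode(encoded, validate=True)  # '\n' is rejected
    except ValueError:            # binascii.Error is a ValueError subclass
        return False
    actual = hashlib.md5(password.encode("utf-8")).digest()
    return hmac.compare_digest(expected, actual)


def repair_stored_value(stored: str) -> str:
    """The fix from the report: strip the newline from the stored value."""
    scheme, _, encoded = stored.partition("}")
    return scheme + "}" + encoded.strip()


if __name__ == "__main__":
    pw = "correct horse"          # constructed sample password
    good, bad = md5_userpassword(pw), md5_userpassword_cli_style(pw)
    print(repr(good), verify_md5(good, pw))
    print(repr(bad), verify_md5(bad, pw), verify_md5(bad, pw, lenient=True))
    print(repr(repair_stored_value(bad)), verify_md5(repair_stored_value(bad), pw))
```

When generating values in a shell, `base64 -w0` (GNU coreutils) or piping through `tr -d '\n'` avoids the problem at the source; `slappasswd -h '{MD5}'` or, preferably, `slappasswd` with its default `{SSHA}` emits the value without a newline in the first place.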


olcAccess with combined "by who" condition

2015-10-05 Thread rss ln
Hello,

Is it possible to combine olcAccess "by who" conditions for a DN and an IP
address, so that both conditions must be true? Something like:

to dn.subtree="ou=test,dc=domain,dc=com"
by dn="uid=someuser,ou=users,dc=domain,dc=com" & peername.ip=10.10.10.10
read

So, it should be possible to read the subtree for the user only from the
specific IP address.

I also tried using "set=(...)" but without success.

Any chance to do that?


RE: Allow users to change ldap password with passwd

2015-10-05 Thread Craig White
From: openldap-technical [mailto:openldap-technical-boun...@openldap.org] On 
Behalf Of Real, Elizabeth (392K)
Sent: Monday, October 05, 2015 1:18 PM
To: Michael Ströder; openldap-technical@openldap.org
Subject: Re: Allow users to change ldap password with passwd

I have reinstalled openldap and applied slapo-ppolicy carefully looking at man 
pages and the configuration.

How do I then apply this to existing openldap accounts?

Thank you,
Liz

You need to have a 'pwdPolicySubentry' attribute assigned to each user and the 
value for that attribute would have to be a valid DN of the password policy 
itself.

For example, below is what I used to add password policy recently - fix as 
needed, YMMV

#!/bin/bash
#
# assign password policy to LDAP users
for USER in `cat users`; do
  ldapmodify -x -D cn=rootbinddn,dc=example,dc=com -w $SOME_PASSWORD <

Re: olcAccess with combined "by who" condition

2015-10-05 Thread Quanah Gibson-Mount
--On Monday, October 05, 2015 12:02 PM +0200 rss ln wrote:

> Hello,
>
> Is it possible to combine olcAccess "by who" conditions for a DN and an IP
> address, so that both conditions must be true? Something like:
>
> to dn.subtree="ou=test,dc=domain,dc=com"
> by dn="uid=someuser,ou=users,dc=domain,dc=com" & peername.ip=10.10.10.10
> read
>
> So, it should be possible to read the subtree for the user only from the
> specific IP address.
>
> I also tried using "set=(...)" but without success.
>
> Any chance to do that?


It is already noted in the slapd.access(5) man page that you can have 
multiple requirements in the WHO clause.  I.e., what you're asking for is 
already implemented.


Try

by dn.exact="..." peername.ip=xxx read

--Quanah



--

Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.

Zimbra ::  the leader in open source messaging and collaboration



RE: Allow users to change ldap password with passwd

2015-10-05 Thread Craig White
From: Real, Elizabeth (392K) [mailto:elizabeth.r...@jpl.nasa.gov]
Sent: Monday, October 05, 2015 3:41 PM
To: Craig White; Michael Ströder; openldap-technical@openldap.org
Subject: Re: Allow users to change ldap password with passwd

Thanks for the tip. I added the pwdPolicySubentry to one user but it did not 
work, the attribute is not listed for the user.

I read that this attribute has to be enabled in the ppolicy schema?? I looked 
at my ppolicy schema which is located here: 
/etc/openldap/slapd.d/cn=config/cn=schema/cn={3}ppolicy.ldif HOWEVER I did not 
find pwdPolicySubentry.

What version of openldap is your suggestion based of? I'm running v2.4.39.
You really need to increase your level of LDAP fu.

pwdPolicySubEntry is an operational attribute which won't normally show up.

Google is your friend.

Craig


Re: Allow users to change ldap password with passwd

2015-10-05 Thread Ryan Tandy

On Mon, Oct 05, 2015 at 09:41:25PM +, Craig White wrote:
> You need to have a 'pwdPolicySubentry' attribute assigned to each user 
> and the value for that attribute would have to be a valid DN of the 
> password policy itself.


Either that, or an appropriate olcPPolicyDefault configured on the 
ppolicy overlay instance (as above, value should be the DN of the 
default password policy entry). That will be used for any entry that 
doesn't have an explicit pwdPolicySubentry.



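Craig's script above (the heredoc is cut off in the archive) and Ryan's olcPPolicyDefault alternative both come down to writing a small LDIF modify. The following added example, which is neither Craig's script nor Ryan's configuration, generates both forms and encodes values the way RFC 2849 requires, so DNs or values with leading colons, trailing spaces or non-ASCII characters come out as `attr::` base64 lines rather than corrupt literals. The user DNs, policy DN and the `{0}`/`{1}` indexes in the overlay DN are constructed placeholders and must be taken from the live directory and cn=config.

```python
"""LDIF generator for attaching a ppolicy: per-user pwdPolicySubentry or
the overlay-wide olcPPolicyDefault. Added example; not Craig's script or
Ryan's configuration."""
import base64


def ldif_value(attr: str, value: str) -> str:
    """Render one 'attr: value' line. RFC 2849 requires the base64 form
    ('attr:: ...') when the value is non-ASCII or non-printable, starts with
    a space, a colon or '<', or ends with a space."""
    raw = value.encode("utf-8")
    if not raw:
        return f"{attr}: "
    printable = all(0x20 <= b < 0x7F for b in raw)
    safe_init = raw[0] not in b" :<"
    safe_end = raw[-1] != 0x20
    if printable and safe_init and safe_end:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(raw).decode('ascii')}"


def _modify(dn: str, op: str, attr: str, value: str) -> str:
    """One changetype: modify record with a single add/replace of `attr`."""
    return "\n".join([ldif_value("dn", dn), "changetype: modify",
                      f"{op}: {attr}", ldif_value(attr, value), "-"])


def assign_policy_ldif(user_dns, policy_dn: str, op: str = "add") -> str:
    """Craig's approach: one modify record per user. Use op='replace' for
    entries that may already carry a pwdPolicySubentry, since a second 'add'
    of the same attribute fails with attributeOrValueExists."""
    records = [_modify(dn, op, "pwdPolicySubentry", policy_dn) for dn in user_dns]
    return "\n\n".join(records) + "\n"


def default_policy_ldif(overlay_dn: str, policy_dn: str) -> str:
    """Ryan's alternative: set olcPPolicyDefault on the ppolicy overlay entry
    so every entry without its own pwdPolicySubentry falls back to it."""
    return _modify(overlay_dn, "replace", "olcPPolicyDefault", policy_dn) + "\n"


if __name__ == "__main__":
    # Constructed sample DNs; the overlay DN's {N} indexes are an assumption.
    users = ["uid=lou,ou=Users,dc=example,dc=com",
             "uid=real,ou=People,dc=example,dc=com"]
    print(assign_policy_ldif(users, "cn=policies,dc=example,dc=com"))
    print(default_policy_ldif("olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config",
                              "cn=policies,dc=example,dc=com"))
```

Feed the per-user output to `ldapmodify -x -D <rootdn or other DN with write access> -W -f users.ldif`, and the overlay change to `ldapmodify -Y EXTERNAL -H ldapi:///` as is usual for cn=config. Two checks are worth doing afterwards. pwdPolicySubentry is operational, so a plain `ldapsearch` does not return it: name it explicitly in the attribute list, or request `+` for all operational attributes. And the `cn:: cG9saWNpZXMg` line in Liz's earlier output decodes to "policies " with a trailing space, which is exactly why it was base64-encoded; when a referenced policy seems not to apply, verify with `+` that the DN stored in pwdPolicySubentry (or olcPPolicyDefault) matches the policy entry that actually exists.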

Re: RBAC

2015-10-05 Thread Aneela Saleem
Thanks Dieter!

On Sun, Oct 4, 2015 at 10:58 PM, Dieter Klünter  wrote:

> On Fri, 2 Oct 2015 16:11:01 +0500, Aneela Saleem wrote:
>
> > Hi all,
> >
> > Can anyone please provide me with some useful tutorials about "How
> > can we implement RBAC in LDAP" ? I have mostly seen research papers
> > only. I want to see some implementation examples.
>
> I prefer defining roles as groupOfNames objects, and in order to verify
> membership I use slapo-memberOf(5) and an ldapcompare operation on
> memberOf:myRole
>
> -Dieter
>
> --
> Dieter Klünter | Systemberatung
> http://sys4.de
> GPG Key ID: E9ED159B
> 53°37'09,95"N
> 10°08'02,42"E
>
>