November 2006 - 389-users - Fedora Mailing-Lists

[Fedora-directory-users] Re: Re: password policy on FDS 1.0.2 - doesn't seem to work?

by Philip Kime

Hmm - If I enable password syntax checking globally, it works - ldappasswd applies the policy and so does PAM via pam_ldap. If it's a local policy on a subtree or user, it doesn't? I have checked and the cn=config "nsslapd-pwpolicy-local" is set to "on" so it should be applying local password policies. Do I have to enable the password syntax checking at a global level (possibly with no actual restrictions) and then overide it at the local level? PK

17 years, 5 months

2
1
0 / 0

[Fedora-directory-users] Re: Re: password policy on FDS 1.0.2 - doesn't seem to work?

by Philip Kime

> The server enforces the policy internally, and (at least in theory) all the code paths > that modify passwords should be calling the same policy checking function. So > ldappasswd, ldapmodify and the GUI should see exactly the same policy. If you turn up > the logging level you might see more interesting output (in the errors log, not the > access log, which is always quite terse). I put "heavy logging on" but I can't see anything to do with password policies (below is the trace from one ldappaswd update operation which should have failed due to password policy). I also looked at the funtion traces and there are calls to get the DNs of the policy object but no errors or anything to say they were applied. [12/Nov/2006:11:45:03 -0800] - do_extended: oid (1.3.6.1.4.1.1466.20037-startTLS) [12/Nov/2006:11:45:03 -0800] - mapping tree selected backend : userRoot [12/Nov/2006:11:45:03 -0800] - mapping tree selected backend : userRoot [12/Nov/2006:11:45:03 -0800] - mapping tree release backend : userRoot [12/Nov/2006:11:45:03 -0800] - mapping tree selected backend : userRoot [12/Nov/2006:11:45:03 -0800] - mapping tree release backend : userRoot [12/Nov/2006:11:45:03 -0800] - mapping tree selected backend : userRoot [12/Nov/2006:11:45:03 -0800] - mapping tree release backend : userRoot [12/Nov/2006:11:45:03 -0800] - mapping tree selected backend : userRoot [12/Nov/2006:11:45:03 -0800] - mapping tree release backend : userRoot [12/Nov/2006:11:45:03 -0800] - mapping tree selected backend : userRoot [12/Nov/2006:11:45:03 -0800] - mapping tree release backend : userRoot [12/Nov/2006:11:45:03 -0800] - mapping tree selected backend : userRoot [12/Nov/2006:11:45:03 -0800] - mapping tree release backend : userRoot [12/Nov/2006:11:45:03 -0800] - mapping tree selected backend : userRoot [12/Nov/2006:11:45:03 -0800] - mapping tree release backend : userRoot [12/Nov/2006:11:45:03 -0800] - do_extended: oid (1.3.6.1.4.1.4203.1.11.1-passwd_modify_extop) [12/Nov/2006:11:45:03 -0800] - mapping tree selected backend : userRoot [12/Nov/2006:11:45:03 -0800] - mapping tree release backend : userRoot [12/Nov/2006:11:45:03 -0800] - mapping tree selected backend : userRoot [12/Nov/2006:11:45:03 -0800] - mapping tree release backend : userRoot [12/Nov/2006:11:45:03 -0800] - mapping tree selected backend : userRoot [12/Nov/2006:11:45:03 -0800] - replace: userpassword [12/Nov/2006:11:45:03 -0800] - removing entire attribute userpassword [12/Nov/2006:11:45:03 -0800] - userpassword: {SSHA}W4FdKGuc/MmN3w8f98UgmtyMaWH0Hn1GMM/LhA== [12/Nov/2006:11:45:03 -0800] - - [12/Nov/2006:11:45:03 -0800] - replace: modifiersname [12/Nov/2006:11:45:03 -0800] - removing entire attribute modifiersname [12/Nov/2006:11:45:03 -0800] - modifiersname: cn=server,cn=plugins,cn=config [12/Nov/2006:11:45:03 -0800] - - [12/Nov/2006:11:45:03 -0800] - replace: modifytimestamp [12/Nov/2006:11:45:03 -0800] - removing entire attribute modifytimestamp [12/Nov/2006:11:45:03 -0800] - modifytimestamp: 20061112194503Z [12/Nov/2006:11:45:03 -0800] - - [12/Nov/2006:11:45:03 -0800] - mapping tree selected backend : userRoot [12/Nov/2006:11:45:03 -0800] - replace: passwordgraceusertime [12/Nov/2006:11:45:03 -0800] - removing entire attribute passwordgraceusertime [12/Nov/2006:11:45:03 -0800] - passwordgraceusertime: 0 [12/Nov/2006:11:45:03 -0800] - - [12/Nov/2006:11:45:03 -0800] - replace: modifiersname [12/Nov/2006:11:45:03 -0800] - removing entire attribute modifiersname [12/Nov/2006:11:45:03 -0800] - modifiersname: cn=server,cn=plugins,cn=config [12/Nov/2006:11:45:03 -0800] - - [12/Nov/2006:11:45:03 -0800] - replace: modifytimestamp [12/Nov/2006:11:45:03 -0800] - removing entire attribute modifytimestamp [12/Nov/2006:11:45:03 -0800] - modifytimestamp: 20061112194503Z [12/Nov/2006:11:45:03 -0800] - - [12/Nov/2006:11:45:03 -0800] - mapping tree selected backend : frontend-internal [12/Nov/2006:11:45:03 -0800] - mapping tree selected backend : frontend-internal [12/Nov/2006:11:45:03 -0800] - mapping tree release backend : frontend-internal [12/Nov/2006:11:45:03 -0800] - mapping tree selected backend : frontend-internal [12/Nov/2006:11:45:03 -0800] - mapping tree release backend : frontend-internal [12/Nov/2006:11:45:03 -0800] - mapping tree selected backend : frontend-internal [12/Nov/2006:11:45:03 -0800] - mapping tree release backend : frontend-internal [12/Nov/2006:11:45:03 -0800] - mapping tree selected backend : frontend-internal [12/Nov/2006:11:45:03 -0800] - mapping tree release backend : frontend-internal [12/Nov/2006:11:45:03 -0800] - SRCH base="" scope=0 deref=0 sizelimit=0 timelimit=600 attrsonly=0 filter="(objectClass=*)" attrs="supportedControl supportedExtension" [12/Nov/2006:11:45:03 -0800] - mapping tree selected backend : frontend-internal [12/Nov/2006:11:45:03 -0800] - mapping tree release backend : frontend-internal [12/Nov/2006:11:45:03 -0800] - mapping tree selected backend : frontend-internal [12/Nov/2006:11:45:03 -0800] - mapping tree release backend : frontend-internal [12/Nov/2006:11:45:03 -0800] - mapping tree selected backend : frontend-internal [12/Nov/2006:11:45:03 -0800] - mapping tree release backend : frontend-internal [12/Nov/2006:11:45:03 -0800] - mapping tree selected backend : frontend-internal [12/Nov/2006:11:45:03 -0800] - mapping tree release backend : frontend-internal [12/Nov/2006:11:45:03 -0800] - mapping tree release backend : frontend-internal [12/Nov/2006:11:45:03 -0800] - mapping tree release backend : frontend-internal [12/Nov/2006:11:45:03 -0800] - SRCH base="" scope=0 deref=0 sizelimit=0 timelimit=600 attrsonly=0 filter="(objectClass=*)" attrs="supportedControl supportedExtension" [12/Nov/2006:11:45:03 -0800] - mapping tree selected backend : frontend-internal [12/Nov/2006:11:45:03 -0800] - mapping tree release backend : frontend-internal [12/Nov/2006:11:45:03 -0800] - mapping tree selected backend : frontend-internal [12/Nov/2006:11:45:03 -0800] - mapping tree release backend : frontend-internal [12/Nov/2006:11:45:03 -0800] - mapping tree selected backend : frontend-internal [12/Nov/2006:11:45:03 -0800] - mapping tree release backend : frontend-internal [12/Nov/2006:11:45:03 -0800] - mapping tree selected backend : frontend-internal [12/Nov/2006:11:45:03 -0800] - mapping tree release backend : frontend-internal [12/Nov/2006:11:45:03 -0800] - mapping tree release backend : frontend-internal [12/Nov/2006:11:45:03 -0800] - mapping tree release backend : frontend-internal [12/Nov/2006:11:45:04 -0800] - do_extended: oid (2.16.840.1.113730.3.5.3-Netscape Replication Start Session) [12/Nov/2006:11:45:04 -0800] - mapping tree selected backend : frontend-internal [12/Nov/2006:11:45:04 -0800] - mapping tree release backend : frontend-internal [12/Nov/2006:11:45:04 -0800] - mapping tree selected backend : frontend-internal [12/Nov/2006:11:45:04 -0800] - mapping tree release backend : frontend-internal [12/Nov/2006:11:45:04 -0800] - mapping tree selected backend : frontend-internal [12/Nov/2006:11:45:04 -0800] - mapping tree release backend : frontend-internal [12/Nov/2006:11:45:04 -0800] - do_extended: oid (2.16.840.1.113730.3.5.5-Netscape Replication End Session) [12/Nov/2006:11:45:04 -0800] - mapping tree selected backend : userRoot [12/Nov/2006:11:45:04 -0800] - indextype: "eq" indexmask: 0x2 [12/Nov/2006:11:45:04 -0800] - nsds50ruv: {replicageneration} 44a5cc86000000010000 [12/Nov/2006:11:45:04 -0800] - nsds50ruv: {replica 1 ldap://hqldap01.blah.com:389} 44a5ce65000000010000 45577d66000100010000 [12/Nov/2006:11:45:04 -0800] - nsds50ruv: {replica 2 ldap://ldap001.bo1.blah.hou:389} 44a5f47e000000020000 4553f30e000000020000 [12/Nov/2006:11:45:04 -0800] - replace: nsds50ruv [12/Nov/2006:11:45:04 -0800] - - [12/Nov/2006:11:45:04 -0800] - nsruvReplicaLastModified: {replica 1 ldap://hqldap01.blah.com:389} 455779bf [12/Nov/2006:11:45:04 -0800] - nsruvReplicaLastModified: {replica 2 ldap://ldap001.bo1.blah.hou:389} 4553ef67 [12/Nov/2006:11:45:04 -0800] - replace: nsruvReplicaLastModified [12/Nov/2006:11:45:04 -0800] - - [12/Nov/2006:11:45:11 -0800] - do_modify: dn (cn=config) [12/Nov/2006:11:45:11 -0800] - modifications: [12/Nov/2006:11:45:11 -0800] - replace: nsslapd-errorlog-level [12/Nov/2006:11:45:11 -0800] - mapping tree selected backend : frontend-internal [12/Nov/2006:11:45:11 -0800] - mapping tree selected backend : frontend-internal [12/Nov/2006:11:45:11 -0800] - mapping tree release backend : frontend-internal [12/Nov/2006:11:45:11 -0800] - nsslapd-errorlog-level: 0 [12/Nov/2006:11:45:11 -0800] - replace: nsslapd-errorlog-level [12/Nov/2006:11:45:11 -0800] - - [12/Nov/2006:11:45:11 -0800] - modifiersname: cn=directory manager [12/Nov/2006:11:45:11 -0800] - replace: modifiersname [12/Nov/2006:11:45:11 -0800] - - [12/Nov/2006:11:45:11 -0800] - modifytimestamp: 20061112194511Z [12/Nov/2006:11:45:11 -0800] - replace: modifytimestamp [12/Nov/2006:11:45:11 -0800] - -

17 years, 5 months

1
0
0 / 0

[Fedora-directory-users] password policy on FDS 1.0.2 - doesn't seem to work?

by Philip Kime

I have pam_lookup_policy yes and a user-local password policy for one user as a test. If I try to change the user's password, it updates fine in LDAP but does't warn me about the policy restrictions (set to min 8 chars but I can use 7 no problem, for example). I read that PAM needs anonymous bind access to the objectclass=passwordpolicy attrs? I tried that but it made no difference. The really odd thing is that the policy object lives in: cn=nspwpolicycontainer,ou=people,dc=blah,dc=com but if I ldapsearch on '(objectclass=passwordpolicy)' in the above container (or in the whole root DSE for that matter), I find nothing,even if I bind as Directory Manager. It's there - I can see the object in the GUI. PK -- Philip Kime NOPS Systems Architect 310 401 0407

17 years, 5 months

2
1
0 / 0

[Fedora-directory-users] roleOccupant in ACI

by Dan

I am in the process of migrating ACLs from OpenLDAP to ACIs in FDS. I'm having trouble figuring out how to best convert from "group/organizationalRole/roleOccupant" bind rules to a comparable method in the Fedora Directory Server. Do I need to move the roleOccupant entries to uniquemember entries (which would require objectClass changes as well) then use a groupDN bind rule? I would rather not change the data. Is it possible to have the groupDN bind rule use an attribute other than uniquemember? Any help/thoughts would be appreciated.

17 years, 5 months

1
0
0 / 0

[Fedora-directory-users] Unattended Admin Server Startup

by Glenn

I'm testing a new installation of Directory Server. I have both the directory server and the admin server using SSL. There are instructions for auto-starting the SSL-enabled directory server at boot time by putting the SSL password in a text file, and this works fine. But I can't seem to find any instructions for doing the same with the admin server, so the boot process stops at the password prompt for the admin server. Anyone have a clue how to get this done? The message prompt when the admin server tries to start is: "Please enter password for "NSS Certificate DB" token:" Thanks. -G.

17 years, 5 months

3
2
0 / 0

[Fedora-directory-users] Macro ACI not working as expected

by Dan

I have set up a directory structure as follows: ou=Domains,dc=example,dc=net o=hostedDomain1.com mail=user1(a)hostedDomain1.com mail=user2(a)hostedDomain1.com mail=user3(a)hostedDomain1.com o=hostedDomain2.net mail=user1(a)hostedDomain2.net mail=user2(a)hostedDomain2.net mail=user3(a)hostedDomain2.net o=hostedDomain3.com ... I would like to allow any mail user to only read the attributes of the users within their domain. For example, user1(a)hostedDomain1.com can see user2(a)hostedDomain1.com, but not user2(a)hostedDomain2.net. I am not allowing anonymous access. I have allowed access to the Domains OU with this aci entry (placed on the Domains OU): aci: (targetattr=*)(targetfilter=(ou=Domains)) (version 3.0;acl "Allow read access to Domains OU";allow (read,search) (userdn="ldap:///mail=*,o=*,ou=Domains,dc=example,dc=net");) I have placed the following macro aci on the Domains OU without success: aci: (targetattr!="userPassword") (target="ldap:///($dn),ou=Domains,dc=example,dc=net") (version 3.0;acl "Allow read access to Domain members";allow (read,search)(userdn="ldap:///mail=*,($dn),ou=Domains,dc=example,dc=net");) As I understand it, the second aci should allow read and search access to domain ($dn) and all entries below it. However, the behavior that I'm seeing is that the user can only see down to the domain with no access to the sub-entries. In other words, user1(a)hostedDomain1.com can see o=hostedDomain1.com,ou=Domains,dc=example,dc=net, but can not see anything below. Am I missing something? How can I get this to work properly? Thanks in advance.

17 years, 5 months

2
3
0 / 0

Re: [Fedora-directory-users] FDS with TLS/SSL Port issue

by Howard Chu

> Date: Thu, 9 Nov 2006 18:52:58 -0600 > From: Greg Hetrick <ghetrick(a)minderaser.org> > New to FDS/LDAP doing a proof of concept and I have FDS 1.0.4 > installed with SSL enabled on the DS side, TLS enabled on a FC 6 > client. In ldap config I have TLS_REQCERT required. > > Question is, should ldap traffic generated from the client to the > server pass on port 636 or port 389, I am seeing traffic that is > supposed to be encrypted passing on the regular ldap port (389). ldaps:// uses port 636 by default. That's the non-standard method of using LDAP over SSL that was common with LDAPv2. The connection has SSL/TLS enabled on it from the moment the connection opens. LDAPv3 uses port 389 by default. Connections are always opened in the clear. Then the StartTLS Extended Operation is issued by the client, and an SSL/TLS layer is added to the connection. > I am seeing what appears to be correct in the access logs during the > communication indicating that the traffic is in fact encrypted. Your log clearly shows StartTLS being used, successfully. Looks normal. -- -- Howard Chu Chief Architect, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc OpenLDAP Core Team http://www.openldap.org/project/

17 years, 5 months

1
0
0 / 0

[Fedora-directory-users] disable bind with blank password

by nattapon viroonsri

Hi, Look like default fedora-ds policy is accept bind with blank password? i have tested with ldapsearch -x -D "uid=someone,ou=people,dc=example,dc=com" -w "" get same result as use correct password if i use wrong password i wil get ldap_bind: Invalid credentials (49) How can i disable bind with blank password ? Thanks Nattapon _________________________________________________________________ Express yourself instantly with MSN Messenger! Download today it's FREE! http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/

17 years, 5 months

3
2
0 / 0

[Fedora-directory-users] Bind with Blank password

by nattapon viroonsri

Hi, Look like default fedora-ds accept bind without password. i have test with ldapsearch -x -D "uid=someuser,ou=people,dc=example,dc=com" -w "" has same result as use correct password if i use wrong password , output will returned ldap_bind: Invalid credentials (49) How can i disable bind with blank password ? Thanks Nattapon _________________________________________________________________ FREE pop-up blocking with the new MSN Toolbar - get it now! http://toolbar.msn.click-url.com/go/onm00200415ave/direct/01/

17 years, 5 months

1
0
0 / 0

[Fedora-directory-users] FDS with TLS/SSL Port issue

by Greg Hetrick

New to FDS/LDAP doing a proof of concept and I have FDS 1.0.4 installed with SSL enabled on the DS side, TLS enabled on a FC 6 client. In ldap config I have TLS_REQCERT required. Question is, should ldap traffic generated from the client to the server pass on port 636 or port 389, I am seeing traffic that is supposed to be encrypted passing on the regular ldap port (389). I am seeing what appears to be correct in the access logs during the communication indicating that the traffic is in fact encrypted. [09/Nov/2006:18:50:10 -0600] conn=3 fd=65 slot=65 connection from 151.148.60.67 to 151.148.218.175 [09/Nov/2006:18:50:10 -0600] conn=3 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS" [09/Nov/2006:18:50:10 -0600] conn=3 op=0 RESULT err=0 tag=120 nentries=0 etime=0 [09/Nov/2006:18:50:10 -0600] conn=3 SSL 256-bit AES [09/Nov/2006:18:50:10 -0600] conn=3 op=1 BIND dn="" method=128 version=3 [09/Nov/2006:18:50:10 -0600] conn=3 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="" [09/Nov/2006:18:50:10 -0600] conn=3 op=2 SRCH base="ou=People,dc=example,dc=com" scope=2 filter="(uid=testuser)" attrs=ALL [09/Nov/2006:18:50:10 -0600] conn=3 op=2 RESULT err=0 tag=101 nentries=1 etime=0 [09/Nov/2006:18:50:10 -0600] conn=3 op=3 UNBIND [09/Nov/2006:18:50:10 -0600] conn=3 op=3 fd=65 closed - U1 Thanks, Greg

17 years, 5 months

1
0
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

389-users November 2006