[Fedora-directory-users] Re: Re: password policy on FDS 1.0.2 - doesn't seem to work?
by Philip Kime
Hmm - If I enable password syntax checking globally, it works -
ldappasswd applies the policy and so does PAM via pam_ldap. If it's a
local policy on a subtree or user, it doesn't? I have checked and the
cn=config "nsslapd-pwpolicy-local" is set to "on" so it should be
applying local password policies. Do I have to enable the password
syntax checking at a global level (possibly with no actual restrictions)
and then override it at the local level?
PK
17 years, 5 months
[Fedora-directory-users] Re: Re: password policy on FDS 1.0.2 - doesn't seem to work?
by Philip Kime
> The server enforces the policy internally, and (at least in theory)
> all the code paths that modify passwords should be calling the same
> policy checking function. So ldappasswd, ldapmodify and the GUI should
> see exactly the same policy. If you turn up the logging level you might
> see more interesting output (in the errors log, not the access log,
> which is always quite terse).
I put "heavy logging on" but I can't see anything to do with password
policies (below is the trace from one ldappasswd update operation which
should have failed due to password policy). I also looked at the function
traces and there are calls to get the DNs of the policy object but no
errors or anything to say they were applied.
[12/Nov/2006:11:45:03 -0800] - do_extended: oid
(1.3.6.1.4.1.1466.20037-startTLS)
[12/Nov/2006:11:45:03 -0800] - mapping tree selected backend : userRoot
[12/Nov/2006:11:45:03 -0800] - mapping tree selected backend : userRoot
[12/Nov/2006:11:45:03 -0800] - mapping tree release backend : userRoot
[12/Nov/2006:11:45:03 -0800] - mapping tree selected backend : userRoot
[12/Nov/2006:11:45:03 -0800] - mapping tree release backend : userRoot
[12/Nov/2006:11:45:03 -0800] - mapping tree selected backend : userRoot
[12/Nov/2006:11:45:03 -0800] - mapping tree release backend : userRoot
[12/Nov/2006:11:45:03 -0800] - mapping tree selected backend : userRoot
[12/Nov/2006:11:45:03 -0800] - mapping tree release backend : userRoot
[12/Nov/2006:11:45:03 -0800] - mapping tree selected backend : userRoot
[12/Nov/2006:11:45:03 -0800] - mapping tree release backend : userRoot
[12/Nov/2006:11:45:03 -0800] - mapping tree selected backend : userRoot
[12/Nov/2006:11:45:03 -0800] - mapping tree release backend : userRoot
[12/Nov/2006:11:45:03 -0800] - mapping tree selected backend : userRoot
[12/Nov/2006:11:45:03 -0800] - mapping tree release backend : userRoot
[12/Nov/2006:11:45:03 -0800] - do_extended: oid
(1.3.6.1.4.1.4203.1.11.1-passwd_modify_extop)
[12/Nov/2006:11:45:03 -0800] - mapping tree selected backend : userRoot
[12/Nov/2006:11:45:03 -0800] - mapping tree release backend : userRoot
[12/Nov/2006:11:45:03 -0800] - mapping tree selected backend : userRoot
[12/Nov/2006:11:45:03 -0800] - mapping tree release backend : userRoot
[12/Nov/2006:11:45:03 -0800] - mapping tree selected backend : userRoot
[12/Nov/2006:11:45:03 -0800] - replace: userpassword
[12/Nov/2006:11:45:03 -0800] - removing entire attribute userpassword
[12/Nov/2006:11:45:03 -0800] - userpassword:
{SSHA}W4FdKGuc/MmN3w8f98UgmtyMaWH0Hn1GMM/LhA==
[12/Nov/2006:11:45:03 -0800] - -
[12/Nov/2006:11:45:03 -0800] - replace: modifiersname
[12/Nov/2006:11:45:03 -0800] - removing entire attribute modifiersname
[12/Nov/2006:11:45:03 -0800] - modifiersname:
cn=server,cn=plugins,cn=config
[12/Nov/2006:11:45:03 -0800] - -
[12/Nov/2006:11:45:03 -0800] - replace: modifytimestamp
[12/Nov/2006:11:45:03 -0800] - removing entire attribute modifytimestamp
[12/Nov/2006:11:45:03 -0800] - modifytimestamp: 20061112194503Z
[12/Nov/2006:11:45:03 -0800] - -
[12/Nov/2006:11:45:03 -0800] - mapping tree selected backend : userRoot
[12/Nov/2006:11:45:03 -0800] - replace: passwordgraceusertime
[12/Nov/2006:11:45:03 -0800] - removing entire attribute
passwordgraceusertime
[12/Nov/2006:11:45:03 -0800] - passwordgraceusertime: 0
[12/Nov/2006:11:45:03 -0800] - -
[12/Nov/2006:11:45:03 -0800] - replace: modifiersname
[12/Nov/2006:11:45:03 -0800] - removing entire attribute modifiersname
[12/Nov/2006:11:45:03 -0800] - modifiersname:
cn=server,cn=plugins,cn=config
[12/Nov/2006:11:45:03 -0800] - -
[12/Nov/2006:11:45:03 -0800] - replace: modifytimestamp
[12/Nov/2006:11:45:03 -0800] - removing entire attribute modifytimestamp
[12/Nov/2006:11:45:03 -0800] - modifytimestamp: 20061112194503Z
[12/Nov/2006:11:45:03 -0800] - -
[12/Nov/2006:11:45:03 -0800] - mapping tree selected backend :
frontend-internal
[12/Nov/2006:11:45:03 -0800] - mapping tree selected backend :
frontend-internal
[12/Nov/2006:11:45:03 -0800] - mapping tree release backend :
frontend-internal
[12/Nov/2006:11:45:03 -0800] - mapping tree selected backend :
frontend-internal
[12/Nov/2006:11:45:03 -0800] - mapping tree release backend :
frontend-internal
[12/Nov/2006:11:45:03 -0800] - mapping tree selected backend :
frontend-internal
[12/Nov/2006:11:45:03 -0800] - mapping tree release backend :
frontend-internal
[12/Nov/2006:11:45:03 -0800] - mapping tree selected backend :
frontend-internal
[12/Nov/2006:11:45:03 -0800] - mapping tree release backend :
frontend-internal
[12/Nov/2006:11:45:03 -0800] - SRCH base="" scope=0 deref=0 sizelimit=0
timelimit=600 attrsonly=0 filter="(objectClass=*)"
attrs="supportedControl supportedExtension"
[12/Nov/2006:11:45:03 -0800] - mapping tree selected backend :
frontend-internal
[12/Nov/2006:11:45:03 -0800] - mapping tree release backend :
frontend-internal
[12/Nov/2006:11:45:03 -0800] - mapping tree selected backend :
frontend-internal
[12/Nov/2006:11:45:03 -0800] - mapping tree release backend :
frontend-internal
[12/Nov/2006:11:45:03 -0800] - mapping tree selected backend :
frontend-internal
[12/Nov/2006:11:45:03 -0800] - mapping tree release backend :
frontend-internal
[12/Nov/2006:11:45:03 -0800] - mapping tree selected backend :
frontend-internal
[12/Nov/2006:11:45:03 -0800] - mapping tree release backend :
frontend-internal
[12/Nov/2006:11:45:03 -0800] - mapping tree release backend :
frontend-internal
[12/Nov/2006:11:45:03 -0800] - mapping tree release backend :
frontend-internal
[12/Nov/2006:11:45:03 -0800] - SRCH base="" scope=0 deref=0 sizelimit=0
timelimit=600 attrsonly=0 filter="(objectClass=*)"
attrs="supportedControl supportedExtension"
[12/Nov/2006:11:45:03 -0800] - mapping tree selected backend :
frontend-internal
[12/Nov/2006:11:45:03 -0800] - mapping tree release backend :
frontend-internal
[12/Nov/2006:11:45:03 -0800] - mapping tree selected backend :
frontend-internal
[12/Nov/2006:11:45:03 -0800] - mapping tree release backend :
frontend-internal
[12/Nov/2006:11:45:03 -0800] - mapping tree selected backend :
frontend-internal
[12/Nov/2006:11:45:03 -0800] - mapping tree release backend :
frontend-internal
[12/Nov/2006:11:45:03 -0800] - mapping tree selected backend :
frontend-internal
[12/Nov/2006:11:45:03 -0800] - mapping tree release backend :
frontend-internal
[12/Nov/2006:11:45:03 -0800] - mapping tree release backend :
frontend-internal
[12/Nov/2006:11:45:03 -0800] - mapping tree release backend :
frontend-internal
[12/Nov/2006:11:45:04 -0800] - do_extended: oid
(2.16.840.1.113730.3.5.3-Netscape Replication Start Session)
[12/Nov/2006:11:45:04 -0800] - mapping tree selected backend :
frontend-internal
[12/Nov/2006:11:45:04 -0800] - mapping tree release backend :
frontend-internal
[12/Nov/2006:11:45:04 -0800] - mapping tree selected backend :
frontend-internal
[12/Nov/2006:11:45:04 -0800] - mapping tree release backend :
frontend-internal
[12/Nov/2006:11:45:04 -0800] - mapping tree selected backend :
frontend-internal
[12/Nov/2006:11:45:04 -0800] - mapping tree release backend :
frontend-internal
[12/Nov/2006:11:45:04 -0800] - do_extended: oid
(2.16.840.1.113730.3.5.5-Netscape Replication End Session)
[12/Nov/2006:11:45:04 -0800] - mapping tree selected backend : userRoot
[12/Nov/2006:11:45:04 -0800] - indextype: "eq" indexmask: 0x2
[12/Nov/2006:11:45:04 -0800] - nsds50ruv: {replicageneration}
44a5cc86000000010000
[12/Nov/2006:11:45:04 -0800] - nsds50ruv: {replica 1
ldap://hqldap01.blah.com:389} 44a5ce65000000010000 45577d66000100010000
[12/Nov/2006:11:45:04 -0800] - nsds50ruv: {replica 2
ldap://ldap001.bo1.blah.hou:389} 44a5f47e000000020000
4553f30e000000020000
[12/Nov/2006:11:45:04 -0800] - replace: nsds50ruv
[12/Nov/2006:11:45:04 -0800] - -
[12/Nov/2006:11:45:04 -0800] - nsruvReplicaLastModified: {replica 1
ldap://hqldap01.blah.com:389} 455779bf
[12/Nov/2006:11:45:04 -0800] - nsruvReplicaLastModified: {replica 2
ldap://ldap001.bo1.blah.hou:389} 4553ef67
[12/Nov/2006:11:45:04 -0800] - replace: nsruvReplicaLastModified
[12/Nov/2006:11:45:04 -0800] - -
[12/Nov/2006:11:45:11 -0800] - do_modify: dn (cn=config)
[12/Nov/2006:11:45:11 -0800] - modifications:
[12/Nov/2006:11:45:11 -0800] - replace: nsslapd-errorlog-level
[12/Nov/2006:11:45:11 -0800] - mapping tree selected backend :
frontend-internal
[12/Nov/2006:11:45:11 -0800] - mapping tree selected backend :
frontend-internal
[12/Nov/2006:11:45:11 -0800] - mapping tree release backend :
frontend-internal
[12/Nov/2006:11:45:11 -0800] - nsslapd-errorlog-level: 0
[12/Nov/2006:11:45:11 -0800] - replace: nsslapd-errorlog-level
[12/Nov/2006:11:45:11 -0800] - -
[12/Nov/2006:11:45:11 -0800] - modifiersname: cn=directory manager
[12/Nov/2006:11:45:11 -0800] - replace: modifiersname
[12/Nov/2006:11:45:11 -0800] - -
[12/Nov/2006:11:45:11 -0800] - modifytimestamp: 20061112194511Z
[12/Nov/2006:11:45:11 -0800] - replace: modifytimestamp
[12/Nov/2006:11:45:11 -0800] - -
17 years, 5 months
[Fedora-directory-users] password policy on FDS 1.0.2 - doesn't seem to work?
by Philip Kime
I have
pam_lookup_policy yes
and a user-local password policy for one user as a test.
If I try to change the user's password, it updates fine in LDAP but
doesn't warn me about the policy restrictions (set to min 8 chars but I
can use 7 no problem, for example).
I read that PAM needs anonymous bind access to the
objectclass=passwordpolicy attrs? I tried that but it made no
difference.
The really odd thing is that the policy object lives in:
cn=nspwpolicycontainer,ou=people,dc=blah,dc=com
but if I ldapsearch on '(objectclass=passwordpolicy)' in the above
container (or in the whole root DSE for that matter), I find
nothing, even if I bind as Directory Manager. It's there - I can see the
object in the GUI.
PK
--
Philip Kime
NOPS Systems Architect
310 401 0407
17 years, 5 months
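The three messages above come down to two checks: is the subtree ("local") policy actually wired to the user entries, and why does the policy object not show up in a search. The script below is an added example, not code from the list or from Fedora Directory Server. The LDIF it parses is constructed; its layout follows the container/CoS layout that the 389/FDS ns-newpwpolicy.pl script creates (an assumption to compare against a dump of your own directory), and the visibility rule it models is that 389/FDS returns entries of objectclass ldapsubentry only to searches whose filter names that class.

```python
"""Offline check of a 389/FDS subtree ("local") password policy from an LDIF dump.

Added example. SAMPLE_LDIF is constructed; its layout follows what
ns-newpwpolicy.pl creates (assumption: compare with a dump of your own
directory). The attribute names are the 389/FDS ones.
"""
import re

SAMPLE_LDIF = """\
dn: cn=config
nsslapd-pwpolicy-local: on

dn: cn=nsPwPolicyContainer,ou=people,dc=example,dc=com
objectClass: nsContainer

dn: cn="cn=nsPwPolicyEntry,ou=people,dc=example,dc=com",cn=nsPwPolicyContainer,ou=people,dc=example,dc=com
objectClass: ldapsubentry
objectClass: passwordpolicy
passwordCheckSyntax: on
passwordMinLength: 8

dn: cn="cn=nsPwTemplateEntry,ou=people,dc=example,dc=com",cn=nsPwPolicyContainer,ou=people,dc=example,dc=com
objectClass: extensibleObject
objectClass: costemplate
objectClass: ldapsubentry
pwdpolicysubentry: cn="cn=nsPwPolicyEntry,ou=people,dc=example,dc=com",cn=nsPwPolicyContainer,ou=people,dc=example,dc=com
cosPriority: 1

dn: cn=nsPwPolicy_cos,ou=people,dc=example,dc=com
objectClass: ldapsubentry
objectClass: cosSuperDefinition
objectClass: cosPointerDefinition
costemplatedn: cn="cn=nsPwTemplateEntry,ou=people,dc=example,dc=com",cn=nsPwPolicyContainer,ou=people,dc=example,dc=com
cosAttribute: pwdpolicysubentry default operational
"""

# Filter that makes the (hidden) subentry visible to ldapsearch.
POLICY_FILTER = "(&(objectclass=ldapsubentry)(objectclass=passwordpolicy))"


def norm_dn(dn):
    """Case-fold a DN and drop whitespace around commas so DNs compare as strings."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()


def parse_ldif(text):
    """Minimal LDIF parser: {normalised dn: {attr (lower): [values]}}; handles folded lines."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]            # LDIF line folding
            elif raw and not raw.startswith("#"):
                lines.append(raw)
        dn, attrs = None, {}
        for line in lines:
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = norm_dn(value)
            else:
                attrs.setdefault(name, []).append(value)
        if dn is not None:
            entries[dn] = attrs
    return entries


def has_class(entry, oc):
    return oc.lower() in (v.lower() for v in entry.get("objectclass", []))


def search_objectclass(entries, search_filter):
    """Toy evaluator for (objectclass=X) and (&(objectclass=X)(objectclass=Y)) filters,
    applying the 389/FDS rule that ldapsubentry objects are returned only when the
    filter itself names ldapsubentry (so a plain passwordpolicy search is empty)."""
    wanted = [oc.lower() for oc in re.findall(r"\(objectclass=([^)]+)\)", search_filter, flags=re.I)]
    hits = []
    for dn, entry in entries.items():
        if not all(has_class(entry, oc) for oc in wanted):
            continue
        if has_class(entry, "ldapsubentry") and "ldapsubentry" not in wanted:
            continue                            # hidden subentry
        hits.append(dn)
    return sorted(hits)


def check_local_policy(entries, subtree):
    """Follow global switch -> cosPointerDefinition -> cosTemplate -> policy entry.
    Returns a list of problems; an empty list means the subtree policy can take effect."""
    problems = []
    cfg = entries.get("cn=config", {})
    if [v.lower() for v in cfg.get("nsslapd-pwpolicy-local", [])] != ["on"]:
        problems.append("cn=config: nsslapd-pwpolicy-local is not 'on'")
    sub = norm_dn(subtree)
    definitions = [(dn, e) for dn, e in entries.items()
                   if dn.endswith("," + sub) and has_class(e, "cospointerdefinition")
                   and any(v.lower().startswith("pwdpolicysubentry") for v in e.get("cosattribute", []))]
    if not definitions:
        problems.append(f"{subtree}: no cosPointerDefinition supplies pwdpolicysubentry")
        return problems
    for dn, definition in definitions:
        tmpl_dn = norm_dn(definition.get("costemplatedn", [""])[0])
        template = entries.get(tmpl_dn)
        if template is None:
            problems.append(f"{dn}: costemplatedn {tmpl_dn!r} does not exist")
            continue
        pol_dn = norm_dn(template.get("pwdpolicysubentry", [""])[0])
        policy = entries.get(pol_dn)
        if policy is None or not has_class(policy, "passwordpolicy"):
            problems.append(f"{tmpl_dn}: pwdpolicysubentry {pol_dn!r} is not a passwordpolicy entry")
    return problems


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    print("problems:", check_local_policy(entries, "ou=people,dc=example,dc=com"))
    print("plain search:", search_objectclass(entries, "(objectclass=passwordpolicy)"))
    print("with ldapsubentry:", search_objectclass(entries, POLICY_FILTER))
```

The subentry rule is what makes `ldapsearch '(objectclass=passwordpolicy)'` come back empty even as Directory Manager: add `(objectclass=ldapsubentry)` to the filter, as POLICY_FILTER does, and the entry appears. If check_local_policy reports a broken link in the CoS chain (or the global switch off), pwdpolicysubentry is never attached to the user entries and only the global settings apply, so checking the chain against a real dump is the first thing to do before turning up logging.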
[Fedora-directory-users] roleOccupant in ACI
by Dan
I am in the process of migrating ACLs from OpenLDAP to ACIs in FDS. I'm
having trouble figuring out how to best convert from
"group/organizationalRole/roleOccupant" bind rules to a comparable
method in the Fedora Directory Server.
Do I need to move the roleOccupant entries to uniquemember entries
(which would require objectClass changes as well) then use a groupDN
bind rule? I would rather not change the data.
Is it possible to have the groupDN bind rule use an attribute other than
uniquemember?
Any help/thoughts would be appreciated.
17 years, 5 months
[Fedora-directory-users] Unattended Admin Server Startup
by Glenn
I'm testing a new installation of Directory Server. I have both
the directory server and the admin server using SSL. There are instructions
for auto-starting the SSL-enabled directory server at boot time by putting
the SSL password in a text file, and this works fine. But I can't seem to
find any instructions for doing the same with the admin server, so the boot
process stops at the password prompt for the admin server. Anyone have a
clue how to get this done?
The message prompt when the admin server tries to start is:
"Please enter password for "NSS Certificate DB" token:"
Thanks. -G.
17 years, 5 months
[Fedora-directory-users] Macro ACI not working as expected
by Dan
I have set up a directory structure as follows:
ou=Domains,dc=example,dc=net
    o=hostedDomain1.com
        mail=user1(a)hostedDomain1.com
        mail=user2(a)hostedDomain1.com
        mail=user3(a)hostedDomain1.com
    o=hostedDomain2.net
        mail=user1(a)hostedDomain2.net
        mail=user2(a)hostedDomain2.net
        mail=user3(a)hostedDomain2.net
    o=hostedDomain3.com
        ...
I would like to allow any mail user to only read the attributes of the
users within their domain. For example, user1(a)hostedDomain1.com can see
user2(a)hostedDomain1.com, but not user2(a)hostedDomain2.net.
I am not allowing anonymous access.
I have allowed access to the Domains OU with this aci entry (placed on
the Domains OU):
aci: (targetattr=*)(targetfilter=(ou=Domains)) (version 3.0;acl "Allow
read access to Domains OU";allow (read,search)
(userdn="ldap:///mail=*,o=*,ou=Domains,dc=example,dc=net");)
I have placed the following macro aci on the Domains OU without success:
aci:
(targetattr!="userPassword")
(target="ldap:///($dn),ou=Domains,dc=example,dc=net")
(version 3.0;acl "Allow read access to Domain members";allow
(read,search)(userdn="ldap:///mail=*,($dn),ou=Domains,dc=example,dc=net");)
As I understand it, the second aci should allow read and search access
to domain ($dn) and all entries below it. However, the behavior that
I'm seeing is that the user can only see down to the domain with no
access to the sub-entries. In other words, user1(a)hostedDomain1.com can
see o=hostedDomain1.com,ou=Domains,dc=example,dc=net, but cannot see
anything below.
Am I missing something? How can I get this to work properly?
Thanks in advance.
17 years, 5 months
Re: [Fedora-directory-users] FDS with TLS/SSL Port issue
by Howard Chu
> Date: Thu, 9 Nov 2006 18:52:58 -0600
> From: Greg Hetrick <ghetrick(a)minderaser.org>
> New to FDS/LDAP doing a proof of concept and I have FDS 1.0.4
> installed with SSL enabled on the DS side, TLS enabled on a FC 6
> client. In ldap config I have TLS_REQCERT required.
>
> Question is, should ldap traffic generated from the client to the
> server pass on port 636 or port 389, I am seeing traffic that is
> supposed to be encrypted passing on the regular ldap port (389).
ldaps:// uses port 636 by default. That's the non-standard method of
using LDAP over SSL that was common with LDAPv2. The connection has
SSL/TLS enabled on it from the moment the connection opens.
LDAPv3 uses port 389 by default. Connections are always opened in the
clear. Then the StartTLS Extended Operation is issued by the client, and
an SSL/TLS layer is added to the connection.
> I am seeing what appears to be correct in the access logs during the
> communication indicating that the traffic is in fact encrypted.
Your log clearly shows StartTLS being used, successfully. Looks normal.
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
17 years, 5 months
[Fedora-directory-users] disable bind with blank password
by nattapon viroonsri
Hi,
It looks like the default fedora-ds policy is to accept a bind with a blank password?
I have tested with
ldapsearch -x -D "uid=someone,ou=people,dc=example,dc=com" -w ""
and get the same result as with the correct password.
If I use a wrong password I will get
ldap_bind: Invalid credentials (49)
How can I disable binds with a blank password?
Thanks
Nattapon
17 years, 5 months
[Fedora-directory-users] Bind with Blank password
by nattapon viroonsri
Hi,
It looks like the default fedora-ds accepts a bind without a password. I have tested with
ldapsearch -x -D "uid=someuser,ou=people,dc=example,dc=com" -w ""
and it has the same result as with the correct password.
If I use a wrong password, the output returned will be
ldap_bind: Invalid credentials (49)
How can I disable binds with a blank password?
Thanks
Nattapon
17 years, 5 months
[Fedora-directory-users] FDS with TLS/SSL Port issue
by Greg Hetrick
New to FDS/LDAP doing a proof of concept and I have FDS 1.0.4
installed with SSL enabled on the DS side, TLS enabled on a FC 6
client. In ldap config I have TLS_REQCERT required.
Question is, should ldap traffic generated from the client to the
server pass on port 636 or port 389, I am seeing traffic that is
supposed to be encrypted passing on the regular ldap port (389).
I am seeing what appears to be correct in the access logs during the
communication indicating that the traffic is in fact encrypted.
[09/Nov/2006:18:50:10 -0600] conn=3 fd=65 slot=65 connection from
151.148.60.67 to 151.148.218.175
[09/Nov/2006:18:50:10 -0600] conn=3 op=0 EXT
oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[09/Nov/2006:18:50:10 -0600] conn=3 op=0 RESULT err=0 tag=120
nentries=0 etime=0
[09/Nov/2006:18:50:10 -0600] conn=3 SSL 256-bit AES
[09/Nov/2006:18:50:10 -0600] conn=3 op=1 BIND dn="" method=128 version=3
[09/Nov/2006:18:50:10 -0600] conn=3 op=1 RESULT err=0 tag=97
nentries=0 etime=0 dn=""
[09/Nov/2006:18:50:10 -0600] conn=3 op=2 SRCH
base="ou=People,dc=example,dc=com" scope=2 filter="(uid=testuser)"
attrs=ALL
[09/Nov/2006:18:50:10 -0600] conn=3 op=2 RESULT err=0 tag=101
nentries=1 etime=0
[09/Nov/2006:18:50:10 -0600] conn=3 op=3 UNBIND
[09/Nov/2006:18:50:10 -0600] conn=3 op=3 fd=65 closed - U1
Thanks,
Greg
17 years, 5 months
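Howard's reply above (StartTLS on 389 is an extended operation issued on a cleartext connection, after which TLS is layered on; ldaps on 636 is encrypted from the first byte) and Nattapon's two blank-password posts both describe things that can be verified in the access log Greg posted. The script below is an added example, not code from the list or from Fedora Directory Server. It reads access-log lines in the format shown in Greg's message and flags (a) operations sent on a connection before the server logged an SSL line for it, i.e. in the clear, and (b) simple binds that named a DN but were answered with err=0 and dn="", which is how a bind with an empty password (an "unauthenticated bind", RFC 4513 section 5.1.2) appears when the server grants the session anonymous rights. The sample log lines are constructed, the addresses are from the 192.0.2.0/24 documentation range, and the assumption that 389/FDS writes dn="" on the RESULT line of such a bind should be confirmed against your own log.

```python
"""Flag cleartext operations and accepted unauthenticated binds in a 389/FDS access log.

Added example. SAMPLE_LOG is constructed in the format shown in this thread;
addresses are from the 192.0.2.0/24 documentation range. Assumption: the
server writes dn="" on the RESULT line of a bind it accepted as anonymous.
"""
import re
from collections import defaultdict

LINE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+)(?: op=(?P<op>\d+))? (?P<rest>.*)$')
# Operations that carry credentials or directory data and should only travel over TLS.
PROTECTED = {"BIND", "SRCH", "MOD", "ADD", "DEL", "MODRDN", "CMP"}

SAMPLE_LOG = """\
[09/Nov/2006:18:50:10 -0600] conn=3 fd=65 slot=65 connection from 192.0.2.10 to 192.0.2.20
[09/Nov/2006:18:50:10 -0600] conn=3 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[09/Nov/2006:18:50:10 -0600] conn=3 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[09/Nov/2006:18:50:10 -0600] conn=3 SSL 256-bit AES
[09/Nov/2006:18:50:10 -0600] conn=3 op=1 BIND dn="uid=testuser,ou=people,dc=example,dc=com" method=128 version=3
[09/Nov/2006:18:50:10 -0600] conn=3 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=testuser,ou=people,dc=example,dc=com"
[09/Nov/2006:18:50:10 -0600] conn=3 op=2 SRCH base="ou=people,dc=example,dc=com" scope=2 filter="(uid=testuser)" attrs=ALL
[09/Nov/2006:18:50:10 -0600] conn=3 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[09/Nov/2006:18:50:10 -0600] conn=3 op=3 UNBIND
[09/Nov/2006:18:50:10 -0600] conn=3 op=3 fd=65 closed - U1
[09/Nov/2006:18:50:12 -0600] conn=4 fd=66 slot=66 connection from 192.0.2.11 to 192.0.2.20
[09/Nov/2006:18:50:12 -0600] conn=4 op=0 BIND dn="uid=someone,ou=people,dc=example,dc=com" method=128 version=3
[09/Nov/2006:18:50:12 -0600] conn=4 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[09/Nov/2006:18:50:12 -0600] conn=4 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(objectclass=*)" attrs=ALL
[09/Nov/2006:18:50:12 -0600] conn=4 op=1 RESULT err=0 tag=101 nentries=40 etime=0
[09/Nov/2006:18:50:12 -0600] conn=4 op=2 UNBIND
[09/Nov/2006:18:50:12 -0600] conn=4 op=2 fd=66 closed - U1
"""


def analyse(log_text):
    """Return {conn: {"cleartext_ops": [...], "unauth_binds": [...]}} for offending connections only."""
    tls_up = {}      # conn -> has the server logged an SSL line for it yet?
    binds = {}       # (conn, op) -> DN the client asked to bind as
    findings = defaultdict(lambda: {"cleartext_ops": [], "unauth_binds": []})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        conn, op, rest = m["conn"], m["op"], m["rest"]
        if "connection from" in rest:
            tls_up[conn] = False        # nothing is protected until an SSL line appears
            continue
        if rest.startswith("SSL "):
            tls_up[conn] = True         # TLS layer in place (after StartTLS, or at once on ldaps)
            continue
        if op is None:
            continue
        verb = rest.split(" ", 1)[0]
        if verb in PROTECTED and not tls_up.get(conn, False):
            findings[conn]["cleartext_ops"].append(f"op={op} {verb}")
        if verb == "BIND":
            dn = re.search(r'dn="([^"]*)"', rest)
            binds[(conn, op)] = dn.group(1) if dn else ""
        elif verb == "RESULT" and (conn, op) in binds:
            requested = binds.pop((conn, op))
            err = re.search(r"err=(\d+)", rest)
            bound_as = re.search(r'dn="([^"]*)"', rest)
            # DN supplied, bind succeeded, but the server bound the session as anonymous.
            if requested and err and err.group(1) == "0" and bound_as and bound_as.group(1) == "":
                findings[conn]["unauth_binds"].append(requested)
    return dict(findings)


if __name__ == "__main__":
    for conn, result in analyse(SAMPLE_LOG).items():
        print(f"conn={conn}: {result}")
```

Connection 3 in the sample is the pattern Howard calls normal: StartTLS on 389, an SSL line, and only then the BIND and SRCH. Connection 4 shows both problems at once: the operations never had TLS underneath them, and the server answered the DN-plus-empty-password bind with success but dn="", so the client carried on with anonymous rights while believing it had authenticated. On the application side the fix is to refuse an empty password before ever calling bind, since the server's success code alone is not proof of authentication.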