29 Jan 2013 13:39
21 Jan 2013 13:57
ACL issues Insufficient access (50)
Hi there guys.
I'm facing a problem with my ACL. Basically I want my users to be able to
change their password, but I always get:
New password:
Re-enter new password:
ldap_initialize(ldap://ldapserver )
Enter LDAP Password:
Result: Insufficient access (50)
From the logs
access_allowed: backend default write access denied to userxxxx
Reading some posts, someone suggested adding olcAccess: {0} to * by *
write to the ACL, which I tested but with no luck. I'm just using simple
authentication, no SSL or that kind of stuff.
dn: olcDatabase={0}config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0} to * by * write
The weird thing is that I still see the anonymous access.
slap_access_allowed: backend default auth access granted to "(anonymous)"
I'm trying to change the password locally from the LDAP server itself;
from the client it doesn't work either. I'm using nslcd.conf and I'm not
allowing anon logins, but it seems that by default in some place it's
allowing it.
These are the default password policies:
objectClass: pwdPolicy
objectClass: person
objectClass: top
pwdAllowUserChange: TRUE
pwdAttribute: 2.5.4.35
pwdCheckQuality: 2
pwdExpireWarning: 600
pwdFailureCountInterval: 30
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdSafeModify: FALSE
sn: dummy value
pwdGraceAuthNLimit: 5
pwdInHistory: 5
pwdMaxFailure: 5
pwdMinAge: 0
pwdMaxAge: 0
pwdMustChange: TRUE
pwdMinLength: 5
I'm using:
openldap-servers-2.4.23-26.el6_3.2.x86_6
Centos 6.3
If you need more information just let me know.
Thanks in advance.
Best regards
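Two details in the posted configuration matter more than the denied write itself. The rule was added to olcDatabase={0}config, and olcAccess rules are per database, so `to * by * write` there makes slapd's own configuration writable by anyone (anonymous included) without granting anything on the database that holds the users' entries. The log line "auth access granted to (anonymous)" is also normal rather than a sign of anonymous logins: a simple bind is evaluated before the client has an identity, so verifying the password needs `auth` access to userPassword as anonymous. The linter below is an added example, not code from the thread or from OpenLDAP; its two rule sets are constructed (one mirrors the shape of the posted one-liner, the other is the commonly recommended layout for a data database), and it is a simplified reading of the olcAccess syntax, not slapd's own evaluator.

```python
"""Heuristic linter for OpenLDAP olcAccess rules.

Added example, not from the thread. Modelled: the first matching <to> clause
governs an attribute, the first matching <by> clause governs a requester, and
an implicit 'by * none' ends every rule. Not modelled: dn-based <what>
scoping, 'break'/'continue', and set/group/peername <who> forms.
"""
import re

# slapd access levels, lowest to highest; a level implies every lower one.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
BY_RE = re.compile(
    r"\bby\s+(\S+)\s+(none|disclose|auth|compare|search|read|write|manage)\b")

# Which <who> keywords match which kind of requester.
MATCHES = {
    "self": {"self", "users", "*"},        # the entry's own identity
    "user": {"users", "*"},                # some other authenticated DN
    "anonymous": {"anonymous", "*"},       # no bind, or a bind still in progress
}


def rank(level):
    return LEVELS.index(level)


def parse_rule(rule):
    """Return (what, [(who, level), ...]) for one olcAccess value."""
    rule = re.sub(r"^\{\d+\}\s*", "", rule.strip())      # drop the {n} ordering index
    m = re.match(r"to\s+(.*?)\s+by\s", rule)
    if not m:
        raise ValueError("not an access rule: %r" % rule)
    return m.group(1), BY_RE.findall(rule)


def what_covers(what, attr):
    """Does this <what> clause apply to attr? Only '*' and attrs= are modelled."""
    if what == "*":
        return True
    m = re.search(r"attrs=([\w,-]+)", what)
    return bool(m) and attr.lower() in m.group(1).lower().split(",")


def level_for(clauses, identity):
    """First matching <by> clause wins; slapd appends an implicit 'by * none'."""
    for who, level in clauses:
        if who in MATCHES[identity]:
            return level
    return "none"


def lint(db_name, rules):
    """Return [(rule, reason), ...] for one database's olcAccess values."""
    findings = []
    for rule in rules:
        what, clauses = parse_rule(rule)
        for who, level in clauses:
            if who == "*" and rank(level) >= rank("write"):
                reason = "world-writable"
                if "config" in db_name:
                    reason += ": anyone, including anonymous, can rewrite slapd's configuration"
                findings.append((rule, reason))
    # The rule that actually governs userPassword is the first <to> covering it.
    for rule in rules:
        what, clauses = parse_rule(rule)
        if not what_covers(what, "userPassword"):
            continue
        if rank(level_for(clauses, "self")) < rank("write"):
            findings.append((rule, "no 'by self write': users cannot change their own password"))
        anon = rank(level_for(clauses, "anonymous"))
        if anon < rank("auth"):
            findings.append((rule, "no 'by anonymous auth': simple binds cannot be verified against userPassword"))
        elif anon > rank("auth"):
            findings.append((rule, "anonymous gets more than auth on userPassword"))
        if rank(level_for(clauses, "user")) > rank("auth"):
            findings.append((rule, "other authenticated users get more than auth on userPassword"))
        break
    return findings


# Constructed sample rule sets (not taken from any real server).
POSTED_CONFIG_DB = ["{0}to * by * write"]
RECOMMENDED_DATA_DB = [
    "{0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none",
    "{1}to * by self write by users read by * none",
]

if __name__ == "__main__":
    for name, rules in [("olcDatabase={0}config", POSTED_CONFIG_DB),
                        ("olcDatabase={1}hdb", RECOMMENDED_DATA_DB)]:
        print(name)
        for rule, reason in lint(name, rules) or [("-", "no findings")]:
            print("  %s\n    -> %s" % (rule, reason))
```

Run against the posted one-liner the linter reports three problems (the config database is world-writable, and userPassword is exposed to anonymous and to other users), while the recommended data-database layout passes: self can write its own password, anonymous gets exactly `auth` so binds work, and nobody else can read or compare the hashes.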
16 Dec 2012 22:48
Fwd: New Version Notification for draft-stroeder-mailboxrelatedobject-00.txt
HI! Please review this draft intended to be published as an informational RFC. Ciao, Michael.
-------- Original Message --------
Subject: New Version Notification for draft-stroeder-mailboxrelatedobject-00.txt
Date: Sun, 16 Dec 2012 13:47:40 -0800
From: internet-drafts@...
To: michael@...
CC: michael@...
A new version of I-D, draft-stroeder-mailboxrelatedobject-00.txt has been successfully submitted by Michael Ströder and posted to the IETF repository.
Filename: draft-stroeder-mailboxrelatedobject
Revision: 00
Title: Lightweight Directory Access Protocol (LDAP): Auxiliary Object Class 'mailboxRelatedObject'
Creation date: 2012-12-16
WG ID: Individual Submission
Number of pages: 4
URL: http://www.ietf.org/internet-drafts/draft-stroeder-mailboxrelatedobject-00.txt
Status: http://datatracker.ietf.org/doc/draft-stroeder-mailboxrelatedobject
Htmlized: http://tools.ietf.org/html/draft-stroeder-mailboxrelatedobject-00
Abstract: This document defines the auxiliary object class 'mailboxRelatedObject' that can be used to associate an arbitrary object with an RFC 2822 mail address.
The IETF Secretariat
14 Nov 2012 18:21
ldap_bind: Invalid credentials (49)
Hi,
I have the Ubuntu 12.10 operating system. I just installed slapd and want to use it as my e-mail AddressBook. I'm following the tutorial: http://linsec.ca/Using_OpenLDAP_as_an_Address_Book
When I try to run the following command:
ldapadd -h localhost -D "cn=root,dc=mylan,dc=net" \
-W -x -f addr-skel.ldif
Enter LDAP Password:
and enter the slapd administrator password that I set when I installed slapd and was asked for it, I get the error message:
ldap_bind: Invalid credentials (49)
How can I solve this problem?
--
Regards from Pal
12 Apr 2012 11:23
Any case where same controlType is used twice?
HI! Is there any known LDAP extended control which is used more than once in an LDAPRequest or LDAPResponse? Or can a client expect that a controlType is only used exactly once in the list of returned controls in a single message? Up to now I've never seen something like this, but one never knows. Ciao, Michael.
9 Mar 2012 12:44
Re: RDN construction (was: Re: LDAPS Connection difficulties)
Hey Peter and Quanah,
On Thu, Mar 8, 2012 at 7:36 PM, Quanah Gibson-Mount <quanah-zAQalKWTt5vQT0dZR+AlfA@public.gmane.org> wrote:
> --On Thursday, March 08, 2012 3:07 PM +0100 Peter Schober <peter.schober-4JhlDu4IDl0juwv8T7myQQ@public.gmane.org> wrote:
>> * Quanah Gibson-Mount <quanah-zAQalKWTt5vQT0dZR+AlfA@public.gmane.org> [2012-03-07 18:04]:
>>>> Is anyone doing that? Is it worth the effort?
>>> See Stanford University's suRegID
>> Well, I can see[1] that it's a registry identifier that's unique per
>> person and that accounts refer to it via the owner attribute.
>> I did not however find how DNs (and most-specific RDNs) are
>> constructed, but take your above answer to mean that Stanford creates
>> DNs as suRegID=$whatever,cn=accounts,$BASEDN
>> OK, thanks,
>> -peter
> It creates:
> suregid=<whatever>,cn=people,dc=stanford,dc=edu
> For people.
> For accounts, it uses uid
> uid=joe,cn=accounts,dc=stanford,dc=edu
> People are not accounts. ;)
Yeah, that identity vs. account thing is a somewhat rare insight, especially when it comes to applications that need more than just account or identity data from directories.
If you do separate them, you will almost certainly require some feature to build virtual objects/views containing data from both the accounts and the corresponding identity.
Using persistent identifiers in RDNs for identities as well as accounts can simplify many use cases.
Whether it is worth the effort is something that you must decide for yourself based on the complexity of the required migration and what applications/services would be affected.
Regards, Linus
7 Mar 2012 19:32
filtered replication
I have an OpenLDAP environment with 2 servers, one serving as provider for 2 databases and one as consumer.
On one of the databases I only want to replicate certain entries, filtered by objectclass. I use syncrepl for replication. Now I would like to write entries which are not covered by the filter and so are not replicated. But OpenLDAP sends me a referral to the master on write attempts if I use the updateref directive. If I don't use this directive, I get error 53: unwilling to perform.
Is there a way to have part of a database's entries replicated and the others allowed to be written locally?
Thanks a lot,
Michael
6 Mar 2012 11:36
Require TLS for simple binds with password
Hi,
I was happy to get your conversation about the LDAPS issues (although your mail went to the spam folder).
I do not want to interfere with your problem finding, but would like to ask another question around this subject, and having found the experts I want to keep that chance...
I have the following question: we have about 100 LDAP applications running to our Novell LDAP interface. Some work on port 636, some on 389. Now I want to set the parameter "require TLS for simple bind with password". My understanding was that TLS (or StartTLS) is an additional feature which can be used (but must not be used) and that therefore the running applications should not be affected. I had to learn that this is not true. Can you help me to identify the requirements to understand which applications would be affected by this change?
Thanks in advance.
Jürgen
Sitz der Gesellschaft / Corporate Headquarters: Lufthansa Systems Aktiengesellschaft, Kelsterbach,
Registereintragung / Registration: Amtsgericht Darmstadt 84307
Vorsitzender des Aufsichtsrats / Chairman of the Supervisory Board: Stephan Gemkow
Vorstand / Executive Board: Stefan Hansen (Vorsitzender / Chairman), Dr. Gunter Kuechler
4 Mar 2012 04:07
LDAPS Connection difficulties
Hi all
I'm a bit of a newbie with LDAPS but I have been asked to perform an LDAPS authentication from a unix server to a windows server, but I cannot get it to bind.
The windows admin supplied a username, a password, an IP address and a certificate (eLearningPublic.cer) but they don't know their Bind-DN.
I used #strings to look in the certificate to see what the hostname seemed to be and the following string is in the certificate:
mldshomdsp01.ce.xyz.com.au
This does not seem to resolve publicly, but I assume that's the hostname used to create the certificate. I put an entry into /etc/hosts to have this resolve to the IP they gave me.
I installed the certificate in a /usr/local/etc/openldap/certs and placed the following in my ldap.conf:
TLS_REQCERT never
TLS_CACERT /usr/local/etc/openldap/certs/eLearningPublic.cer
I then looked at the certificate to try and find the bind-DN
# openssl s_client -connect mldshomdsp01.ce.xyz.com.au:636 -CAfile /usr/local/etc/openldap/certs/eLearningPublic.cer
CONNECTED(00000003)
depth=0 /CN=mldshomdsp01.ce.xyz.com.au
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /CN=mldshomdsp01.ce.xyz.com.au
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/CN=mldshomdsp01.ce.xyz.com.au
i:/CN=mldshomdsp01.ce.xyz.com.au
---
Server certificate
-----BEGIN CERTIFICATE-----
< SNIP...>
-----END CERTIFICATE-----
subject=/CN=mldshomdsp01.ce.xyz.com.au
issuer=/CN=mldshomdsp01.ce.xyz.com.au
---
Acceptable client certificate CA names
/DC=au/DC=com/DC=xyz/DC=ce/CN=Internal Company Root CA
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE
CyberTrust Global Root
/OU=Copyright (c) 1997 Microsoft Corp./OU=Microsoft
Corporation/CN=Microsoft Root Authority
/DC=com/DC=microsoft/CN=Microsoft Root Certificate Authority
/CN=NT AUTHORITY
---
SSL handshake has read 1291 bytes and written 346 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES128-SHA
Session-ID:
CA3E0000FDAB34D348334DACE16E940397A02812E3F20B60EB631B9784BAA87B
Session-ID-ctx:
Master-Key:
E63D5D64939F6A9AD3A232B046D0AADF4303756335D7FD3B112EACD822BA1B3692BE06FCCBADBACCA14A648A67C018E7
Key-Arg : None
Start Time: 1330655479
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
At this point I was a bit out of my depth but I made a guess:
#ldapwhoami -x -D "cn=theUserName,dc=au,dc=com,dc=xyz,dc=ce" -H
"ldaps://mldshomdsp01.ce.xyz.com.au" -w #testPassword -d1
ldap_url_parse_ext(ldaps://mldshomdsp01.ce.xyz.com.au)
ldap_create
ldap_url_parse_ext(ldaps://mldshomdsp01.ce.xyz.com.au:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP mldshomdsp01.ce.xyz.com.au:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.143.2:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: could not load verify locations
(file:`/usr/local/etc/openldap/certs/eLearningPublic.cer',dir:`').
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
I know the server's reachable (for one thing I can telnet to it on port 636 and get a connection).
I can see it says it cannot load the certificate, but it seemed to parse it with s_client and it has suitable permissions (not to mention I'm logged in as root):
# ls -l /usr/local/etc/openldap/certs/eLearningPublic.cer
-rw-r--r-- 1 peter peter 526 Feb 29 19:20 /usr/local/etc/openldap/certs/eLearningPublic.cer
Can anyone shed any light on this?
Thanks
Peter
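Two things in the post above matter before anything else. `TLS_REQCERT never` tells libldap to accept whatever certificate the server presents, so the file named by `TLS_CACERT` no longer protects the bind at all; and the s_client output shows a self-signed certificate (subject equals issuer), so the file being used as a CA is the server's own certificate, which is fine as a pinned trust anchor only if the client can actually read it. The thread does not say why libldap could not load the file. One frequent reason with OpenSSL-based clients is that a `.cer` exported from Windows is DER-encoded while `TLS_CACERT` is read as PEM, so that is the first thing to check. The script below is an added example, not code from the poster or from OpenLDAP: it reports the CA file's encoding, re-armours DER as PEM, and attempts a fully verifying handshake the way a correctly configured client would, mapping each failure to a plain diagnosis. Host and file names are placeholders.

```python
"""Check an LDAPS trust anchor the way a verifying client would use it.

Added example, not from the thread. The host name and file names are
placeholders; nothing here is specific to the poster's server.
"""
import socket
import ssl

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"


def detect_encoding(data):
    """Return 'PEM', 'DER' or 'unknown' for the raw bytes of a certificate file.

    A DER certificate starts with an ASN.1 SEQUENCE tag (0x30); PEM is the
    base64 armour that OpenSSL-based clients expect in TLS_CACERT files.
    """
    if data.lstrip().startswith(PEM_HEADER):
        return "PEM"
    if data[:1] == b"\x30":
        return "DER"
    return "unknown"


def to_pem(data):
    """Normalise a certificate to PEM: DER is re-armoured, PEM passes through."""
    kind = detect_encoding(data)
    if kind == "PEM":
        return data.decode("ascii")
    if kind == "DER":
        return ssl.DER_cert_to_PEM_cert(data)
    raise ValueError("not a certificate in PEM or DER form")


def verifying_context(cafile):
    """Client context equivalent to TLS_REQCERT demand plus TLS_CACERT cafile."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED   # CERT_NONE would be 'TLS_REQCERT never'
    ctx.check_hostname = True             # the CN/SAN must match the host we dial
    ctx.load_verify_locations(cafile=cafile)
    return ctx


def diagnose_ldaps(host, port, cafile):
    """Return a one-line diagnosis of whether verification against cafile works."""
    with open(cafile, "rb") as f:
        kind = detect_encoding(f.read())
    if kind != "PEM":
        return "CA file is %s, not PEM: convert it before pointing TLS_CACERT at it" % kind
    try:
        ctx = verifying_context(cafile)
    except OSError as e:                  # ssl.SSLError is an OSError subclass
        return "CA file not loadable: %s" % e
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return "verified: subject=%s issuer=%s" % (cert["subject"], cert["issuer"])
    except ssl.SSLCertVerificationError as e:
        return "chain not trusted by this CA file: %s" % e.verify_message
    except ssl.SSLError as e:
        return "TLS failure: %s" % e
    except OSError as e:
        return "connection failed: %s" % e


if __name__ == "__main__":
    import sys
    host, cafile = sys.argv[1], sys.argv[2]   # e.g. ldap.example.invalid ca.cer
    with open(cafile, "rb") as f:
        raw = f.read()
    print("CA file encoding:", detect_encoding(raw))
    if detect_encoding(raw) == "DER":         # write a PEM copy next to the original
        cafile += ".pem"
        with open(cafile, "w") as f:
            f.write(to_pem(raw))
        print("wrote PEM copy:", cafile)
    print(diagnose_ldaps(host, 636, cafile))
```

Usage is `python3 ldaps_check.py ldap.example.invalid ca.cer`. If the verifying handshake succeeds, the same PEM file works as `TLS_CACERT` with the default `TLS_REQCERT demand`; if it reports an untrusted chain, the fix is the right anchor file (the issuing CA, or the self-signed server certificate itself), not `TLS_REQCERT never`.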
17 Feb 2012 12:13
Better schema for room entries
HI! The COSINE schema defined object class 'room' but requires setting attribute 'cn' and also recommends to use it for forming the RDN: http://tools.ietf.org/html/rfc4524#section-3.8 IMHO this does not make sense for most rooms. Are any LDAP admins here maintaining rooms as LDAP entries? Do you know a better existing schema? Ciao, Michael.