List: openldap-technical
Subject: password policies not functioning as expected
From: Kruger, P (Justid) <p.kruger () justid ! nl>
Date: 2016-08-02 13:01:01
Message-ID: 0225C0718C172540817182B2E2B3160C203548F8 () JSTD-PSEXCH02 ! ad ! minjus ! nl
Just found the problem and the solution.
It occurred that there was also a (probably mistakenly) second config module activated.
The module I had configured with ppolicy was not used. The extra module that was active did not have the ppolicy overlay loaded.
After correcting this, all seems to work as expected.
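The situation described above (two cn=module entries, ppolicy loaded in one that slapd does not use, and no ppolicy overlay on the database) can be spotted in a cn=config export before anyone tries a bind. The following is an added example, not code from this thread or from the OpenLDAP project: it reads the LDIF that `slapcat -n 0` produces (the sample below is constructed, as are the `check_ppolicy`, `parse_ldif` and `is_ppolicy_module` names), lists every module entry, says where ppolicy is actually loaded, and lists databases that have no `olcOverlay=ppolicy` child.

```python
import re

# Constructed sample of `slapcat -n 0` output: two cn=module entries, only
# the first loads ppolicy, and the mdb database has no ppolicy overlay yet.
SAMPLE_CONFIG_LDIF = """\
dn: cn=config
objectClass: olcGlobal
cn: config

dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_mdb
olcModuleLoad: {1}ppolicy

dn: cn=module{1},cn=config
objectClass: olcModuleList
cn: module{1}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_mdb

dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcSuffix: dc=example,dc=com
"""

# Constructed: the same config after adding the overlay to the database.
FIXED_CONFIG_LDIF = SAMPLE_CONFIG_LDIF + """
dn: olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: {0}ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=com
"""


def parse_ldif(text):
    """Minimal LDIF reader: list of (dn, {attribute: [values]}).

    Unfolds continuation lines (leading space) and skips comments; base64
    values (::) are kept as the raw encoded text, which is enough here.
    """
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for line in block.splitlines():
            if line.startswith(" ") and lines:
                lines[-1] += line[1:]
            elif line and not line.startswith("#"):
                lines.append(line)
        dn, attrs = None, {}
        for line in lines:
            name, _, value = line.partition(":")
            value = value.lstrip(": ")
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        if dn is not None:
            entries.append((dn, attrs))
    return entries


def strip_index(value):
    """Drop the {n} ordering prefix slapd adds to cn=config values."""
    return re.sub(r"^\{\d+\}", "", value)


def is_ppolicy_module(name):
    """True for 'ppolicy', 'ppolicy.la' or 'ppolicy.so', with or without a path."""
    return re.fullmatch(r"ppolicy(\.la|\.so)?", name.rsplit("/", 1)[-1]) is not None


def check_ppolicy(ldif_text):
    """Report module entries, where ppolicy is loaded, and databases lacking the overlay."""
    modules, overlays, databases = {}, {}, []
    for dn, attrs in parse_ldif(ldif_text):
        classes = attrs.get("objectClass", [])
        if "olcModuleList" in classes:
            modules[dn] = [strip_index(v) for v in attrs.get("olcModuleLoad", [])]
        elif "olcDatabaseConfig" in classes:
            # config and frontend are pseudo-databases; overlays go on the real ones
            if strip_index(attrs["olcDatabase"][0]) not in ("config", "frontend"):
                databases.append(dn)
        elif dn.startswith("olcOverlay="):
            rdn, parent = dn.split(",", 1)
            overlays.setdefault(parent, []).append(strip_index(rdn[len("olcOverlay="):]))
    return {
        "module_entries": modules,
        "duplicate_module_entries": len(modules) > 1,
        "ppolicy_loaded_in": [dn for dn, names in modules.items()
                              if any(is_ppolicy_module(n) for n in names)],
        "databases_missing_overlay": [dn for dn in databases
                                      if "ppolicy" not in overlays.get(dn, [])],
    }


if __name__ == "__main__":
    for label, text in (("as found", SAMPLE_CONFIG_LDIF), ("after fix", FIXED_CONFIG_LDIF)):
        print(label, check_ppolicy(text))
```

Run it against a real export with `slapcat -n 0 > config.ldif` and pass the file contents to `check_ppolicy`; a second module entry plus an empty `ppolicy_loaded_in` for the entry slapd actually uses, or a database in `databases_missing_overlay`, is the configuration that makes password policies silently inactive.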
-----Original message-----
From: openldap-technical [mailto:openldap-technical-bounces(a)openldap.org] On behalf of openldap-technical-request(a)openldap.org
Sent: Thursday, 28 July 2016 14:00
To: openldap-technical(a)openldap.org
Subject: openldap-technical Digest, Vol 104, Issue 21
Send openldap-technical mailing list submissions to
openldap-technical(a)openldap.org
To subscribe or unsubscribe via the World Wide Web, visit
http://www.openldap.org/lists/mm/listinfo/openldap-technical
or, via email, send a message with subject or body 'help' to
openldap-technical-request(a)openldap.org
You can reach the person managing the list at
openldap-technical-owner(a)openldap.org
When replying, please edit your Subject line so it is more specific than "Re: Contents of openldap-technical digest..."
Today's Topics:
1. Re: need to recover slapd password and upgrade openldap
(Dan Hyatt)
2. Re: Antw: Intermediate certificates not being sent (Nat Sincheler)
3. Re: sizelimit (Maily Peng)
4. Missing user entries after restoring a backup ldif
(Matt Spaulding)
5. password policies not functioning properly (Kruger, P (Justid))
6. Re: sizelimit (Dieter Klünter)
7. Re: Antw: Intermediate certificates not being sent (Ulrich Windl)
----------------------------------------------------------------------
Message: 1
Date: Tue, 26 Jul 2016 12:15:00 -0500
From: Dan Hyatt <dhyatt(a)dsgmail.wustl.edu>
To: Aaron Richton <richton(a)nbcs.rutgers.edu>, dhyatt(a)wustl.edu
Cc: openldap-technical(a)openldap.org
Subject: Re: need to recover slapd password and upgrade openldap
Message-ID: <b5a9dc49-8420-ef20-0779-d65ddfcdcad7(a)dsgmail.wustl.edu>
Content-Type: text/plain; charset=windows-1252; format=flowed
So, a more simple question...
Can I install a current version of OpenLDAP on a current RedHat/CentOS server (specially built for this purpose), then use slapcat to export the information from the old server and import it to the new server, where the admin password is not corrupt?
Can I import the schemas, or are there likely substantial changes to the schemas across versions?
My goals are to create a new LDAP server running CentOS/RedHat, transfer 20 users and allow them to keep their existing passwords, allow them to access my servers, and allow them authentication to Samba, and create an LDAP slave (or cluster); not sure if syncrepl is the current way to go.
I have root to the server, but I do not have the admin password to the OpenLDAP 2.2 as it became corrupted somehow.
On 07/24/2016 09:15 PM, Aaron Richton wrote:
> On Fri, 22 Jul 2016, Dan Hyatt wrote:
>
> > My admin openLDAP 2.2 password became corrupt in the last week and I
> > cannot
> [...]
> > I found some instructions which seem simple, risky and with no backout
> > strategy. Simply running
> > http://techiezone.rottigni.net/2011/12/change-root-dn-password-on-openldap/
> >
>
> That link (apparently from 2011) doesn't apply to your software from
> 2003. There's no back-config in OpenLDAP 2.2. So don't try that...
@(#) $OpenLDAP: slapd 2.2.13 (Nov 26 2010 07:45:22) $
mockbuild(a)x86-003.build.bos.redhat.com:/builddir/build/BUILD/openldap-2.2.13/openldap-2.2.13/build-servers/servers/slapd
>
> [...]
> > Having the LDAP on two separate hypervisors (with local disks) to
> > avoid the storage/authentication chicken/egg
> > Is there a better upgrade plan
>
> Are you saying that your one and only LDAP server uses itself for its
> own A&A?
Authentication and Authorization?
The server provides authentication and authorization for my group. The
server only does LDAP and home dirs.
I want to upgrade it to Centos 6.8 or Centos 7 (that is equal to redhat
6.8 or redhat 7) on a hypervisor with a slave running the current
favored release.
>
> [...]
> > I have the log files, is there a way to backout to last week without
> > the admin password (which became corrupt last week).
>
> I'm not sure what you're referring to by "log files." The general-case
> OpenLDAP backup tool is slapcat(8). Hopefully you have been running it
> routinely. The resulting LDIF can be easily inspected; if you have
> enough backups, you might even be able to find one without corruption.
We took over responsibility for the LDAP in December; there was not a happy handoff... no documentation, just the password, and we had to move it to the new VLAN.
------------------------------
Message: 2
Date: Tue, 26 Jul 2016 08:20:14 -0700
From: Nat Sincheler <fai1107(a)macrotex.net>
To: Ulrich Windl <Ulrich.Windl(a)rz.uni-regensburg.de>,
openldap-technical(a)openldap.org
Subject: Re: Antw: Intermediate certificates not being sent
Message-ID: <991f77f9-fd05-eb9b-7f07-f350c4a7bc68(a)macrotex.net>
Content-Type: text/plain; charset=windows-1252; format=flowed
On 7/25/2016 11:24 PM, Ulrich Windl wrote:
> > > > Nat Sincheler <fai1107(a)macrotex.net> wrote on 25.07.2016 at 19:06 in
> message <c19c2a3a-3c90-5baa-43c7-800b050ea5b7(a)macrotex.net>:
> > We have an OpenLDAP server that is listening on port 636 over ldaps.
> > When I run
> >
> > openssl s_client -showcerts -connect ldap-server:636
> >
> > I only see the host certificate. The intermediate and root certificates
> > do *not* come through.
>
> If I do that on one of our servers, I get:
> Root CA
> Intermediate CA
> Server Certificate
>
> ...
> New, TLSv1/SSLv3, Cipher is AES256-SHA
> Server public key is 2048 bit
>
> >
> > For this server I have in the file slapd.d/cn=config.ldif the setting
> >
> > olcTLSCACertificatePath: /etc/ssl/certs
>
> Hi!
>
> Here it works with these settings:
> olcTLSCACertificatePath: /etc/ssl/certs
> olcTLSCertificateFile: /etc/ssl/servercerts/slapd.pem
> olcTLSCertificateKeyFile: /etc/ssl/private/slapd.key
>
> Could it be a permissions problem? Did you try to check the certificate chain with openssl (preferably as the LDAP user)?
When I run the openssl s_client command I get no errors, but I also get
no intermediate or root certificates sent. I see this in the output: "No
client certificate CA names sent".
It appears that OpenLDAP is not sending the intermediate or root
certificates.
However, if I put all the intermediate and root certificates into a
single file and point olcTLSCACertificateFile at this file, those
intermediate certificates _are_ sent.
So, it appears that olcTLSCACertificateFile sends the certificates but olcTLSCACertificatePath does not.
Am I misunderstanding the purpose of olcTLSCACertificatePath?
Thanks.
>
> Regards,
> Ulrich
>
> >
> > I checked and all the intermediate and root certificates are in
> > /etc/ssl/certs soft-linked via the usual OpenSSL rehash hash, e.g.,
> >
> > lrwxrwxrwx 1 root root 42 Jul 14 19:03 b4261fc2.0 ->
> > /etc/ssl/certs/incommon-usertrust-2024.pem
> >
> > Any idea why the intermediate and root certificates do not get sent to
> > the LDAPS client? Is there something in the LDAP log that might give me
> > a clue as to what is going on?
>
>
>
>
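The two observations in this exchange (one server returns only the host certificate, the other returns root, intermediate and server certificate) come from reading the "Certificate chain" block that `openssl s_client -showcerts` prints. The following is an added example, not code from the thread or from OpenLDAP: it parses that block from saved s_client output, without connecting anywhere, and reports whether the server sent only its leaf, a complete chain, or certificates that do not link. Both the older `s:/CN=...` and the newer `s:CN = ...` subject formats are accepted. The two transcripts below are constructed, with placeholder text in place of real PEM bodies, and the function names `parse_chain` and `chain_report` are this example's own.

```python
import re

# Constructed: what the reporter saw, the host certificate alone.
LEAF_ONLY = """\
CONNECTED(00000003)
depth=0 CN = ldap-server
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:CN = ldap-server
   i:CN = Intermediate CA
-----BEGIN CERTIFICATE-----
PLACEHOLDER-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
---
Server certificate
subject=CN = ldap-server
issuer=CN = Intermediate CA
---
No client certificate CA names sent
---
"""

# Constructed: a server that sends leaf, intermediate and root (older subject format).
FULL_CHAIN = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=ldap-server
   i:/CN=Intermediate CA
-----BEGIN CERTIFICATE-----
PLACEHOLDER-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
 1 s:/CN=Intermediate CA
   i:/CN=Root CA
-----BEGIN CERTIFICATE-----
PLACEHOLDER-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
 2 s:/CN=Root CA
   i:/CN=Root CA
-----BEGIN CERTIFICATE-----
PLACEHOLDER-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
---
"""

CHAIN_LINE = re.compile(r"^\s*(\d+)\s+s:(.*)$")   # " 0 s:<subject>"
ISSUER_LINE = re.compile(r"^\s+i:(.*)$")           # "   i:<issuer>"


def parse_chain(s_client_output):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain, in_block, subject = [], False, None
    for line in s_client_output.splitlines():
        if line.strip() == "Certificate chain":
            in_block = True
            continue
        if not in_block:
            continue
        if line.strip() == "---":          # the block ends at the next separator
            break
        m = CHAIN_LINE.match(line)
        if m:
            subject = m.group(2).strip()
            continue
        m = ISSUER_LINE.match(line)
        if m and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain


def chain_report(s_client_output):
    """Summarise what was sent: nothing, leaf only, a linked chain, or a broken one."""
    chain = parse_chain(s_client_output)
    if not chain:
        return {"sent": 0, "status": "no certificates", "chain": []}
    # In a well-formed chain each issuer is the subject of the next certificate.
    linked = all(chain[k][1] == chain[k + 1][0] for k in range(len(chain) - 1))
    last_subject, last_issuer = chain[-1]
    if len(chain) == 1:
        status = f"leaf only; issuer '{last_issuer}' was not sent"
    elif not linked:
        status = "sent certificates do not form a chain"
    elif last_subject == last_issuer:
        status = "complete chain including root"
    else:
        status = "chain ends at an intermediate; root expected in the client store"
    return {"sent": len(chain), "status": status, "chain": chain}


if __name__ == "__main__":
    for name, text in (("leaf only", LEAF_ONLY), ("full chain", FULL_CHAIN)):
        print(name, chain_report(text))
```

To use it on a live server, save `openssl s_client -showcerts -connect ldap-server:636 </dev/null` to a file and pass its contents to `chain_report`; running it before and after moving the intermediates into the file named by olcTLSCACertificateFile shows directly whether the count of sent certificates changed, which is the comparison this thread is making.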
------------------------------
Message: 3
Date: Tue, 26 Jul 2016 19:47:27 +0200
From: Maily Peng <mpeng(a)keyyo.com>
To: Frank Swasey <Frank.Swasey(a)uvm.edu>
Cc: openldap-technical(a)openldap.org
Subject: Re: sizelimit
Message-ID: <6fedd3fe-f1c4-9897-0eae-3c77159add6d(a)keyyo.com>
Content-Type: text/plain; charset="windows-1252"; Format="flowed"
Hello Frank,
Nope, the limits directive is unlimited on the provider.
First of all, I need to have access to all of the entries on the consumers, in order to check entryCSN between provider and consumers. I use the Python script check_syncrepl_extended, which needs to bind to provider and consumer via the same DN. That's why I could not use rootdn (not the same between slapd servers).
Thank you
On 26/07/2016 at 19:09, Frank Swasey wrote:
> You have shown us what the syncrepl, sizelimit and limits look like on
> your consumer. Have you got that limits directive also set up on your
> provider? It is the provider that needs to allow your replication DN
> to obtain unlimited entries.
>
>
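Frank's point is that the olcLimits line has to exist on the server that answers the search, and Maily's reply is that it does; what neither message shows is how to read a set of olcLimits values and say which limit a given bind DN actually gets on each server. The following is an added example, not code from the thread or from OpenLDAP: it parses olcLimits values in the form slapcat shows them, applies the first line whose selector matches the bind DN (the order in which slapd evaluates them) and returns the effective size limit. The selector styles implemented are `*`, `anonymous`, `users` and `dn.exact/base/subtree/children/onelevel/regex`; DN normalisation here is a simplification that ignores escaped commas. The sample values, the replication DN and the function names are constructed for the example.

```python
import re
import shlex

LIMIT_RE = re.compile(r"^(size|time)(?:\.(soft|hard|unchecked))?=(\S+)$")

# Constructed values, in the form slapcat shows them. The provider grants the
# replication DN unlimited results; the consumer has no olcLimits at all.
PROVIDER_LIMITS = [
    '{0}dn.exact="cn=replicator,dc=example,dc=com" size=unlimited time=unlimited',
    '{1}users size=1000',
]
CONSUMER_LIMITS = []
REPLICATOR_DN = "cn=replicator,dc=example,dc=com"


def normalize_dn(dn):
    """Case-fold and drop whitespace around RDN separators (no escape handling)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_limits_line(line):
    """Split one olcLimits value into (selector style, pattern, {limit: value})."""
    tokens = shlex.split(re.sub(r"^\{\d+\}", "", line))   # shlex keeps quoted DNs whole
    selector, *specs = tokens
    if selector in ("*", "anonymous", "users"):
        style, pattern = selector, None
    elif selector.startswith("dn"):
        key, _, pattern = selector.partition("=")
        style = key.partition(".")[2] or "exact"    # bare "dn=" is treated as exact here
    else:
        raise ValueError(f"unsupported selector: {selector}")
    limits = {}
    for spec in specs:
        m = LIMIT_RE.match(spec)
        if not m:
            raise ValueError(f"unsupported limit spec: {spec}")
        name = m.group(1) + ("." + m.group(2) if m.group(2) else "")
        limits[name] = m.group(3)
    return style, pattern, limits


def match_selector(style, pattern, bind_dn):
    """Does this selector apply to bind_dn (None or '' means anonymous)?"""
    if style == "*":
        return True
    if style == "anonymous":
        return not bind_dn
    if style == "users":
        return bool(bind_dn)
    if not bind_dn:
        return False
    dn = normalize_dn(bind_dn)
    if style == "regex":
        return re.match(pattern, dn) is not None
    pat = normalize_dn(pattern)
    if style in ("exact", "base"):
        return dn == pat
    if style == "subtree":
        return dn == pat or dn.endswith("," + pat)
    if style == "children":
        return dn.endswith("," + pat)
    if style == "onelevel":
        return "," in dn and dn.split(",", 1)[1] == pat
    raise ValueError(f"unsupported selector style: {style}")


def effective_size_limit(olc_limits, bind_dn, global_sizelimit=500):
    """Size limit applied to bind_dn: an int, or None for unlimited.

    The first olcLimits line whose selector matches is used; if none
    matches, or the matching line sets no size limit, the global
    sizelimit applies.
    """
    for line in olc_limits:
        style, pattern, limits = parse_limits_line(line)
        if match_selector(style, pattern, bind_dn):
            value = limits.get("size", limits.get("size.soft"))
            if value is None:
                return global_sizelimit
            return None if value in ("unlimited", "none") else int(value)
    return global_sizelimit


def servers_limiting(bind_dn, servers):
    """Names of servers (name -> olcLimits list) on which bind_dn is not unlimited."""
    return [name for name, limits in servers.items()
            if effective_size_limit(limits, bind_dn) is not None]


if __name__ == "__main__":
    servers = {"provider": PROVIDER_LIMITS, "consumer": CONSUMER_LIMITS}
    print("replication DN is limited on:", servers_limiting(REPLICATOR_DN, servers))
```

Because the first matching line wins, the order of the values matters: swapping the two provider lines above makes the `users` line match the replication DN first and caps it at 1000, which is the kind of mistake worth checking on both provider and consumer when a comparison script has to read every entry from each.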