Openldap referral to DS 5.2?

My dept is deploying Sendmail Advanced Messaging Server (SAMS). It stores its user preferences and the userid and password in its own supplied openldap. How can I get openldap to use our DS 5.2 for user authentication? Instead of mirroring userids and password in the openldap I would like it to refer to the DS for uid and userpassword. Is there some way to do a referral?

I don't think it's possible. I have set up ds5.2 for replication.

It IS possible. That does not mean it is straightforward though. But it isn't too hard either.

That's ok. And yes, I can't see ds5.2 in the dscc. So if I can't see the ds5.2 in dscc how am I supposed to set up a replication agreement for ds6 to ds5.2?

Use dsconf. http://docs.sun.com/app/docs/doc/819-0995/6n3cq3au5?a=view might help but you'll need to dig more in the documentation.

That's how I understand multi-master replication. You have to create agreements in both servers, and use one to initialize the other. Maybe you mean I need to use ds6 command line tools to set up replication.

That's right, CLI is the only way to go for that particular configuration.
Replication has been tested between the two versions.

Similar Messages

  • OpenLDAP and Solaris 10, I'm out of ideas

    Hi All,
    I have configured OpenLDAP successfully and get the following results, indicating that the user is loaded in the LDAP database:
    test5:/ $ cat /etc/passwd | grep admin777
    test5:/ $ getent passwd admin777
    admin777:x:5011:1000::/:/bin/bash
    test5:/ $ id admin777
    uid=5011(admin777) gid=1000(users) groups=1000(users)
    test5:/ $ ldaplist -l passwd admin777
    dn: uid=admin777,ou=People,dc=example,dc=com
    shadowMin: 10
    sn: sn
    userPassword: {SSHA}Uy4yMkk71zNJ6XoAAhoKgjYPzXNnU4r5
    loginShell: /bin/bash
    uidNumber: 5011
    gidNumber: 1000
    shadowMax: 30
    objectClass: inetOrgPerson
    objectClass: posixAccount
    objectClass: shadowAccount
    uid: admin777
    shadowLastChange: 15166
    cn: cn
    homeDirectory: /
    shadowWarning: 7
    test5:/ $
    I've also added an overall security policy in the LDAP database
    # Policies, example.com
    dn: ou=Policies,dc=example,dc=com
    pwdFailureCountInterval: 0
    pwdMaxFailure: 3
    pwdMustChange: TRUE
    pwdAttribute: userPassword
    pwdMinLength: 3
    ou: Policies
    pwdSafeModify: FALSE
    pwdInHistory: 6
    pwdGraceAuthNLimit: 0
    pwdCheckQuality: 1
    objectClass: top
    objectClass: device
    objectClass: pwdPolicy
    pwdLockoutDuration: 1920
    cn: default
    pwdAllowUserChange: TRUE
    pwdExpireWarning: 432000
    pwdLockout: TRUE
    pwdMaxAge: 7516800
    But it seems that this policy is not activated, for example the pwdMinLength: is set to 3, but when the user changes his/her password, it seems that the Solaris policy takes over from the /etc/default/passwd file
    test5:/ $ ssh [email protected]
    * * * * * * * * * * * * W A R N I N G * * * * * * * * * * * * * *
    THIS SYSTEM IS RESTRICTED TO AUTHORIZED USERS FOR AUTHORIZED USE
    ONLY. UNAUTHORIZED ACCESS IS STRICTLY PROHIBITED AND MAY BE
    PUNISHABLE UNDER THE COMPUTER FRAUD AND ABUSE ACT OR OTHER
    APPLICABLE LAWS. IF NOT AUTHORIZED TO ACCESS THIS SYSTEM,
    DISCONNECT NOW. BY CONTINUING, YOU CONSENT TO YOUR KEYSTROKES
    AND DATA CONTENT BEING MONITORED. ALL PERSONS ARE HEREBY
    NOTIFIED THAT THE USE OF THIS SYSTEM CONSTITUTES CONSENT
    TO MONITORING AND AUDITING.
    * * * * * * * * * * * * W A R N I N G * * * * * * * * * * * * *
    Password:
    Last login: Tue Jul 12 11:14:22 2011 from test5.example.
    Sun Microsystems Inc. SunOS 5.10 Generic January 2005
    Sun Microsystems Inc. SunOS 5.10 Generic January 2005
    Sourcing //.profile-EIS.....
    test5:/ $ id
    uid=5011(admin777) gid=1000(users) groups=1000(users)
    test5:/ $ passwd
    passwd: Changing password for admin777
    Enter existing login password:
    New Password:
    passwd: Password too short - must be at least 8 characters.
    Please try again
    New Password:
    test5:/ $ cat /etc/default/passwd
    #ident @(#)passwd.dfl 1.7 04/04/22 SMI
    # Copyright 2004 Sun Microsystems, Inc. All rights reserved.
    # Use is subject to license terms.
    MAXWEEKS=13
    MINWEEKS=
    PASSLENGTH=8
    # NAMECHECK enables/disables login name checking.
    # The default is to do login name checking.
    # Specifying a value of NO will disable login name checking.
    NAMECHECK=YES
    It seems that the Solaris password policy forces the user to use the Solaris policy and ignores the LDAP ppolicy. Below is my slapd.conf file:
    test5:/ $ cat /usr/local/etc/openldap/slapd.conf
    # See slapd.conf(5) for details on configuration options.
    # This file should NOT be world readable.
    include /usr/local/etc/openldap/schema/core.schema
    include /usr/local/etc/openldap/schema/cosine.schema
    include /usr/local/etc/openldap/schema/inetorgperson.schema
    include /usr/local/etc/openldap/schema/nis.schema
    include /usr/local/etc/openldap/schema/ppolicy.schema
    include /usr/local/etc/openldap/schema/DUAConfigProfile.schema
    include /usr/local/etc/openldap/schema/solaris.schema
    include /usr/local/etc/openldap/schema/java.schema
    # Define global ACLs to disable default read access.
    # Do not enable referrals until AFTER you have a working directory
    # service AND an understanding of referrals.
    #referral ldap://root.openldap.org
    loglevel 256
    pidfile /usr/local/var/run/slapd.pid
    argsfile /usr/local/var/run/slapd.args
    # Load dynamic backend modules:
    modulepath /usr/local/libexec/openldap
    moduleload ppolicy.la
    # modulepath /usr/local/libexec/openldap
    # moduleload back_bdb.la
    # moduleload back_ldap.la
    # moduleload back_ldbm.la
    # moduleload back_passwd.la
    # moduleload back_shell.la
    # BDB database definitions
    database bdb
    suffix "dc=example,dc=com"
    checkpoint 32 30
    cachesize 10000
    rootdn "cn=Manager,dc=example,dc=com"
    # Cleartext passwords, especially for the rootdn, should
    # be avoid. See slappasswd(8) and slapd.conf(5) for details.
    # Use of strong authentication encouraged.
    rootpw "{SSHA}6FWujVb4YNHJDyniwoWaHTMfXBJBM8u7"
    # The database directory MUST exist prior to running slapd AND
    # should only be accessible by the slapd and slap tools.
    # Mode 700 recommended.
    directory /usr/local/var/openldap-data
    # Indices to maintain
    index objectClass eq
    index uid,uidNumber,gidNumber,shadowExpire,shadowLastChange eq
    overlay ppolicy
    ppolicy_default "cn=default,ou=Policies,dc=example,dc=com"
    ppolicy_use_lockout
    Edited by: King Rat on 12-Jul-2011 02:20
    Edited by: King Rat on 12-Jul-2011 02:21
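    Two things a reviewer would check in the configuration above, written up as an added Python example (this is not code from the post; the inputs below are constructed copies of the values it shows). First, `ppolicy_default` in the posted slapd.conf names `cn=default,ou=Policies,dc=example,dc=com`, but the policy entry's dn is `ou=Policies,dc=example,dc=com`; the overlay only applies a default policy if that DN resolves to a `pwdPolicy` entry, so the check below reports it as missing. Second, `passwd(1)` on the client applies `/etc/default/passwd` before the modify ever reaches slapd, so a new password has to satisfy both sets of constraints and the stricter value of each pair (PASSLENGTH=8 vs pwdMinLength: 3, MAXWEEKS=13 vs pwdMaxAge: 7516800) is what the user actually experiences.

```python
import re

# Constructed copies of the policy entry, slapd.conf lines and /etc/default/passwd shown in the post.
POLICY_LDIF = """\
# Policies, example.com
dn: ou=Policies,dc=example,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicy
ou: Policies
cn: default
pwdAttribute: userPassword
pwdMinLength: 3
pwdMaxAge: 7516800
pwdMaxFailure: 3
pwdLockout: TRUE
pwdLockoutDuration: 1920
"""

SLAPD_CONF = """\
overlay ppolicy
ppolicy_default "cn=default,ou=Policies,dc=example,dc=com"
ppolicy_use_lockout
"""

DEFAULT_PASSWD = """\
#ident @(#)passwd.dfl 1.7 04/04/22 SMI
MAXWEEKS=13
MINWEEKS=
PASSLENGTH=8
NAMECHECK=YES
"""


def parse_ldif(text):
    """Parse LDIF into a list of {attr: [values]} dicts, one per blank-line-separated entry."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def norm_dn(dn):
    """Case- and whitespace-insensitive comparison key (adequate for dc/ou/cn RDNs)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def configured_default_policy(slapd_conf):
    """Return the DN given to ppolicy_default, or None if the directive is absent."""
    m = re.search(r'^\s*ppolicy_default\s+"?([^"\n]+)"?', slapd_conf, re.M)
    return m.group(1).strip() if m else None


def default_policy_entry(slapd_conf, ldif_text):
    """Return the pwdPolicy entry that ppolicy_default points at, or None if no such entry exists."""
    want = configured_default_policy(slapd_conf)
    if want is None:
        return None
    for entry in parse_ldif(ldif_text):
        dn = entry.get("dn", [""])[0]
        if norm_dn(dn) == norm_dn(want) and "pwdPolicy" in entry.get("objectClass", []):
            return entry
    return None


def parse_default_passwd(text):
    """Parse the KEY=VALUE lines of /etc/default/passwd, ignoring comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg


def effective_policy(policy_entry, passwd_defaults):
    """A new password must pass both checks, so the stricter value of each pair is effective."""
    ldap_min = int(policy_entry.get("pwdMinLength", ["0"])[0])
    local_min = int(passwd_defaults.get("PASSLENGTH") or 0)
    ldap_age = int(policy_entry.get("pwdMaxAge", ["0"])[0])      # seconds; 0 = never expires
    weeks = passwd_defaults.get("MAXWEEKS")
    local_age = int(weeks) * 7 * 86400 if weeks else 0           # MAXWEEKS converted to seconds
    ages = [a for a in (ldap_age, local_age) if a > 0]
    return {
        "minLength": {"ldap": ldap_min, "local": local_min, "effective": max(ldap_min, local_min)},
        "maxAgeSeconds": {"ldap": ldap_age, "local": local_age, "effective": min(ages) if ages else 0},
    }


if __name__ == "__main__":
    print("default policy entry found:", default_policy_entry(SLAPD_CONF, POLICY_LDIF) is not None)
    print(effective_policy(parse_ldif(POLICY_LDIF)[0], parse_default_passwd(DEFAULT_PASSWD)))
```

    The DN check is the one to run first: if `default_policy_entry` returns None, slapd is applying no password policy at all to entries without a `pwdPolicySubentry`, regardless of what the client enforces.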

    Hi there are you still working on this?
    I'm also working on this. My setup is a little different and I'm a little behind. I installed the OpenLDAP server on RHEL 5.5 and it is working with all the Linux servers, but Solaris 10 is giving me trouble. I see you're using the ppolicy.schema; I have not seen this before. I have been told to use the solaris.schema and the DUAConfigProfile.schema. It looks like you are using it with an overlay; is this needed?
    This is what my user account looks like.
    dn: uid=user00,ou=People,dc=test,dc=net
    uid: user00
    cn: user00
    objectClass: account
    objectClass: posixAccount
    objectClass: top
    objectClass: shadowAccount
    userPassword: {MD5}X03MO1qnZdYdgyfeuILPmQ==
    shadowLastChange: 13048
    shadowMax: 99999
    shadowWarning: 7
    loginShell: /bin/bash
    uidNumber: 600
    gidNumber: 500
    homeDirectory: /home/user00
    gecos: user00
    Can you post the command you used to setup the client.
    Example:
    ldapclient init -a profileName=profile -a domainName=test.net 10.0.0.2
    I also have these items and ACLs in the slapd.conf file.
    # Allow LDAPv2 client connections. This is NOT the default.
    allow bind_v2
    access to attrs=shadowLastChange,userPassword
    by self write
    by * auth
    access to *
    by * read
    Anyway I hope this helps and if you could help me with the client setup that would be great.

  • Decode ASN.1/BER response from PasswordPolicyResponse (openldap)

    By using a connection request control (PasswordPolicyControl) I manage to get a response from OpenLDAPs password policy (OID: 1.3.6.1.4.1.42.2.27.8.5.1).
    The response is encoded by ASN.1/BER and is probably (?) following the draft-behera-ldap-password-policy-09.txt (http://www.ietf.org/internet-drafts/draft-behera-ldap-password-policy-09.txt) page 20.
    Is there anybody out there who has already written a BERdecoder that works with OpenLDAPs passwordpolicyresponse? I tried using the code written for the IBM tivoli server (http://www-128.ibm.com/developerworks/tivoli/library/t-ldap-controls/), but I couldn't get the decoding correct.
    Thanks in advance.
    J�rgen L�kke

    A few posts from openldap.org that help explain some potential problems with password policy:
    http://www.openldap.org/lists/openldap-software/200606/msg00220.html
    http://www.openldap.org/lists/openldap-software/200606/msg00287.html
    Versions prior to 2.3.22 that supported ppolicy have a PasswordPolicyResponseControl tag value of 0xA1 and not 0xA0, so you need 2.3.22+.
    Tried to use the Netscape library class JDAPBERTagDecoder, but it didn't handle tag 0x81:
    http://www.koders.com/java/fid5DD86A39A82ED753BAEC53E84A001BE4D6C6ADF5.aspx?s=JdapBERTagDecoder
    so I slightly modified a version of it and handled the case:
                case 0x81:  /* Context Specific [1] (primitive):
                             * the error field of the password policy
                             * response control, an ENUMERATED read as INTEGER.
                             * THIS IS ERROR FROM PASSWORD CONTROL */
                    element = new BERInteger(stream, bytesRead);
                    implicit[0] = true;
                    break;
    More of that file:
    import java.io.IOException;
    import java.io.InputStream;
    import netscape.ldap.ber.stream.BERElement;
    import netscape.ldap.ber.stream.BERInteger;
    import netscape.ldap.ber.stream.BEROctetString;
    import netscape.ldap.ber.stream.BERSequence;
    import netscape.ldap.ber.stream.BERTagDecoder;

    public class OpenLdapBERTagDecoder extends BERTagDecoder {

        public BERElement getElement(BERTagDecoder decoder, int tag, InputStream stream,
                                     int[] bytesRead, boolean[] implicit) throws IOException {
            BERElement element = null;
            switch (tag) {
                case 0x60:  /* [APPLICATION 0] For Bind Request */
                case 0x61:  /* [APPLICATION 1] Bind Response */
                case 0x63:  /* [APPLICATION 3] Search Request
                             * If doing search without bind first,
                             * x500.arc.nasa.gov returns tag [APPLICATION 3]
                             * in Search Response. Gee. */
                case 0x64:  /* [APPLICATION 4] Search Response */
                case 0x65:  /* [APPLICATION 5] Search Result */
                case 0x67:  /* [APPLICATION 7] Modify Response */
                case 0x69:  /* [APPLICATION 9] Add Response */
                case 0x6a:  /* [APPLICATION 10] Del Request */
                case 0x6b:  /* [APPLICATION 11] Del Response */
                case 0x6d:  /* [APPLICATION 13] ModifyRDN Response */
                case 0x6f:  /* [APPLICATION 15] Compare Response */
                case 0x78:  /* [APPLICATION 23] Extended Response */
                case 0x73:  /* [APPLICATION 19] SearchResultReference */
                    element = new BERSequence(decoder, stream, bytesRead);
                    implicit[0] = true;
                    break;
                case 0x80:  /* Context Specific [0] (primitive), read as INTEGER:
                             * timeBeforeExpiration inside the ppolicy warning */
                    element = new BERInteger(stream, bytesRead);
                    implicit[0] = true;
                    break;
                /* 16/02/97 MS specific */
                case 0x85:  /* Context Specific [5]:
                             * (a) Handle Microsoft v3 referral bugs! (Response)
                             * (b) Handle Microsoft v3 supportedVersion in Bind
                             *     response */
                    element = new BERInteger(stream, bytesRead);
                    implicit[0] = true;
                    break;
                case 0x87:  /* Context Specific [7]:
                             * Handle Microsoft Filter "present" in
                             * search request. */
                    element = new BEROctetString(decoder, stream, bytesRead);
                    implicit[0] = true;
                    break;
                case 0x8a:  /* Context Specific [10]:
                             * Handle extended response */
                    element = new BEROctetString(decoder, stream, bytesRead);
                    implicit[0] = true;
                    break;
                case 0x8b:  /* Context Specific [11]:
                             * Handle extended response */
                    element = new BEROctetString(decoder, stream, bytesRead);
                    implicit[0] = true;
                    break;
                case 0xa3:  /* Context Specific <Construct> [3]:
                             * Handle Microsoft v3 sasl bind request */
                    element = new BERSequence(decoder, stream, bytesRead);
                    implicit[0] = true;
                    break;
                case 0xa7:  /* Context Specific <Construct> [7]:
                             * Handle Microsoft v3 serverCred in
                             * bind response. MS encodes it as SEQUENCE OF
                             * while it should be CHOICE OF. */
                    element = new BERSequence(decoder, stream, bytesRead);
                    implicit[0] = true;
                    break;
                case 0xa0:  /* Context Specific <Construct> [0]:
                             * v3 Server Control.
                             * SEQUENCE of SEQUENCE of {OID  [critical] [value]}
                             * THIS IS WARNING FROM PASSWORD CONTROL */
                    element = new BERSequence(decoder, stream, bytesRead);
                    implicit[0] = true;
                    break;
                case 0x81:  /* Context Specific [1] (primitive):
                             * THIS IS ERROR FROM PASSWORD CONTROL
                             * (also graceAuthNsRemaining inside the warning) */
                    element = new BERInteger(stream, bytesRead);
                    implicit[0] = true;
                    break;
                case 0xa1:  /* Context Specific <Construct> [1]:
                             * v3 Server Control.
                             * SEQUENCE of SEQUENCE of {OID  [critical] [value]} */
                    element = new BERSequence(decoder, stream, bytesRead);
                    implicit[0] = true;
                    break;
                default:
                    throw new IOException("Tag ID not recognised " + Integer.toHexString(tag));
            }
            return element;
        }
    }
    Had to slightly modify the examples from
    http://www-128.ibm.com/developerworks/tivoli/library/t-ldap-controls/ to get OpenLDAP working:
    import java.io.ByteArrayInputStream;
    import java.io.IOException;
    import javax.naming.ldap.Control;
    import javax.naming.ldap.ControlFactory;
    import netscape.ldap.ber.stream.BERElement;
    import netscape.ldap.ber.stream.BERInteger;
    import netscape.ldap.ber.stream.BERSequence;
    import netscape.ldap.ber.stream.BERTag;
    import org.apache.commons.logging.Log;
    import org.apache.commons.logging.LogFactory;

    // The enclosing class name and the LOG field are not shown in the post;
    // they are assumed here so the fragment compiles as a JNDI ControlFactory.
    public class PasswordPolicyControlFactory extends ControlFactory {
        private static final Log LOG = LogFactory.getLog(PasswordPolicyControlFactory.class);

        public Control getControlInstance(Control ctl) {
            Control result = null;
            if (ctl.getID().equals(PasswordPolicyControl.OID)) {
                try {
                    final PasswordPolicyResponseControl rctl = new PasswordPolicyResponseControl();
                    if (ctl.getEncodedValue() != null) {
                        rctl.setEncodedValue(ctl.getEncodedValue());
                        ByteArrayInputStream inStream = new ByteArrayInputStream(ctl.getEncodedValue());
                        OpenLdapBERTagDecoder decoder = new OpenLdapBERTagDecoder();
                        int[] nRead = new int[1];
                        nRead[0] = 0;
                        /* A Sequence: PasswordPolicyResponseValue ::= SEQUENCE { warning [0] ..., error [1] ... } */
                        BERSequence aSeq = (BERSequence) BERElement.getElement(decoder, inStream, nRead);
                        for (int i = 0; i < aSeq.size(); i++) {
                            handleSequenceElement(aSeq.elementAt(i), rctl);
                        }
                    }
                    result = rctl;
                } catch (IOException e) {
                    LOG.info(e);
                }
            }
            return result;
        }

        protected void handleSequenceElement(BERElement element, PasswordPolicyResponseControl target) {
            final BERTag tag = (BERTag) element;
            // warning [0]: OpenLDAP 2.3.22+ sends it as constructed context tag 0xA0, which the
            // decoder above returns as a BERSequence holding one context-tagged INTEGER:
            // [0] timeBeforeExpiration (0x80) or [1] graceAuthNsRemaining (0x81).
            // The original post flagged this branch as unchecked against a live server.
            if (tag.getTag() == 0xa0) {
                final BERSequence sequence = (BERSequence) tag.getValue();
                final BERTag elem = (BERTag) sequence.elementAt(0);
                final BERInteger intValue = (BERInteger) elem.getValue();
                if (elem.getTag() == 0x80) {
                    target.setTimeBeforeExpiration(intValue.getValue());
                } else if (elem.getTag() == 0x81) {
                    target.setGraceLoginsRemaining(intValue.getValue());
                }
            }
            // error [1]: primitive context tag 0x81, decoded as a BERInteger.
            // THIS WORKS, see the openldap.org link above.
            if (tag.getTag() == 0x81) {
                final BERInteger berInteger = (BERInteger) tag.getValue();
                target.setErrorCode(berInteger.getValue());
            }
        }
    }
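    The same decoding done without the Netscape BER classes, as an added stand-alone Python example (not code from this thread, from IBM's article or from OpenLDAP). It walks the tag-length-value structure of the control value directly, following the ASN.1 from draft-behera-ldap-password-policy: an outer SEQUENCE with an optional constructed `warning [0]` (0xA0) wrapping either `timeBeforeExpiration [0]` (0x80) or `graceAuthNsRemaining [1]` (0x81), and an optional primitive `error [1]` (0x81) ENUMERATED. The sample byte strings are constructed by hand for the three shapes a client can receive; anything else, including the 0xA1 tag that the reply above attributes to OpenLDAP before 2.3.22, is rejected rather than guessed at.

```python
# Decoder for the value of the LDAP Password Policy response control
# (OID 1.3.6.1.4.1.42.2.27.8.5.1), per draft-behera-ldap-password-policy:
#
#   PasswordPolicyResponseValue ::= SEQUENCE {
#       warning [0] CHOICE {
#           timeBeforeExpiration [0] INTEGER (0 .. maxInt),
#           graceAuthNsRemaining [1] INTEGER (0 .. maxInt) } OPTIONAL,
#       error   [1] ENUMERATED { passwordExpired (0), ... } OPTIONAL }

PPOLICY_ERRORS = {
    0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
    3: "passwordModNotAllowed", 4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality", 6: "passwordTooShort",
    7: "passwordTooYoung", 8: "passwordInHistory",
}

# Constructed samples (not captured from a server):
SAMPLE_WARNING = bytes.fromhex("30 06 a0 04 80 02 01 2c")          # timeBeforeExpiration = 300 s
SAMPLE_ERROR = bytes.fromhex("30 03 81 01 00")                      # error = passwordExpired
SAMPLE_BOTH = bytes.fromhex("30 08 a0 03 81 01 03 81 01 00")        # 3 grace logins + passwordExpired
SAMPLE_LONG_LEN = bytes.fromhex("30 81 06 a0 04 80 02 01 2c")       # same as SAMPLE_WARNING, long-form length


def read_tlv(buf, pos):
    """Read one BER tag-length-value at buf[pos]; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                                  # long-form length: next n bytes hold the length
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated TLV value")
    return tag, value, pos + length


def ber_int(value):
    """Decode a BER INTEGER/ENUMERATED body (two's complement, big-endian)."""
    if not value:
        raise ValueError("empty INTEGER")
    return int.from_bytes(value, "big", signed=True)


def decode_ppolicy_response(value):
    """Return a dict with any of timeBeforeExpiration, graceAuthNsRemaining, error, errorName."""
    tag, body, end = read_tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("expected exactly one outer SEQUENCE")
    result = {}
    pos = 0
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        if tag == 0xA0:                                # warning [0], constructed
            wtag, wval, wend = read_tlv(inner, 0)
            if wend != len(inner):
                raise ValueError("trailing data inside warning")
            if wtag == 0x80:
                result["timeBeforeExpiration"] = ber_int(wval)
            elif wtag == 0x81:
                result["graceAuthNsRemaining"] = ber_int(wval)
            else:
                raise ValueError("unknown warning choice tag 0x%02x" % wtag)
        elif tag == 0x81:                              # error [1], primitive ENUMERATED
            code = ber_int(inner)
            result["error"] = code
            result["errorName"] = PPOLICY_ERRORS.get(code, "unknown(%d)" % code)
        elif tag == 0xA1:
            raise ValueError("tag 0xa1: encoding of OpenLDAP before 2.3.22 (see thread), not decoded")
        else:
            raise ValueError("unexpected tag 0x%02x in PasswordPolicyResponseValue" % tag)
    return result


def is_malformed(value):
    """True if the control value is rejected by the decoder (used by tests and callers)."""
    try:
        decode_ppolicy_response(value)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    for sample in (SAMPLE_WARNING, SAMPLE_ERROR, SAMPLE_BOTH):
        print(sample.hex(), "->", decode_ppolicy_response(sample))
```

    Keeping the decoder strict matters on the client side: a control value that does not match the expected shape should surface as a decoding error, not be silently mapped to "no warning, no error", since that would hide an expiry or lockout condition from the user.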

  • MQ + OpenLdap: Any working example of LDAP configuration?

    MQ + OpenLdap: Any working example of [LDAP configuration], [LDIF initial data] and [imobjmgr addTopicFactory/addTopic command] files ?
    I'm using Sun MQ3.5 + OpenLdap2.2.20 as jndi remote binding mechanism.
    I've unsuccessfully tried to add a Topic Factory!
    Running the command
         imqobjmgr -i add_ldap_topic_factory.poperties
    I get such an exception:
         javax.naming.OperationNotSupportedException:
         [LDAP: error code 53 - no global superior knowledge];
         remaining name 'cn=myTopicConnectionFactory'
    This is the test configuration adopted using rootdn user to write to LDAP repository:
    #slapd.conf
    include /usr/local/etc/openldap/schema/core.schema
    database     bdb
    suffix          "dc=imq,dc=com"
    rootdn          "cn=Manager,dc=imq,dc=com"
    rootpw          secret
    directory     /usr/local/etc/openldap/var/openldap-data
    index     objectClass     eq
    #test.ldif
    dn: dc=imq,dc=com
    objectClass: dcObject
    objectClass: organization
    dc: imq
    o: imq
    #add_ldap_topic_factory.poperties
    version=2.0
    cmdtype=add
    obj.type=tf
    obj.lookupName=cn=myTopicConnectionFactory
    obj.attrs.imqAddressList=mq://localhost:7676/jms
    objstore.attrs.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
    objstore.attrs.java.naming.provider.url=ldap://localhost:389/o=imq
    objstore.attrs.java.naming.security.principal=cn=Manager,dc=imq,dc=com
    objstore.attrs.java.naming.security.credentials=secret
    objstore.attrs.java.naming.security.authentication=simple
    Thanks for any suggestion,
    Silvano

    Agreed.
    I've been wanting to test the steps and write a tech article on this
    and post it to somewhere on sunsolve.sun.com but have not had
    time yet.
    In any case, the instructions Ken-shi gave are below including
    the 3 files (etang.ldif objectstore.properties slapd.conf). Not sure
    how messy this posting can get due to size of files.
    I'd much rather point you to a sunsolve article but don't want
    to make you wait. When I do post the sunsolve article, this thread
    will be updated with a ptr to it.
    ===Begin instructions===
    Attached please see my working configuration files.
    1.Modify your OpenLdap configuration. (see slapd.conf)
    start OpenLdap: ./slapd
    2.Modify your initial data.( see etang.ldif)
    load initial data: ldapadd -x -D "cn=Manager,dc=etang,dc=com" -W -f
    etang.ldif
    3.ObjectStore properties ( see objectstore.properties )
    create your object store with "Administration" GUI on windows;
    while creating destinations or connection factories, be sure that the
    lookup names start with "cn=".
    ===End instructions===
    ===Begin etang.ldif===
    dn: dc=etang,dc=com
    objectClass: dcObject
    objectClass: organization
    dc: etang
    o: Etang Corporation
    description: The etang corporation
    dn: cn=Manager,dc=etang,dc=com
    objectClass: organizationalRole
    cn: Manager
    description: Directory Manager
    dn: o=IMQ,dc=etang,dc=com
    objectClass: organization
    o: IMQ
    dn: ou=imqusers,o=IMQ,dc=etang,dc=com
    objectClass: organizationalUnit
    ou: imqusers
    dn: cn=admin,ou=imqusers,o=IMQ,dc=etang,dc=com
    objectClass: person
    cn: admin
    sn: admin
    userPassword: admin
    dn: cn=guest,ou=imqusers,o=IMQ,dc=etang,dc=com
    objectClass: person
    cn: guest
    sn: guest
    userPassword: guest
    ===End etang.ldif===
    ===Begin objectstore.properties===
    java.naming.provider.url ldap://10.1.0.195:389/o=IMQ,dc=etang,dc=com
    java.naming.factory.initial com.sun.jndi.ldap.LdapCtxFactory
    java.naming.security.principal cn=admin,ou=imqusers,o=IMQ,dc=etang,dc=com
    java.naming.security.authentication simple
    java.naming.security.credentials admin
    ===End objectstore.properties===
    ===Begin slapd.conf===
    # See slapd.conf(5) for details on configuration options.
    # This file should NOT be world readable.
    include          /usr/local/openldap/etc/schema/core.schema
    include /usr/local/openldap/etc/schema/cosine.schema
    include /usr/local/openldap/etc/schema/inetorgperson.schema
    include /usr/local/openldap/etc/schema/dyngroup.schema
    include /usr/local/openldap/etc/schema/java.schema
    include /usr/local/openldap/etc/schema/nis.schema
    include /usr/local/openldap/etc/schema/misc.schema
    # Define global ACLs to disable default read access.
    # Do not enable referrals until AFTER you have a working directory
    # service AND an understanding of referrals.
    #referral     ldap://root.openldap.org
    pidfile          /usr/local/openldap/var/run/slapd.pid
    argsfile     /usr/local/openldap/var/run/slapd.args
    # Load dynamic backend modules:
    # modulepath     /usr/local/openldap/libexec
    # moduleload     back_bdb.la
    # moduleload     back_ldap.la
    # moduleload     back_ldbm.la
    # moduleload     back_passwd.la
    # moduleload     back_shell.la
    # Sample security restrictions
    #     Require integrity protection (prevent hijacking)
    #     Require 112-bit (3DES or better) encryption for updates
    #     Require 63-bit encryption for simple bind
    # security ssf=1 update_ssf=112 simple_bind=64
    # Sample access control policy:
    #     Root DSE: allow anyone to read it
    #     Subschema (sub)entry DSE: allow anyone to read it
    #     Other DSEs:
    #          Allow self write access
    #          Allow authenticated users read access
    #          Allow anonymous users to authenticate
    #     Directives needed to implement policy:
    # access to dn.base="" by * read
    # access to dn.base="cn=Subschema" by * read
    # access to *
    #     by self write
    #     by users read
    #     by anonymous auth
    # if no access controls are present, the default policy
    # allows anyone and everyone to read anything but restricts
    # updates to rootdn. (e.g., "access to * by * read")
    # rootdn can always read and write EVERYTHING!
    access to * by * write
    # ldbm database definitions
    database     bdb
    suffix          "dc=etang,dc=com"
    rootdn          "cn=Manager,dc=etang,dc=com"
    # Cleartext passwords, especially for the rootdn, should
    # be avoid. See slappasswd(8) and slapd.conf(5) for details.
    # Use of strong authentication encouraged.
    rootpw          secret
    # The database directory MUST exist prior to running slapd AND
    # should only be accessible by the slapd and slap tools.
    # Mode 700 recommended.
    directory     /usr/local/openldap/var/openldap-data
    # Indices to maintain
    index     objectClass     eq
    ===End slapd.conf===
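    Why the first attempt failed and the posted configuration works, as an added Python check (not code from the thread or from Sun MQ). The JNDI provider URL's path becomes the base under which `obj.lookupName` is added, so the original settings try to write `cn=myTopicConnectionFactory,o=imq`, which lies under no suffix slapd serves (`dc=imq,dc=com`); with no naming context and no default referral, slapd answers with the error 53 "no global superior knowledge" quoted above. The working settings put the base at `o=IMQ,dc=etang,dc=com`, inside `dc=etang,dc=com`. The function below reproduces that reasoning offline from the two configurations. Separately, note that the posted slapd.conf grants `access to * by * write`, which lets any bind, including anonymous, modify everything; that is only acceptable on a throwaway test instance.

```python
from urllib.parse import urlsplit, unquote

# Constructed inputs: the two configurations quoted in this thread.
ORIGINAL = {
    "provider_url": "ldap://localhost:389/o=imq",
    "lookup_name": "cn=myTopicConnectionFactory",
    "suffixes": ["dc=imq,dc=com"],
}
WORKING = {
    "provider_url": "ldap://10.1.0.195:389/o=IMQ,dc=etang,dc=com",
    "lookup_name": "cn=myTopicConnectionFactory",
    "suffixes": ["dc=etang,dc=com"],
}


def split_dn(dn):
    """Split a DN into (type, value) RDN pairs, honouring backslash-escaped commas.
    Types and values are lower-cased, which is adequate for dc/o/ou/cn matching."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    rdns = []
    for part in parts:
        if not part.strip():
            continue
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def dn_within(dn, suffix):
    """True if dn equals suffix or is below it (suffix RDNs match the tail of dn)."""
    d, s = split_dn(dn), split_dn(suffix)
    return len(d) >= len(s) and d[-len(s):] == s


def target_dn(provider_url, lookup_name):
    """DN that JNDI will try to create: lookup name relative to the URL's base DN."""
    base = unquote(urlsplit(provider_url).path.lstrip("/"))
    return "%s,%s" % (lookup_name, base) if base else lookup_name


def diagnose(provider_url, lookup_name, suffixes):
    """Report which configured suffix (naming context) would hold the new entry, if any."""
    dn = target_dn(provider_url, lookup_name)
    held = [s for s in suffixes if dn_within(dn, s)]
    if held:
        return {"dn": dn, "naming_context": held[0], "ok": True}
    return {"dn": dn, "naming_context": None, "ok": False,
            "reason": "no configured suffix contains this DN; slapd reports "
                      "error 53 (no global superior knowledge)"}


if __name__ == "__main__":
    print("original:", diagnose(**ORIGINAL))
    print("working: ", diagnose(**WORKING))
```

    Run it against your own `java.naming.provider.url` and the `suffix` lines of slapd.conf before touching imqobjmgr; if `ok` is False the fix is in the URL's base DN or the suffix, not in the object store properties.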

  • Ldap and referral link

    Hi,
    I try to add a new entry in a referral link on an openLdap directory by using java class.
    I ' m able to search and list all the entries in the referral subtree with my search class.
    Does someone have an example which adds a new entry in a referral subtree in Java? That would help me.
    Thx

  • Cannot Access OpenLDAP Directory Server for Windows

    Hi All,
    Need urgent help for connecting to the LDAP server which I installed on my Win 2000 Professional m/c. The LDAP installation was downloaded from the site www.ilex.fr/openldap. I successfully installed it. In the slapd.conf file, I have set the server suffix as dc=mycompany,dc=com and the rootdn is cn=Manager,dc-mycompany,dc=com. I have the following piece of code which tries to list the Java schema in the LDAP directory. The code was downloaded from Sun's JNDI tutorial. The name of the program is
    CreateJavaSchema and it is run by giving the following options:
    -l     List the Java schema in the directory
    -n<dn>      Use <dn> as the distinguished name for authentication
    -p<passwd>     Use <passwd> as the password for authentication
    -a<auth>     Use <auth> as the authentication mechanism. Default is "simple".
    I tried to run the program as java CreateJavaSchema -ncn=Manager,dc=mycompany,dc=com -psecret99
    where secret99 is the root password . However I get the following exception
    javax.naming.CommunicationException: localhost:389. Root exception is java.net.ConnectException: Connection refused: connect
    Can someone help me with this?
    Thanks

    The code... yes.
    Here it is. This code is available from the JNDI tutorial. I run the program by specifying the following command-line arguments:
    java ListJavaSchema -ncn=Manager,dc=mycompany,dc=com -psecret99
    However I get the exception "javax.naming.CommunicationException: localhost:389. Root exception is java.net.ConnectException: Connection refused: connect"
    import javax.naming.*;
    import javax.naming.directory.*;
    import java.util.Hashtable;

    public class ListJavaSchema {
        protected static String dn, passwd, auth;
        protected static boolean netscapebug;
        // NS 4.1 has problems parsing an object class definition which contains
        // a MUST clause without parentheses. The workaround is to add a
        // superfluous value (objectClass) to each MUST clause.
        // It also doesn't like the Octet String syntax (use Binary instead)
        protected static boolean netscape41bug = false;
        // AD supports auxiliary classes in a peculiar way.
        protected static boolean activeDirectorySchemaBug = false;
        protected static boolean traceLdap = false;
        protected static final int LIST = 0;
        protected static final int UPDATE = 1;

        private static String[] allAttrs = {
            "javaSerializedObject",
            "javaFactoryLocation",
            "javaReferenceAddress",
            "javaFactory",
            "javaClassName",
            "javaClassNames",
            "javaDoc",
            "javaSerializedData",
            "javaCodebase",
            "javaFactory",
            "javaReferenceAddress"};

        private static String[] allOCs = {
            "javaObject",
            "javaNamingReference",
            "javaSerializedObject",
            "javaRemoteObject",
            "javaMarshalledObject",
            "javaContainer"};

        public static void main(String[] args) {
            new ListJavaSchema().run(args, allAttrs, allOCs);
        }

        ListJavaSchema() {
        }

        protected void run(String[] args, String[] attrIDs, String[] ocIDs) {
            int cmd = processCommandLine(args);
            try {
                DirContext ctx = signOn();
                System.out.println("Context: " + ctx);
                switch (cmd) {
                case UPDATE:
                    // updateSchema(ctx, attrIDs, ocIDs);
                    break;
                default:
                    showSchema(ctx, attrIDs, ocIDs);
                }
            } catch (NamingException e) {
                e.printStackTrace();
            }
        }

        /**
         * Signs on to directory server using parameters supplied to program.
         * @return The initial context to the server.
         */
        private DirContext signOn() throws NamingException {
            if (dn != null && auth == null) {
                auth = "simple";      // use simple for Netscape
            }
            Hashtable env = new Hashtable();
            env.put(Context.INITIAL_CONTEXT_FACTORY,
                "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.REFERRAL, "follow");
            if (auth != null) {
                env.put(Context.SECURITY_AUTHENTICATION, auth);
                env.put(Context.SECURITY_PRINCIPAL, dn);
                env.put(Context.SECURITY_CREDENTIALS, passwd);
            }
            // Workaround for Netscape schema bugs
            if (netscapebug) {
                env.put("com.sun.naming.netscape.schemaBugs", "true");
            }
            // LDAP protocol tracing
            if (traceLdap) {
                env.put("com.sun.jndi.ldap.trace.ber", System.err);
            }
            System.out.println("HashMap: " + env);
            return new InitialDirContext(env);
        }

        void showSchema(DirContext ctx, String[] attrs, String[] ocs)
            throws NamingException {
            DirContext attrRoot =
                (DirContext) ctx.getSchema("").lookup("AttributeDefinition");
            printSchema(attrRoot, attrs);
            DirContext ocRoot =
                (DirContext) ctx.getSchema("").lookup("ClassDefinition");
            printSchema(ocRoot, ocs);
        }

        private void printSchema(DirContext ctx, String[] ids) {
            for (int i = 0; i < ids.length; i++) {
                try {
                    System.out.print(ids[i] + ": ");
                    // look up one definition per id (the original passed the whole array)
                    System.out.print(ctx.getAttributes(ids[i]));
                } catch (NamingException e) {
                    // definition not present in this directory; leave the line empty
                } finally {
                    System.out.println();
                }
            }
        }

        private int processCommandLine(String[] args) {
            String option;
            boolean schema = false;
            boolean list = false;
            for (int i = 0; i < args.length; i++) {
                option = args[i];
                if (option.startsWith("-h")) {
                    printUsage(null);
                }
                if (option.startsWith("-s")) {
                    schema = true;
                    netscapebug = option.equals("-sn");
                    netscape41bug = option.equals("-sn41");
                    activeDirectorySchemaBug = option.equals("-sad");
                } else if (option.startsWith("-l")) {
                    list = true;
                } else if (option.startsWith("-a")) {
                    auth = option.substring(2);
                } else if (option.startsWith("-n")) {
                    dn = option.substring(2);
                } else if (option.startsWith("-p")) {
                    passwd = option.substring(2);
                } else if (option.startsWith("-trace")) {
                    traceLdap = true;
                } else {
                    // invalid option
                    printUsage("Invalid option");
                }
            }
            if (!schema) {
                return LIST;
            } else {
                return UPDATE;
            }
        }

        protected void printUsage(String msg) {
            printUsageAux(msg, "Java");
        }

        protected void printUsageAux(String msg, String key) {
            if (msg != null) {
                System.out.println(msg);
            }
            System.out.print("Usage: ");
            System.out.println("java [-Djava.naming.provider.url=<ldap_server_url>] \\");
            System.out.println(" Create" + key + "Schema [-h|-l|-s[n|n41|ad]] [-n<dn>] [-p<passwd>] [-a<auth>]");
            System.out.println();
            System.out.println(" -h\t\tPrint the usage message");
            System.out.println(" -l\t\tList the " + key + " schema in the directory");
            System.out.println(" -sn\tUpdate schema:");
            System.out.println(
                "\t\t -sn use workaround for Netscape Directory pre-4.1 schema bug");
            System.out.println(
                "\t\t -sn41 use workaround for Netscape Directory 4.1 schema bug");
            System.out.println(
                "\t\t -sad use workaround for Active Directory schema bug");
            System.out.println(" -n<dn>\tUse <dn> as the distinguished name for authentication");
            System.out.println(" -p<passwd>\tUse <passwd> as the password for authentication");
            System.out.println(" -a<auth>\tUse <auth> as the authentication mechanism");
            System.out.println("\t\t Default is 'simple' if dn specified; otherwise 'none'");
            System.exit(-1);
        }
    }

  • Jabber for Windows openLDAP and Deskphone Control

    Hello all
    I have a new install of 9.1 CUCM, with CUCM IM and Presence. I'm trying to get Jabber for Windows functioning with an openLDAP directory, and also get Deskphone control working. I suspect I missed something in the configuration, as this 9.1 interface is a little different from what I'm used to.
    First of all, does the concept of a Jabber-Config.xml still apply to a 9.1 install, or does the "Service Profile Configuration" in the CUCM interface write the Jabber-config.xml file for you? If my customer uses openLDAP for their LDAP, how should I configure the "Service Profile", or do I still use a jabber-config.xml file?
    I have successfully tied openLDAP into CUCM with Authentication and brought the users into CUCM. I tested Authentication by logging into the End User page for both CUCM and the CUP server, so I know authentication is working. I can log in to Jabber, but when I click on Help > "Connection Status" it shows me only connected to "PRESENCE" and "OUTLOOK ADDRESS BOOK"; my "DIRECTORY" and "DESKPHONE" will not connect.
    Can I actually get a copy of "my jabber-config.xml" file from the CUCM server to see what it looks like?
    Thanks all

    Ok, I have half of the problem resolved. I got Deskphone control working with CTI.
    Still working on the LDAP issue with openLDAP
    My config file looks like so
    <?xml version="1.0" encoding="utf-8"?>
       EDI
       1
       ldap.acme.ca
       389
       backup.acme.ca
       389
       0
       uid=voipldap,ou=Users,dc=acme,dc=ca
       password
       givenname
       (&(objectClass=inetOrgPerson)
       telephonenumber
       uid
       ou=users,dc=acme,dc=ca
    I got this from page 117 of this guide
    http://www.cisco.com/en/US/docs/voice_ip_comm/jabber/Windows/9_1/JABW_BK_CA48EE46_00_cisco-jabber-for-windows-administration.pdf
    The error I'm getting is "invalid credential", but I know the credentials are good because I'm using the same account and path for the CUCM LDAP sync.
    Any help would be appreciated.

  • Jabber for iPhone 9.6 Integration with OpenLDAP

         Hi everyone! I just found an issue when trying to integrate Jabber for iPhone version 9.6 with OpenLDAP; it seems not to be working, and I want to describe my environment as below.
    Using BE6K 9.1 includes,
         - CUCM 9.1.2
         - IM&Presence 9.1
         - Jabber for Windows 9.6 integrated with OpenLDAP using EDI in jabber-config.xml is working properly.
         - Jabber for iPhone 9.6 integrated with OpenLDAP using BDI in jabber-config.xml is not working (cannot look up).
         - Jabber Voice for iPhone and Android can integrate with OpenLDAP, configured in the phone configuration.
         - Neither Jabber can access the photo in OpenLDAP via the "jpegPhoto" attribute.
    By the way, I have also included the jabber-config.xml files for further troubleshooting. Another question: is it possible to include EDI and BDI working together in one jabber-config.xml file?
    The other file is the Jabber for iPhone log from when I tried to search for the word "anu" in the search box:
    -- 2557-02-02 20:48:06.045 DEBUG [3d8d018c] - sidebar search, string is : a   <------ started from this line in my log file for easier troubleshooting.
    If you need more logs or any files for troubleshooting, just tell me. Thanks for reading!
    <Jabber-config.xml>
    <?xml version="1.0" encoding="utf-8"?>
    <config version="1.0">
    <Directory>
    <DirectoryServerType>BDI</DirectoryServerType>
    <BDILDAPServerType>OpenLDAP</BDILDAPServerType>
    <BDIPrimaryServerName>10.0.1.11</BDIPrimaryServerName>
    <BDIServerPort1>389</BDIServerPort1>
    <BDIConnectionUsername>cn=xxx,dc=xxxx,dc=xx,dc=xx</BDIConnectionUsername>
    <BDIConnectionPassword>xxxxxxx</BDIConnectionPassword>
    <BDIUseJabberCredentials>false</BDIUseJabberCredentials>
    <BDIEnableTLS>false</BDIEnableTLS>
    <BDIPredictiveSearchFilter>uid</BDIPredictiveSearchFilter>
    <BDIUserAccountName>uid</BDIUserAccountName>
    <BDIBaseFilter>(&amp;(objectClass=inetOrgPerson)</BDIBaseFilter>
    <BDISearchBase1>ou=users, dc=xxxx,dc=xx,dc=xx</BDISearchBase1>
    <BDIUseANR>false</BDIUseANR>
    <ConnectionType>1</ConnectionType>
    <PrimaryServerName>10.0.1.11</PrimaryServerName>
    <UseWindowsCredentials>0</UseWindowsCredentials>
    <UseSecureConnection>0</UseSecureConnection>
    <SearchBase1>ou=users, dc=xxx,dc=xx,dc=xx</SearchBase1>
    <UserAccountName>uid</UserAccountName>
    <BaseFilter>(&amp;(objectClass=inetOrgPerson)</BaseFilter>
    <PredictiveSearchFilter>uid</PredictiveSearchFilter>
    <ConnectionUsername>cn=xxxx,dc=xxx,dc=xx,dc=xx</ConnectionUsername>
    <ConnectionPassword>xxxxxx</ConnectionPassword>
    <PhotoSource>jpegPhoto</PhotoSource>
    </Directory>
    </config>

    Hi noom_ekkalak ,
    Thanks for your answer!
    I have specified the LDAP parameters in the TCT phone configuration as you said, then tried to connect with the "Directory" setting in Jabber Voice, but it didn't work. I just get the error “Unable to verify account” all the time.   :(
    Besides this, is there anything else I need to specify? How did you specify the Jabber Voice "Directory" parameters?
    Thank you!

  • Problem with OpenLDAP and JNDI

    I'm having a problem working with OpenLDAP and JNDI.
    First I changed LDAP's slapd.conf file:
    suffix          "dc=antipodes,dc=com"
    rootdn          cn=Manager,dc=antipodes,dc=com
    directory     "C:/Program Files/OpenLDAP/data"
    rootpw          secret
    schemacheck off
    Then I used the code below to create the root context:
    package test;
    import javax.naming.Context;
    import javax.naming.InitialContext;
    import javax.naming.NamingException;
    import javax.naming.NameAlreadyBoundException;
    import javax.naming.directory.*;
    import java.util.*;
    public class MakeRoot {
        final static String ldapServerName = "localhost";
        final static String rootdn = "cn=Manager,dc=antipodes,dc=com";
        final static String rootpass = "secret";
        final static String rootContext = "dc=antipodes,dc=com";
        public static void main( String[] args ) {
            // set up environment to access the server
            Properties env = new Properties();
            env.put( Context.INITIAL_CONTEXT_FACTORY,
                     "com.sun.jndi.ldap.LdapCtxFactory" );
            env.put( Context.PROVIDER_URL, "ldap://" + ldapServerName + "/" );
            env.put( Context.SECURITY_PRINCIPAL, rootdn );
            env.put( Context.SECURITY_CREDENTIALS, rootpass );
            try {
                // obtain initial directory context using the environment
                DirContext ctx = new InitialDirContext( env );
                // now, create the root context, which is just a subcontext
                // of this initial directory context. No attributes are given,
                // so the entry has no objectClass: only a server running with
                // schemacheck off accepts this.
                ctx.createSubcontext( rootContext );
            } catch ( NameAlreadyBoundException nabe ) {
                System.err.println( rootContext + " has already been bound!" );
            } catch ( Exception e ) {
                System.err.println( e );
            }
        }
    }
    This worked fine; I could see that by using "LDAP Browser/Editor".
    and then I tried to create group with code:
    package test;
    import java.util.Hashtable;
    import javax.naming.*;
    import javax.naming.ldap.*;
    import javax.naming.directory.*;
    public class MakeGroup {
        public static void main(String[] args) {
            Hashtable<String, String> env = new Hashtable<String, String>();
            String adminName = "cn=Manager,dc=antipodes,dc=com";
            String adminPassword = "secret";
            String ldapURL = "ldap://127.0.0.1:389";
            String groupName = "CN=Evolution,OU=Research,DC=antipodes,DC=com";
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            //set security credentials, note using simple cleartext authentication
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, adminName);
            env.put(Context.SECURITY_CREDENTIALS, adminPassword);
            //connect to my domain controller
            env.put(Context.PROVIDER_URL, ldapURL);
            try {
                // Create the initial directory context
                LdapContext ctx = new InitialLdapContext(env, null);
                // Create attributes to be associated with the new group
                Attributes attrs = new BasicAttributes(true);
                // "group", "samAccountName" and "groupType" are Active Directory
                // schema elements, not part of the stock OpenLDAP schema
                attrs.put("objectClass", "group");
                attrs.put("samAccountName", "Evolution");
                attrs.put("cn", "Evolution");
                attrs.put("description", "Evolutionary Theorists");
                //group types from IAds.h
                int ADS_GROUP_TYPE_GLOBAL_GROUP = 0x0002;
                int ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP = 0x0004;
                int ADS_GROUP_TYPE_LOCAL_GROUP = 0x0004;
                int ADS_GROUP_TYPE_UNIVERSAL_GROUP = 0x0008;
                int ADS_GROUP_TYPE_SECURITY_ENABLED = 0x80000000;
                attrs.put("groupType", Integer.toString(ADS_GROUP_TYPE_UNIVERSAL_GROUP + ADS_GROUP_TYPE_SECURITY_ENABLED));
                // Create the context
                Context result = ctx.createSubcontext(groupName, attrs);
                System.out.println("Created group: " + groupName);
                ctx.close();
            } catch (NamingException e) {
                System.err.println("Problem creating group: " + e);
            }
        }
    }
    I got the error: Problem creating group: javax.naming.directory.InvalidAttributeIdentifierException: [LDAP: error code 17 - groupType: attribute type undefined]; remaining name 'CN=Evolution,OU=Research,DC=antipodes,DC=com'
    I tried by creating organizational unit "ou=Research" from "LDAP Browser/Editor", and then running the same code -> same error.
    also I have tried code for adding users:
    package test;
    import java.util.Hashtable;
    import javax.naming.ldap.*;
    import javax.naming.directory.*;
    import javax.naming.*;
    import javax.net.ssl.*;
    import java.io.*;
    public class MakeUser {
        public static void main(String[] args) {
            Hashtable<String, String> env = new Hashtable<String, String>();
            String adminName = "cn=Manager,dc=antipodes,dc=com";
            String adminPassword = "secret";
            String userName = "cn=Albert Einstein,ou=Research,dc=antipodes,dc=com";
            String groupName = "cn=All Research,ou=Research,dc=antipodes,dc=com";
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            //set security credentials, note using simple cleartext authentication
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, adminName);
            env.put(Context.SECURITY_CREDENTIALS, adminPassword);
            //connect to my domain controller
            env.put(Context.PROVIDER_URL, "ldap://127.0.0.1:389");
            try {
                // Create the initial directory context
                LdapContext ctx = new InitialLdapContext(env, null);
                // Create attributes to be associated with the new user
                Attributes attrs = new BasicAttributes(true);
                //These are the mandatory attributes for a user object
                //Note that Win2K3 will automagically create a random
                //samAccountName if it is not present. (Win2K does not)
                attrs.put("objectClass", "user");
                attrs.put("samAccountName", "AlbertE");
                attrs.put("cn", "Albert Einstein");
                //These are some optional (but useful) attributes
                attrs.put("givenName", "Albert");
                attrs.put("sn", "Einstein");
                attrs.put("displayName", "Albert Einstein");
                attrs.put("description", "Research Scientist");
                attrs.put("userPrincipalName", "[email protected]");
                attrs.put("mail", "[email protected]");
                attrs.put("telephoneNumber", "999 123 4567");
                //some useful constants from lmaccess.h
                int UF_ACCOUNTDISABLE = 0x0002;
                int UF_PASSWD_NOTREQD = 0x0020;
                int UF_PASSWD_CANT_CHANGE = 0x0040;
                int UF_NORMAL_ACCOUNT = 0x0200;
                int UF_DONT_EXPIRE_PASSWD = 0x10000;
                int UF_PASSWORD_EXPIRED = 0x800000;
                //Note that you need to create the user object before you can
                //set the password. Therefore as the user is created with no
                //password, userAccountControl must be set to the following
                //otherwise the Win2K3 password filter will return error 53
                //unwilling to perform.
                attrs.put("userAccountControl", Integer.toString(UF_NORMAL_ACCOUNT + UF_PASSWD_NOTREQD + UF_PASSWORD_EXPIRED + UF_ACCOUNTDISABLE));
                // Create the context
                Context result = ctx.createSubcontext(userName, attrs);
                System.out.println("Created disabled account for: " + userName);
                //now that we've created the user object, we can set the
                //password and change the userAccountControl
                //and because the password can only be set using SSL/TLS
                //let's use StartTLS
                StartTlsResponse tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
                tls.negotiate();
                //set password is an ldap modify operation
                //and we'll update the userAccountControl
                //enabling the account and forcing the user to update their password
                //the first time they log in
                ModificationItem[] mods = new ModificationItem[2];
                //Replace the "unicodePwd" attribute with a new value
                //Password must be both Unicode and a quoted string
                String newQuotedPassword = "\"Password2000\"";
                byte[] newUnicodePassword = newQuotedPassword.getBytes("UTF-16LE");
                mods[0] = new ModificationItem(DirContext.REPLACE_ATTRIBUTE, new BasicAttribute("unicodePwd", newUnicodePassword));
                mods[1] = new ModificationItem(DirContext.REPLACE_ATTRIBUTE, new BasicAttribute("userAccountControl", Integer.toString(UF_NORMAL_ACCOUNT + UF_PASSWORD_EXPIRED)));
                // Perform the update
                ctx.modifyAttributes(userName, mods);
                System.out.println("Set password & updated userAccountControl");
                //now add the user to a group.
                try {
                    ModificationItem member[] = new ModificationItem[1];
                    member[0] = new ModificationItem(DirContext.ADD_ATTRIBUTE, new BasicAttribute("member", userName));
                    ctx.modifyAttributes(groupName, member);
                    System.out.println("Added user to group: " + groupName);
                } catch (NamingException e) {
                    System.err.println("Problem adding user to group: " + e);
                }
                //Could have put tls.close() prior to the group modification
                //but it seems to screw up the connection or context ?
                tls.close();
                ctx.close();
                System.out.println("Successfully created User: " + userName);
            } catch (NamingException e) {
                System.err.println("Problem creating object: " + e);
            } catch (IOException e) {
                System.err.println("Problem creating object: " + e);
            }
        }
    }
    Same error.
    I haven't done any chages to any schema manually.
    I know I'm missing something crucial but have no idea what. I have tried many other code from tutorials from net, but they are all very similar and throwing the same error I showed above.
    thanks in advance for help.

    I've solved this.
    The problem was that all the code was using classes from Microsoft Active Directory, and they are not supported in OpenLDAP (microsoft.schema in OpenLDAP is just for info). Because of this, some fields are not the same in the equivalent classes ("user" and "person").
    so partial code for creating user in root would be:
    import java.util.Hashtable;
    import javax.naming.ldap.*;
    import javax.naming.directory.*;
    import javax.naming.*;
    public class MakeUser {
        public static void main(String[] args) {
            Hashtable<String, String> env = new Hashtable<String, String>();
            String adminName = "cn=Manager,dc=antipodes,dc=com";
            String adminPassword = "secret";
            String userName = "cn=Albert Einstein,ou=newgroup,dc=antipodes,dc=com";
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            //set security credentials, note using simple cleartext authentication
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, adminName);
            env.put(Context.SECURITY_CREDENTIALS, adminPassword);
            //connect to the LDAP server
            env.put(Context.PROVIDER_URL, "ldap://127.0.0.1:389");
            try {
                // Create the initial directory context
                LdapContext ctx = new InitialLdapContext(env, null);
                // Create attributes to be associated with the new user.
                // "user" is not a stock OpenLDAP object class; slapd only takes it
                // here because slapd.conf has schemacheck off.
                Attributes attrs = new BasicAttributes(true);
                attrs.put("objectClass", "user");
                attrs.put("cn", "Albert Einstein");
                attrs.put("userPassword", "Nale");
                attrs.put("sn", "Einstein");
                attrs.put("description", "Research Scientist");
                attrs.put("telephoneNumber", "999 123 4567");
                // Create the context
                Context result = ctx.createSubcontext(userName, attrs);
                System.out.println("Successfully created User: " + userName);
                ctx.close();
            } catch (NamingException e) {
                System.err.println("Problem creating object: " + e);
            }
        }
    }
    Hope this will help anyone.
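
    The failing MakeGroup/MakeUser runs in the question and the fix above both come down to schema: "group", "user", "samAccountName" and "groupType" are Active Directory definitions, and the fix only goes through because schemacheck off lets slapd accept an entry it cannot validate, with userPassword stored in the clear. The following is an added example, not the poster's code and not JNDI, showing what that entry looks like against a stock OpenLDAP schema: a small schema check that returns the result codes slapd uses for an undefined attribute type (17), an unknown objectClass value (21) and a missing MUST attribute (65), the entry rebuilt as inetOrgPerson, and userPassword stored in the {SSHA} form slappasswd produces. The schema table is a hand-copied subset of RFC 4519, RFC 2798 and RFC 2307; the DN and attribute values are the post's own.

```python
import base64
import hashlib
import hmac
import os

# Schema subset transcribed from RFC 4519 (person, organizationalPerson),
# RFC 2798 (inetOrgPerson) and RFC 2307 (posixAccount). Only the attributes
# this example needs are listed; a real server loads the full schema files.
# Attribute names are matched case-sensitively here for brevity.
SCHEMA = {
    "person": {"sup": None, "must": {"sn", "cn"},
               "may": {"userPassword", "telephoneNumber", "description"}},
    "organizationalPerson": {"sup": "person", "must": set(), "may": {"title", "ou", "l"}},
    "inetOrgPerson": {"sup": "organizationalPerson", "must": set(),
                      "may": {"uid", "mail", "givenName", "displayName", "jpegPhoto"}},
    "posixAccount": {"sup": None, "must": {"cn", "uid", "uidNumber", "gidNumber", "homeDirectory"},
                     "may": {"userPassword", "loginShell", "gecos", "description"}},
}

# Result codes from RFC 4511; the diagnostic texts follow slapd's wording.
SUCCESS, UNDEFINED_ATTRIBUTE_TYPE, INVALID_ATTRIBUTE_SYNTAX, OBJECT_CLASS_VIOLATION = 0, 17, 21, 65


def _chain(oc):
    """Yield (name, definition) for oc and every class up its SUP chain."""
    while oc:
        yield oc, SCHEMA[oc]
        oc = SCHEMA[oc]["sup"]


def check_entry(attrs, schemacheck=True):
    """Validate an entry (attribute type -> list of values) the way a
    schema-checking server does. Returns (result_code, diagnostic_text)."""
    if not schemacheck:
        return SUCCESS, "schemacheck off: entry accepted without validation"
    known = {"objectClass"}
    for defn in SCHEMA.values():
        known |= defn["must"] | defn["may"]
    for attr in attrs:                        # error 17, as in the MakeGroup run
        if attr not in known:
            return UNDEFINED_ATTRIBUTE_TYPE, f"{attr}: attribute type undefined"
    classes = attrs.get("objectClass", [])
    for i, oc in enumerate(classes):          # AD's "user" / "group" are unknown here
        if oc not in SCHEMA:
            return INVALID_ATTRIBUTE_SYNTAX, f"objectClass: value #{i} invalid per syntax"
    allowed = {"objectClass"}
    for oc in classes:
        for name, defn in _chain(oc):
            for required in sorted(defn["must"]):
                if required not in attrs:
                    return OBJECT_CLASS_VIOLATION, f"object class '{name}' requires attribute '{required}'"
            allowed |= defn["must"] | defn["may"]
    for attr in attrs:
        if attr not in allowed:
            return OBJECT_CLASS_VIOLATION, f"attribute '{attr}' not allowed"
    return SUCCESS, ""


def ssha(password, salt=None):
    """{SSHA} userPassword value: base64(sha1(password + salt) + salt), 4-byte salt."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a cleartext password against a stored {SSHA} value (constant-time compare)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode("utf-8") + salt).digest(), digest)


def build_user_entry(cn, sn, uid, password, **extra):
    """The entry the fixed MakeUser should add: inetOrgPerson instead of AD's
    'user', and a hashed userPassword instead of the cleartext one."""
    attrs = {"objectClass": ["inetOrgPerson"], "cn": [cn], "sn": [sn], "uid": [uid],
             "userPassword": [ssha(password)]}
    for attr, value in extra.items():
        attrs[attr] = [value]
    return attrs


def to_ldif(dn, attrs):
    """Render the entry as LDIF for ldapadd (values here are plain ASCII)."""
    lines = [f"dn: {dn}"]
    for attr, values in attrs.items():
        lines.extend(f"{attr}: {v}" for v in values)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # What the fixed code above sends: unknown class, cleartext password.
    ad_style = {"objectClass": ["user"], "cn": ["Albert Einstein"], "sn": ["Einstein"],
                "userPassword": ["Nale"], "description": ["Research Scientist"]}
    print(check_entry(ad_style))
    print(check_entry(ad_style, schemacheck=False))
    entry = build_user_entry("Albert Einstein", "Einstein", "aeinstein", "Nale",
                             description="Research Scientist", telephoneNumber="999 123 4567")
    print(check_entry(entry))
    print(to_ldif("cn=Albert Einstein,ou=Research,dc=antipodes,dc=com", entry))
```

    Run as a script it prints (21, 'objectClass: value #0 invalid per syntax') for the AD-style entry, (0, '') for the inetOrgPerson one, and the LDIF that ldapadd would accept with schema checking turned back on. The same MUST/MAY walk is what slapd performs when schemacheck is on, which is why turning it off is a workaround rather than a fix.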

  • Connecting to a remote OpenLDAP server over SSL.

    I've been trying for several weeks now to get a remote OpenLDAP server up and running; configured in such a way that it only allows SSL and requires certificate validation.
    I've created a CA with a self-signed certificate.
    I used that CA to create a server and client certificate.
    The server certificate is in /etc/ssl/certs, has a link by the name of its hash.0 pointing to it; permissions are all correct and /etc/ssl/slapd.conf point to it and the CA certificate.
    The client certificate is on my MacBook Pro in /etc/ssl/certs along with the CA certificate; each of which also has its hash linked to it. /etc/ssl/ldap.conf is set up properly, the permissions are correct, and the following test command ran as my user produces a successful result:
    ldapsearch -v -x -H ldaps://ldap.foo.org -b "dc=foo,dc=org" -d -1
    Now the problem part. I open Directory Utility; go to Services with Advanced Settings enabled. After unlocking it, I click the LDAPv3 and the pencil icon.
    I hit New... in the window that pops up and use ldap.foo.org as servername, SSL box ticked. I hit Continue, and behold; nothing happens.
    That is to say, Directory Utility hangs for a while, after which it goes back to the box I clicked Continue in without any error or warning popping up, but obviously hasn't advanced.
    The server logs indicate my Mac had actually connected; received the server certificate; but didn't send a client certificate at which point the TLS connection got aborted for some reason and the session ended.
    My Mac Console shows something even more bizarre, though:
    11/09/08 23:09:22 com.apple.DirectoryServices[97123] Assertion failed: (ld != NULL), function ldap_search_ext, file search.c, line 76.
    My suspicion is that Directory Utility can't verify the server certificate and aborts the TLS connection. I expect it also uses /etc/openldap/ldap.conf? How can I diagnose the root of this problem?
    Thanks a lot for your assistance; I just can't figure this out and any hint or pointer would be greatly appreciated. It now just looks like OSX does not support a secure LDAP over SSL configuration.
    Though it currently isn't set up to be that way, I'd like to have my client also provide a certificate (CN=lhunath.foo.org) and have the server validate that. For now I've got the server set to:
    TLSVerifyClient never
    (And of course, the client:)
    TLS_REQCERT demand
    Message was edited by: lhunath

    By the way; about the assertion error I get in Console; here's the relevant source of ldap.c. Looks like ld is not set; probably something going wrong before that with setting up the TLS connection, perhaps? Or not?
    /*
     * ldap_search_ext - initiate an ldap search operation.
     * Parameters:
     *   ld    LDAP descriptor
     */
    int
    ldap_search_ext(
        LDAP *ld,
        assert( ld != NULL );

  • How can I modify datas on one OpenLDAP server

    Hello, I am testing Leopard Server 10.5.2; we have one OpenLDAP server on our network with more than 700 users and I can access it in Workgroup Manager. Unfortunately I can't modify the data which is on the OpenLDAP server (only with Workgroup Manager), but I have no authentication problem using Safari and a PHP module (cn=admin..... + password). Is that normal? Can I import the accounts into my OD server? This one is set up as an OD Master. As we have a lot of people on the OpenLDAP server I don't want to recreate them manually.
    Thank you.

    Hi
    Yes, you should be able to do this. Passwords will probably not be transferred over. However, once transferred you can specify a password policy for all users to change their passwords at next login.
    You don't say which existing LDAP server you have. It may be advisable to use a 3rd-party application to transfer users etc. over. I've heard that Excel can be used, although I have always used Passenger.
    Tony

  • How to change a password for an OpenLDAP user, which fails when using Lion's System Preferences?

    The Problem
    Users are unable to change their password using System Preferences -> Users & Groups on a Mac that is connected to an LDAP server (specifically, OpenLDAP).
    This error appears to be a result of OS X 10.7.4 now sending the username of the user rather than their full DN (e.g. it's sending bobsmith, not uid=bobsmith,ou=Users,dc=companyname,dc=com).
    (A bug report for this issue has been filed with Apple and can be seen on OpenRadar at http://openradar.appspot.com/11768796)
    Steps to Reproduce:
    Try to change the password using the System Preferences -> Users & Groups prefpane on Lion. It fails with the following error message:
    The password for the account “bobsmith” was not changed. Your system administrator may not allow you to change your password or there was some other problem with your password. Contact your system administrator for help.
    Expected Results:
    The password should be changed.
    Actual Results:
    The error appears, and on the LDAP server, an error like the following is logged:
    Jun 28 08:42:21 ldap3 slapd[7810]: conn=10518785 op=2 RESULT oid= err=21 text=Invalid DN
    This error appears to be a result of OS X 10.7.4 now sending the username of the user rather than their full DN (e.g. it's sending bobsmith, not uid=bobsmith,ou=Users,dc=companyname,dc=com).
    Notes: This was encountered by someone else over at the AFP548.com forums who ended up patching their LDAP server to resolve the issue. This shouldn't require patching LDAP to resolve, however. Lion needs to (at least have an option to) send the full DN of a user requesting to change their password, not the short username:
    Text from above forum link (in case it is taken down):
    So, I’ve got this OpenLDAP server with network home directories at home that all of my Mac machines authenticate to. Everybody can bounce around to whatever Mac is available. It works great.
    Anyway, with Snow Leopard, I was able to change user passwords via System Preferences. However, that got broken when I upgraded to Lion (amongst other things). Both Snow Leopard and Lion send exop’s to the ldap server, but for whatever reason, the id is screwed up in Lion (or at least, it’s screwed up on the two machines at home I tested this with). Instead of sending the user’s DN, e.g. “uid=user,cn=users,ou=something,dc=somewhere,dc=com”, the ldap server is only sent the uid, e.g. “user”. The ldap server is expecting a DN here, so naturally, it fails with the error “Invalid DN”.
    Bummer.
    So, to work around that, I had to patch OpenLDAP (version 2.4.26 in this case). Now, when my server can’t resolve the id it’s given during a password change, it will look at the bind DN, and if the id string is contained within the bind DN string, it will just use the bind DN as the entry to change. I figured this would still allow me to manually specify password changes via an admin account while still giving users the ability to change their own passwords without having to point them at a webpage (lame).
    I should point out that all my accounts have the uid as part of the DN… I guess if you were doing some kind of crazy SASL mappings, this might not work for you…
    Anyway, here’s the patch in case anyone else is interested… If it works for you, great. If not, oh well.
    -- passwd.c 2011-06-30 11:13:36.000000000 -0400 +++ passwd.lion_compatability.c 2012-02-13 22:48:54.213214617 -0500 @@ -18,4 +18,5 @@  #include +#include  #include @@ -59,4 +60,5 @@ int freenewpw = 0; struct berval dn = BER_BVNULL, ndn = BER_BVNULL; +   ber_int_t err;  assert( ber_bvcmp( &slap_EXOP_MODIFY_PASSWD, &op->ore_reqoid ) == 0 ); @@ -102,11 +104,8 @@  if ( !BER_BVISEMPTY( &id ) ) { -       rs->sr_err = dnPrettyNormal( NULL, &id, &dn, &ndn, op->o_tmpmemctx ); -       id.bv_val[id.bv_len] = idNul; -       if ( rs->sr_err != LDAP_SUCCESS ) { -           rs->sr_text = "Invalid DN"; -           rc = rs->sr_err; -           goto error_return; -       } +       err = dnPrettyNormal( NULL, &id, &dn, &ndn, op->o_tmpmemctx ); +   } + +   if ( !BER_BVISEMPTY( &id ) && (err == LDAP_SUCCESS) ) { op->o_req_dn = dn; op->o_req_ndn = ndn; @@ -116,4 +115,16 @@ ber_dupbv_x( &dn, &op->o_dn, op->o_tmpmemctx ); ber_dupbv_x( &ndn, &op->o_ndn, op->o_tmpmemctx ); +       if ( !BER_BVISEMPTY( &id ) ) { +           /* See if the id matches the bind dn */ +           if ( strstr( dn.bv_val, id.bv_val ) == NULL ) +           { +               rs->sr_err = err; /* From dnPrettyNormal */ +               rs->sr_text = "Invalid DN"; +               rc = rs->sr_err; +               goto error_return; +           } +           Statslog( LDAP_DEBUG_STATS, "%s Invalid id (%s) specified; using bind DN (%s)\n", +                   op->o_log_prefix, id.bv_val, dn.bv_val, 0, 0 ); +       } op->o_req_dn = dn; op->o_req_ndn = ndn; @@ -123,4 +134,8 @@ }  +   if ( !BER_BVISEMPTY( &id ) ) { +       id.bv_val[id.bv_len] = idNul; +   } + if( op->o_bd == NULL ) { if ( qpw->rs_old.bv_val != NULL ) { "
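    Review bot: in the hunk at @@ -59,4 +60,5 @@, `ber_int_t err;` is declared without an initializer and is only assigned inside `if ( !BER_BVISEMPTY( &id ) )`; every later read (`(err == LDAP_SUCCESS)` in the next hunk and `rs->sr_err = err;` in the bind-DN branch) is guarded by the same emptiness test, so the code is correct only because `&&` short-circuits. Declare it as `ber_int_t err = LDAP_SUCCESS;` so the invariant does not depend on the guards staying in place and compilers stop flagging a possibly uninitialized read.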
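    Review bot: in the hunk at @@ -102,11 +104,8 @@, the `id.bv_val[id.bv_len] = idNul;` restore is deleted and only re-added at the end of the function (the @@ -123,4 +134,8 @@ hunk), but the new `goto error_return` in the bind-DN branch sits between those two points, so on the rejected path the NUL written into the request buffer is never put back. Restore the terminator right after `dnPrettyNormal()` as the original did, or before that `goto` as well. It is also worth confirming that `dnPrettyNormal()` leaves `dn`/`ndn` untouched when it fails, since the bind-DN branch now runs after a failed call and overwrites both with `ber_dupbv_x()`.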
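    Review bot: in the hunk at @@ -116,4 +115,16 @@, `strstr( dn.bv_val, id.bv_val )` is a substring test, not a comparison of the id with the bound entry's uid: any id that happens to occur inside the bind DN (`bob`, `dc=com`, even `=`) is accepted and the request is silently redirected to the bind DN. Because the target is always `op->o_dn`, this cannot change another user's password, but it does change what a request means: an administrator bound as `cn=admin,dc=company,dc=com` who sends a malformed id that is a substring of that DN gets their own password changed instead of an `Invalid DN` error, with a `Statslog` line as the only trace. Compare the id against the uid (or RDN value) of the bound entry as a full string and keep returning the error for anything else.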
    UPDATE (still not working, though)
    I tried to change my password with dscl too, like so:
    $ dscl -u bobsmith -p /LDAPv3/ldap -passwd /Users/bobsmith
    ...and this generated the following after I input my current password and a new one:
    Password: New Password: passwd: DS error: eNotYetImplemented DS Error: -14988 (eNotYetImplemented)
    On my OpenLDAP server, it generated:
    Jul  3 11:47:51 ldap slapd[7810]: conn=12282745 fd=1633 ACCEPT from IP=10.0.1.3:64485 (IP=0.0.0.0:636)
    Jul  3 11:47:51 ldap slapd[7810]: conn=12282745 fd=1633 closed (TLS negotiation failure)
    Jul  3 11:47:51 ldap slapd[7810]: conn=12282746 fd=1633 ACCEPT from IP=10.0.1.3:64486 (IP=0.0.0.0:636)
    Jul  3 11:47:51 ldap slapd[7810]: conn=12282746 fd=1633 TLS established tls_ssf=256 ssf=256
    Jul  3 11:47:51 ldap slapd[7810]: conn=12282746 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
    Jul  3 11:47:51 ldap slapd[7810]: conn=12282746 op=0 SRCH attr=supportedSASLMechanisms defaultNamingContext namingContexts schemaNamingContext
    Jul  3 11:47:51 ldap slapd[7810]: conn=12282746 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
    Jul  3 11:47:51 ldap slapd[7810]: conn=12282746 op=1 BIND dn="uid=bobsmith,ou=Users,dc=mycompany,dc=com" method=128
    Jul  3 11:47:51 ldap slapd[7810]: conn=12282746 op=1 BIND dn="uid=bobsmith,ou=Users,dc=mycompany,dc=com" mech=SIMPLE ssf=0
    Jul  3 11:47:51 ldap slapd[7810]: conn=12282746 op=1 RESULT tag=97 err=0 text=
    Jul  3 11:47:56 ldap slapd[7810]: conn=12282746 op=2 SRCH base="ou=Users,dc=mycompany,dc=com" scope=2 deref=0 filter="(&(|(objectClass=posixAccount)(objectClass=inetOrgPerson)(objectClass=shadowAccount))(|(uid=bobsmith)(cn=bobsmith)))"
    Jul  3 11:47:56 ldap slapd[7810]: conn=12282746 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
    Jul  3 11:47:56 ldap slapd[7810]: conn=12282746 op=3 SRCH base="ou=Users,dc=mycompany,dc=com" scope=2 deref=0 filter="(&(|(objectClass=posixAccount)(objectClass=inetOrgPerson)(objectClass=shadowAccount))(|(uid=bobsmith)(cn=bobsmith)))"
    Jul  3 11:47:56 ldap slapd[7810]: conn=12282746 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
    Jul  3 11:47:56 ldap slapd[7810]: conn=12282746 op=4 SRCH base="ou=Users,dc=mycompany,dc=com" scope=2 deref=0 filter="(&(|(objectClass=posixAccount)(objectClass=inetOrgPerson)(objectClass=shadowAccount))(|(uid=bobsmith)(cn=bobsmith)))"
    Jul  3 11:47:56 ldap slapd[7810]: conn=12282746 op=4 SRCH attr=objectClass apple-generateduid uid uidNumber userPassword cn
    Jul  3 11:47:56 ldap slapd[7810]: conn=12282746 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=
    Jul  3 11:47:56 ldap slapd[7810]: conn=12282746 op=5 EXT oid=1.3.6.1.4.1.4203.1.11.1
    Jul  3 11:47:56 ldap slapd[7810]: conn=12282746 op=5 PASSMOD old
    Jul  3 11:47:56 ldap slapd[7810]: conn=12282746 op=5 RESULT oid= err=53 text=old password value is empty
    Jul  3 11:47:56 ldap slapd[7810]: conn=12282746 op=6 UNBIND
    Jul  3 11:47:56 ldap slapd[7810]: conn=12282746 fd=1633 closed
    If I run the same dscl command from a Snow Leopard machine, it works without an error:
    $ dscl -u bobsmith -p /LDAPv3/myldapserver.com -passwd /Users/bobsmith Password: New Password:
    It generates these logs on the server
    Jul  3 12:03:29 ldap slapd[7810]: conn=12293658 fd=1283 ACCEPT from IP=10.0.1.2:51013 (IP=0.0.0.0:636)
    Jul  3 12:03:29 ldap slapd[7810]: conn=12293658 fd=1283 TLS established tls_ssf=256 ssf=256
    Jul  3 12:03:29 ldap slapd[7810]: conn=12293658 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
    Jul  3 12:03:29 ldap slapd[7810]: conn=12293658 op=0 SRCH attr=supportedSASLMechanisms namingContexts dnsHostName krbName
    Jul  3 12:03:29 ldap slapd[7810]: conn=12293658 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
    Jul  3 12:03:29 ldap slapd[7810]: conn=12293658 op=1 UNBIND
    Jul  3 12:03:29 ldap slapd[7810]: conn=12293658 fd=1283 closed
    Jul  3 12:03:29 ldap slapd[7810]: conn=12293659 fd=1283 ACCEPT from IP=10.0.1.2:51014 (IP=0.0.0.0:636)
    Jul  3 12:03:29 ldap slapd[7810]: conn=12293659 fd=1283 TLS established tls_ssf=256 ssf=256
    Jul  3 12:03:29 ldap slapd[7810]: conn=12293659 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
    Jul  3 12:03:29 ldap slapd[7810]: conn=12293659 op=0 SRCH attr=supportedSASLMechanisms namingContexts dnsHostName krbName
    Jul  3 12:03:29 ldap slapd[7810]: conn=12293659 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
    Jul  3 12:03:29 ldap slapd[7810]: conn=12293659 op=1 BIND dn="uid=bobsmith,ou=Users,dc=mycompany,dc=com" method=128
    Jul  3 12:03:29 ldap slapd[7810]: conn=12293659 op=1 BIND dn="uid=bobsmith,ou=Users,dc=mycompany,dc=com" mech=SIMPLE ssf=0
    Jul  3 12:03:29 ldap slapd[7810]: conn=12293659 op=1 RESULT tag=97 err=0 text=
    Jul  3 12:03:31 ldap slapd[7810]: conn=12293659 op=2 SRCH base="ou=Users,dc=mycompany,dc=com" scope=2 deref=0 filter="(&(|(objectClass=posixAccount)(objectClass=inetOrgPerson)(objectClass=shadowAccount))(|(uid=bobsmith)(cn=bobsmith)))"
    Jul  3 12:03:31 ldap slapd[7810]: conn=12293659 op=2 SRCH attr=uid cn
    Jul  3 12:03:31 ldap slapd[7810]: conn=12293659 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
    Jul  3 12:03:31 ldap slapd[7810]: conn=12293659 op=3 SRCH base="ou=Users,dc=mycompany,dc=com" scope=2 deref=0 filter="(&(|(objectClass=posixAccount)(objectClass=inetOrgPerson)(objectClass=shadowAccount))(|(uid=bobsmith)(cn=bobsmith)))"
    Jul  3 12:03:31 ldap slapd[7810]: conn=12293659 op=3 SRCH attr=uid cn
    Jul  3 12:03:31 ldap slapd[7810]: conn=12293659 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
    Jul  3 12:03:31 ldap slapd[7810]: conn=12293659 op=4 SRCH base="ou=Users,dc=mycompany,dc=com" scope=2 deref=0 filter="(&(|(objectClass=posixAccount)(objectClass=inetOrgPerson)(objectClass=shadowAccount))(|(uid=bobsmith)(cn=bobsmith)))"
    Jul  3 12:03:31 ldap slapd[7810]: conn=12293659 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=
    Jul  3 12:03:31 ldap slapd[7810]: conn=12293659 op=5 EXT oid=1.3.6.1.4.1.4203.1.11.1
    Jul  3 12:03:31 ldap slapd[7810]: conn=12293659 op=5 PASSMOD id="uid=bobsmith,ou=Users,dc=mycompany,dc=com" new
    Jul  3 12:03:31 ldap slapd[7810]: conn=12293659 op=5 RESULT oid= err=0 text=
    Jul  3 12:03:31 ldap slapd[7810]: conn=12293659 op=6 SRCH base="ou=Users,dc=mycompany,dc=com" scope=2 deref=0 filter="(&(|(objectClass=posixAccount)(objectClass=inetOrgPerson)(objectClass=shadowAccount))(|(uid=bobsmith)(cn=bobsmith)))"
    Jul  3 12:03:31 ldap slapd[7810]: conn=12293659 op=6 SEARCH RESULT tag=101 err=0 nentries=1 text=
    Jul  3 12:03:32 ldap slapd[7810]: conn=12293659 op=7 UNBIND
    Jul  3 12:03:32 ldap slapd[7810]: conn=12293659 fd=1283 closed
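
    The log above is slapd's "stats" loglevel output: every line is keyed by conn= and op=, a simple bind is logged twice (once with method=128, once with mech=SIMPLE and the SASL ssf), and the Password Modify call shows up as an EXT line with oid 1.3.6.1.4.1.4203.1.11.1 followed by a PASSMOD line. The script below is an added example, not code from the original poster: it groups such lines by connection, pairs each BIND and PASSMOD with its RESULT, and reports simple binds on connections that never logged "TLS established", failed binds (err=49), and who changed whose password. The sample input is constructed: a trimmed copy of conn=12293659 from the post plus a made-up conn=77 for a user "alice" on port 389 without TLS, so that the cleartext-bind check has something to fire on. Note the caveat the code comments on: ssf=0 on the BIND line is the SASL layer, not the transport; the TLS line carries tls_ssf.

```python
"""Reconstruct slapd sessions from OpenLDAP 'stats' log lines.

Added example for this thread, not code from the original post. It groups
lines by conn=, pairs each BIND / PASSMOD with its RESULT line, and reports
cleartext simple binds, failed binds and Password Modify (RFC 3062) calls.
"""
import re

PASSMOD_OID = "1.3.6.1.4.1.4203.1.11.1"  # RFC 3062 Password Modify, the EXT oid in the post
INVALID_CREDENTIALS = 49                 # LDAP resultCode invalidCredentials

# Constructed sample: a trimmed copy of conn=12293659 from the post plus one
# made-up connection (conn=77, user 'alice') that binds on port 389 with no TLS.
SAMPLE_LOG = """\
Jul  3 12:03:29 ldap slapd[7810]: conn=12293659 fd=1283 ACCEPT from IP=10.0.1.2:51014 (IP=0.0.0.0:636)
Jul  3 12:03:29 ldap slapd[7810]: conn=12293659 fd=1283 TLS established tls_ssf=256 ssf=256
Jul  3 12:03:29 ldap slapd[7810]: conn=12293659 op=1 BIND dn="uid=bobsmith,ou=Users,dc=mycompany,dc=com" method=128
Jul  3 12:03:29 ldap slapd[7810]: conn=12293659 op=1 BIND dn="uid=bobsmith,ou=Users,dc=mycompany,dc=com" mech=SIMPLE ssf=0
Jul  3 12:03:29 ldap slapd[7810]: conn=12293659 op=1 RESULT tag=97 err=0 text=
Jul  3 12:03:31 ldap slapd[7810]: conn=12293659 op=5 EXT oid=1.3.6.1.4.1.4203.1.11.1
Jul  3 12:03:31 ldap slapd[7810]: conn=12293659 op=5 PASSMOD id="uid=bobsmith,ou=Users,dc=mycompany,dc=com" new
Jul  3 12:03:31 ldap slapd[7810]: conn=12293659 op=5 RESULT oid= err=0 text=
Jul  3 12:03:32 ldap slapd[7810]: conn=12293659 fd=1283 closed
Jul  3 12:05:00 ldap slapd[7810]: conn=77 fd=1290 ACCEPT from IP=10.0.1.9:40001 (IP=0.0.0.0:389)
Jul  3 12:05:00 ldap slapd[7810]: conn=77 op=0 BIND dn="uid=alice,ou=Users,dc=mycompany,dc=com" method=128
Jul  3 12:05:00 ldap slapd[7810]: conn=77 op=0 BIND dn="uid=alice,ou=Users,dc=mycompany,dc=com" mech=SIMPLE ssf=0
Jul  3 12:05:00 ldap slapd[7810]: conn=77 op=0 RESULT tag=97 err=49 text=
Jul  3 12:05:01 ldap slapd[7810]: conn=77 fd=1290 closed
"""

LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ slapd\[\d+\]: "
                     r"conn=(?P<conn>\d+) (?P<rest>.*)$")
ACCEPT_RE = re.compile(r"^fd=\d+ ACCEPT from IP=(?P<peer>\S+) \(IP=(?P<listener>\S+)\)")
TLS_RE = re.compile(r"^fd=\d+ TLS established tls_ssf=(?P<tls_ssf>\d+)")
# slapd logs a simple bind twice; only the second line carries mech= and the SASL ssf.
BIND_RE = re.compile(r'^op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" mech=(?P<mech>\S+) ssf=(?P<ssf>\d+)')
PASSMOD_RE = re.compile(r'^op=(?P<op>\d+) PASSMOD id="(?P<target>[^"]*)"')
# Bind results look like 'RESULT tag=97 err=0', extended-op results like 'RESULT oid= err=0'.
RESULT_RE = re.compile(r"^op=(?P<op>\d+) RESULT (?:tag=\d+ )?(?:oid=\S* )?err=(?P<err>\d+)")


def parse_sessions(log_text):
    """Return {conn: session}; a session holds peer, listener, tls_ssf, binds, passmods."""
    sessions = {}
    pending = {}  # (conn, op) -> record still waiting for its RESULT line
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn, rest = int(m.group("conn")), m.group("rest")
        s = sessions.setdefault(conn, {"conn": conn, "peer": None, "listener": None,
                                       "tls_ssf": 0, "binds": [], "passmods": []})
        if (a := ACCEPT_RE.match(rest)):
            s["peer"], s["listener"] = a.group("peer"), a.group("listener")
        elif (t := TLS_RE.match(rest)):
            s["tls_ssf"] = int(t.group("tls_ssf"))
        elif (b := BIND_RE.match(rest)):
            rec = {"op": int(b.group("op")), "dn": b.group("dn"), "mech": b.group("mech"),
                   "sasl_ssf": int(b.group("ssf")), "err": None}
            s["binds"].append(rec)
            pending[(conn, rec["op"])] = rec
        elif (p := PASSMOD_RE.match(rest)):
            rec = {"op": int(p.group("op")), "target": p.group("target"), "err": None}
            s["passmods"].append(rec)
            pending[(conn, rec["op"])] = rec
        elif (r := RESULT_RE.match(rest)):
            rec = pending.pop((conn, int(r.group("op"))), None)
            if rec is not None:
                rec["err"] = int(r.group("err"))
    return sessions


def findings(sessions):
    """Return [(conn, severity, message)] for cleartext binds, failed binds and PASSMODs."""
    out = []
    for s in sessions.values():
        for b in s["binds"]:
            # ssf=0 on the BIND line is the SASL layer; transport protection is tls_ssf.
            if b["mech"] == "SIMPLE" and s["tls_ssf"] == 0:
                out.append((s["conn"], "HIGH",
                            f"simple bind as {b['dn']} from {s['peer']} with no TLS: password sent in clear"))
            if b["err"] == INVALID_CREDENTIALS:
                out.append((s["conn"], "MEDIUM", f"failed bind as {b['dn']} from {s['peer']}"))
        for p in s["passmods"]:
            # the actor is the last successful bind on this connection before the PASSMOD op
            earlier = [b["dn"] for b in s["binds"] if b["err"] == 0 and b["op"] < p["op"]]
            actor = earlier[-1] if earlier else "anonymous"
            kind = "self-service" if actor == p["target"] else "administrative"
            status = "succeeded" if p["err"] == 0 else f"failed err={p['err']}"
            out.append((s["conn"], "INFO", f"{kind} password change of {p['target']} by {actor} {status}"))
    return out


if __name__ == "__main__":
    for conn, sev, msg in findings(parse_sessions(SAMPLE_LOG)):
        print(f"conn={conn} {sev}: {msg}")
```

Run against the constructed sample it reports one INFO finding for conn=12293659 (bobsmith changing his own password over a TLS connection, which is what the post's log shows) and a HIGH plus a MEDIUM finding for the made-up conn=77. Feed it a real slapd log by replacing SAMPLE_LOG with the file contents; lines it does not recognise (SRCH, UNBIND, closed) are skipped.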

    Hi Koen,
    I tried to test this, but for me it's working, sorry(!). Here are the details of what I did in case that helps you diagnose...
    # add the 2 test users
    ldapadd -h $my_ldaphost -p $my_ldapport -D $my_adminuid -w $my_adminpwd <<EOF
    dn: cn=TEST_A, cn=Users, dc=myco,dc=com
    sn: TEST_A
    mail: [email protected]
    objectclass: inetorgperson
    objectclass: orcluser
    objectclass: orcluserv2
    objectclass: organizationalperson
    objectclass: person
    objectclass: top
    uid: TEST_A
    cn: TEST_A

    dn: cn=TEST_B, cn=Users, dc=myco,dc=com
    sn: TEST_B
    mail: [email protected]
    objectclass: inetorgperson
    objectclass: orcluser
    objectclass: orcluserv2
    objectclass: organizationalperson
    objectclass: person
    objectclass: top
    cn: TEST_B
    uid: TEST_B
    EOF
    # reset the passwords
    sqlplus /nolog <<EOF
    conn orasso/${orclpasswordattribute}@${my_sid}
    set serveroutput on
    exec wwsso_oid_integration.reset_passwd(p_user => 'TEST_A', p_subscriber_nickname => null, p_newpwd => 'password1');
    exec wwsso_oid_integration.reset_passwd(p_user => 'TEST_B', p_subscriber_nickname => null, p_newpwd => 'password1');
    exit
    EOF
    [oracle@myhost bin]$ ldapbind -D cn=TEST_A,cn=Users,dc=myco,dc=com -w password1
    bind successful
    [oracle@myhost bin]$ ldapbind -D cn=TEST_B,cn=Users,dc=myco,dc=com -w password1
    bind successful

  • OpenLDAP and multiple users sharing same account

    Hello.
    I have been running an OpenLDAP directory for a while now and users' homes live on an NFS share, which causes problems when the same user is logged in to multiple computers at the same time.
    I can tell which users are logged in to which computers and then disable the accounts that are used more than once.
    Is there a way to disallow multiple logins or automatically log users out when they log in to different machines? I have 600+ users.

    Hi
    You need 2 accounts.
    Tony

  • How can I find out which .pst or .ost file iTunes refers to when synchronising with Outlook

    I've switched to an iPhone 4S from my 3GS and would like to "clean" my iTunes sync before I use the new phone. Problem is, that the synchronisation with Outlook 2003 doesn't work anymore. I guess the reason is that iTunes refers to an old .ost or .pst file on my computer. I've got several Outlook profiles and changed from Exchange to POP3. My question: How can I find out which .pst or .ost file iTunes refers to?
    Thanks a lot in advance :-)

    Select the tune and then - Get Info - in the dialog box is a note of the Apple ID used to purchase.
    MJ

  • [OIM 11g R1] OID 11.1.1.5.0 Connector with OpenLDAP: Errors in logs

    I am using the Oracle Internet Directory 11.1.1.5.0 connector with OpenLDAP as my target system.
    Every time I run the "LDAP Connector User search Reconciliation", I see the following error for each user.
    <Feb 21, 2013 3:54:57 PM EST> <Error> <ORACLE.IAM.CONNECTORS.ICFCOMMON.RECON.SEARCHRECONTASK> <BEA-000000> <oracle.iam.connectors.icfcommon.recon.SearchReconTask : handle : Recon event skipped>
    The reconciliation events do get generated in OIM and the reconciliation engine does link the account when a user match is found.
    I am wondering what is causing that error to be thrown and whether if performance of the LDAP reconciliation is affected by this error.

    Any updates? I am facing the same problem.
    thanks in advance
