3 posts tagged 'openLDAP'

  1. 2008.10.29 OpenLDAP structure by CEOinIRVINE
  2. 2008.10.29 OpenLDAP password trouble shooting by CEOinIRVINE
  3. 2008.10.28 openLDAP replication manager password change by CEOinIRVINE

OpenLDAP structure

Hacking 2008. 10. 29. 03:39

A Technical Overview of OpenLDAP

This book is a practically oriented technical book. It is designed to help you get OpenLDAP up and running, and to help you integrate LDAP into your own applications.

We will now begin this transition from the high-level material presented earlier to a more practical examination of the OpenLDAP suite of packages. First, let's take a brief look at the technical structure of OpenLDAP.

The OpenLDAP suite can be broken up into four components:

  • Servers: Provide LDAP services

  • Clients: Manipulate LDAP data

  • Utilities: Support LDAP servers

  • Libraries: provide programming interfaces to LDAP

In the course of this book, we will look at all four of these categories. Here, we will just get an overview:

[Figure from the book: diagram showing how the four components (servers, clients, utilities, libraries) relate to each other]

This diagram explains how these four elements relate to each other.

The Server

The main server in the LDAP suite is SLAPD (the Stand-Alone LDAP Daemon). This server provides access to one or more directory information trees. Clients connect to the server over the LDAP protocol, usually using a network-based connection (though SLAPD provides a UNIX socket listener, too).

A server can store directory data locally, or simply provide (or proxy) access to external sources. Typically, it provides authentication and searching services, and may also support adding, removing, and modifying directory data. It provides fine-grained access control to the directory.

SLAPD is a major focus of this book, and we will discuss it in detail in the chapters to come.

Clients

Clients access LDAP servers over the LDAP network protocol. They function by requesting that the server perform operations on their behalf. Typically, a client will first connect to the directory server, then bind (authenticate), and then perform zero or more other operations (searches, modifications, additions, deletions, and so on) before finally unbinding and disconnecting.

Utilities

Unlike clients, utilities do not perform operations using the LDAP protocol. Instead, they manipulate data at a lower level, and without mediation by the server. They are used primarily to help maintain the server.

Libraries

There are several OpenLDAP libraries that are shared between LDAP applications. The libraries provide LDAP functions to these applications. The clients, utilities, and servers all share access to some of these libraries.

Application Programming Interfaces (APIs) are provided to allow software developers to write their own LDAP-aware applications without having to re-write fundamental LDAP code.

While the APIs provided with OpenLDAP are written in C, the OpenLDAP project also provides two Java APIs. These Java libraries are not included in the OpenLDAP suite, and are not covered in this book. Both, however, can be retrieved from the OpenLDAP website: http://openldap.org.

As we move on through this book we will examine each of these components of the LDAP architecture in detail.

Posted by CEOinIRVINE

OpenLDAP password trouble shooting

Hacking 2008. 10. 29.

aioshin
ok, I have the LDAP server residing on CentOS, and clients on Mandriva boxes... I am able to log in from the client using the users defined on the LDAP server... now I want to allow each LDAP user to change their password with the command

CODE
passwd


but when trying that, it just gives the error below

CODE
[ldapuser3@nixbox ~]$ passwd
Changing password for user ldapuser3.
Enter login(LDAP) password:
New UNIX password:
Retype new UNIX password:
New password:
Re-enter new password:
LDAP password information update failed: Can't contact LDAP server

passwd: Permission denied
[ldapuser3@nixbox ~]$


ok, here's my /etc/openldap/slapd.conf for additional info

CODE
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
# Allow LDAPv2 client connections.  This is NOT the default.
allow bind_v2
loglevel        296
pidfile         /var/run/slapd.pid
argsfile        /var/run/slapd.args
#
database        ldbm
suffix          "dc=duriancity,dc=dvo"
rootdn          "cn=ldapadmin,dc=duriancity,dc=dvo"
rootpw                  {SSHA}POzRnaPcqsdffejfefedlacCVNuC7N99J3+u
directory       /var/lib/ldap/duriancity.dvo
mode            0600
# Indices to maintain for this database
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub


and here's the entries on client pc's /etc/pam.d/system-auth

CODE
#/etc/pam.d/system-auth
#%PAM-1.0

auth        required      pam_env.so
auth        sufficient    pam_unix.so
auth        sufficient    pam_ldap.so likeauth nullok use_first_pass
auth        required      pam_deny.so

account     sufficient    pam_unix.so
account     sufficient    pam_ldap.so use_first_pass
account     required      pam_deny.so

password    required      pam_cracklib.so retry=3 minlen=2  dcredit=0  ucredit=0
password    sufficient    pam_unix.so nullok use_authtok md5 shadow
password    sufficient    pam_ldap.so
password    required      pam_deny.so

session     optional      pam_mkhomedir.so skel=/etc/skel/ umask=0022
session     required      pam_limits.so
session     required      pam_unix.so
session     optional      pam_ldap.so

basically, with the above setup, the Mandriva box allows local users and LDAP users to log in.

Now, any idea what I should put in my config to allow users to change their password using the passwd command?

TIA!
ianw1974
Maybe try:

CODE
ldappasswd


instead.
aioshin
it won't; I still get this when doing ldappasswd

CODE
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)


actually, the server is not yet configured to use SSL...
do I have to configure LDAP to use SSL first before I can allow users to change their password?
ianw1974
I think if it's trying to communicate over SSL, it would need to be able to accept that type of connection.

I'm presuming it's saslauthd service, so should be some sort of option within saslauthd config or even ldap config to ensure that SSL type connections are allowed.

Unfortunately, I've not used ldap extensively, but I believe this would be the cause, from when I've had similar issues trying to get mysqld to authenticate logins with my postfix server.
aioshin
here's the ldap.conf on my client Mandriva box, the part that pertains to SSL:

CODE
# Netscape SDK LDAPS
#ssl on

# Netscape SDK SSL options
#sslpath /etc/ssl/certs/cert7.db

# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
#ssl start_tls
#ssl on

# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is to use libldap's default behavior, which can be configured in
# /etc/openldap/ldap.conf using the TLS_REQCERT setting.  The default for
# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
#tls_checkpeer yes

# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
#tls_cacertfile /etc/ssl/ca.cert


those are commented out, which means ssl or whatever above has no effect since it's not in use...

thanks ian.. maybe I should google more for an answer
ianw1974
Once you've removed the comments, use:

CODE
netstat -tan


to make sure it's listening on port 636. I think you should only need to uncomment the OpenLDAP section.

The way I read it you have two options. One to use SSL on the standard port with tls, or to use SSL with ldaps.
aioshin
ok, the problem has been solved

how?

it's an ACL issue. In my slapd.conf, I added the following:

CODE
access to attr=userPassword
            by self write
            by anonymous auth
            by dn.base="cn=Manager,dc=duriancity,dc=dvo" write
            by * none
access to *
            by self write
            by dn.base="cn=Manager,dc=duriancity,dc=dvo" write
            by * read

Details below for the ACL above, taken from the OpenLDAP docs:
QUOTE
As this is the first database, the controls also apply to entries not held in any database (such as the Root DSE). For all applicable entries, the userPassword attribute is writable by the entry itself and by the "admin" entry. It may be used for authentication/authorization purposes, but is otherwise not readable. All other attributes are writable by the entry and the "admin" entry, but may be read by all users (authenticated or not).

then on the client box, I changed /etc/pam.d/passwd:

original file on Mandriva LE2005

CODE
#%PAM-1.0
auth       required    pam_stack.so service=system-auth
account    required    pam_stack.so service=system-auth
password   required    pam_stack.so service=system-auth

though with the above /etc/pam.d/passwd, the LDAP user is able to change its password using the passwd command, but it prompts for the password many times, which is not normal... see below

CODE
[ldapuser1001@nixbox ken]$ passwd
Changing password for user ldapuser1001.
Enter login(LDAP) password:
New UNIX password:
Retype new UNIX password:
New password:
Re-enter new password:
LDAP password information changed for ldapuser1001
passwd: all authentication tokens updated successfully.


then I found out by googling that I have to change /etc/pam.d/passwd to something like below:

CODE
password        sufficient      pam_ldap.so
password        required        pam_unix.so nullok obscure min=4 max=8


then when ldapuser1001 tries to change its password with the passwd command:

CODE
[ldapuser1001@nixbox ken]$ passwd
Changing password for user ldapuser1001.
Enter login(LDAP) password:
New password:
Re-enter new password:
LDAP password information changed for ldapuser1001
passwd: all authentication tokens updated successfully.

it's now behaving normally.

note that it's a basic install... no TLS, no SSL... so all LDAP traffic uses port 389... and I'm really new to it, so basically, not yet secure
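As an added example that is not part of the thread, here is a small Python audit of slapd.conf `access` directives that checks the properties the ACL fix above depends on: slapd uses the first `access to` clause whose target matches, so the userPassword clause must precede `access to *`, it must grant `self write` and `anonymous auth`, and nothing like `by * read` may expose the hashes. The sample ACL is the one from the post; the function names and the finding texts are my own.

```python
import re

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]  # slapd order
# Constructed sample: the ACL block from the post, in the order it was added.
GOOD_ACL = """\
access to attr=userPassword
        by self write
        by anonymous auth
        by dn.base="cn=Manager,dc=duriancity,dc=dvo" write
        by * none
access to *
        by self write
        by * read
"""

def rank(level):  # a grant implies every lower level; unknown forms such as "=w" rank lowest
    return LEVELS.index(level) if level in LEVELS else -1

def parse_acls(text):
    """[(what, [(who, level), ...])] in file order; an indented line continues the directive."""
    acls = []
    for line in text.splitlines():
        if line.startswith("access to "):
            acls.append((line[len("access to "):].strip(), []))
        elif line[:1].isspace() and acls:
            m = re.match(r"\s*by\s+(.+?)\s+(\S+)\s*$", line)
            if m:
                acls[-1][1].append((m.group(1), m.group(2)))
    return acls

def audit_userpassword(acls):
    """slapd applies the FIRST matching 'access to' clause and, within it, the FIRST matching 'by'."""
    pw = next((i for i, (w, _) in enumerate(acls) if "userpassword" in w.lower()), None)
    catch_all = next((i for i, (w, _) in enumerate(acls) if w == "*"), None)
    if pw is None:
        return ["no userPassword clause: the attribute gets whatever 'access to *' grants"]
    findings = []
    if catch_all is not None and catch_all < pw:
        findings.append("userPassword clause unreachable: 'access to *' comes first")
    bys = acls[pw][1]
    def granted(requester):  # '*' matches everyone; every clause ends with an implicit 'by * none'
        return next((lvl for who, lvl in bys if who in (requester, "*")), "none")
    if rank(granted("self")) < rank("write"):
        findings.append("'by self write' missing: users cannot change their own password")
    if rank(granted("anonymous")) < rank("auth"):
        findings.append("'by anonymous auth' missing: simple binds cannot verify userPassword")
    for who, lvl in bys:
        if who in ("*", "users", "anonymous") and rank(lvl) > rank("auth"):
            findings.append(f"userPassword exposed: 'by {who} {lvl}' lets hashes be read")
    return findings
```

Run `audit_userpassword(parse_acls(open("/etc/openldap/slapd.conf").read()))` against a real file; an empty list means the three checks pass.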
Posted by CEOinIRVINE
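The repeated prompts in the thread come from password-stack modules that each ask for a new password unless given use_authtok; because pam_ldap prompts on its own, the password it stores never went through pam_cracklib. As an added example, not from the thread or the poster, this Python check parses a pam.d password stack (keyword control forms only, not the bracketed form) and flags that, along with nullok and a weak minlen; the sample stack is the system-auth from the post, and the function names are my own.

```python
import shlex

# Constructed sample: the password stack from the post's /etc/pam.d/system-auth.
SYSTEM_AUTH = """\
password    required      pam_cracklib.so retry=3 minlen=2  dcredit=0  ucredit=0
password    sufficient    pam_unix.so nullok use_authtok md5 shadow
password    sufficient    pam_ldap.so
password    required      pam_deny.so
"""

# Modules that prompt for the new password themselves unless told to reuse the
# token an earlier module collected (use_authtok).
PROMPTERS = {"pam_cracklib.so", "pam_pwquality.so", "pam_unix.so", "pam_ldap.so"}
CHECKERS = {"pam_cracklib.so", "pam_pwquality.so"}

def parse_stack(text, facility="password"):
    """Return [(control, module, {option: value})] for one facility, in file order.
    Handles the keyword control forms used on this page, not the [value=action] form."""
    stack = []
    for line in text.splitlines():
        parts = shlex.split(line, comments=True)
        if len(parts) >= 3 and parts[0] == facility:
            opts = dict(p.partition("=")[::2] for p in parts[3:])
            stack.append((parts[1], parts[2], opts))
    return stack

def audit_password_stack(stack):
    """Findings that weaken or bypass the password-change policy."""
    findings = []
    if not any(m in CHECKERS for _, m, _ in stack):
        findings.append("no strength-checking module (pam_cracklib/pam_pwquality) in the stack")
    prompted = False  # has an earlier module already collected the new password?
    for control, module, opts in stack:
        if module in CHECKERS and int(opts.get("minlen", "9")) < 8:
            findings.append(f"{module} minlen={opts['minlen']}: very short passwords pass the check")
        if "nullok" in opts:
            findings.append(f"{module}: nullok permits an empty password")
        if module in PROMPTERS:
            if prompted and "use_authtok" not in opts:
                # The module asks for a new password of its own, so the strength
                # check on the earlier token does not apply to what gets stored.
                findings.append(f"{module}: no use_authtok, prompts again and stores an unchecked password")
            prompted = True
    return findings
```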

openLDAP replication manager password change

Hacking 2008. 10. 28.
ldappasswd -h localhost -D "cn=Manager,dc=ijji,dc=com" -W -vv -S "cn=Replication Manager,dc=ijji,dc=com"

Posted by CEOinIRVINE