Hi Dennis/All, I figured out that why password policies are not working. Th reason is that it did not got loaded successfully in ldap db. I am getting below error..
adding new entry "ou=Policies,dc=j,dc=example=,dc=com" ldap_add: Server is unwilling to perform (53) additional info: no global superior knowledge What i read is that The error no global superior knowledge means that slapd doesn't know where to put your new entry. Not getting what it means and how to fix it. Please help!! Regards Sam On Thursday, 27 February 2014 10:22 AM, saurabh ohri <[email protected]> wrote: Hi Denis, I did following steps in order to get the password policy work, still nothing is working. 1) In my slapd.conf file added below lines: # Password Policy Configuration overlay ppolicy ppolicy_default "cn=default,ou=Policies,dc=j,dc=example,dc=com" ppolicy_use_lockout ppolicy_hash_cleartext # ACL Entry for Password Policies access to attrs=userPassword by self write by anonymous auth by * none access to * by self write by * read 2) Loaded the password policy .ldif file into ldap by ldapadd. O/t of password policy .ldif files is: # Creates a Policies OU (Organizational Unit) dn: ou=Policies,dc=j,dc=cinglevue=,dc=com objectClass: organizationalUnit ou: Policies # Creates a Policy object in Policies OU (Organizational Unit) dn: cn=default,ou=Policies,dc=j,dc=cinglevue,dc=com objectClass: top objectClass: device objectClass: pwdPolicy cn: default pwdAttribute: userPassword pwdMaxAge: 3888000 pwdExpireWarning: 604800 pwdInHistory: 3 pwdCheckQuality: 1 pwdMinLength: 8 pwdMaxFailure: 5 pwdLockout: TRUE pwdLockoutDuration: 1800 pwdGraceAuthNLimit: 0 pwdFailureCountInterval: 0 pwdMustChange: TRUE pwdAllowUserChange: TRUE pwdSafeModify: FALSE Regards Sam On Wednesday, 26 February 2014 8:02 PM, Dennis Leeuw <[email protected]> wrote: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Have a look at the shadow* attributes from the shadowAccount class. Those should help you enforcing password related stuff. For self changes of passwords use an ACL like: access to attrs=userPassword by self write by anonymous auth by * none Greetings, Dennis On 02/26/2014 11:50 AM, Saurabh Ohri wrote: > Thanks Dennis. You ate right the problem is not related to ldap > but was looking for help against it. > > I am able to have successful authentication from ldap on both mac > and windows after trying 50 combinations of configuration 😄 > > But finally it worked and it our effort paid. > > Thanks again and will share the information/ document soon. > > Also it would be of great help if you could share some details on > enforcing password policies like self user password change, force > passed change after first login etc. I did some config but it is > not working even for Linux. > > Thanks Sam > > Sent from my iPhone > >> On 26 Feb 2014, at 4:40 pm, Dennis Leeuw <[email protected]> >> wrote: >> >>>> On 02/26/2014 05:26 AM, saurabh ohri wrote: Hi all, >>>> >>>> I am new to openldap and i manage dto install and configure >>>> the same. My linux client is working well but not able to >>>> authenticate windows and mac clients. >>>> >>>> Have been trying since past 2 days by google and other posts >>>> but still facing issue. Any help would be highly >>>> appreciated. >>>> >>>> Details: using openldap-2.4.23-34 on RHEL6.5 *Client >>>> details:* Mac 10.8.5 -- tried configuring the network account >>>> server but it is showing RED. Error This server is not >>>> responding. Windows 7 – tried installing GINA but it is >>>> giving me invalid credentials error. >>>> >>>> Configuration file on server: Password: # extended LDIF # # >>>> LDAPv3 # base <dc=j,dc=example,dc=com> (default) with scope >>>> subtree # filter: (objectclass=*) # requesting: ALL # >>>> >>>> # j.example.com dn: dc=j,dc=example,dc=com objectClass: top >>>> objectClass: dcObject objectClass: organization o: example >>>> Organization description: example Inc DIT dc: j >>>> >>>> # Users, j.example.com dn: ou=Users,dc=j,dc=example,dc=com >>>> objectClass: organizationalUnit ou: Users >>>> >>>> # Groups, j.example.com dn: ou=Groups,dc=j,dc=example,dc=com >>>> objectClass: organizationalUnit ou: Groups >>>> >>>> # Admins, j.example.com dn: ou=Admins,dc=j,dc=example,dc=com >>>> objectClass: organizationalUnit ou: Admins >>>> >>>> # sohri, Users, j.example.com dn: >>>> uid=sohri,ou=Users,dc=j,dc=example,dc=com uid: sohri cn: >>>> sohri sn: 1 objectClass: top objectClass: posixAccount >>>> objectClass: inetOrgPerson loginShell: /bin/bash >>>> homeDirectory: /home/sohri uidNumber: 15000 gidNumber: 10000 >>>> userPassword:: >>>> e1NTSEF9eWdkWExpZUdIT01YRytRM3ZmZWdNY3QwSmd2bFNqSkcg mail: >>>> [email protected] gecos: Local User >>>> >>>> # tpearce, Users, j.example.com dn: >>>> uid=tpearce,ou=Users,dc=j,dc=example,dc=com uid: tpearce cn: >>>> tpearce sn: 2 objectClass: top objectClass: posixAccount >>>> objectClass: inetOrgPerson loginShell: /bin/bash >>>> homeDirectory: /home/tpearce uidNumber: 15001 gidNumber: >>>> 10000 userPassword:: >>>> e1NTSEF9eWdkWExpZUdIT01YRytRM3ZmZWdNY3QwSmd2bFNqSkc= mail: >>>> [email protected] gecos: local User >>>> >>>> # ldapusers, Groups, j.example.com dn: >>>> cn=ldapusers,ou=Groups,dc=j,dc=example,dc=com objectClass: >>>> posixGroup objectClass: top cn: ldapusers userPassword:: >>>> e2NyeXB0fXg= gidNumber: 10000 memberUid: uid=sohri memberUid: >>>> uid=tpearce >>>> >>>> # search result search: 2 result: 0 Success >>>> >>>> # numResponses: 8 # numEntries: 7 >>>> >>>> >>>> Regards Sam > > Windows is created to work against an Active Directory system, > meaning you have an LDAP authorization and Kerberos > authentication. Connecting Windows to a LDAP for both is > problematic to say the least. The easiest solution is using SAMBA > against LDAP and make the Windows systems login against the SAMBA > server. If you like to make it work with GINA, contact them, and to > understand what is going on you might want to read: > http://pig.made-it.com/win-boot-test.html No guarantees, I did my > best to document what is happening. Hope I did it right. > > Mac OS X did once work against LDAP, I have no idea what the > current state is. On 10.6.5 go to Preferences, Accounts. Click > Login Options go to Account Server and click Join. Select > OpenDirectory utility. Click LDAPv3 and click the edit button. > Click show options, click New, type the address of your ldap > server. Give your account credentias, pick template RFC 2307, set > search base. And your done... > > And finaly: None of your problems is OpenLDAP related since it > works on your Linux machine. > > Greetings, > > Dennis >> >> ------------------------------------------------------------------------------ >> >> >> >> De informatie opgenomen in dit bericht kan vertrouwelijk zijn en is >> uitsluitend bestemd voor de geadresseerde. Indien u dit bericht >> onterecht ontvangt, wordt u verzocht de inhoud niet te gebruiken >> en de afzender direct te informeren door het bericht te >> retourneren. Het Universitair Medisch Centrum Utrecht is een >> publiekrechtelijke rechtspersoon in de zin van de W.H.W. (Wet >> Hoger Onderwijs en Wetenschappelijk Onderzoek) en staat >> geregistreerd bij de Kamer van Koophandel voor Midden-Nederland >> onder nr. 30244197. >> >> Denk s.v.p aan het milieu voor u deze e-mail afdrukt. >> >> ------------------------------------------------------------------------------ >> >> >> >> This message may contain confidential information and is intended exclusively >> for the addressee. If you receive this message unintentionally, >> please do not use the contents but notify the sender immediately >> by return e-mail. University Medical Center Utrecht is a legal >> person by public law and is registered at the Chamber of Commerce >> for Midden-Nederland under no. 30244197. >> >> Please consider the environment before printing this e-mail. >> - -- ICT Medewerker Divisie Biomedische Genetica UMC Utrecht Heidelberglaan 100 STR2.126 3584 CX Utrecht The Netherlands 06 27744048 intern: 64048 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBAgAGBQJTDczPAAoJEMVYYpdbQscom+AH/j3irlTH6Fh5hM0yncYXJ8dk 0jhwMdNRTl1TXwGm1Bl+30Vff/WGzGElPtZ9ob/UnhRmHvyhZXihm7WbOv5t9lYv fiKEJUB2zp0jdigIvLPFI7ScGtXuBuSmndiuPVGDkaeELhIHyvTNAXxNnZ0SXal6 PZVNxP0qzMaYAGpO9V5m/GJuvFta/z7M1p5id6NYSzsrzfWbcJJNCkMLoYjIGRBo eoUUFTVRxZLSdnUu5UPrxSj76F537KIx1x5s7OVhlj7mZpI4bCr9Tk/hdd3+TRJS kQpkeKdrCc/A/fKXTaLl2SLu48ELkwdZHLwmc0O8/ZEaECLyIAsDduGfY+wNm4E= =fYo2 -----END PGP SIGNATURE-----
