Re: Password policy

2016-01-28 Thread Emmanuel Lécharny
On 29/01/16 02:26, akary...@yahoo.gr wrote:
> Hi,
> I'd like to enforce some rules for password values (such as use of at least 2 
> capitals, 1 number, 1 symbol, etc). Is it possible to do this with 
> configuration in the server? I've seen the password policy view in Apache 
> Directory Studio but it doesn't have anything like that.

No, it's not a policy you can enforce atm. That would require some
extension to the server.

> If it's not configurable out of the box, is there maybe an API that one could 
> use to write a custom "plugin" class that would be invoked whenever an 
> attempt to change the userPassword attribute's value is made?
You can replace the PasswordValidator that is used by default. There is
an interface
(http://directory.apache.org/apacheds/gen-docs/2.0.0-M20/apidocs/org/apache/directory/server/core/api/authn/ppolicy/PasswordValidator.html)
that can be implemented (here is the code for the default impl:
http://directory.apache.org/apacheds/gen-docs/2.0.0-M20/xref/org/apache/directory/server/core/api/authn/ppolicy/DefaultPasswordValidator.html).

Once you have created your own validator, you have to modify the server
configuration to tell the server what class to use to run a custom
validator: feed the ads-pwdValidator attribute with your password
validator's FQCN. The parameter is described on
http://directory.apache.org/apacheds/advanced-ug/2.1-config-description.html#password-policies
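As an added example (not code from this thread, from the ApacheDS project or from its documentation), here is what a validator enforcing the rules asked about could look like. The package and class names are hypothetical. The validate(String password, Entry entry) signature, the PasswordPolicyException constructor and the PasswordPolicyErrorEnum import follow the M20 DefaultPasswordValidator linked above as I recall it, so compare against that xref for your server version; how the RDN value is read off the Dn differs between API versions and is marked in the code. The configuration DN in the class comment is the one a stock config.ldif uses for the default policy and is an assumption to verify in Studio before applying it.

```java
// Added example, not ApacheDS project code. Package and class names are hypothetical.
package com.example.ppolicy;

import org.apache.directory.api.ldap.extras.controls.ppolicy.PasswordPolicyErrorEnum;
import org.apache.directory.api.ldap.model.entry.Entry;
import org.apache.directory.server.core.api.authn.ppolicy.PasswordPolicyException;
import org.apache.directory.server.core.api.authn.ppolicy.PasswordValidator;

/**
 * Complexity validator: at least 2 upper-case letters, 1 digit and 1 symbol,
 * plus the rule the default validator already applies (no user name inside
 * the password). Wire it in with an LDIF modify against the config partition
 * (assumed DN of the default policy entry, check it in Studio):
 *
 *   dn: ads-pwdId=default,ads-pwdPolicies,ads-interceptorId=authenticationInterceptor,
 *    ou=interceptors,ads-directoryServiceId=default,ou=config
 *   changetype: modify
 *   replace: ads-pwdValidator
 *   ads-pwdValidator: com.example.ppolicy.ComplexityPasswordValidator
 */
public class ComplexityPasswordValidator implements PasswordValidator {

    private static final int MIN_UPPER = 2;
    private static final int MIN_DIGITS = 1;
    private static final int MIN_SYMBOLS = 1;

    /** Invoked by the server when a userPassword value is added or modified and quality checking is on. */
    @Override
    public void validate(String password, Entry entry) throws PasswordPolicyException {
        String problem = check(password, rdnValue(entry));
        if (problem != null) {
            // Same error code the default validator raises; the message is what the client sees.
            throw new PasswordPolicyException(problem,
                    PasswordPolicyErrorEnum.INSUFFICIENT_PASSWORD_QUALITY.getValue());
        }
    }

    /**
     * Pure rule check, kept free of server types so it can be unit tested without
     * starting ApacheDS. Returns null when the password is acceptable, otherwise
     * the reason. Iterates over Unicode code points, so one supplementary-plane
     * character counts as one symbol rather than as two surrogate "symbols".
     */
    static String check(String password, String username) {
        if (password == null || password.isEmpty()) {
            return "password must not be empty";
        }
        int upper = 0, digits = 0, symbols = 0;
        for (int i = 0; i < password.length(); ) {
            int cp = password.codePointAt(i);
            i += Character.charCount(cp);
            if (Character.isUpperCase(cp)) {
                upper++;
            } else if (Character.isDigit(cp)) {
                digits++;
            } else if (!Character.isLetterOrDigit(cp) && !Character.isWhitespace(cp)) {
                symbols++;
            }
        }
        if (upper < MIN_UPPER) {
            return "password needs at least " + MIN_UPPER + " upper-case letters";
        }
        if (digits < MIN_DIGITS) {
            return "password needs at least " + MIN_DIGITS + " digit";
        }
        if (symbols < MIN_SYMBOLS) {
            return "password needs at least " + MIN_SYMBOLS + " symbol";
        }
        // Keep the default validator's rule: the password must not contain the user name.
        if (username != null && username.length() >= 4
                && password.toLowerCase().contains(username.toLowerCase())) {
            return "password must not contain the user name";
        }
        return null;
    }

    /** RDN value of the entry being changed (e.g. "jdoe" for uid=jdoe,ou=users,...), or null. */
    private static String rdnValue(Entry entry) {
        if (entry == null || entry.getDn() == null || entry.getDn().isEmpty()) {
            return null;
        }
        // Assumption: Rdn.getValue() yields the RDN value in this API version; the
        // DefaultPasswordValidator source linked above shows the exact call for yours.
        return String.valueOf(entry.getDn().getRdn().getValue());
    }
}
```

The compiled class has to be on the server's classpath (assumption: a jar in the installation's lib directory) before the ads-pwdValidator change and a restart. Two caveats worth knowing before relying on it: the validator is only consulted when the policy's ads-pwdCheckQuality is non-zero, and it can only inspect a password the client sent in clear; if a client writes an already-hashed userPassword value, a check-quality setting of 1 lets it through unchecked while 2 rejects it, as I understand the ppolicy semantics ApacheDS follows. A minimum length is better expressed with the existing ads-pwdMinLength attribute than hard-coded here.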





Re: DHCP using Apache directory server

2016-01-28 Thread Emmanuel Lécharny
On 28/01/16 15:46, Sherman Lilly wrote:
> How do I do that?

Assuming that you have a backup of your database content in LDIF
format, just delete the existing data from your disk (/instance//partitions/)

Typically, on my linux box :

/opt/apacheds-2.0.0-M22-SNAPSHOT/instances/default/partitions/example :
[root@brie example]# ll
total 620
-rw-r--r--. 1 root root     0 Jan 27 15:55 0.9.2342.19200300.100.1.1.db
-rw-r--r--. 1 root root 41362 Jan 27 15:55 0.9.2342.19200300.100.1.1.lg
-rw-r--r--. 1 root root   222 Jan 27 15:55 0.9.2342.19200300.100.1.1-uid.txt
-rw-r--r--. 1 root root     0 Jan 27 15:55 0.9.2342.19200300.100.1.25.db
-rw-r--r--. 1 root root   257 Jan 27 15:55 0.9.2342.19200300.100.1.25-dc.txt
-rw-r--r--. 1 root root 41362 Jan 27 15:55 0.9.2342.19200300.100.1.25.lg
-rw-r--r--. 1 root root   273 Jan 27 15:55 1.3.6.1.4.1.18060.0.4.1.2.3-apachePresence.txt
-rw-r--r--. 1 root root     0 Jan 27 15:55 1.3.6.1.4.1.18060.0.4.1.2.3.db
-rw-r--r--. 1 root root 41362 Jan 27 15:55 1.3.6.1.4.1.18060.0.4.1.2.3.lg
-rw-r--r--. 1 root root   264 Jan 27 15:55 1.3.6.1.4.1.18060.0.4.1.2.50-apacheRdn.txt
-rw-r--r--. 1 root root     0 Jan 27 15:55 1.3.6.1.4.1.18060.0.4.1.2.50.db
-rw-r--r--. 1 root root 41362 Jan 27 15:55 1.3.6.1.4.1.18060.0.4.1.2.50.lg
-rw-r--r--. 1 root root   211 Jan 27 15:55 1.3.6.1.4.1.18060.0.4.1.2.5-apacheOneAlias.txt
-rw-r--r--. 1 root root     0 Jan 27 15:55 1.3.6.1.4.1.18060.0.4.1.2.5.db
-rw-r--r--. 1 root root 41362 Jan 27 15:55 1.3.6.1.4.1.18060.0.4.1.2.5.lg
-rw-r--r--. 1 root root   208 Jan 27 15:55 1.3.6.1.4.1.18060.0.4.1.2.6-apacheSubAlias.txt
-rw-r--r--. 1 root root     0 Jan 27 15:55 1.3.6.1.4.1.18060.0.4.1.2.6.db
-rw-r--r--. 1 root root 41362 Jan 27 15:55 1.3.6.1.4.1.18060.0.4.1.2.6.lg
-rw-r--r--. 1 root root   204 Jan 27 15:55 1.3.6.1.4.1.18060.0.4.1.2.7-apacheAlias.txt
-rw-r--r--. 1 root root     0 Jan 27 15:55 1.3.6.1.4.1.18060.0.4.1.2.7.db
-rw-r--r--. 1 root root 41362 Jan 27 15:55 1.3.6.1.4.1.18060.0.4.1.2.7.lg
-rw-r--r--. 1 root root     0 Jan 27 15:55 1.3.6.1.4.1.4203.666.1.7.db
-rw-r--r--. 1 root root   246 Jan 27 15:55 1.3.6.1.4.1.4203.666.1.7-entryCSN.txt
-rw-r--r--. 1 root root 41362 Jan 27 15:55 1.3.6.1.4.1.4203.666.1.7.lg
-rw-r--r--. 1 root root     0 Jan 27 15:55 1.3.6.1.4.1.5322.10.1.1.db
-rw-r--r--. 1 root root   215 Jan 27 15:55 1.3.6.1.4.1.5322.10.1.1-krb5PrincipalName.txt
-rw-r--r--. 1 root root 41362 Jan 27 15:55 1.3.6.1.4.1.5322.10.1.1.lg
-rw-r--r--. 1 root root   148 Jan 27 15:55 2.5.18.5-administrativeRole.txt
-rw-r--r--. 1 root root     0 Jan 27 15:55 2.5.18.5.db
-rw-r--r--. 1 root root 41362 Jan 27 15:55 2.5.18.5.lg
-rw-r--r--. 1 root root     0 Jan 27 15:55 2.5.4.0.db
-rw-r--r--. 1 root root 41362 Jan 27 15:55 2.5.4.0.lg
-rw-r--r--. 1 root root   184 Jan 27 15:55 2.5.4.0-objectClass.txt
-rw-r--r--. 1 root root     0 Jan 27 15:55 2.5.4.11.db
-rw-r--r--. 1 root root 41362 Jan 27 15:55 2.5.4.11.lg
-rw-r--r--. 1 root root   257 Jan 27 15:55 2.5.4.11-ou.txt
-rw-r--r--. 1 root root 40960 Jan 27 15:55 master.db
-rw-r--r--. 1 root root     8 Jan 27 15:55 master.lg


Just get rid of all that. They will be recreated when you inject the
LDIF that contains your data.




Re: DHCP using Apache directory server

2016-01-28 Thread Emmanuel Lécharny
On 29/01/16 00:45, Sherman Lilly wrote:
> I haven't installed any relevant data that is important. So deleting the
> database is not important, but how do I start anew and make that
> modification to the dhcp schema and have the server start up properly? Since it
> wasn't working I didn't load any data yet. This is just to see if I can get it
> to work with DHCP lookup.
Once you have blanked your data and restarted the server, you
should be able to modify your schema, stop and restart the server, and
then reinject the data into the started server.



Re: DHCP using Apache directory server

2016-01-28 Thread Hal Deadman
There may be an easier way to get an LDIF dump but I have this method run
nightly by a Spring task in an LDAP related web application. I haven't
switched over to ApacheDS in production but I use this against 389-ds in
production and ApacheDS in development. This dumps people, groups and
organization units to a daily rolling log file (configured via logback). It
helps me sleep easier with my current single directory server and it is
what is making me comfortable enough to switch to ApacheDS, knowing that if
there is a corruption I can recover from a recent backup. I don't recall
why I used ldaptive instead of ApacheDS ldif functionality. This wouldn't
handle a really large directory because it's reading the entire directory
into memory and writing everything to a String before logging it. The
directory I am using it on has less than 1500 entries, mostly people.


import java.io.IOException;
import java.io.StringWriter;
import java.util.Collection;
import java.util.Map;
import java.util.TreeMap;

import org.apache.commons.lang.StringUtils;
import org.ldaptive.Connection;
import org.ldaptive.DefaultConnectionFactory;
import org.ldaptive.LdapEntry;
import org.ldaptive.LdapException;
import org.ldaptive.Response;
import org.ldaptive.SearchFilter;
import org.ldaptive.SearchRequest;
import org.ldaptive.SearchResult;
import org.ldaptive.SearchScope;
import org.ldaptive.control.util.PagedResultsClient;
import org.ldaptive.io.LdifWriter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class LdifDumper {
    // Dedicated logger name: logback routes "LDIF_BACKUP" to the daily rolling backup file.
    private static final Logger LDIF_BACKUP = LoggerFactory.getLogger("LDIF_BACKUP");

    private static final Logger logger = LoggerFactory.getLogger(LdifDumper.class);

    public void dumpLdif(DefaultConnectionFactory connectionFactory, String baseDn) {
        // One paged search per object class, containers first, so the dump can be
        // replayed top-down.
        String[] objectClasses = { "domain", "organizationalunit", "groupOfUniqueNames", "person" };

        StringWriter writer = new StringWriter();
        LdifWriter ldifWriter = new LdifWriter(writer);
        try (Connection conn = connectionFactory.getConnection()) {
            conn.open();
            PagedResultsClient client = new PagedResultsClient(conn, 500);
            for (String objectClass : objectClasses) {
                Map<String, LdapEntry> entryMap = new TreeMap<>();
                SearchFilter filter = new SearchFilter("(objectclass=" + objectClass + ")");
                SearchRequest request = new SearchRequest(baseDn, filter);
                request.setSearchScope(SearchScope.SUBTREE);
                Response<SearchResult> response = client.executeToCompletion(request);
                Collection<LdapEntry> entries = response.getResult().getEntries();
                for (LdapEntry ldapEntry : entries) {
                    String dn = ldapEntry.getDn();
                    // hack - prefix the DN with its comma count so higher-level entries sort first
                    // (e.g. create ou=Groups before ou=Groups,ou=App1). Zero-padded so that a
                    // depth of 10 does not sort before a depth of 2; an escaped comma inside an
                    // RDN value would still be over-counted.
                    int commaCount = StringUtils.countMatches(dn, ",");
                    entryMap.put(String.format("%03d%s", commaCount, dn), ldapEntry);
                }
                // print out sorted entries
                for (LdapEntry entry : entryMap.values()) {
                    ldifWriter.write(new SearchResult(entry));
                }
            }
            LDIF_BACKUP.info(writer.toString());
        } catch (LdapException | IOException e) {
            logger.error("Error dumping users to ldif: " + e.getMessage(), e);
        }
    }
}



On Thu, Jan 28, 2016 at 12:00 PM, Emmanuel Lécharny wrote:

> On 28/01/16 15:46, Sherman Lilly wrote:
> > How do I do that?
>
> Assuming that you have a backup of your database content in a LDIF
> format, just delete the existing data from your disk ( root>/instance//partitions/)
>
> Typically, on my linux box :
>
> /opt/apacheds-2.0.0-M22-SNAPSHOT/instances/default/partitions/example :
> [root@brie example]# ll
> total 620
> -rw-r--r--. 1 root root 0 Jan 27 15:55 0.9.2342.19200300.100.1.1.db
> -rw-r--r--. 1 root root 41362 Jan 27 15:55 0.9.2342.19200300.100.1.1.lg
> -rw-r--r--. 1 root root   222 Jan 27 15:55
> 0.9.2342.19200300.100.1.1-uid.txt
> -rw-r--r--. 1 root root 0 Jan 27 15:55 0.9.2342.19200300.100.1.25.db
> -rw-r--r--. 1 root root   257 Jan 27 15:55
> 0.9.2342.19200300.100.1.25-dc.txt
> -rw-r--r--. 1 root root 41362 Jan 27 15:55 0.9.2342.19200300.100.1.25.lg
> -rw-r--r--. 1 root root   273 Jan 27 15:55
> 1.3.6.1.4.1.18060.0.4.1.2.3-apachePresence.txt
> -rw-r--r--. 1 root root 0 Jan 27 15:55 1.3.6.1.4.1.18060.0.4.1.2.3.db
> -rw-r--r--. 1 root root 41362 Jan 27 15:55 1.3.6.1.4.1.18060.0.4.1.2.3.lg
> -rw-r--r--. 1 root root   264 Jan 27 15:55
> 1.3.6.1.4.1.18060.0.4.1.2.50-apacheRdn.txt
> -rw-r--r--. 1 root root 0 Jan 27 15:55 1.3.6.1.4.1.18060.0.4.1.2.50.db
> -rw-r--r--. 1 root root 41362 Jan 27 15:55 1.3.6.1.4.1.18060.0.4.1.2.50.lg
> -rw-r--r--. 1 root root   211 Jan 27 15:55
> 1.3.6.1.4.1.18060.0.4.1.2.5-apacheOneAlias.txt
> -rw-r--r--. 1 root root 0 Jan 27 15:55 1.3.6.1.4.1.18060.0.4.1.2.5.db
> -rw-r--r--. 1 root root 41362 Jan 27 15:55 1.3.6.1.4.1.18060.0.4.1.2.5.lg
> -rw-r--r--. 1 root root   208 Jan 27 15:55
> 1.3.6.1.4.1.18060.0.4.1.2.6-apacheSubAlias.txt
> -rw-r--r--. 1 root root 0 Jan 27 15:55 1.3.6.1.4.1.18060.0.4.1.2.6.db
> -rw-r--r--. 1 root root 41362 Jan 27 15:55 

Re: DHCP using Apache directory server

2016-01-28 Thread Sherman Lilly
I haven't installed any relevant data that is important. So deleting the
database is not important, but how do I start anew and make that
modification to the dhcp schema and have the server start up properly? Since it
wasn't working I didn't load any data yet. This is just to see if I can get it
to work with DHCP lookup.
On Jan 28, 2016 12:00 PM, "Emmanuel Lécharny" wrote:

> On 28/01/16 15:46, Sherman Lilly wrote:
> > How do I do that?
>
> Assuming that you have a backup of your database content in a LDIF
> format, just delete the existing data from your disk ( root>/instance//partitions/)
>
> Typically, on my linux box :
>
> /opt/apacheds-2.0.0-M22-SNAPSHOT/instances/default/partitions/example :
> [root@brie example]# ll
> total 620
> -rw-r--r--. 1 root root 0 Jan 27 15:55 0.9.2342.19200300.100.1.1.db
> -rw-r--r--. 1 root root 41362 Jan 27 15:55 0.9.2342.19200300.100.1.1.lg
> -rw-r--r--. 1 root root   222 Jan 27 15:55
> 0.9.2342.19200300.100.1.1-uid.txt
> -rw-r--r--. 1 root root 0 Jan 27 15:55 0.9.2342.19200300.100.1.25.db
> -rw-r--r--. 1 root root   257 Jan 27 15:55
> 0.9.2342.19200300.100.1.25-dc.txt
> -rw-r--r--. 1 root root 41362 Jan 27 15:55 0.9.2342.19200300.100.1.25.lg
> -rw-r--r--. 1 root root   273 Jan 27 15:55
> 1.3.6.1.4.1.18060.0.4.1.2.3-apachePresence.txt
> -rw-r--r--. 1 root root 0 Jan 27 15:55 1.3.6.1.4.1.18060.0.4.1.2.3.db
> -rw-r--r--. 1 root root 41362 Jan 27 15:55 1.3.6.1.4.1.18060.0.4.1.2.3.lg
> -rw-r--r--. 1 root root   264 Jan 27 15:55
> 1.3.6.1.4.1.18060.0.4.1.2.50-apacheRdn.txt
> -rw-r--r--. 1 root root 0 Jan 27 15:55 1.3.6.1.4.1.18060.0.4.1.2.50.db
> -rw-r--r--. 1 root root 41362 Jan 27 15:55 1.3.6.1.4.1.18060.0.4.1.2.50.lg
> -rw-r--r--. 1 root root   211 Jan 27 15:55
> 1.3.6.1.4.1.18060.0.4.1.2.5-apacheOneAlias.txt
> -rw-r--r--. 1 root root 0 Jan 27 15:55 1.3.6.1.4.1.18060.0.4.1.2.5.db
> -rw-r--r--. 1 root root 41362 Jan 27 15:55 1.3.6.1.4.1.18060.0.4.1.2.5.lg
> -rw-r--r--. 1 root root   208 Jan 27 15:55
> 1.3.6.1.4.1.18060.0.4.1.2.6-apacheSubAlias.txt
> -rw-r--r--. 1 root root 0 Jan 27 15:55 1.3.6.1.4.1.18060.0.4.1.2.6.db
> -rw-r--r--. 1 root root 41362 Jan 27 15:55 1.3.6.1.4.1.18060.0.4.1.2.6.lg
> -rw-r--r--. 1 root root   204 Jan 27 15:55
> 1.3.6.1.4.1.18060.0.4.1.2.7-apacheAlias.txt
> -rw-r--r--. 1 root root 0 Jan 27 15:55 1.3.6.1.4.1.18060.0.4.1.2.7.db
> -rw-r--r--. 1 root root 41362 Jan 27 15:55 1.3.6.1.4.1.18060.0.4.1.2.7.lg
> -rw-r--r--. 1 root root 0 Jan 27 15:55 1.3.6.1.4.1.4203.666.1.7.db
> -rw-r--r--. 1 root root   246 Jan 27 15:55
> 1.3.6.1.4.1.4203.666.1.7-entryCSN.txt
> -rw-r--r--. 1 root root 41362 Jan 27 15:55 1.3.6.1.4.1.4203.666.1.7.lg
> -rw-r--r--. 1 root root 0 Jan 27 15:55 1.3.6.1.4.1.5322.10.1.1.db
> -rw-r--r--. 1 root root   215 Jan 27 15:55
> 1.3.6.1.4.1.5322.10.1.1-krb5PrincipalName.txt
> -rw-r--r--. 1 root root 41362 Jan 27 15:55 1.3.6.1.4.1.5322.10.1.1.lg
> -rw-r--r--. 1 root root   148 Jan 27 15:55 2.5.18.5-administrativeRole.txt
> -rw-r--r--. 1 root root 0 Jan 27 15:55 2.5.18.5.db
> -rw-r--r--. 1 root root 41362 Jan 27 15:55 2.5.18.5.lg
> -rw-r--r--. 1 root root 0 Jan 27 15:55 2.5.4.0.db
> -rw-r--r--. 1 root root 41362 Jan 27 15:55 2.5.4.0.lg
> -rw-r--r--. 1 root root   184 Jan 27 15:55 2.5.4.0-objectClass.txt
> -rw-r--r--. 1 root root 0 Jan 27 15:55 2.5.4.11.db
> -rw-r--r--. 1 root root 41362 Jan 27 15:55 2.5.4.11.lg
> -rw-r--r--. 1 root root   257 Jan 27 15:55 2.5.4.11-ou.txt
> -rw-r--r--. 1 root root 40960 Jan 27 15:55 master.db
> -rw-r--r--. 1 root root 8 Jan 27 15:55 master.lg
>
>
> Just get rid of all that. They will be recreated when you inject the
> LDIF that contains your data.
>
>
>


Password policy

2016-01-28 Thread akarypid
Hi,
I'd like to enforce some rules for password values (such as use of at least 2 
capitals, 1 number, 1 symbol, etc). Is it possible to do this with 
configuration in the server? I've seen the password policy view in Apache 
Directory Studio but it doesn't have anything like that.
If it's not configurable out of the box, is there maybe an API that one could 
use to write a custom "plugin" class that would be invoked whenever an attempt 
to change the userPassword attribute's value is made?
Thank you!


Re: DHCP using Apache directory server

2016-01-28 Thread Emmanuel Lécharny
On 28/01/16 14:50, Sherman Lilly wrote:
> Adding the above ldif resulted in the server not being able to start. Running
> the server in console mode shows this error.
>
> ERR_134 Cannot deserialize the entry : ERR_04269 ATTRIBUTE_TYPE for OID
> 2.16.840.1.113719.1.203.4.19 does not exist!

Yes, you need to clean up the server and reinject the full entries,
because the schema has changed and it impacts the existing entries.



Re: DHCP using Apache directory server

2016-01-28 Thread Sherman Lilly
How do I do that?

On Thu, Jan 28, 2016 at 9:33 AM, Emmanuel Lécharny wrote:

> On 28/01/16 14:50, Sherman Lilly wrote:
> > Adding the above ldif resulted in the server not being able to start. Running
> > the server in console mode shows this error.
> >
> > ERR_134 Cannot deserialize the entry : ERR_04269 ATTRIBUTE_TYPE for OID
> > 2.16.840.1.113719.1.203.4.19 does not exist!
>
> Yes, you need to clean up the server and reinject the full entries,
> because the schema has changed and it impacts the existing entries.
>
>


Re: DHCP using Apache directory server

2016-01-28 Thread Sherman Lilly
Adding the above ldif resulted in the server not being able to start. Running
the server in console mode shows this error.

ERR_134 Cannot deserialize the entry : ERR_04269 ATTRIBUTE_TYPE for OID
2.16.840.1.113719.1.203.4.19 does not exist!


On Tue, Jan 26, 2016 at 5:38 PM, Stefan Seelmann wrote:

> On 01/26/2016 07:56 PM, Sherman Lilly wrote:
> > Can I fix the schema in my current version 2.0.0? If so how do I do this?
>
> Yes, you can change the syntax of dhcpOption attribute, e.g. you can
> apply the following LDIF:
>
> dn: m-oid=2.16.840.1.113719.1.203.4.7,
>  ou=attributeTypes,cn=dhcp,ou=schema
> changetype: modify
> replace: m-syntax
> m-syntax: 1.3.6.1.4.1.1466.115.121.1.26
> -
>
> Afterwards you need to restart the server.
>
> HTH,
> Stefan
>
>