timbeh
(uses Suse)
Posted on 11/04/2018 - 12:38h
Masters,
I've started diving into the LDAP world, and I have a Suse Linux 10 SP2 box running yast2-ldap-server-2.13.24-0.3.
The thing is, I can insert users and authenticate, but I need to apply password policies (expiration, length, etc.).
When the user tries to change their password (with me applying the policy overlay), I see the following error in the logs:
Apr 11 10:23:06 riobrsdpsee6 slapd[13448]: bdb_dn2entry("cn=ancelmo boteon ldap,cn=huawei,ou=testbed,dc=sdptestbed,dc=com,dc=br")
Apr 11 10:23:06 riobrsdpsee6 slapd[13448]: => bdb_entry_get: found entry: "cn=ancelmo boteon ldap,cn=huawei,ou=testbed,dc=sdptestbed,dc=com,dc=br"
Apr 11 10:23:06 riobrsdpsee6 slapd[13448]: bdb_entry_get: rc=0
Apr 11 10:23:06 riobrsdpsee6 slapd[13448]: => bdb_entry_get: ndn: "cn=default policy,dc=sdptestbed,dc=com,dc=br"
Apr 11 10:23:06 riobrsdpsee6 slapd[13448]: => bdb_entry_get: oc: "(null)", at: "(null)"
Apr 11 10:23:06 riobrsdpsee6 slapd[13448]: bdb_dn2entry("cn=default policy,dc=sdptestbed,dc=com,dc=br")
Apr 11 10:23:06 riobrsdpsee6 slapd[13448]: => bdb_entry_get: found entry: "cn=default policy,dc=sdptestbed,dc=com,dc=br"
Apr 11 10:23:06 riobrsdpsee6 slapd[13448]: bdb_entry_get: rc=0
Apr 11 10:23:06 riobrsdpsee6 slapd[13448]: change password must use DELETE followed by ADD/REPLACE
Apr 11 10:23:06 riobrsdpsee6 slapd[13448]: send_ldap_result: conn=5 op=10 p=3
Apr 11 10:23:06 riobrsdpsee6 slapd[13448]: send_ldap_result: err=50 matched="" text="Must supply old password to be changed as well as new one"
Apr 11 10:23:06 riobrsdpsee6 slapd[13448]: send_ldap_response: msgid=11 tag=103 err=50
Apr 11 10:23:06 riobrsdpsee6 slapd[13448]: conn=5 op=10 RESULT tag=103 err=50 text=Must supply old password to be changed as well as new one
When I remove the policy overlay from my configuration file, the user can change the password, but with no criteria at all (they can even repeat the same password).
My configuration file is below:
riobrsdpsee6:/etc/openldap # cat slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/yast.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/nis.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
# Load dynamic backend modules:
modulepath /usr/lib/openldap/modules
# moduleload back_ldap.la
#moduleload ppolicy.la
# moduleload back_meta.la
# moduleload back_monitor.la
# moduleload back_perl.la
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access to user password
# Allow anonymous users to authenticate
# Allow read access to everything else
# Directives needed to implement policy:
access to dn.base=""
by * read
access to dn.base="cn=Subschema"
by * read
access to attrs=userPassword
by self write
by * auth
access to attrs=shadowLastChange
by self write
by * read
access to *
by * read
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#######################################################################
# BDB database definitions
#######################################################################
loglevel 0
#loglevel 0
TLSCertificateFile /etc/openldap/servercert.pem
TLSCACertificateFile /etc/openldap/cacert.pem
TLSCertificateKeyFile /etc/openldap/serverkey.pem
database bdb
suffix "dc=sdptestbed,dc=com,dc=br"
rootdn "cn=Administrator,dc=sdptestbed,dc=com,dc=br"
rootpw "{ssha}HsTz1jWHEXFi0l6Ylr6UbaPwd89VTVlOUw=="
directory /var/lib/ldap/
checkpoint 1024 5
cachesize 10000
index objectClass,uidNumber,gidNumber eq
index member,mail eq,pres
index cn,displayname,uid,sn,givenname sub,eq,pres
#overlay ppolicy
#ppolicy_default "cn=passwordDefault,ou=TestBed,dc=sdptestbed,dc=com,dc=br"
overlay ppolicy
ppolicy_default "cn=Default Policy,dc=sdptestbed,dc=com,dc=br"
ppolicy_hash_cleartext
If I remove this part:
overlay ppolicy
ppolicy_default "cn=Default Policy,dc=sdptestbed,dc=com,dc=br"
ppolicy_hash_cleartext
the user is able to change the password.
Has anyone run into this?
Thanks!
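The result text in the log, "Must supply old password to be changed as well as new one" (err=50, LDAP_INSUFFICIENT_ACCESS), is slapo-ppolicy enforcing pwdSafeModify: when the policy entry has pwdSafeModify TRUE, a modify that only REPLACEs userPassword is rejected, and the change has to DELETE the current value and ADD the new one in the same operation, exactly as the preceding log line says ("change password must use DELETE followed by ADD/REPLACE"). Removing the overlay removes the check, and with it the history and quality checks the poster wants. The script below is an added example, not code from the post or from OpenLDAP: it builds a policy entry for the cn=Default Policy DN seen in the log (the attribute values are illustrative choices, not the poster's real entry), builds the two-step modify LDIF for the user DN from the log, and includes an offline check that a modify LDIF has the delete before the add/replace. The ldapmodify invocation at the end is only run with the `run` argument and assumes slapd on localhost.

```shell
#!/bin/sh
# Added example for the ppolicy pwdSafeModify error in the post above.
# DNs are taken from the poster's log lines; policy values are assumptions.
set -eu

USER_DN='cn=ancelmo boteon ldap,cn=huawei,ou=testbed,dc=sdptestbed,dc=com,dc=br'
POLICY_DN='cn=Default Policy,dc=sdptestbed,dc=com,dc=br'

# 1. The policy entry. pwdPolicy is AUXILIARY, so it needs a structural
#    class (person here). pwdSafeModify TRUE is what produces
#    "Must supply old password to be changed as well as new one";
#    pwdInHistory > 0 is what stops the user from re-using the same password.
policy_ldif() {
  cat <<EOF
dn: $POLICY_DN
objectClass: person
objectClass: pwdPolicy
cn: Default Policy
sn: Default Policy
pwdAttribute: userPassword
pwdMinLength: 8
pwdMaxAge: 7776000
pwdInHistory: 5
pwdCheckQuality: 2
pwdSafeModify: TRUE
EOF
}

# 2. A password change that satisfies pwdSafeModify: DELETE the current value,
#    then ADD the new one, inside one modify operation.
#    $1 = current password, $2 = new password
safe_modify_ldif() {
  cat <<EOF
dn: $USER_DN
changetype: modify
delete: userPassword
userPassword: $1
-
add: userPassword
userPassword: $2
EOF
}

# 3. Offline check of a modify LDIF read from stdin: exit 0 when a
#    "delete: userPassword" precedes the add/replace (slapd would accept it
#    under pwdSafeModify), exit 1 otherwise (slapd would answer err=50).
check_safe_modify() {
  awk '
    /^delete: userPassword$/          { del = NR }
    /^(add|replace): userPassword$/   { chg = NR }
    END { if (del && chg && del < chg) exit 0; else exit 1 }
  '
}

if [ "${1:-}" = "run" ]; then
  # Bind as the user (rootdn bypasses ppolicy, so it would not reproduce the
  # error) and send the delete+add modify. -ZZ forces StartTLS so neither
  # password crosses the wire in clear; the poster's slapd.conf has TLS keys.
  # Usage: sh thisscript.sh run 'currentpw' 'newpw'
  safe_modify_ldif "$2" "$3" \
    | ldapmodify -ZZ -x -H ldap://localhost/ -D "$USER_DN" -w "$2"
fi
```

The same constraint applies to the Password Modify extended operation: ldappasswd has to be given the current password as well (`ldappasswd -ZZ -x -D "$USER_DN" -w current -a current -s new`), otherwise ppolicy returns the same err=50. Note that with `ppolicy_hash_cleartext` the value in the delete must be the cleartext current password, not its stored hash; slapd compares it against the stored value itself.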