We Keep Coding

How to set up proper access directive in LDAP?

I'm new to LDAP and for a school project I have an access to part of my school LDAP. I can bind with users that are in a Organizational Unit.
When I bind, I am able to see my password and not any other passwords from other users (That's normal I guess for security reasons).
So I have exported the LDIF of this LDAP and imported it on my own LDAP server for leaning purposes.
ldapsearch commands works well and I retrieve all entries (excepted password and that's normal).
So now, I try to bind with any user, I've added password by Apache Directory Studio in each LDAP Users (inetorgPerson under the ou where I usually search).
However, I can't bind.
I guess that it is due to wrong access rights.
I know that I must use ldapmodify command and that I need to forge a directive like access to * by * read (with less rights than * but it could be great to begin with).
However, I cant find how to use this directive with ldapmodify.
I think that I must create an LDIF file to modify config but I don't understand which entry I should update.
Can anyone give me tips in order to modify the proper entry?
Thanks
Here id part of my config (Domain edited to domain.fr):
dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: {1}to dn.exact="" by * read
olcAccess: {2}to dn.base="cn=Subschema" by * read
olcSizeLimit: 500
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by * write
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=domain,dc=fr
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to * by * read
olcLastMod: TRUE
olcRoot
dn: cn=admin,dc=domain,dc=fr
olcRootPW: {SSHA}YNGbI0zpbUoVLZggbKeZqFIlVdq+0ZJP
olcDbCheckpoint: 512 30
olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: member,memberUid eq
olcDbMaxSize: 1073741824
search: 2

• Since, you have imported the LDIF file in the new AD, all the users in the original AD are created afresh in your AD environment. Thus, you would need to create a DNS naming service identical to the original one in your environment as the suffix to which you want to add the entry should exist in the database. Also, the domain admin credentials used in the original LDAP directory will be required to bind with the credentials of a user in imported LDIF file.
To do this, you would need to modify the domain admin credentials using the following commands. Below shown script is a sample on how to modify the domain admin credentials and then try to bind the user using those credentials.
Create a new LDIF file with the following contents: -
‘ dn: uid=XYZ,ou=Domain Administrators,dc=example,dc=com
cn: XYZ
sn: XYZ
givenName: XYZ
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
ou: Accounting
ou: People
l: Santa Clara
uid: XYZ
mail: XYZ#example.com
roomnumber: 5484
userpassword: Pass#123 ’
Then, add the entry using ‘ldapmodify’ with the ‘—defaultAdd’ option
‘ ldapmodify --hostname localhost --port 389 --bindDN "cn=Directory Manager" \
--bindPassword password --defaultAdd --filename /tmp/new.ldif ‘
With these commands, you would be able to modify the domain administrator credentials and then be able to bind the user in LDAP for sure. Just change the ldif file name with the one you have and change the entries in the ldif file with the actual ones from the original directory. Please find this link below for your reference: -
https://docs.oracle.com/cd/E22289_01/html/821-1273/adding-modifying-and-deleting-directory-data.html

Add: Object class violation error on adding password policies

While adding the password policy in the openldap file it throws error While running from the command line
root#openldap-server:/etc/ldap/slapd.d# ldapadd -D cn=admin,dc=zariga,dc=com -w password -f passwordpolicy.ldif
adding new entry "cn=DefaultPPolicy,ou=Policies,dc=zariga,dc=com"
ldap_add: Object class violation (65)
additional info: no structural object class provided
This is the LDIF file
dn: cn=DefaultPPolicy,ou=Policies,dc=zariga,dc=com
cn: DefaultPPolicy
objectClass: pwdPolicy
objectClass: top
pwdAttribute: userPassword
pwdMaxAge: 3024000
pwdExpireWarning: 1814400
pwdInHistory: 4
pwdCheckQuality: 1
pwdMinLength: 9
pwdMaxFailure: 4
pwdLockout: TRUE
pwdLockoutDuration: 600
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE

You're trying to add an object to LDAP with only pwdPolicy objectClass which is defined as AUXILIARY (see Password Policy for LDAP Directories, ch. 5.1) and every object added to LDAP server must have a STRUCTURAL objectClass.
You need to change your LDIF file to include one STRUCTURAL objectClass like device (or any other that you fancy but it's type is STRUCTURAL).
For instance:
dn: cn=DefaultPPolicy,ou=Policies,dc=zariga,dc=com
cn: DefaultPPolicy
objectClass: device
objectClass: pwdPolicy
objectClass: top
...

How to test ldap ppolicy enforcement

I am using openldap 2.4. I have configured it with following configuration.
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/HFSchema.schema
include /etc/ldap/schema/ppolicy.schema
pidfile /var/run/slapd/slapd.pid
modulepath /usr/lib/ldap
moduleload back_hdb.la
moduleload ppolicy.la
database hdb
suffix "dc=example,dc=com"
rootdn "cn=admin,dc=example,dc=com"
rootpw {SSHA}xzW0DfNFHahvm/C68ZR4YvbZGFQJjfz5
overlay ppolicy
ppolicy_default "cn=DefaultPwdPolicy,ou=Policies,dc=example,dc=com"
ppolicy_use_lockout
ppolicy_hash_cleartext
Also I added default password policy
# DefaultPwdPolicy, Policies, example.com
dn: cn=DefaultPwdPolicy,ou=Policies,dc=example,dc=com
cn: DefaultPwdPolicy
pwdAttribute: 2.5.4.35
objectClass: pwdPolicy
objectClass: top
objectClass: device
pwdAllowUserChange: TRUE
pwdMaxAge: 7776000
pwdInHistory: 5
pwdCheckQuality: 2
pwdMinLength: 8
pwdExpireWarning: 432000
pwdLockoutDuration: 900
pwdMaxFailure: 3
pwdMustChange: TRUE
pwdSafeModify: TRUE
pwdLockout: TRUE
But still admin is able to create users without these constraints. How will I confirm if my ppolicy overlay is working? How can I test if these constraint are actually been applied.?

The only user that is free from the password policy constraints is the internal rootdn user. You shouldn't use that yourself for anything. It is the user that slapd itself uses to update the DIT. You should define another admin user, in the DIT, with the necessary permissions. Using the rootdn user for admin tasks will bypass every constraint known to man.
To use the ppolicy fully, you have to use the password policy request control and check for the corresponding response control in your code so you can discover impending expiry, grace periods, etc.

You can test password policy with ldap* commands (OpenLDAP LDAP clients), which allow to use LDAP controls.
You must know a valid DN and a password (not rootdn, which override password policy).
For example:
clement#ader-xps:~$ ldapwhoami -x -H ldap://localhost -D uid=coudot,ou=users,dc=example,dc=com -W -e ppolicy
Enter LDAP Password:
ldap_bind: Invalid credentials (49); Account locked

Foswiki and LDAP authentication

I have a problem with connecting foswiki to ldap. I want to authenticate users against LDAP directory (as it is stated in the requirements of school seminar work ). But it doesn't work. When I try to login with my name already saved in LDAP, it just writes "Oops: we could not recognize you. Try again or reset your password.". I will be thankful for any help and I will provide any further information necessary.
Foswiki config: http://pastebin.com/NRx4V9Ck
I am trying to login with name MarianBaca and here is the output of
ldapsearch -H ldap://localhost -b dc=bis01,dc=vse,dc=cz -x '(givenName=Marian)'
# extended LDIF
#
# LDAPv3
# base <dc=bis01,dc=vse,dc=cz> with scope subtree
# filter: (givenName=Marian)
# requesting: ALL
#
# MarianBaca, bis01.vse.cz
dn: cn=MarianBaca,dc=bis01,dc=vse,dc=cz
cn: MarianBaca
givenName: Marian
gidNumber: 500
sn: Baca
loginShell: /bin/sh
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
uidNumber: 1000
uid: MarianBaca
homeDirectory: /home/MarianBaca
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Output of /etc/ldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE dc=bis01,dc=vse, dc=cz
URI ldap://bis01.vse.cz
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
# TLS certificates (needed for GnuTLS)
TLS_CACERT /etc/ssl/certs/ca-certificates.crt

Since your pasted foswiki configuration has been removed, I will try to answer to my best knowledge.
I am assuming you are using LdapContrib
Ensure your UserMappingManager is set to Foswiki::Users::LdapUserMapping.
Ensure your PasswordManager is set to something sensible, i.e. Foswiki::Users::LdapPasswduser

Enforcing ppolicy to openldap users

I am working with OpenLDAP and client browser as Apache directory Studio.
I did whatever required for enforcing ppolicies to the openLDAP users still I think its missing something and someware.
This is my ppolicy.ldif
dn: dc=maxcrc,dc=com
objectClass: top
objectClass: domain
dc: maxcrc
dn: ou=People,dc=maxcrc,dc=com
objectClass: organizationalUnit
objectClass: top
ou: People
description: Container for user entries
dn: ou=policies,dc=maxcrc,dc=com
objectClass: top
objectClass: organizationalUnit
ou: policies
dn: cn=default,ou=policies,dc=maxcrc,dc=com
objectClass: pwdPolicy
objectClass: top
objectClass: device
cn: default
pwdAttribute: userPassword
pwdAllowUserChange: TRUE
pwdCheckQuality: 1
pwdExpireWarning: 86400
pwdInHistory: 6
pwdLockout: TRUE
pwdLockoutDuration: 1920
pwdMaxAge: 172800
pwdMaxFailure: 4
pwdMinLength: 6
pwdSafeModify: FALSE
dn: uid=jery,dc=maxcrc,dc=com
objectClass: pwdPolicy
objectClass: posixAccount
objectClass: top
objectClass: account
cn: maxcrc jery
gidNumber: 1011
homeDirectory: /home/jery
pwdAttribute: userPassword
uid: jery
uidNumber: 1011
pwdPolicySubentry:cn=strong,ou=policies,dc=maxcrc,dc=com
dn: cn=strong,ou=policies,dc=maxcrc,dc=com
objectClass: device
objectClass: top
objectClass: pwdPolicy
cn: strong
pwdAttribute: userPassword
pwdMaxAge: 1296000
pwdMinLength: 4
still it allows to add userPassword from apache directory studio with more than 4 character.can anyone tell me why is it so? Thanks in advance .
below is my sldap.config file
# BDB Backend configuration file
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
ucdata-path ./ucdata
include ./schema/core.schema
include ./schema/cosine.schema
include ./schema/nis.schema
include ./schema/inetorgperson.schema
include ./schema/openldap.schema
include ./schema/dyngroup.schema
include ./schema/ppolicy.schema
moduleload ppolicy.la
moduleload syncprov.la
moduleload back_bdb.la
moduleload back_ldap.la
pidfile ./run/slapd.pid
argsfile ./run/slapd.args
# Enable TLS if port is defined for ldaps
TLSVerifyClient never
TLSCipherSuite HIGH:MEDIUM:-SSLv2
TLSCertificateFile ./secure/certs/server.pem
TLSCertificateKeyFile ./secure/certs/server.pem
TLSCACertificateFile ./secure/certs/server.pem
#######################################################################
# bdb database definitions
#######################################################################
database monitor
database bdb
suffix "dc=maxcrc,dc=com"
# invokes password policies for this DIT only
overlay ppolicy
# Default ppolicy
ppolicy_default "cn=strong,ou=policies,dc=maxcrc,dc=com"
# Some ppolicy directives
ppolicy_use_lockout
ppolicy_hash_cleartext
# ACL1
#access to attrs=userPassword
# by self write
# by anonymous auth
# by group.exact="cn=Manager,dc=maxcrc,dc=com"
# write
# by * none
# ACL3
#access to *
# by self write
# by group.exact="cn=Manager,dc=maxcrc,dc=com"
# write
# by users read
# by * none
rootdn "cn=Manager,dc=maxcrc,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoid. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory ./data
dirtyread
searchstack 20
# Indices to maintain
index mail pres,eq
index objectclass pres
index default eq,sub
index sn eq,sub,subinitial
index telephonenumber
index cn

The password policy overlay requires you not to carry out the operation as the rootDN. You should use an admin login defined in the DIT that has the appropriate permissions.