We Keep Coding

How to set up proper access directive in LDAP?

I'm new to LDAP and for a school project I have an access to part of my school LDAP. I can bind with users that are in a Organizational Unit.
When I bind, I am able to see my password and not any other passwords from other users (That's normal I guess for security reasons).
So I have exported the LDIF of this LDAP and imported it on my own LDAP server for leaning purposes.
ldapsearch commands works well and I retrieve all entries (excepted password and that's normal).
So now, I try to bind with any user, I've added password by Apache Directory Studio in each LDAP Users (inetorgPerson under the ou where I usually search).
However, I can't bind.
I guess that it is due to wrong access rights.
I know that I must use ldapmodify command and that I need to forge a directive like access to * by * read (with less rights than * but it could be great to begin with).
However, I cant find how to use this directive with ldapmodify.
I think that I must create an LDIF file to modify config but I don't understand which entry I should update.
Can anyone give me tips in order to modify the proper entry?
Thanks
Here id part of my config (Domain edited to domain.fr):
dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: {1}to dn.exact="" by * read
olcAccess: {2}to dn.base="cn=Subschema" by * read
olcSizeLimit: 500
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by * write
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=domain,dc=fr
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to * by * read
olcLastMod: TRUE
olcRoot
dn: cn=admin,dc=domain,dc=fr
olcRootPW: {SSHA}YNGbI0zpbUoVLZggbKeZqFIlVdq+0ZJP
olcDbCheckpoint: 512 30
olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: member,memberUid eq
olcDbMaxSize: 1073741824
search: 2

• Since, you have imported the LDIF file in the new AD, all the users in the original AD are created afresh in your AD environment. Thus, you would need to create a DNS naming service identical to the original one in your environment as the suffix to which you want to add the entry should exist in the database. Also, the domain admin credentials used in the original LDAP directory will be required to bind with the credentials of a user in imported LDIF file.
To do this, you would need to modify the domain admin credentials using the following commands. Below shown script is a sample on how to modify the domain admin credentials and then try to bind the user using those credentials.
Create a new LDIF file with the following contents: -
‘ dn: uid=XYZ,ou=Domain Administrators,dc=example,dc=com
cn: XYZ
sn: XYZ
givenName: XYZ
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
ou: Accounting
ou: People
l: Santa Clara
uid: XYZ
mail: XYZ#example.com
roomnumber: 5484
userpassword: Pass#123 ’
Then, add the entry using ‘ldapmodify’ with the ‘—defaultAdd’ option
‘ ldapmodify --hostname localhost --port 389 --bindDN "cn=Directory Manager" \
--bindPassword password --defaultAdd --filename /tmp/new.ldif ‘
With these commands, you would be able to modify the domain administrator credentials and then be able to bind the user in LDAP for sure. Just change the ldif file name with the one you have and change the entries in the ldif file with the actual ones from the original directory. Please find this link below for your reference: -
https://docs.oracle.com/cd/E22289_01/html/821-1273/adding-modifying-and-deleting-directory-data.html

LDAP, pwdpolicy does not exist

I am new to LDAP, and I want to add password policy using the class pwdpolicy, but every time I get the error :
ERR_04269 OBJECT_CLASS for OID pwdpolicy does not exist!
Here is the how i try to add it:
dn: cn=Default Password Policy,ou=pwpolicies,dc=example,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn:Default Password Policy
pwdAttribute: userPassword
pwdMaxAge: 7776002
pwdExpireWarning: 432000
pwdInHistory: 3
pwdCheckQuality: 1
pwdMinLength: 8
pwdMaxFailure: 5
pwdLockout: TRUE
pwdLockoutDuration: 900
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
I changed the slapd.conf in WorkspaceLDAP\openldap\servers\slapd
maybe I configured wrong slapd file
Here is my slapd.conf :
include %SYSCONFDIR%/schema/core.schema
include #SCHEMADIR#/core.schema
include #SCHEMADIR#/cosine.schema
include #SCHEMADIR#/inetorgperson.schema
include #SCHEMADIR#/rfc2307bis.schema
include #SCHEMADIR#/yast.schema
pidfile %LOCALSTATEDIR%/run/slapd.pid
argsfile %LOCALSTATEDIR%/run/slapd.args
#######################################################################
# BDB database definitions
#######################################################################
database mdb
maxsize 1073741824
suffix "dc=example,dc=com"
checkpoint 1024
cachesize 10000
rootdn "cn=Administrator,dc=example,dc=com"
rootpw secret
directory %LOCALSTATEDIR%/openldap-data
# Indices to maintain
index objectClass eq
overlay ppolicy
ppolicy_default "cn=Default Password Policy,ou=pwpolicies,dc=example,dc=com"
ppolicy_hash_cleartext
ppolicy_use_lockout
Can i check somehow witch slapd file my server is using or if the configuration is correct?

You have to add and configure the ppolicy overlay in slapd.conf or your online configuration, whichever you're using.

LDAP with Cloudera hue integration

I have configured LDAP server in my ubuntu 12.04 in the same server Cloudera core hadoop service installed . Here i want to integrate cloudera hue with LDAP server.
Following is my LDAP users
root#ip-10-81-160-152:/home/ubuntu# ldapsearch -x -b "dc=gmps,dc=com"
# extended LDIF
#
# LDAPv3
# base <dc=gmps,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# gmps.com
dn: dc=gmps,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: gmps
dc: gmps
# admin, gmps.com
dn: cn=admin,dc=gmps,dc=com
cn: admin
description: LDAP administrator
objectClass: simpleSecurityObject
objectClass: organizationalRole
objectClass: uidObject
uid: admin
ou: admin
# aaryan aditya, students, users, gmps.com
dn: cn=aaryan aditya,cn=students,ou=users,dc=gmps,dc=com
cn: aaryan aditya
givenName: aaryan
gidNumber: 500
homeDirectory: /home/users/aditya
sn: aditya
loginShell: /bin/sh
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
uidNumber: 1000
uid: aditya
i use phpldapadmin to login my LDAP server which was working fine ..
My Login DN: cn=admin,dc=gmps,dc=com
I have configured this ldap server in Hue cloudera as
ldap_url : ldap://75.101.250.10
LDAP Username Pattern : "uid=admin,ou=admin,dc=greycampus,dc=com"
user_name_attr: admin
After this i restarted HUE and i just logged into HUE web UI there if click on
Hue ---> Manage Users ---> Sync LDAP users and groups --> Sync
i am not getting any users syced from LDAP server ..
if i click Add/Sync LDAP user .. then enter username and ok .. i am getting
There was an error when communicating with LDAP
{'info': 'invalid DN', 'desc': 'Invalid DN syntax'}
i dont know where i did wrong .. and its still confusing where i have supply my LDAP password .. and how hue communicate with LDAP without password .. kindly any one please help

I can't understand neither your LDAP configuration nor your Hue configuration.
firstly you define your LDAP root, dc=gmps,dc=com, ok.
Next, you define an admin role, which is definitly not a user, just a role.
dn: cn=admin,dc=gmps,dc=com
Finally you define a user, which doesn't seem to be linked to the admin role.
If you don't have any relation defined between a user and a role, it'll be difficult for hue to grant something to your user.
Next, about yourr Hue configuration:
The user should be a parameter of the pattern.
If a user DN is dn: cn=aaryan aditya,cn=students,ou=users,dc=gmps,dc=com, your pattern should be at least something like cn=
Hue webapp substitute by the typed login and make a first request to validate the authentification of your user (aka username/password against the LDAP user information).
To perform the search, you need to define the LDAP base search (dc=gmps,dc=com) and a bind user, authorized user DN to look into your LDAP (for instance, cn=aaryan aditya,cn=students,ou=users,dc=gmps,dc=com)
If you want to limit the global access to just a portion of your LDAP, you can specify an additional filter. When you'll define a relation between users and roles, you'll can restrict the access to the users by their roles.
You have to specify what's the attribute you're considerating to identify the user (in your case, it seems to be cn, so user_name_attr = cn)
To do the mapping between LDAP and Hue permissions, you have to tell Hue which roles are considerated, throw the group_filter. Next you have to specify the attribute of the role which allow to identify the role (in your case, it seems to be cn)
Finally, you have to tell to hue which attribute allows you to link a role to a user (which doesn't seem to be undefined in your configuration)
Next, restarting your cluster, everything should be ok. Syncing your users/group will load users and roles from your LDAP to Hue, next step will be configure each role in HUE to give it the expected permissions.

Password History check in openldap

Password History check in openldap not working when I am using SHA-256 password hashing in openldap.
So I am sending clear text password from my java application to openLDAP and it is storing as SHA-256 hashed form on its own.
whenever I am changing password, openLDAP is storing the previous password in pwdHistory.
There is no problem in that but when I am changing password with the same password previously used it is taking up without throwing any error.
I am struggling to make it work for few weeks. Please somebody help me.
My environment details:
OpenLDAP 2.4.38
RHEL 6
Following details also mentioned in slapd.conf
include ../etc/openldap/schema/ppolicy.schema
password-hash {SHA256}
overlay ppolicy
ppolicy_default "cn=default,ou=pwdpolicies,dc=my-domain,dc=com"
ppolicy_hash_cleartext
my password policy:
dn: cn=Default,ou=pwdpolicies,dc=my-domain,dc=com
objectClass: pwdPolicy
objectClass: person
objectClass: top
cn: Default
sn: Default
pwdAttribute: userPassword
pwdMinAge: 0
pwdInHistory: 5
pwdFailureCountInterval: 0
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdAllowUserChange: TRUE
pwdExpireWarning: 0
pwdGraceAuthNLimit: 0
pwdMustChange: FALSE
pwdSafeModify: FALSE
Kindly let me know if I have to give me more information to nail down the issue. Please Please Please someone help me on this. I am badly need a solution on this.

Foswiki and LDAP authentication

I have a problem with connecting foswiki to ldap. I want to authenticate users against LDAP directory (as it is stated in the requirements of school seminar work ). But it doesn't work. When I try to login with my name already saved in LDAP, it just writes "Oops: we could not recognize you. Try again or reset your password.". I will be thankful for any help and I will provide any further information necessary.
Foswiki config: http://pastebin.com/NRx4V9Ck
I am trying to login with name MarianBaca and here is the output of
ldapsearch -H ldap://localhost -b dc=bis01,dc=vse,dc=cz -x '(givenName=Marian)'
# extended LDIF
#
# LDAPv3
# base <dc=bis01,dc=vse,dc=cz> with scope subtree
# filter: (givenName=Marian)
# requesting: ALL
#
# MarianBaca, bis01.vse.cz
dn: cn=MarianBaca,dc=bis01,dc=vse,dc=cz
cn: MarianBaca
givenName: Marian
gidNumber: 500
sn: Baca
loginShell: /bin/sh
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
uidNumber: 1000
uid: MarianBaca
homeDirectory: /home/MarianBaca
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Output of /etc/ldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE dc=bis01,dc=vse, dc=cz
URI ldap://bis01.vse.cz
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
# TLS certificates (needed for GnuTLS)
TLS_CACERT /etc/ssl/certs/ca-certificates.crt

Since your pasted foswiki configuration has been removed, I will try to answer to my best knowledge.
I am assuming you are using LdapContrib
Ensure your UserMappingManager is set to Foswiki::Users::LdapUserMapping.
Ensure your PasswordManager is set to something sensible, i.e. Foswiki::Users::LdapPasswduser