Currently we are using OpenLDAP version 2.4. From what I know, the default password storage scheme is SSHA.
But is there any way I can view it on the console? I need to send a screenshot showing that the password storage scheme of our OpenLDAP is SSHA.
UPDATE: the olcPasswordHash attribute is not specified in any LDIF file present under the cn=config folder.
Depending on the configuration mode, you can check if it's set:
Using the slapd.conf file:
grep password-hash slapd.conf
Using on-line configuration (OLC):
slapcat -n 0 -a olcPasswordHash=*
The olcPasswordHash attribute is defined at the database level (like in olcDatabase={<n>}<name>,cn=config), so you won't find it directly in cn=config.ldif but in the corresponding LDIF file. That's why you had better use slapcat.
A password policy may also require cleartext passwords to be hashed. The ppolicy overlay enables this behavior via the ppolicy_hash_cleartext flag (cf. slapo-ppolicy):
ppolicy_hash_cleartext : Specify that cleartext passwords present in Add and Modify requests
should be hashed before being stored in the database.
In this case, SSHA is used if no password storage scheme is explicitly set via password-hash or olcPasswordHash, so you would just check for the flag:
Using the slapd.conf file:
grep ppolicy_hash_cleartext slapd.conf
Using on-line configuration (OLC):
slapcat -n 0 -a olcPPolicyHashCleartext=*
If the attribute is not set: How do you set password-hash for OpenLDAP?
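The checks in the answer above, as an added example that is not part of the original answer: a small Python script that reads slapcat-style LDIF and reports the configured scheme (falling back to slapd's compiled-in default of {SSHA}), the ppolicy cleartext-hashing flag, and the scheme prefixes actually present on stored userPassword values. That last check matters because olcPasswordHash only governs passwords set through the Password Modify extended operation; a plain Add or Modify of userPassword stores whatever the client sends, which is the hole ppolicy_hash_cleartext closes. The SAMPLE_* strings are constructed stand-ins (the base64 values decode to the placeholder "{SSHA}test", not real digests) so the script runs offline; against a real server feed it the files written by "slapcat -n 0" and "slapcat -n 1".

```python
"""Inspect slapcat-style LDIF for the password storage scheme (added example).

Usage: python3 pwhash_check.py [config.ldif [users.ldif]]
With no arguments the constructed SAMPLE_* strings below are analysed.
"""
import base64
import sys
from collections import Counter


def parse_ldif(text):
    """Return a list of {attr: [values]} dicts, one per entry. Handles the two
    LDIF details a plain grep misses: folded lines (continuations start with one
    space; slapcat folds long values) and base64 values written as "attr:: ...",
    which is how slapcat emits userPassword."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold onto the previous line
        else:
            lines.append(raw)
    entries, entry = [], {}
    for line in lines + [""]:             # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line:
            if entry:
                entries.append(entry)
                entry = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):         # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        entry.setdefault(attr, []).append(value)
    return entries


def configured_scheme(config_ldif):
    """(scheme, explicit): the olcPasswordHash value found in cn=config, or
    slapd's compiled-in default {SSHA} when no entry sets it."""
    for entry in parse_ldif(config_ldif):
        if "olcPasswordHash" in entry:
            return " ".join(entry["olcPasswordHash"]), True
    return "{SSHA}", False


def ppolicy_hashes_cleartext(config_ldif):
    """True if any ppolicy overlay entry carries olcPPolicyHashCleartext: TRUE."""
    return any(e.get("olcPPolicyHashCleartext", [""])[0].upper() == "TRUE"
               for e in parse_ldif(config_ldif))


def stored_schemes(db_ldif):
    """Count the {SCHEME} prefix of every stored userPassword value; a value
    without a prefix is stored in cleartext."""
    counts = Counter()
    for entry in parse_ldif(db_ldif):
        for value in entry.get("userPassword", []):
            if value.startswith("{") and "}" in value:
                counts[value[: value.index("}") + 1].upper()] += 1
            else:
                counts["cleartext"] += 1
    return dict(counts)


# Constructed sample of "slapcat -n 0" output, trimmed to the relevant attributes.
SAMPLE_CONFIG = """\
dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {-1}frontend
olcPasswordHash: {SSHA}

dn: olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcPPolicyConfig
olcPPolicyHashCleartext: TRUE
"""

# Constructed sample of "slapcat -n 1" output. The base64 values decode to the
# placeholder "{SSHA}test"; alice's value is folded the way slapcat folds it.
SAMPLE_DB = """\
dn: uid=alice,ou=people,dc=example,dc=com
userPassword:: e1NTSEF9
 dGVzdA==

dn: uid=bob,ou=people,dc=example,dc=com
userPassword:: e1NTSEF9dGVzdA==

dn: uid=carol,ou=people,dc=example,dc=com
userPassword: {CRYPT}placeholder

dn: uid=dave,ou=people,dc=example,dc=com
userPassword: hunter2
"""

if __name__ == "__main__":
    config = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    users = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_DB
    scheme, explicit = configured_scheme(config)
    print("password-hash:", scheme, "(explicit)" if explicit else "(default, not configured)")
    print("ppolicy_hash_cleartext:", ppolicy_hashes_cleartext(config))
    print("stored userPassword schemes:", stored_schemes(users))
```

Run against real slapcat output, the third line is the one to screenshot: if it lists only {SSHA} the scheme in use is demonstrated by the stored data itself, and any "cleartext" count means a client wrote userPassword directly without ppolicy_hash_cleartext in force.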
Our organization stores signing certificates in Active Directory. We are using anonymous bind to search for them at a base DN (e.g. OU=MY ORG,dc=mydc,dc=org). I have been trying to use the Spring LdapTemplate to look them up, but no matter what method I use, I get the cryptic InterruptedNamingException.
Assuming a cert subject of cn=mycert.myorg.com
My code looks like this:
import javax.naming.ldap.LdapName;
import javax.security.auth.x500.X500Principal;
import org.springframework.ldap.core.LdapTemplate;
import org.springframework.ldap.core.support.LdapContextSource;

LdapContextSource contextSource = new LdapContextSource();
contextSource.setUrl(String.format(LDAP_URL_FORMAT, ldapCertStoreParameters.getServerName(),
        ldapCertStoreParameters.getPort()));
contextSource.setBase(ldapCertStoreParameters.getBaseDn()); // base suffix applied to every name used below
contextSource.setAnonymousReadOnly(true);
contextSource.afterPropertiesSet();
LdapTemplate ldapTemplate = new LdapTemplate(contextSource);
ldapTemplate.setIgnorePartialResultException(true); // AD referrals otherwise surface as PartialResultException
ldapTemplate.afterPropertiesSet();
X500Principal principal = x509CertSelector.getSubject();
// LdapName(String) throws the checked javax.naming.InvalidNameException
Object obj = ldapTemplate.lookup(new LdapName(principal.getName()));
The X500 principal's name is the whole DN: cn=mycert.myorg.com,OU=MY ORG,dc=mydc,dc=org
I have also tried the search using just the cn.
We have verified that the DN exists on the server using Apache Directory Studio.
• I would suggest you remove the call altogether or set ‘userSearchBase’ to an empty String (“”), as per the example in the community thread below:
Configure Spring security for Ldap connection
As in ‘AbstractContextSource’: set the base suffix from which all operations should originate. If a base suffix is set, you will not have to (and, indeed, must not) specify full distinguished names in any operations performed. Since you specified the full DN for the userDN/filter, you must not specify the base.
AD servers are apparently unable to handle referrals automatically, which causes a ‘PartialResultException’ to be thrown whenever a referral is encountered in a search. To avoid this, set the ‘ignorePartialResultException’ property to true. There is currently no way of manually handling these referrals in the form of a ‘ReferralException’, i.e. either you get the exception (and your results are lost) or all referrals are ignored (if the server is unable to handle them properly). Neither is there any simple way to get notified that a ‘PartialResultException’ has been ignored.
For more details regarding the LDAP template search for certificates stored in Active Directory, refer to the link below:
https://docs.spring.io/spring-ldap/docs/current/apidocs/org/springframework/ldap/core/LdapTemplate.html
• Also, refer to the documentation below for configuring the Spring Boot LDAP template with certificates stored in Active Directory:
https://www.baeldung.com/x-509-authentication-in-spring-security
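The base-suffix point in the answer above, as an added example that is neither the answer's nor Spring LDAP's code: a plain-Python model of what happens to the name handed to LdapTemplate.lookup() when the context source has a base configured. Spring resolves every name relative to that base (the base is appended to the name), so passing the full DN yields a DN with the base repeated, which the server cannot find. relative_to_base() strips the base so the same DN works whether or not a base is set, and raises instead of letting a lookup go silently to a non-existent DN. The RDN splitting is deliberately minimal (unescaped commas separate RDNs; attribute types and values are compared case-insensitively, which is an assumption that holds for the AD DNs in the question); the DNs used are the ones from the question.

```python
"""Model of Spring LDAP base-suffix handling for lookup names (added example)."""


def split_rdns(dn):
    """Split a DN string on unescaped commas, leaf RDN first."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # keep escape pairs such as "\," together
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append("".join(cur).strip())
    return [r for r in rdns if r]


def _norm(rdn):
    """Case-fold attribute type and value for comparison (assumption: the
    directory treats both case-insensitively, as AD does for these DNs)."""
    attr, _, value = rdn.partition("=")
    return attr.strip().lower() + "=" + value.strip().lower()


def effective_lookup_dn(name, base):
    """What the directory actually receives: the base configured on the context
    source appended to whatever name the template call was given."""
    return ",".join(part for part in (name, base) if part)


def relative_to_base(dn, base):
    """dn with the trailing base components removed; dn unchanged when base is
    empty. Raises ValueError if dn does not lie under base."""
    if not base:
        return dn
    d, b = split_rdns(dn), split_rdns(base)
    if len(b) > len(d) or [_norm(r) for r in d[-len(b):]] != [_norm(r) for r in b]:
        raise ValueError(f"{dn!r} is not under base {base!r}")
    return ",".join(d[:-len(b)])


if __name__ == "__main__":
    base = "OU=MY ORG,dc=mydc,dc=org"
    subject = "cn=mycert.myorg.com,OU=MY ORG,dc=mydc,dc=org"   # X500Principal.getName()
    # What the lookup in the question sends: the base appears twice.
    print("full DN + base  :", effective_lookup_dn(subject, base))
    # Either fix from the answer: strip the base, or configure no base at all.
    print("relative + base :", effective_lookup_dn(relative_to_base(subject, base), base))
    print("full DN, no base:", effective_lookup_dn(relative_to_base(subject, ""), ""))
```

In the Java code the equivalent is to pass LdapTemplate the name with the configured base removed (the base is available from the context source as getBaseLdapPathAsString()), or to leave the base unset and pass the full DN; the ignorePartialResultException setting is independent of this and still needed for AD referrals.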
Do some of you have experience with authentication in Zabbix using Lotus Domino? I'm not quite sure what to enter there. I know I set up authentication for IBM WebSphere, but I can't get it working in Zabbix. Can someone give me a tutorial or an explanation? :)
There is:
LDAP HOST : mydomino.local.address
Port : 389
Base DN : ???What is this???
Search attribute : cn;
Bind DN : ???my 'sudo' user / binduser???
Bind password : binduser.password
OK, so I tried it. Also, I can easily telnet "mydomino.local.address" on port 389, so there is nothing wrong with the connection. Maybe the Base DN. Is this something special, unique for each LDAP server, like "mycompany DomainName", or can it be something universal? Also the search attribute. I know cn, uid or mail works in WAS.
I would be really glad if someone could just help me with this.
In Domino there are different "Base DNs". For a user search the Base DN typically is o=YourOrganization, so if your Notes names look like CN=MartinFric/OU1=IT/O=YourCompany, then the base DN would be o=YourCompany.
Groups do NOT have a Base DN. If you search for groups, then the Base DN has to be empty.
The Bind DN depends on the configuration of your Domino. Your mail address will always work, as will your CN name. So this might be "Martin Fric" or "martin.fric#yourcompany.com". Other variations might work as well. The bind password is the Internet password of the bind user (HTTP password in the person document in the Domino directory).
Usually one creates a specific LDAP bind user in the directory with an Internet password, so as not to expose user passwords to any external program.
The search attributes depend on what you want to achieve.
Open the Lotus Notes program directory of any installed Lotus Notes client in a CMD and type the following:
ldapsearch.exe -h mydomino.local.address -p 389 -D "Martin Fric" -w YourInternetPassword "(CN=Martin Fric)"
In this query the parameters are:
-h = LDAP HOST
-p = Port
-D = Bind DN
-w = Bind Password
"(cn=Martin Fric)" = query that says: search in (search attribute) cn for an entry with value "Martin Fric"
If this query succeeds and returns values, then the parameters for Zabbix are correct. In that case someone who knows Zabbix has to help you further with debugging.
If this query does NOT succeed, then you need to fix your Domino -> come back with the error message you get for help.
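The field mapping and bind test from the answer above, as an added example that is not part of the original answer: a Python helper that turns a Domino canonical name into the LDAP DN, derives the user-search base DN (the O= component) and the empty group base, and assembles the ldapsearch check as an argv list, which sidesteps the shell-quoting problems of names containing spaces. It assumes the OpenLDAP ldapsearch client (flags -x -h -p -D -w -b and LDAP result codes as exit status); the Notes client's ldapsearch.exe used in the answer takes -h -p -D -w the same way. The name-to-DN mapping (slashes become commas, numbered OU levels become plain OU) reflects how Domino's LDAP service presents hierarchical names and is stated here as an assumption; the names and host are the ones from the thread.

```python
"""Domino name -> Zabbix LDAP fields, plus the ldapsearch bind test (added example)."""
import subprocess

# Domino groups have no base DN: a group search must start from the root.
GROUP_BASE_DN = ""


def notes_to_dn(canonical):
    """'CN=Martin Fric/OU1=IT/O=YourCompany' -> 'CN=Martin Fric,OU=IT,O=YourCompany'.
    Assumption: Domino exposes '/'-separated hierarchical names over LDAP as
    ','-separated DNs, with numbered OU levels (OU1, OU2, ...) as plain OU."""
    parts = []
    for comp in canonical.strip("/").split("/"):
        attr, _, value = comp.partition("=")
        attr = attr.strip().upper()
        if attr.startswith("OU") and attr[2:].isdigit():
            attr = "OU"
        parts.append(f"{attr}={value.strip()}")
    return ",".join(parts)


def user_base_dn(canonical):
    """Base DN for user searches: the organisation component, e.g. 'o=YourCompany'."""
    for rdn in notes_to_dn(canonical).split(","):
        attr, _, value = rdn.partition("=")
        if attr == "O":
            return f"o={value}"
    raise ValueError("no O= component in " + canonical)


def bind_test_argv(host, port, base_dn, search_attr, bind_dn, bind_pw, user):
    """The check from the answer as an argv list: simple bind as bind_dn, then
    search base_dn for search_attr=user. The password is passed with -w to
    mirror the answer; on a shared host prefer -W (interactive prompt) so it
    does not show up in the process list or shell history."""
    return ["ldapsearch", "-x", "-h", host, "-p", str(port),
            "-D", bind_dn, "-w", bind_pw, "-b", base_dn,
            f"({search_attr}={user})"]


def run_bind_test(argv):
    """Run the check. Returns (exit status, found, stderr). OpenLDAP's ldapsearch
    exits with the LDAP result code: 0 with a 'dn:' line means the Zabbix fields
    are right, 49 is invalidCredentials (bind DN/password), 32 is noSuchObject
    (base DN). Not executed by the demo below because it needs a live server."""
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.returncode, "dn:" in proc.stdout, proc.stderr.strip()


if __name__ == "__main__":
    name = "CN=Martin Fric/OU1=IT/O=YourCompany"
    argv = bind_test_argv("mydomino.local.address", 389, user_base_dn(name), "cn",
                          "Martin Fric", "YourInternetPassword", "Martin Fric")
    print("DN:      ", notes_to_dn(name))
    print("Base DN: ", user_base_dn(name))
    print("Group base DN:", repr(GROUP_BASE_DN))
    print("Command: ", " ".join(argv))
    # Against a reachable Domino server: print(run_bind_test(argv))
```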
I'd like to get the preferred domain controller name/address on a Mac joined to Active Directory (MS Windows Server with Domain Controller) programmatically with C/Objective-C. The best solution for now is parsing the output of the dsconfigad -show command-line utility, which contains lines such as:
Advanced Options - Administrative
Preferred Domain controller = 192.168.XXX.XXX
I already tried the Open Directory API, as advised here, but it fails to access nodes deeper than the full name of the domain:
// domainNode: "/Active Directory/MYDOMAIN/mydomain.local"
NSArray *domainSubNodes = [domainNode subnodeNamesAndReturnError:&err];
[domainSubNodes count]; // count is 0
Do I need to perform some kind of authorization to access subnodes of the domain, and how do I perform it?
Are there any POSIX/BSD functions that can obtain the domain controller name from pure C code?
I have installed memcached and the Drupal memcache module, and on the Linux command line:
-bash-4.1# netstat -tap | grep memcached
tcp 0 0 *:memcache : LISTEN 8431/memcached
tcp 0 0 *:memcache : LISTEN 8431/memcached
It seems to be listening on the IP and port, but now for the part where I get it to work with Drupal 7.18 so I can see what is going on.
Following these instructions:
$conf['cache_backends'][] = 'sites/all/modules/memcache/memcache.inc';
$conf['cache_default_class'] = 'MemCacheDrupal';
$conf['memcache_key_prefix'] = 'something_unique';
/* note : Replace the "something_unique" in the last line with your own unique memcache key prefix. */
Where do I find "your own unique memcache key prefix"?
The documentation for the module says:
If you want to have multiple Drupal installations share memcached instances, you need to include a unique prefix for each Drupal installation in the $conf array of settings.php:
$conf['memcache_key_prefix'] = 'something_unique';
You need that parameter only if you have more than one Drupal installation using the same memcached instance; if there is just one Drupal installation, you don't need it.
As long as you use a different value for each Drupal installation, you can use whatever value you want. You could also use the domain name (including the sub-domain name).
In CakePHP config.php the salt is blank (''), so when saving a password, which mechanism does CakePHP use to produce the password hash?
Which core file contains the procedure to generate the hashed/md5 password?
I think it uses something like Security::hash(password);
If you search for ".salt" in the core files you should be able to find that it is used in several places, like so:
$check = Security::hash(serialize($fieldList) . $unlocked . Configure::read('Security.salt'));
(SecurityComponent)
and so:
$this->key = Configure::read('Security.salt');
(CookieComponent)
So an empty salt would simply have the effect of "no salt" for saving passwords,
although this can have side effects with cookies. An empty key might cause trouble.
Why would you want to omit the salt here, anyway?