smbk5pwd overlay on OpenLDAP 2.4
I have an OpenLDAP server and I want to configure the `smbk5pwd` overlay so that `sambaNTPassword` and `sambaLMPassword` are updated together with `userPassword` in OpenLDAP. Versions:

```
slapd           2.4.23-7.3
slapd-smbk5pwd  2.4.23-7.3
```
Module:

```
dn: cn=module{1},cn=config
objectClass: olcModuleList
cn: module{1}
olcModuleLoad: smbk5pwd
olcModulePath: /usr/lib/ldap
```
The module loads without errors. If I try to add the overlay, this happens:

```
#!RESULT ERROR
#!CONNECTION ldap://192.168.10.145:389
#!DATE 2014-03-07T09:55:49.078
#!ERROR [LDAP: error code 80 - <olcSmbK5PwdEnable> handler exited with 1]
dn: olcOverlay=smbk5pwd,olcDatabase={1}hdb,cn=config
changetype: add
objectClass: olcSmbK5PwdConfig
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: smbk5pwd
olcSmbK5PwdEnable: samba
```
LDAP log:

```
smbk5pwd: unable to find "krb5KDCEntry" objectClass.
olcSmbK5PwdEnable: value #0: <olcSmbK5PwdEnable> handler exited with 1!
```
I have included the following schemas:

```
cn={0}core.ldif
cn={1}cosine.ldif
cn={2}nis.ldif
cn={3}inetorgperson.ldif
cn={4}mozillaorgperson.ldif
cn={5}evolutionperson.ldif
cn={6}qmailuser.ldif
cn={7}samba.ldif
```
What am I missing? Do I have to load another module or schema?
Edit:

Found `krb5-kdc.schema` and included it before `samba.schema`. For those who also have a hard time finding it, here it is:
```
# $Id: krb5-kdc.schema,v 1.1 2004-03-22 17:25:05 quanah Exp $
# Definitions for a Kerberos V KDC schema
# OID Base is iso(1) org(3) dod(6) internet(1) private(4) enterprise(1) padl(5322) kdcSchema(10)
#
# Syntaxes are under 1.3.6.1.4.1.5322.10.0
# Attributes types are under 1.3.6.1.4.1.5322.10.1
# Object classes are under 1.3.6.1.4.1.5322.10.2

# Syntax definitions

#krb5KDCFlagsSyntax SYNTAX ::= {
#   WITH SYNTAX            INTEGER
#--        initial(0),             -- require as-req
#--        forwardable(1),         -- may issue forwardable
#--        proxiable(2),           -- may issue proxiable
#--        renewable(3),           -- may issue renewable
#--        postdate(4),            -- may issue postdatable
#--        server(5),              -- may be server
#--        client(6),              -- may be client
#--        invalid(7),             -- entry is invalid
#--        require-preauth(8),     -- must use preauth
#--        change-pw(9),           -- change password service
#--        require-hwauth(10),     -- must use hwauth
#--        ok-as-delegate(11),     -- as in TicketFlags
#--        user-to-user(12),       -- may use user-to-user auth
#--        immutable(13)           -- may not be deleted
#   ID                     { 1.3.6.1.4.1.5322.10.0.1 }
#}

#krb5PrincipalNameSyntax SYNTAX ::= {
#   WITH SYNTAX            OCTET STRING
#-- String representations of distinguished names as per RFC1510
#   ID                     { 1.3.6.1.4.1.5322.10.0.2 }
#}

# Attribute type definitions

attributetype ( 1.3.6.1.4.1.5322.10.1.1
        NAME 'krb5PrincipalName'
        DESC 'The unparsed Kerberos principal name'
        EQUALITY caseExactIA5Match
        SINGLE-VALUE
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.5322.10.1.2
        NAME 'krb5KeyVersionNumber'
        EQUALITY integerMatch
        SINGLE-VALUE
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

attributetype ( 1.3.6.1.4.1.5322.10.1.3
        NAME 'krb5MaxLife'
        EQUALITY integerMatch
        SINGLE-VALUE
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

attributetype ( 1.3.6.1.4.1.5322.10.1.4
        NAME 'krb5MaxRenew'
        EQUALITY integerMatch
        SINGLE-VALUE
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

attributetype ( 1.3.6.1.4.1.5322.10.1.5
        NAME 'krb5KDCFlags'
        EQUALITY integerMatch
        SINGLE-VALUE
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

attributetype ( 1.3.6.1.4.1.5322.10.1.6
        NAME 'krb5EncryptionType'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

attributetype ( 1.3.6.1.4.1.5322.10.1.7
        NAME 'krb5ValidStart'
        EQUALITY generalizedTimeMatch
        ORDERING generalizedTimeOrderingMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
        SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.5322.10.1.8
        NAME 'krb5ValidEnd'
        EQUALITY generalizedTimeMatch
        ORDERING generalizedTimeOrderingMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
        SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.5322.10.1.9
        NAME 'krb5PasswordEnd'
        EQUALITY generalizedTimeMatch
        ORDERING generalizedTimeOrderingMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
        SINGLE-VALUE )

# this is temporary; keys will eventually
# be child entries or compound attributes.
attributetype ( 1.3.6.1.4.1.5322.10.1.10
        NAME 'krb5Key'
        DESC 'Encoded ASN1 Key as an octet string'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 )

attributetype ( 1.3.6.1.4.1.5322.10.1.11
        NAME 'krb5PrincipalRealm'
        DESC 'Distinguished name of krb5Realm entry'
        SUP distinguishedName )

attributetype ( 1.3.6.1.4.1.5322.10.1.12
        NAME 'krb5RealmName'
        EQUALITY octetStringMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} )

# Object class definitions

objectclass ( 1.3.6.1.4.1.5322.10.2.1
        NAME 'krb5Principal'
        SUP top
        AUXILIARY
        MUST ( krb5PrincipalName )
        MAY ( cn $ krb5PrincipalRealm ) )

objectclass ( 1.3.6.1.4.1.5322.10.2.2
        NAME 'krb5KDCEntry'
        SUP krb5Principal
        AUXILIARY
        MUST ( krb5KeyVersionNumber )
        MAY ( krb5ValidStart $ krb5ValidEnd $ krb5PasswordEnd $
              krb5MaxLife $ krb5MaxRenew $ krb5KDCFlags $
              krb5EncryptionType $ krb5Key ) )

objectclass ( 1.3.6.1.4.1.5322.10.2.3
        NAME 'krb5Realm'
        SUP top
        AUXILIARY
        MUST ( krb5RealmName ) )
```
`slaptest` runs successfully and I am able to add the overlay, but if I change `userPassword`, the other attributes remain unchanged. The `userPassword` attribute contains a SHA1 hash.
You must use the RFC 3062 Password Modify extended operation. See the README in the source distribution (there is no man page, AFAICT). You can do this from the command line with OpenLDAP's `ldappasswd` (which is different from `slappasswd`, which only hashes a password value in various ways).

`userPassword` has grown special semantics over time, none of which were intended (and which are not strictly conformant to the specification). It is not uncommon to have "compare-only" (verify-only) access or no read access to it, and to have client- or server-dependent transformations (e.g. hashing of the content on the client or server side). Password Modify is well defined, accepts only a cleartext password, and can use an administrator-defined hash method. The extension provides an abstraction layer for passwords (and also allows password storage to be separated entirely from the directory). It is also required for password complexity enforcement, if clients are allowed to write pre-hashed values directly into `userPassword`. For example (perl): http://search.cpan.org/~gbarr/perl-ldap/lib/Net/LDAP/Extension/SetPassword.pm
You can confirm support by querying the Root DSE (dn ""), e.g.

```
$ ldapsearch -H ldaps://myldap/ [ -D user -w password ] \
    -s base -b "" "(objectclass=*)" supportedExtension
[...]
dn:
supportedExtension: 1.3.6.1.4.1.1466.20037   # STARTTLS
supportedExtension: 1.3.6.1.4.1.4203.1.11.1  # password modify
supportedExtension: 1.3.6.1.4.1.4203.1.11.3  # who am i
supportedExtension: 1.3.6.1.1.8              # cancel request
```
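To make concrete why `ldappasswd` succeeds where a direct write of a SHA1 `userPassword` value leaves the Samba attributes untouched, here is an added example (not part of the question, the answer, or OpenLDAP itself) that builds the RFC 3062 Password Modify request by hand, decodes its response, and automates the Root DSE check from the answer. It uses only the Python standard library, so it runs offline; the DN, the passwords and the `ROOT_DSE_SAMPLE` text are constructed sample data. The request value is what `ldappasswd` puts on the wire: the new password travels in cleartext inside the operation, and it is the server that hashes it, which is exactly the point at which an overlay such as smbk5pwd gets to derive `sambaNTPassword` and `sambaLMPassword`.

```python
# Added example: RFC 3062 Password Modify on the wire (stdlib only, offline).
# Not OpenLDAP's code; DN, passwords and Root DSE text are constructed samples.

PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"  # RFC 3062


def _ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + _ber_len(len(value)) + value


def _read_tlv(buf: bytes, pos: int):
    """Parse one TLV at buf[pos]; returns (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def encode_passwd_modify_request_value(user_identity=None, old_passwd=None,
                                       new_passwd=None) -> bytes:
    """RFC 3062 s.2.1: PasswdModifyRequestValue ::= SEQUENCE {
         userIdentity [0] OCTET STRING OPTIONAL,
         oldPasswd    [1] OCTET STRING OPTIONAL,
         newPasswd    [2] OCTET STRING OPTIONAL }
    Context-specific primitive tags 0x80/0x81/0x82. newPasswd is cleartext:
    the server chooses the hash, so overlays see the real password."""
    body = b""
    if user_identity is not None:
        body += _tlv(0x80, user_identity.encode("utf-8"))
    if old_passwd is not None:
        body += _tlv(0x81, old_passwd.encode("utf-8"))
    if new_passwd is not None:
        body += _tlv(0x82, new_passwd.encode("utf-8"))
    return _tlv(0x30, body)               # SEQUENCE


def encode_ldap_extended_request(message_id: int, oid: str,
                                 value: bytes) -> bytes:
    """RFC 4511 s.4.12: ExtendedRequest ::= [APPLICATION 23] SEQUENCE {
         requestName [0] LDAPOID, requestValue [1] OCTET STRING OPTIONAL }
    wrapped in LDAPMessage { messageID INTEGER, protocolOp }.
    [APPLICATION 23] constructed is tag byte 0x40 | 0x20 | 23 = 0x77."""
    msg_id = message_id.to_bytes((message_id.bit_length() + 8) // 8,
                                 "big", signed=True)
    ext = _tlv(0x80, oid.encode("ascii")) + _tlv(0x81, value)
    return _tlv(0x30, _tlv(0x02, msg_id) + _tlv(0x77, ext))


def decode_passwd_modify_response_value(data: bytes):
    """RFC 3062 s.2.2: PasswdModifyResponseValue ::= SEQUENCE {
         genPasswd [0] OCTET STRING OPTIONAL }
    Returns the server-generated password, or None when the client chose one."""
    tag, seq, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("PasswdModifyResponseValue must be a SEQUENCE")
    pos = 0
    while pos < len(seq):
        inner_tag, inner_val, pos = _read_tlv(seq, pos)
        if inner_tag == 0x80:
            return inner_val.decode("utf-8")
    return None


def root_dse_supports_passwd_modify(ldif: str) -> bool:
    """The answer's check, automated: scan `ldapsearch -s base -b ""`
    output for the Password Modify OID among supportedExtension values."""
    for line in ldif.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "supportedExtension":
            tokens = value.split()
            if tokens and tokens[0] == PASSWD_MODIFY_OID:
                return True
    return False


# Constructed sample Root DSE, shaped like the ldapsearch output above.
ROOT_DSE_SAMPLE = """dn:
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedExtension: 1.3.6.1.1.8
"""

if __name__ == "__main__":
    assert root_dse_supports_passwd_modify(ROOT_DSE_SAMPLE)
    value = encode_passwd_modify_request_value(
        "uid=alice,ou=people,dc=example,dc=com",   # sample DN
        "old-secret", "new-secret")                # sample passwords
    print(encode_ldap_extended_request(1, PASSWD_MODIFY_OID, value).hex())
    print(decode_passwd_modify_response_value(b"\x30\x0a\x80\x08genpw123"))
```

To use this against a real server you would bind first and send the message over TLS (ldaps:// or STARTTLS), because `newPasswd` is cleartext inside the request; omitting `newPasswd` asks the server to generate one, which comes back in `genPasswd`. The same request value is what python-ldap's `passwd_s()` and ldap3's `extend.standard.modify_password()` produce, so in practice you would call one of those rather than encode BER yourself; the hand encoding is here to show what the operation carries and why the overlay can act on it.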