Configuration

smbk5pwd overlay on OpenLDAP 2.4

  • January 26, 2021

I have an OpenLDAP server and I want to configure the smbk5pwd overlay so that sambaNTPassword, sambaLMPassword and userPassword stay in sync. Versions:

slapd           2.4.23-7.3
slapd-smbk5pwd  2.4.23-7.3

Module

dn: cn=module{1},cn=config
objectClass: olcModuleList
cn: module{1}
olcModuleLoad: smbk5pwd
olcModulePath: /usr/lib/ldap

The module loads without errors. If I try to add the overlay, this happens:

#!RESULT ERROR
#!CONNECTION ldap://192.168.10.145:389
#!DATE 2014-03-07T09:55:49.078
#!ERROR [LDAP: error code 80 - <olcSmbK5PwdEnable> handler exited with 1]
dn: olcOverlay=smbk5pwd,olcDatabase={1}hdb,cn=config
changetype: add
objectClass: olcSmbK5PwdConfig
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: smbk5pwd
olcSmbK5PwdEnable: samba

LDAP log

smbk5pwd: unable to find "krb5KDCEntry" objectClass.
olcSmbK5PwdEnable: value #0: <olcSmbK5PwdEnable> handler exited with 1!

I have included the following schemas:

cn={0}core.ldif
cn={1}cosine.ldif
cn={2}nis.ldif
cn={3}inetorgperson.ldif
cn={4}mozillaorgperson.ldif
cn={5}evolutionperson.ldif
cn={6}qmailuser.ldif
cn={7}samba.ldif

What am I missing? Do I have to load another module or schema?

EDIT - found krb5-kdc.schema and included it before samba.schema

For those who also have trouble finding it, here it is:

# $Id: krb5-kdc.schema,v 1.1 2004-03-22 17:25:05 quanah Exp $
# Definitions for a Kerberos V KDC schema

# OID Base is iso(1) org(3) dod(6) internet(1) private(4) enterprise(1) padl(5322) kdcSchema(10)
#
# Syntaxes are under 1.3.6.1.4.1.5322.10.0
# Attributes types are under 1.3.6.1.4.1.5322.10.1
# Object classes are under 1.3.6.1.4.1.5322.10.2

# Syntax definitions

#krb5KDCFlagsSyntax SYNTAX ::= {
#   WITH SYNTAX            INTEGER
#--        initial(0),             -- require as-req
#--        forwardable(1),         -- may issue forwardable
#--        proxiable(2),           -- may issue proxiable
#--        renewable(3),           -- may issue renewable
#--        postdate(4),            -- may issue postdatable
#--        server(5),              -- may be server
#--        client(6),              -- may be client
#--        invalid(7),             -- entry is invalid
#--        require-preauth(8),     -- must use preauth
#--        change-pw(9),           -- change password service
#--        require-hwauth(10),     -- must use hwauth
#--        ok-as-delegate(11),     -- as in TicketFlags
#--        user-to-user(12),       -- may use user-to-user auth
#--        immutable(13)           -- may not be deleted         
#   ID                     { 1.3.6.1.4.1.5322.10.0.1 }
#}

#krb5PrincipalNameSyntax SYNTAX ::= {
#   WITH SYNTAX            OCTET STRING
#-- String representations of distinguished names as per RFC1510
#   ID                     { 1.3.6.1.4.1.5322.10.0.2 }
#}

# Attribute type definitions

attributetype ( 1.3.6.1.4.1.5322.10.1.1
   NAME 'krb5PrincipalName'
   DESC 'The unparsed Kerberos principal name'
   EQUALITY caseExactIA5Match
   SINGLE-VALUE
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.5322.10.1.2
   NAME 'krb5KeyVersionNumber'
   EQUALITY integerMatch
   SINGLE-VALUE
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

attributetype ( 1.3.6.1.4.1.5322.10.1.3
   NAME 'krb5MaxLife'
   EQUALITY integerMatch
   SINGLE-VALUE
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

attributetype ( 1.3.6.1.4.1.5322.10.1.4
   NAME 'krb5MaxRenew'
   EQUALITY integerMatch
   SINGLE-VALUE
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

attributetype ( 1.3.6.1.4.1.5322.10.1.5
   NAME 'krb5KDCFlags'
   EQUALITY integerMatch
   SINGLE-VALUE
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

attributetype ( 1.3.6.1.4.1.5322.10.1.6
   NAME 'krb5EncryptionType'
   EQUALITY integerMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

attributetype ( 1.3.6.1.4.1.5322.10.1.7
   NAME 'krb5ValidStart'
   EQUALITY generalizedTimeMatch
   ORDERING generalizedTimeOrderingMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
   SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.5322.10.1.8
   NAME 'krb5ValidEnd'
   EQUALITY generalizedTimeMatch
   ORDERING generalizedTimeOrderingMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
   SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.5322.10.1.9
   NAME 'krb5PasswordEnd'
   EQUALITY generalizedTimeMatch
   ORDERING generalizedTimeOrderingMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
   SINGLE-VALUE )

# this is temporary; keys will eventually
# be child entries or compound attributes.
attributetype ( 1.3.6.1.4.1.5322.10.1.10
   NAME 'krb5Key'
   DESC 'Encoded ASN1 Key as an octet string'
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 )

attributetype ( 1.3.6.1.4.1.5322.10.1.11
   NAME 'krb5PrincipalRealm'
   DESC 'Distinguished name of krb5Realm entry'
   SUP distinguishedName )

attributetype ( 1.3.6.1.4.1.5322.10.1.12
   NAME 'krb5RealmName'
   EQUALITY octetStringMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} )

# Object class definitions

objectclass ( 1.3.6.1.4.1.5322.10.2.1
   NAME 'krb5Principal'
   SUP top
   AUXILIARY
   MUST ( krb5PrincipalName )
   MAY ( cn $ krb5PrincipalRealm ) )

objectclass ( 1.3.6.1.4.1.5322.10.2.2
   NAME 'krb5KDCEntry'
   SUP krb5Principal
   AUXILIARY
   MUST ( krb5KeyVersionNumber )
   MAY ( krb5ValidStart $ krb5ValidEnd $ krb5PasswordEnd $
         krb5MaxLife $ krb5MaxRenew $ krb5KDCFlags $
         krb5EncryptionType $ krb5Key ) )

objectclass ( 1.3.6.1.4.1.5322.10.2.3
   NAME 'krb5Realm'
   SUP top
   AUXILIARY
   MUST ( krb5RealmName ) )

slaptest runs successfully and I was able to add the overlay, but if I change userPassword, the other attributes remain unchanged. The userPassword attribute contains a SHA1 hash.

You must use the RFC 3062 password modify extended operation. See the README in the source distribution (there is no man page, AFAICT). You can do this from the command line with OpenLDAP's ldappasswd (this is different from slappasswd, which only hashes a password value in various ways).

userPassword has, over time, developed special semantics, none of which were intended (and which do not strictly conform to the spec). It is not uncommon to have "compare-only" (auth-only) access or no read access at all, and to have client- or server-dependent transformations (e.g. hashing of the content on the client or server side). Password Modify is well defined, accepts only a plaintext password, and can use an administrator-defined hashing method. This extension provides an abstraction layer for the password (and also allows password storage to be separated entirely from the directory). It is also required for password complexity enforcement, if clients are allowed to write pre-hashed values directly to userPassword.

For example (perl): http://search.cpan.org/~gbarr/perl-ldap/lib/Net/LDAP/Extension/SetPassword.pm

You can confirm support by querying the Root DSE (dn "") e.g.

$ ldapsearch -H ldaps://myldap/ [ -D user -w password ] \
-s base -b "" "(objectclass=*)" supportedExtension 
[...]
dn:
supportedExtension: 1.3.6.1.4.1.1466.20037    # STARTTLS
supportedExtension: 1.3.6.1.4.1.4203.1.11.1   # password modify
supportedExtension: 1.3.6.1.4.1.4203.1.11.3   # who am i
supportedExtension: 1.3.6.1.1.8               # cancel request

Quoted from: https://serverfault.com/questions/580460
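The answer above turns on two things: the wire shape of the RFC 3062 Password Modify request (an extended operation whose value is a BER SEQUENCE carrying the plaintext password, so the server, not the client, decides how to hash it), and the fact that a client writing a pre-hashed `{SSHA}` string straight into userPassword hands the server an opaque blob that no overlay or policy can inspect. The following is an added example, not code from the serverfault post or from OpenLDAP. It uses only the Python standard library: it encodes and decodes the PasswdModifyRequestValue / PasswdModifyResponseValue payloads from the RFC, checks a Root DSE listing (a constructed sample in the shape of the ldapsearch output above) for the 1.3.6.1.4.1.4203.1.11.1 OID, and shows what slappasswd-style `{SSHA}` hashing produces for contrast. The fixed salt passed in the example is for reproducibility only; a real salt must come from os.urandom.

```python
"""RFC 3062 Password Modify payloads, Root DSE capability check and {SSHA}
hashing. Added example, not part of the serverfault post; stdlib only."""
import base64
import hashlib
import os

PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"   # from the RFC / Root DSE above

# --- minimal BER helpers (definite length, short and long form) ---------------
def _ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, value):
    return bytes([tag]) + _ber_len(len(value)) + value

def _read_tlv(buf, pos):
    """Return (tag, value, position after the TLV); raises on truncation."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated BER element")
    return tag, value, pos + length

# --- RFC 3062, section 2: request and response values ------------------------
# PasswdModifyRequestValue ::= SEQUENCE {
#     userIdentity [0] OCTET STRING OPTIONAL,
#     oldPasswd    [1] OCTET STRING OPTIONAL,
#     newPasswd    [2] OCTET STRING OPTIONAL }
_REQ_TAGS = {"userIdentity": 0x80, "oldPasswd": 0x81, "newPasswd": 0x82}

def encode_passwd_modify_request(user_identity=None, old_passwd=None, new_passwd=None):
    """Build the requestValue bytes; only the plaintext password travels."""
    parts = b""
    for name, val in (("userIdentity", user_identity), ("oldPasswd", old_passwd),
                      ("newPasswd", new_passwd)):
        if val is not None:
            parts += _tlv(_REQ_TAGS[name], val.encode("utf-8"))
    return _tlv(0x30, parts)                       # SEQUENCE

def decode_passwd_modify_request(buf):
    tag, body, end = _read_tlv(buf, 0)
    if tag != 0x30 or end != len(buf):
        raise ValueError("not a single SEQUENCE")
    names = {v: k for k, v in _REQ_TAGS.items()}
    out, pos = {}, 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag not in names:
            raise ValueError("unexpected tag 0x%02x" % tag)
        out[names[tag]] = value.decode("utf-8")
    return out

# PasswdModifyResponseValue ::= SEQUENCE { genPasswd [0] OCTET STRING OPTIONAL }
# genPasswd is only present when the client asked the server to generate one.
def decode_passwd_modify_response(buf):
    tag, body, end = _read_tlv(buf, 0)
    if tag != 0x30 or end != len(buf):
        raise ValueError("not a single SEQUENCE")
    if not body:
        return {}
    tag, value, pos = _read_tlv(body, 0)
    if tag != 0x80 or pos != len(body):
        raise ValueError("bad genPasswd element")
    return {"genPasswd": value.decode("utf-8")}

# --- Root DSE check, same shape as the ldapsearch output above ---------------
def supports_passwd_modify(root_dse_text):
    """True if a supportedExtension line carries the Password Modify OID.
    Trailing '# comment' annotations (as in the answer's listing) are ignored."""
    oids = set()
    for line in root_dse_text.splitlines():
        if line.startswith("supportedExtension:"):
            oids.add(line.split(":", 1)[1].split("#", 1)[0].strip())
    return PASSWD_MODIFY_OID in oids

# --- what slappasswd -h {SSHA} produces: sha1(pw || salt) || salt, base64 ----
def slappasswd_ssha(password, salt=None):
    salt = os.urandom(8) if salt is None else salt      # fixed salt = demo only
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def verify_ssha(password, stored):
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest
```

The request encoder is what ldappasswd (or Net::LDAP::Extension::SetPassword) sends inside an ExtendedRequest with requestName 1.3.6.1.4.1.4203.1.11.1; because slapd receives the plaintext, smbk5pwd can derive the NT/LM hashes and a password policy can check complexity. A `{SSHA}` string written with an ordinary Modify bypasses both, which is exactly the symptom in the question.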