Ldap

OpenLDAP: pwdChangedTime attribute not created after changing the password?

  • January 30, 2013

I want to integrate check_mk's Multisite with OpenLDAP. After configuring the LDAP connector, I get the following error when opening the "Users and Contacts" page:

Error executing sync hook
The "Authentication Expiration" attribute (pwdchangedtime) could not
be fetched from the LDAP server for user {u'cn': [u'noreply']}.

Here are all the steps I took to set up the password policy overlay:

Install the overlay modules for the OpenLDAP server:

yum install openldap-servers-overlays

Add the following lines to /etc/openldap/slapd.conf:

include     /etc/openldap/schema/ppolicy.schema

modulepath  /usr/lib64/openldap
moduleload  ppolicy.la

Then I restarted OpenLDAP and tried changing a password. I am sure it was changed successfully, but I do not see the pwdChangedTime attribute when I run ldapsearch:

$ ldapsearch -x -D "cn=Manager,dc=domain,dc=com" -y .passwd.cnf "cn=noreply"
dn: cn=noreply,ou=it,dc=domain,dc=com
cn: noreply
mail: noreply at domain.com
maildrop: noreply at domain.com
sn: No
uid: noreply
objectClass: inetOrgPerson
objectClass: mailUser
objectClass: organizationalPerson
objectClass: person
objectClass: top
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
pwdAttribute: userPassword
pwdMaxAge: 31536000
pwdMinAge: 60
pwdAllowUserChange: TRUE
userPassword: {MD5}xx

What am I missing?

Actually, the pwdChangedTime attribute has been created, but because it is an operational attribute it is not returned by default. You have to run ldapsearch with that attribute name explicitly:

$ ldapsearch -x -D "cn=Manager,dc=domain,dc=com" -W "cn=noreply" pwdChangedTime
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: cn=noreply
# requesting: pwdChangedTime
#

# noreply, it, domain.com
dn: cn=noreply,ou=it,dc=domain,dc=com
pwdChangedTime: 20130128154849Z

Or append a plus sign (+) to the ldapsearch command to request all operational attributes:

# ldapsearch -x -D "cn=Manager,dc=domain,dc=com" -y .passwd.cnf "cn=noreply" +
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: cn=noreply
# requesting: + 
#

# noreply, it, domain.com
dn: cn=noreply,ou=it,dc=domain,dc=com
structuralObjectClass: inetOrgPerson
entryUUID: 047e7ce6-3b99-1031-83cb-afef2344189c
creatorsName: cn=Manager,dc=domain,dc=com
createTimestamp: 20120526161012Z
pwdChangedTime: 20130129032710Z
entryCSN: 20130129032710Z#00003a#00#000000
modifiersName: cn=Manager,dc=domain,dc=com
modifyTimestamp: 20130129032710Z
entryDN: cn=noreply,ou=it,dc=domain,dc=com
subschemaSubentry: cn=Subschema
hasSubordinates: FALSE

To add this attribute to all users created before the password policy overlay was set up, you can simply update userPassword with the same value it already has:

ldapsearch -x -D cn=Manager,dc=domain,dc=com -y .passwd.txt -L \
    "(&(objectclass=person)(!(pwdChangedTime=*)))" userPassword \
    | sed '/dn: /a\changetype: modify\nreplace: userPassword' \
    | ldapmodify -x -D cn=Manager,dc=domain,dc=com -y .passwd.txt
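As an added example (not code from the original answer), the same LDIF rewrite in portable awk instead of GNU-only sed, plus a sanity check worth running before anything reaches ldapmodify: if the bind DN could not read an entry's userPassword, the search LDIF carries a bare dn:, and a "replace" with no values would delete that attribute. The sample LDIF is constructed; the functions and DNs are assumptions, not part of the original thread.

```shell
#!/bin/sh
# Added example, not code from the original answer.
# Constructed sample of what
#   ldapsearch -LLL "(&(objectclass=person)(!(pwdChangedTime=*)))" userPassword
# prints: two entries, userPassword base64-encoded as ldapsearch emits it
# (the values decode to the placeholders "{MD5}xx" and "{MD5}yy").
SAMPLE_LDIF='dn: cn=noreply,ou=it,dc=domain,dc=com
userPassword:: e01ENX14eA==

dn: cn=alice,ou=it,dc=domain,dc=com
userPassword:: e01ENX15eQ==
'

# stdin: search LDIF; stdout: modify LDIF that re-writes userPassword with the
# value the entry already has, so the ppolicy overlay stamps pwdChangedTime.
# Same effect as the answer's sed one-liner, but portable across awk versions.
ldif_to_password_modify() {
  awk '
    /^dn: / { print; print "changetype: modify"; print "replace: userPassword"; next }
    { print }
  '
}

# Reject modify LDIF in which some entry has no userPassword value: sent to
# ldapmodify, "replace: userPassword" with no values removes the attribute.
# Prints the number of entries; exits non-zero if any entry is defective.
check_modify_ldif() {
  awk '
    /^dn: / { if (indn && !havepw) bad++; indn = 1; havepw = 0; n++; next }
    /^userPassword::? / { havepw = 1 }
    END { if (indn && !havepw) bad++; print n; exit (bad > 0) }
  '
}

# Stand-alone demo: show the LDIF that would be piped into ldapmodify.
printf '%s' "$SAMPLE_LDIF" | ldif_to_password_modify
```

Against a live directory, pipe real ldapsearch output through both functions and run ldapmodify with -n first to see what would change without writing anything.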

Source: https://serverfault.com/questions/473703