OpenLDAP: pwdChangedTime attribute not created after changing the password?
I want to integrate check_mk's Multisite with OpenLDAP. After configuring the LDAP connector, opening the "Users and Contacts" page gives the following error:

    Error executing sync hook The "Authentication Expiration" attribute (pwdchangedtime) could not be fetchedfrom the LDAP server for user {u'cn': [u'noreply']}.
Here are all the steps I took to set up the password policy overlay:

Install the overlay module for the OpenLDAP server:

    yum install openldap-servers-overlays

Add the following lines to /etc/openldap/slapd.conf:

    include /etc/openldap/schema/ppolicy.schema
    modulepath /usr/lib64/openldap
    moduleload ppolicy.la
Then I restarted OpenLDAP and tried changing a password. I am sure it was changed successfully, but I do not see the pwdChangedTime attribute when I run ldapsearch:

    $ ldapsearch -x -D "cn=Manager,dc=domain,dc=com" -y .passwd.cnf "cn=noreply"
    dn: cn=noreply,ou=it,dc=domain,dc=com
    cn: noreply
    mail: noreply at domain.com
    maildrop: noreply at domain.com
    sn: No
    uid: noreply
    objectClass: inetOrgPerson
    objectClass: mailUser
    objectClass: organizationalPerson
    objectClass: person
    objectClass: top
    objectClass: pwdPolicy
    objectClass: pwdPolicyChecker
    pwdAttribute: userPassword
    pwdMaxAge: 31536000
    pwdMinAge: 60
    pwdAllowUserChange: TRUE
    userPassword: {MD5}xx
What am I missing?
Actually, the pwdChangedTime attribute has already been created, but because it is an operational attribute it is not returned by default. You have to run ldapsearch and request it by name:

    $ ldapsearch -x -D "cn=Manager,dc=domain,dc=com" -W "cn=noreply" pwdChangedTime
    Enter LDAP Password:
    # extended LDIF
    #
    # LDAPv3
    # base <> with scope subtree
    # filter: cn=noreply
    # requesting: pwdChangedTime
    #

    # noreply, it, domain.com
    dn: cn=noreply,ou=it,dc=domain,dc=com
    pwdChangedTime: 20130128154849Z
Or append a plus sign (+) to the ldapsearch command, which requests all operational attributes:

    # ldapsearch -x -D "cn=Manager,dc=domain,dc=com" -y .passwd.cnf "cn=noreply" +
    # extended LDIF
    #
    # LDAPv3
    # base <> with scope subtree
    # filter: cn=noreply
    # requesting: +
    #

    # noreply, it, domain.com
    dn: cn=noreply,ou=it,dc=domain,dc=com
    structuralObjectClass: inetOrgPerson
    entryUUID: 047e7ce6-3b99-1031-83cb-afef2344189c
    creatorsName: cn=Manager,dc=domain,dc=com
    createTimestamp: 20120526161012Z
    pwdChangedTime: 20130129032710Z
    entryCSN: 20130129032710Z#00003a#00#000000
    modifiersName: cn=Manager,dc=domain,dc=com
    modifyTimestamp: 20130129032710Z
    entryDN: cn=noreply,ou=it,dc=domain,dc=com
    subschemaSubentry: cn=Subschema
    hasSubordinates: FALSE
To add this attribute to all users that were created before the password policy overlay was put in place, you can simply update userPassword with the same value it already has (the search selects only person entries that have no pwdChangedTime yet; the password is read from .passwd.txt with -y, so -W is not needed as well):

    ldapsearch -x -D cn=Manager,dc=domain,dc=com -y .passwd.txt -L \
        "(&(objectclass=person)(!(pwdChangedTime=*)))" userPassword \
    | sed '/dn: /a\changetype: modify\nreplace: userPassword' \
    | ldapmodify -x -D cn=Manager,dc=domain,dc=com -y .passwd.txt