[linux-baslangic] openldap


From: Fuat Altun (faltun@iso.org.tr)
Date: Mon 22 Dec 2003 - 07:17:18 EST


    I am working with openldap on Mandrake 9.2.

    My goal is to do user auth. using ldap.

    I have a few questions about this.

    1- When I change a password with the passwd command, only the password on the
    ldap server changes. But if I stop the ldap server, I can change the password
    in the shadow file with the passwd command. What can I do?

    2- When I stop the ldap server, it blocks me from logging in to the system
    without looking at the value in the shadow file at all. Yet the account I want
    to log in with exists in the passwd and shadow files. That is, once the ldap
    server is stopped, there is no way to log in

    3- Where can I see the password encryption or hashing scheme (md5, des ....)
    used by my distribution? Mandrake is probably md5

    Yet the document I use as a reference for openldap suggested the following
    structure for the hash.

    password-hash {crypt}

    password-crypt-salt-format "$1$%.8s"

    Is this correct?

    4- User x's password appears in the shadow file as
    ($1$jyQZDCCe$TeMv081EkIZbcrgEoBKxM.). The plain text form

    But when I change this password again and set it back to "fuat", this hash
    code changes. How does this happen? Both are "fuat" in plain text, but the
    hash codes are different?

    Thanks in advance.

    My conf. files are as follows.

    pidfile /var/run/ldap/slapd.pid
    argsfile /var/run/ldap/slapd.args

    modulepath /usr/lib/openldap
    #moduleload back_dnssrv.la
    #moduleload back_ldap.la
    #moduleload back_passwd.la
    #moduleload back_sql.la

    # SASL config
    #sasl-host ldap.example.com

    # To allow TLS-enabled connections, create /usr/share/ssl/certs/slapd.pem
    # and uncomment the following lines.
    #TLSRandFile /dev/random
    #TLSCipherSuite HIGH:MEDIUM:+SSLv2
    TLSCertificateFile /etc/ssl/openldap/ldap.pem
    TLSCertificateKeyFile /etc/ssl/openldap/ldap.pem
    #TLSCACertificatePath /etc/ssl/openldap/
    TLSCACertificateFile /etc/ssl/openldap/ldap.pem
    #TLSVerifyClient 0

    database ldbm
    suffix "dc=mylan,dc=net"
    rootdn "cn=root,dc=mylan,dc=net"

    rootpw {MD5}a2LsnCOtDE3guPdGjj/FFw==

    directory /var/lib/ldap

    index objectClass,uid,uidNumber,gidNumber eq
    index cn,mail,surname,givenname eq,subinitial

    # logging
    loglevel 256

    # Basic ACL
    access to attr=userPassword
            by self write
            by anonymous auth
            by dn="uid=root,ou=People,dc=example,dc=com" write
            by * none

    access to *
            by dn="uid=root,ou=People,dc=example,dc=com" write
            by * read

    password-hash {crypt}
    password-crypt-salt-format "$1$%.8s"


    auth sufficient /lib/security/pam_ldap.so
    auth required /lib/security/pam_pwdb.so shadow nullok

    account sufficient /lib/security/pam_ldap.so
    account required /lib/security/pam_pwdb.so

    password required /lib/security/pam_cracklib.so retry=3 minlen=4 dcredit=0 ucredit=0
    password required /lib/security/pam_pwdb.so use_authtok nullok md5
    password sufficient /lib/security/pam_ldap.so use_authtok


    auth required /lib/security/pam_env.so
    auth sufficient /lib/security/pam_pwdb.so likeauth nullok
    auth sufficient /lib/security/pam_ldap.so use_first_pass
    auth required /lib/security/pam_deny.so

    account required /lib/security/pam_unix.so
    account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so

    password required /lib/security/pam_cracklib.so retry=3 minlen=2 dcredit=0 ucredit=0
    password sufficient /lib/security/pam_unix.so nullok use_authtok md5
    password sufficient /lib/security/pam_ldap.so use_authtok
    password required /lib/security/pam_deny.so

    session required /lib/security/pam_mkhomedir.so skel=/etc/skel/
    session required /lib/security/pam_limits.so
    session required /lib/security/pam_unix.so
    session optional /lib/security/pam_ldap.so


    base dc=mylan,dc=net
    ldap_version 3
    scope one
    # Filter to AND with uid=%s
    pam_filter objectclass=posixaccount

    # The user ID attribute (defaults to uid)
    pam_login_attribute uid

    # Search the root DSE for the password policy (works
    # with Netscape Directory Server)
    #pam_lookup_policy yes

    # Group to enforce membership of
    #pam_groupdn cn=PAM,ou=Groups,dc=example,dc=com

    # Group member attribute
    pam_member_attribute gid

    pam_password md5

    # RFC2307bis naming contexts
    # Syntax:
    # nss_base_XXX base?scope?filter
    # where scope is {base,one,sub}
    # and filter is a filter to be &'d with the
    # default filter.
    # You can omit the suffix eg:
    # nss_base_passwd ou=People,
    # to append the default base DN but this
    # may incur a small performance impact.
    nss_base_passwd ou=People,dc=mylan,dc=net?one
    nss_base_shadow ou=People,dc=mylan,dc=net?one
    nss_base_group ou=Group,dc=mylan,dc=net?one
    nss_base_hosts ou=Hosts,dc=mylan,dc=net?one
    ssl off


    passwd: files ldap
    shadow: files ldap
    group: files ldap

    #hosts: db files nisplus nis dns
    hosts: files ldap dns

    # Example - obey only what nisplus tells us...
    #services: nisplus [NOTFOUND=return] files
    #networks: nisplus [NOTFOUND=return] files
    #protocols: nisplus [NOTFOUND=return] files
    #rpc: nisplus [NOTFOUND=return] files
    #ethers: nisplus [NOTFOUND=return] files
    #netmasks: nisplus [NOTFOUND=return] files

    bootparams: nisplus [NOTFOUND=return] files

    ethers: files
    netmasks: files
    networks: files
    protocols: files
    rpc: files
    services: files

    netgroup: nisplus

    publickey: nisplus

    automount: files nisplus
    aliases: files nisplus




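Added example (not part of the post above) answering question 4: the "$1$" prefix marks a crypt(3) MD5-crypt hash, the eight characters after it are a random salt, and the salt is chosen afresh on every passwd run, which is why setting "fuat" twice gives two different strings; the slapd directive password-crypt-salt-format "$1$%.8s" quoted in the post makes slapd generate salts of exactly this shape. The code is a pure-Python port of the standard md5crypt algorithm; the only page-specific value used is the shadow line from the post, and the expected plain text "fuat" is taken from the post, not verified here.

```python
import hashlib
import secrets

# Hash quoted in the post: "$1$" + 8-char salt + "$" + 22-char encoded digest.
SHADOW_HASH = "$1$jyQZDCCe$TeMv081EkIZbcrgEoBKxM."
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    # crypt(3)-style encoding: 6 bits per character, least significant group first
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(count))


def md5_crypt(password, salt):
    """Return the "$1$<salt>$<hash>" string crypt(3) produces for an MD5-crypt salt
    (pure-Python port of md5crypt; the salt is cut to 8 chars, as "$1$%.8s" does)."""
    pw, salt = password.encode(), salt[:8]
    sb = salt.encode()
    ctx = hashlib.md5(pw + b"$1$" + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    for n in range(len(pw), 0, -16):         # fold the alternate digest over len(pw)
        ctx.update(alt[:min(n, 16)])
    i = len(pw)
    while i:                                 # one byte per bit of len(pw): NUL or pw[0]
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for rnd in range(1000):                  # 1000 stretching rounds over pw, salt, state
        c = hashlib.md5(pw if rnd & 1 else final)
        if rnd % 3:
            c.update(sb)
        if rnd % 7:
            c.update(pw)
        c.update(final if rnd & 1 else pw)
        final = c.digest()
    groups = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    out = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in groups)
    return f"$1${salt}${out}{_to64(final[11], 2)}"


def new_salt():
    # Fresh random salt per call: this is why re-setting "fuat" yields a new hash string.
    return "".join(secrets.choice(ITOA64) for _ in range(8))


def verify(password, stored):
    """Check a password against a stored $1$ hash by re-hashing with the stored salt."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "1":
        return False
    return secrets.compare_digest(md5_crypt(password, parts[2]), stored)
```

verify("fuat", SHADOW_HASH) is the check a PAM module performs against the shadow entry; the salt it reuses is read from the stored string, so a password is verifiable even though two hashes of it never look alike.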



    This archive was generated by hypermail 2.1.6.