
Re: Not able to authenticate Windows and MAC client



Hi Denis,

I did the following steps in order to get the password policy to work; still nothing is working.

1) In my slapd.conf file I added the lines below:
# Password Policy Configuration
# (the overlay needs "include <schema dir>/ppolicy.schema" earlier in the
#  file, plus "moduleload ppolicy.la" if the overlay was built as a module)
overlay ppolicy
ppolicy_default "cn=default,ou=Policies,dc=j,dc=example,dc=com"
ppolicy_use_lockout
ppolicy_hash_cleartext

# ACL Entry for Password Policies
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to *
        by self write
        by * read
2) Loaded the password policy .ldif file into LDAP with ldapadd. The contents of the password policy .ldif file are:
# Creates a Policies OU (Organizational Unit)
dn: ou=Policies,dc=j,dc=cinglevue,dc=com
objectClass: organizationalUnit
ou: Policies

# Creates a Policy object in Policies OU (Organizational Unit)
dn: cn=default,ou=Policies,dc=j,dc=cinglevue,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdMaxAge: 3888000
pwdExpireWarning: 604800
pwdInHistory: 3
pwdCheckQuality: 1
pwdMinLength: 8
pwdMaxFailure: 5
pwdLockout: TRUE
pwdLockoutDuration: 1800
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE

Regards
Sam
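Added example, not from this thread and not OpenLDAP code: a small Python checker that reads the ppolicy_default directive from a slapd.conf fragment and the policy LDIF, and reports the mismatches that leave a password policy silently unused, namely a ppolicy_default DN with no matching entry, a parent OU whose DN is misspelled (ldapadd then fails with noSuchObject), a missing pwdPolicy objectClass or pwdAttribute, and pwdLockout enabled with a zero failure count. The embedded conf and LDIF are constructed samples, and the function names are mine.

```python
import re

# Constructed sample, not from a real server: the posted slapd.conf ppolicy lines
# and policy LDIF, with the "dc=cinglevue=" typo kept so the checks have work.
SLAPD_CONF = '''overlay ppolicy
ppolicy_default "cn=default,ou=Policies,dc=j,dc=example,dc=com"'''

POLICY_LDIF = '''dn: ou=Policies,dc=j,dc=cinglevue=,dc=com
objectClass: organizationalUnit

dn: cn=default,ou=Policies,dc=j,dc=cinglevue,dc=com
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdMaxFailure: 5
pwdLockout: TRUE'''

def norm_dn(dn):  # case/whitespace-insensitive key, enough for plain DNs
    return ",".join(p.strip() for p in dn.split(",")).lower()

def parse_ldif(text):
    # Minimal LDIF reader -> {normalised dn: {attr: [values]}}; no base64, no folding.
    entries, cur = {}, {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if cur:
                entries[norm_dn(cur["dn"][0])] = cur
            cur = {}
        elif not line.startswith("#"):
            attr, _, val = line.partition(":")
            cur.setdefault(attr.strip(), []).append(val.strip())
    return entries

def ppolicy_default(conf):
    m = re.search(r'^\s*ppolicy_default\s+"?([^"\n]+?)"?\s*$', conf, re.M)
    return m.group(1) if m else None

def check_ppolicy(conf, ldif):
    # Findings that explain why the configured default policy would not take effect.
    entries, dn = parse_ldif(ldif), ppolicy_default(conf)
    pol = entries.get(norm_dn(dn)) if dn else None
    if pol is None:
        return ["ppolicy_default %r has no matching entry in the LDIF" % dn]
    findings, parent = [], dn.split(",", 1)[1]
    if norm_dn(parent) not in entries:
        findings.append("parent %s is not created in the LDIF; ldapadd would fail" % parent)
    if "pwdPolicy" not in pol.get("objectClass", []) or pol.get("pwdAttribute") != ["userPassword"]:
        findings.append("entry needs objectClass pwdPolicy and pwdAttribute: userPassword")
    if pol.get("pwdLockout") == ["TRUE"] and int(pol.get("pwdMaxFailure", ["0"])[0]) < 1:
        findings.append("pwdLockout TRUE but pwdMaxFailure 0: lockout never triggers")
    return findings
```

Run check_ppolicy() on your own slapd.conf and LDIF text; an empty list means the default policy DN resolves to a well-formed pwdPolicy entry whose parent exists.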


On Wednesday, 26 February 2014 8:02 PM, Dennis Leeuw <D.Leeuw@umcutrecht.nl> wrote:

Have a look at the shadow* attributes from the shadowAccount class.
Those should help you enforce password-related stuff. For self
changes of passwords use an ACL like:
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

Greetings,

Dennis

On 02/26/2014 11:50 AM, Saurabh Ohri wrote:
> Thanks Dennis. You are right, the problem is not related to LDAP
> but I was looking for help against it.
>
> I am able to have successful authentication from LDAP on both Mac
> and Windows after trying 50 combinations of configuration.
>
> But finally it worked and our effort paid off.
>
> Thanks again and will share the information/document soon.
>
> Also it would be of great help if you could share some details on
> enforcing password policies like self user password change, force
> password change after first login etc. I did some config but it is
> not working even for Linux.
>
> Thanks Sam
>
> Sent from my iPhone
>
>> On 26 Feb 2014, at 4:40 pm, Dennis Leeuw <D.Leeuw@umcutrecht.nl>
>> wrote:
>>
>>>> On 02/26/2014 05:26 AM, saurabh ohri wrote:
>>>>
>>>> Hi all,
>>>>
>>>> I am new to OpenLDAP and I managed to install and configure
>>>> the same. My Linux client is working well but I am not able to
>>>> authenticate Windows and Mac clients.
>>>>
>>>> Have been trying for the past 2 days via Google and other posts
>>>> but still facing the issue. Any help would be highly
>>>> appreciated.
>>>>
>>>> Details: using openldap-2.4.23-34 on RHEL6.5
>>>> *Client details:*
>>>> Mac 10.8.5 -- tried configuring the network account server but
>>>> it is showing RED. Error: This server is not responding.
>>>> Windows 7 -- tried installing GINA but it is giving me an
>>>> invalid credentials error.
>>>>
>>>> Configuration file on server:
>>>> Password:
>>>> # extended LDIF
>>>> #
>>>> # LDAPv3
>>>> # base <dc=j,dc=example,dc=com> (default) with scope subtree
>>>> # filter: (objectclass=*)
>>>> # requesting: ALL
>>>> #
>>>>
>>>> # j.example.com
>>>> dn: dc=j,dc=example,dc=com
>>>> objectClass: top
>>>> objectClass: dcObject
>>>> objectClass: organization
>>>> o: example Organization
>>>> description: example Inc DIT
>>>> dc: j
>>>>
>>>> # Users, j.example.com
>>>> dn: ou=Users,dc=j,dc=example,dc=com
>>>> objectClass: organizationalUnit
>>>> ou: Users
>>>>
>>>> # Groups, j.example.com
>>>> dn: ou=Groups,dc=j,dc=example,dc=com
>>>> objectClass: organizationalUnit
>>>> ou: Groups
>>>>
>>>> # Admins, j.example.com
>>>> dn: ou=Admins,dc=j,dc=example,dc=com
>>>> objectClass: organizationalUnit
>>>> ou: Admins
>>>>
>>>> # sohri, Users, j.example.com
>>>> dn: uid=sohri,ou=Users,dc=j,dc=example,dc=com
>>>> uid: sohri
>>>> cn: sohri
>>>> sn: 1
>>>> objectClass: top
>>>> objectClass: posixAccount
>>>> objectClass: inetOrgPerson
>>>> loginShell: /bin/bash
>>>> homeDirectory: /home/sohri
>>>> uidNumber: 15000
>>>> gidNumber: 10000
>>>> userPassword:: e1NTSEF9eWdkWExpZUdIT01YRytRM3ZmZWdNY3QwSmd2bFNqSkcg
>>>> mail: sam.ohri@example.com
>>>> gecos: Local User
>>>>
>>>> # tpearce, Users, j.example.com
>>>> dn: uid=tpearce,ou=Users,dc=j,dc=example,dc=com
>>>> uid: tpearce
>>>> cn: tpearce
>>>> sn: 2
>>>> objectClass: top
>>>> objectClass: posixAccount
>>>> objectClass: inetOrgPerson
>>>> loginShell: /bin/bash
>>>> homeDirectory: /home/tpearce
>>>> uidNumber: 15001
>>>> gidNumber: 10000
>>>> userPassword:: e1NTSEF9eWdkWExpZUdIT01YRytRM3ZmZWdNY3QwSmd2bFNqSkc=
>>>> mail: tony.pearce@example.com
>>>> gecos: local User
>>>>
>>>> # ldapusers, Groups, j.example.com
>>>> dn: cn=ldapusers,ou=Groups,dc=j,dc=example,dc=com
>>>> objectClass: posixGroup
>>>> objectClass: top
>>>> cn: ldapusers
>>>> userPassword:: e2NyeXB0fXg=
>>>> gidNumber: 10000
>>>> memberUid: uid=sohri
>>>> memberUid: uid=tpearce
>>>>
>>>> # search result
>>>> search: 2
>>>> result: 0 Success
>>>>
>>>> # numResponses: 8
>>>> # numEntries: 7
>>>>
>>>>
>>>> Regards Sam
>
> Windows is created to work against an Active Directory system,
> meaning you have LDAP authorization and Kerberos
> authentication. Connecting Windows to an LDAP for both is
> problematic to say the least. The easiest solution is using SAMBA
> against LDAP and making the Windows systems log in against the SAMBA
> server. If you'd like to make it work with GINA, contact them, and to
> understand what is going on you might want to read:
> http://pig.made-it.com/win-boot-test.html No guarantees, I did my
> best to document what is happening. Hope I did it right.
>
> Mac OS X did once work against LDAP, I have no idea what the
> current state is. On 10.6.5 go to Preferences, Accounts. Click
> Login Options, go to Account Server and click Join. Select
> OpenDirectory utility. Click LDAPv3 and click the edit button.
> Click show options, click New, type the address of your LDAP
> server. Give your account credentials, pick template RFC 2307, set
> search base. And you're done...
>
> And finally: None of your problems is OpenLDAP related since it
> works on your Linux machine.
>
> Greetings,
>
> Dennis

--
ICT Medewerker
Divisie Biomedische Genetica
UMC Utrecht
Heidelberglaan 100 STR2.126
3584 CX  Utrecht
The Netherlands
06 27744048
intern: 64048