Archive for the ‘LDAP’ Category

Securing OpenLDAP – userPassword issue

Tuesday, June 26th, 2007

Unsecured OpenLDAP (slapd) server…

Output from Solaris 10 box:

-bash-3.00# ldaplist -l passwd test5
dn: uid=test5,ou=People,dc=lab1
uid: test5
cn: Johnny Doe
[..]
homeDirectory: /export/home/test5
userPassword: {MD5}DMF1ucDxtqgxw5niaXcmYQ==

After adding the following snippet to OpenLDAP's slapd.conf, nobody can read the user's password hash (including the Solaris LDAP proxy bind), except the user themselves and the slapd admin/Manager. The "by anonymous auth" clause still lets clients bind (authenticate) against userPassword without being able to read it. Note that the "by" lines must be indented: in slapd.conf a line starting with whitespace continues the previous directive, and the catch-all must be "by * none", otherwise every other authenticated bind (the proxy included) could still read the hash:

# Protect the password hash (and shadowLastChange) from every bind
# except the directory admin and the entry's own user.
access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=lab1" write
        by anonymous auth
        by self write
        by * none


-bash-3.00# ldaplist -l passwd test5
dn: uid=test5,ou=People,dc=lab1
uid: test5
cn: Johnny Doe
[..]
gecos: Johnny Doe,none,0,1,Johnny Doe
homeDirectory: /export/home/test5
-bash-3.00#
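To see why the catch-all clause decides whether the proxy bind can read the hash, here is an added example (not code from the post) that models slapd's ACL evaluation for the userPassword rule above: first matching "by" clause wins, and access levels form a ladder. It compares "by * read" with "by * none". The proxy DN is an assumed name for the Solaris proxy-bind identity; the model handles only exact-DN, self, anonymous and "*" subjects and ignores fall-through to later "access to" directives.

```python
# Added example (not from the post): toy model of how slapd evaluates the
# userPassword ACL. "by" clauses are tried in order, the first match decides,
# and levels form a ladder (none < disclose < auth < compare < search < read < write).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

def subject_matches(who, bind_dn, target_dn):
    """Subject of a 'by' clause: '*', 'anonymous', 'self' or dn="<exact DN>"."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    if who.startswith('dn="') and who.endswith('"'):
        return bind_dn is not None and bind_dn.lower() == who[4:-1].lower()
    raise ValueError(f"unsupported subject: {who}")

def granted_level(acl, bind_dn, target_dn):
    """First matching clause wins; slapd denies when no clause matches."""
    for who, level in acl:
        if subject_matches(who, bind_dn, target_dn):
            return level
    return "none"

def allowed(acl, bind_dn, target_dn, needed):
    """True when the granted level reaches the level the operation needs."""
    return LEVELS.index(granted_level(acl, bind_dn, target_dn)) >= LEVELS.index(needed)

# Same first three clauses as the post; only the catch-all differs.
COMMON = [('dn="cn=admin,dc=lab1"', "write"), ("anonymous", "auth"), ("self", "write")]
LEAKY = COMMON + [("*", "read")]
HARDENED = COMMON + [("*", "none")]

USER = "uid=test5,ou=People,dc=lab1"         # entry from the post
PROXY = "cn=proxyagent,ou=profile,dc=lab1"   # assumed Solaris proxy-bind DN

def report(acl):
    """Who can read test5's userPassword, and whether anonymous can still bind."""
    return {
        "admin_reads": allowed(acl, "cn=admin,dc=lab1", USER, "read"),
        "self_reads": allowed(acl, USER, USER, "read"),
        "proxy_reads": allowed(acl, PROXY, USER, "read"),   # the ldaplist case
        "anon_reads": allowed(acl, None, USER, "read"),
        "anon_can_bind": allowed(acl, None, USER, "auth"),
    }

if __name__ == "__main__":
    for name, acl in (("by * read", LEAKY), ("by * none", HARDENED)):
        print(name, report(acl))
```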

Solaris 10 as a LDAP client of OpenLDAP (slapd)

Sunday, May 27th, 2007

It took me almost three hours to learn the basics of LDAP and understand why the native Solaris LDAP client doesn't work with the OpenLDAP slapd service…

Good links to start with:
Solaris LDAP client with OpenLDAP server

Solaris 8 OpenLDAP: Configuring

Some screenshots:
GQ LDAP schema dc=lab1

GQ schema view on “Kowalski” username

GQ schema view of the "Solaris" profile used by ldapclient(1M) to configure LDAP on the Solaris OS

Output of ldapclient on the Solaris box after configuration