03-12-2010 08:56 AM
ldappasswd issue on HPUX 11i v1
I have 9 HPUX 11i servers and have configured one as a RHDS master.
I have created self-signed CA certificates and also configured a proxy user to read name service data. I've migrated the /etc/passwd and /etc/group files on the master and set up LDAPUX on the master to use SSL. I have now created a test user account in RHDS. I can switch user to this account on all of the other servers.
The following commands all work:
ldapsearch -D 'uid=proxyuser,ou=special users,dc=a,dc=b,dc=c' -b 'dc=a,dc=b,dc=c' uid=testuser
nsquery passwd testuser ldap
pwget -n testuser
I am trying to change the test user's password with the following command:
/opt/ldapux/bin/ldappasswd -p 636 -D "cn=directory manager" -l testuser
The command returns with:
Changing LDAP password for testuser
Old password:
New password:
Retype new password:
Updating password in LDAP...
Password unchanged.
I am new to RHDS and LDAP and can't figure out what I am doing wrong.
- Tags:
- certificate
03-15-2010 02:51 PM
Re: ldappasswd issue on HPUX 11i v1
The usability of ldappasswd is not up to par with the rest of the LDAP-UX product. There could be several issues causing the problem you're encountering.
First, some usage issues:
It appears you are attempting to use SSL, since you specified -p 636. In order to use SSL, you must also specify the -Z and -P options. -Z enables SSL, and -P points to your certificate database where you have a CA or Server certificate stored.
Second, some usability issues.
ldappasswd is not fully integrated with LDAP-UX client configuration. So even though you have configured the LDAP-UX client, you must still pass in the ldap server host name as well as the default search base, using the -b and -h options.
Third, some limitations.
ldappasswd only supports up to 8 character passwords. This is a limitation in the getpass() API on HP-UX.
I think if you can address all of the above, you can get ldappasswd to work. So here's an example. In this example, we assume you have installed your CA or Server certificate in the default location for LDAP-UX (in the /etc/opt/ldapux/cert8.db file). And your default search base is dc=a,dc=b,dc=c.
ldappasswd -Z -p 636 -P /etc/opt/ldapux/cert8.db -b "dc=a,dc=b,dc=c" -h localhost -D "cn=Directory Manager" -l testuser
The "Old Password" prompt is mis-named, since in this case, it would be prompting for the password of the Directory Manager instead of the user.
If you need assistance on how to copy the CA or server certificate from the directory server to your client, refer to http://directory.fedoraproject.org/wiki/Howto:SSL#Script for more information. A summary of the steps would be...
List the certificates used...
cd /etc/opt/dirsvr/slapd-
/opt/dirsrv/bin/certutil -d . -L
Find either the CA certificate's or the server certificate's name in the list.
Export that certificate.
/opt/dirsrv/bin/certutil -d . -L -n "
Import that certificate into LDAP-UX's certificate database
cd /etc/opt/ldapux
If you don't have a cert8.db or key3.db file already in that directory, use certutil to create it with "/opt/ldapux/contrib/bin/certutil -d . -N". You should not need a password, since you should only be storing public certificates in the LDAP-UX cert8.db file.
Import the server or CA certificate using certutil.
/opt/ldapux/contrib/bin/certutil -d . -A -a -n "
Use the same "
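As an added example (not code from this thread or from LDAP-UX itself), a POSIX shell pre-flight check that applies the three rules from the reply above to an ldappasswd command line before it is run: port 636 requires -Z and -P, -h and -b are always required, and the new password is capped at 8 characters. The option letters are the ones the reply describes; the function names and messages are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the HPE thread or of LDAP-UX: checks an
# ldappasswd option list against the rules stated in the reply before any
# bind is attempted. Function names and messages are our own.

# Print one line per problem found in the given ldappasswd options.
# Returns 0 when the command line satisfies the rules, 1 otherwise.
ldappasswd_preflight() {
    port=""; have_Z=""; have_P=""; have_h=""; have_b=""; problems=0
    while [ $# -gt 0 ]; do
        opt="$1"; shift
        case "$opt" in
            -Z) have_Z=1 ;;
            -p|-P|-h|-b|-D|-l|-w)
                # these options take a value; consume it if one is present
                val="${1:-}"
                if [ $# -gt 0 ]; then shift; fi
                case "$opt" in
                    -p) port="$val" ;;
                    -P) have_P="$val" ;;
                    -h) have_h="$val" ;;
                    -b) have_b="$val" ;;
                esac ;;
        esac
    done
    # Rule 1: "-p 636" means SSL, which needs -Z and a cert database via -P.
    if [ "$port" = "636" ]; then
        if [ -z "$have_Z" ]; then
            echo "port 636 requested but -Z (enable SSL) is missing"; problems=$((problems + 1))
        fi
        if [ -z "$have_P" ]; then
            echo "port 636 requested but -P <cert8.db> is missing"; problems=$((problems + 1))
        fi
    fi
    # Rule 2: host and search base are not read from the LDAP-UX client config.
    if [ -z "$have_h" ]; then
        echo "-h <ldap server host> is missing"; problems=$((problems + 1))
    fi
    if [ -z "$have_b" ]; then
        echo "-b <search base> is missing"; problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# Rule 3: read a candidate new password from stdin (pipe it in after
# "stty -echo" interactively) and succeed only if it fits the 8-character
# getpass() limit, so the limit is surfaced before ldappasswd is run.
password_within_limit() {
    IFS= read -r pw
    [ "${#pw}" -le 8 ]
}

# The original poster's command line: reports the missing -Z, -P, -h and -b.
ldappasswd_preflight -p 636 -D "cn=directory manager" -l testuser || echo "fix the options above before running ldappasswd"
```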
03-22-2010 01:52 AM
Re: ldappasswd issue on HPUX 11i v1
I have also setup multimaster replication, which works fine when using simple authentication but does not work over SSL.
I'm now wondering if there is an issue with SSL on the servers that is causing both issues.
03-22-2010 08:30 AM
Re: ldappasswd issue on HPUX 11i v1
Set up RHDS on the supplier server (/opt/dirsrv/sbin/setup-ds-admin.pl)
Next I set up the CA certificate on the supplier server:
1) Created /tmp/pwdfile containing the password
2) Created new certificate:
# certutil -N -d . -f /tmp/pwdfile
3) Created a self-signed certificate:
# certutil -S -n "CA certificate" -s "cn=Airwave CA cert, dc=airsys,dc=o2,dc=com" -x -t "CT,," -m $COUNT -v 120 -d . -k rsa -z /var/adm/syslog/syslog.log -f /tmp/pwdfile -2
4) Created a server certificate from the self-signed certificate:
# certutil -S -n "Server-Cert" -s "cn=
120 -d . -k rsa -z /var/adm/syslog/syslog.log -f /tmp/pwdfile
On all subsequent hosts:
1) Export CA certificate to a file:
# certutil -d . -L -n "CA certificate" -a -i /tmp/cacert.asc
2) Created a new cert database and imported the CA certificate:
# certutil -N -d . -f /tmp/pwdfile
# scp
# certutil -A -n "CA certificate" -t "C,," -d . -a -i /tmp/cacert.asc
3) Created certificate request and copied it to supplier server:
# certutil -R -s "cn=
# scp /tmp/certreq
4) Created certificate on supplier from request:
# certutil -C -c "CA certificate" -f /tmp/pwdfile -i /tmp/certreq -o /tmp/newcert.asc -m $COUNT -v 120 -d .
5) And finally installed the certificate and modified its attributes:
# scp
# certutil -A -n "Server-cert" -t "p,p,p" -i /tmp/newcert.asc -d .
# certutil -M -n "Server-cert" -t "u,u,u" -d .
Next I enable encryption via the GUI and create a proxy user.
I am then able to migrate the /etc/group and /etc/passwd files and create a test user in RHDS (on the supplier server) and switch user to it from every other server. So I guess, up to this point, it is working.
Then I run the /opt/ldapux/config/setup script on the supplier server, choosing to use SSL to download the profile and answering "yes" to the prompt: Do you want to use SSL?
Then I copy the following files from the supplier server to all other hosts:
/etc/opt/ldapux/ldapux_client.conf
/etc/opt/ldapux/pcred
/etc/pam.conf
/etc/nsswitch.conf
and download the profile from the server:
# /sbin/init.d/ldapclientd.rc stop
# /sbin/init.d/ldapclientd.rc start
# cd /opt/ldapux/config
# ./get_profile_entry -s nss
# /sbin/init.d/ldapclientd.rc stop
# /sbin/init.d/ldapclientd.rc start
Then the pwget and ldap_proxy_config commands are successful. So, again, I presume it has been successful up to this point.
Next, I setup RHDS on the replica server (using setup-ds-admin.pl again). I answer "no" to the question "Do you want to register this software with an existing configuration directory server?"
Then, finally, I create a supplier bind on both servers and try to set up multi-master replication between the supplier server and the replica server, but this only seems to work using simple authentication and not encrypted over SSL.
Sorry if this seems a bit like "War and Peace" but I thought I'd say exactly what I did.
06-25-2010 02:17 AM