LDAP Password Attribute Mapping

I am in the process of implementing the GroupLink eHelpdesk for my
company and would like to use LDAP authentication for my users.  I've
made it through the installation process and am at the point of
configuring LDAP, which according to the instructions I have done
correctly and I have imported my users.  Now when I try to sign in to my
helpdesk I keep getting an invalid credentials message.  In digging into
things it looks like eHelpdesk is looking for the LDAP attribute
"userPassword" but I'm not easily finding which NDS attribute to map to
it.

I've read a few pages and posts that NDS uses a combination of Public
Key and Private Key attributes for its password but I have not found
anything describing how to translate the eDirectory password into
something that LDAP will understand.  Does anyone know what to do if
this is even possible?

Thanks!


-- 
marklar23
------------------------------------------------------------------------



0
marklar23
10/5/2011 8:56:01 PM
novell.edirectory.linux

14 Replies
1242 Views


userPassword is a pseudo attribute in eDir so no mapping is required. 
However, if the LDAP app tries to READ it, it will get a "surprise" since 
it doesn't really exist (thus the pseudo part). So, the question is, how 
does the app try to authenticate?

-- 


Peter
eDirectory Rules!
http://www.DreamLAN.com
0
Peter
10/5/2011 10:20:45 PM
On 10/5/2011 3:20 PM, Peter Kuo wrote:
> userPassword is a pseudo attribute in eDir so no mapping is required.
> However, if the LDAP app tries to READ it, it will get a "surprise"
> since it doesn't really exist (thus the pseudo part). So, the question
> is, how does the app try to authenticate?
>
As Peter says, no LDAP directory normally exposes this as a readable 
attribute. (It can be WRITTEN if the correct rights are present).

Normally an app using LDAP does a bind or compare to authenticate a 
password.
0
Michael
10/6/2011 3:08:16 PM
On 10/6/2011 11:08 AM, Michael Bell wrote:
> On 10/5/2011 3:20 PM, Peter Kuo wrote:
>> userPassword is a pseudo attribute in eDir so no mapping is required.
>> However, if the LDAP app tries to READ it, it will get a "surprise"
>> since it doesn't really exist (thus the pseudo part). So, the question
>> is, how does the app try to authenticate?
>>
> as peter says,no LDAP directory normally exposes this as a readable
> attribute. (It can be WRITTEN if the correct rights are present).

Actually, SunOne I believe or OpenLDAP will return the encrypted password.

For Active Directory over LDAP if you WRITE a password to userPassword 
(instead of unicodePassword) you can read back the userPassword as the 
hashed value written.  But not the 'usual' password hash via userPassword.



0
Geoffrey
10/6/2011 9:31:37 PM
Geoffrey Carman wrote:

> OpenLDAP will return the encrypted password.

OpenLDAP is kind of a strange beast: it will store the password in 
whatever format you give it - cleartext, MD5 hash, SSHA hash, or whatever, 
unless you set a password using the Password Modify extended operation 
then it is stored encrypted. And since userPassword is a real attribute 
for OpenLDAP, you can read it back.

With Sun ONE, I think what you get back depends on what password 
encryption was selected as cleartext /is/ a valid option, from what I can 
recall.


-- 


Peter
eDirectory Rules!
http://www.DreamLAN.com
0
Peter
10/7/2011 2:28:04 PM
On Fri, 07 Oct 2011 14:28:04 +0000, Peter Kuo wrote:

> Geoffrey Carman wrote:
> 
>> OpenLDAP will return the encrypted password.
> 
> OpenLDAP is kind of a strange beast: it will store the password in
> whatever format you give it - cleartext, MD5 hash, SSHA hash, or
> whatever, unless you set a password using the Password Modify extended
> operation then it is stored encrypted. And since userPassword is a real
> attribute for OpenLDAP, you can read it back.
> 
> With Sun ONE, I think what you get back depends on what password
> encryption was selected as cleartext /is/ a valid option, from what I
> can recall.

Yeah, I was thinking the same thing about both OpenLDAP and Sun ONE - I 
want to say Fedora Directory Server (formerly NetScape's product) does 
return values for userPassword as well.

With eDir, it *probably* could be done using simple password or universal 
password, couldn't it?  (I've not spent a lot of time playing with those 
features myself)

Jim
-- 
 Jim Henderson, CNA6, CDE, CNI, LPIC-1, CLA10, CLP10
0
Jim
10/7/2011 6:31:03 PM
On 10/7/2011 2:31 PM, Jim Henderson wrote:
> On Fri, 07 Oct 2011 14:28:04 +0000, Peter Kuo wrote:
>
>> Geoffrey Carman wrote:
>>
>>> OpenLDAP will return the encrypted password.
>>
>> OpenLDAP is kind of a strange beast: it will store the password in
>> whatever format you give it - cleartext, MD5 hash, SSHA hash, or
>> whatever, unless you set a password using the Password Modify extended
>> operation then it is stored encrypted. And since userPassword is a real
>> attribute for OpenLDAP, you can read it back.
>>
>> With Sun ONE, I think what you get back depends on what password
>> encryption was selected as cleartext /is/ a valid option, from what I
>> can recall.
>
> Yeah, I was thinking the same thing about both OpenLDAP and Sun ONE - I
> want to say Fedora Directory Server (formerly NetScape's product) does
> return values for userPassword as well.
>
> With eDir, it *probably* could be done using simple password or universal
> password, couldn't it?  (I've not spent a lot of time playing with those
> features myself)

To summarize then:  Reading back userPassword is not going to be greatly 
useful!

0
Geoffrey
10/7/2011 7:22:04 PM
On Fri, 07 Oct 2011 19:22:04 +0000, Geoffrey Carman wrote:

> On 10/7/2011 2:31 PM, Jim Henderson wrote:
>> On Fri, 07 Oct 2011 14:28:04 +0000, Peter Kuo wrote:
>>
>>> Geoffrey Carman wrote:
>>>
>>>> OpenLDAP will return the encrypted password.
>>>
>>> OpenLDAP is kind of a strange beast: it will store the password in
>>> whatever format you give it - cleartext, MD5 hash, SSHA hash, or
>>> whatever, unless you set a password using the Password Modify extended
>>> operation then it is stored encrypted. And since userPassword is a
>>> real attribute for OpenLDAP, you can read it back.
>>>
>>> With Sun ONE, I think what you get back depends on what password
>>> encryption was selected as cleartext /is/ a valid option, from what I
>>> can recall.
>>
>> Yeah, I was thinking the same thing about both OpenLDAP and Sun ONE - I
>> want to say Fedora Directory Server (formerly NetScape's product) does
>> return values for userPassword as well.
>>
>> With eDir, it *probably* could be done using simple password or
>> universal password, couldn't it?  (I've not spent a lot of time playing
>> with those features myself)
> 
> To summarize then:  Reading back userPassword is not going to be greatly
> useful!

Well, it depends on the app.  I have heard of some apps (not many, 
admittedly) that try to read the userPassword value and do the compare 
themselves rather than letting the directory handle the authentication 
through a bind success/fail.

Jim
-- 
 Jim Henderson, CNA6, CDE, CNI, LPIC-1, CLA10, CLP10
0
Jim
10/7/2011 8:58:01 PM
Jim Henderson wrote:

> With eDir, it probably could be done using simple password or universal
> password, couldn't it?  (I've not spent a lot of time playing with those
> features myself)

No, fortunately or unfortunately depending on your view point. SP and UP 
are handled by NMAS and to get them you need to use NMAS-based LDAP APIs 
which something like the standard ldapsearch tool does not support.

-- 


Peter
eDirectory Rules!
http://www.DreamLAN.com
0
Peter
10/7/2011 9:17:27 PM
Geoffrey Carman wrote:

> To summarize then:  Reading back userPassword is not going to be greatly
> useful!


Personally I would say No (ie agreeing with your summary). Unless it is 
for password sync, reading back userPassword is a "bad" idea. For 
authentication, it is better to do a bind instead as that would also 
trigger any other account restrictions for a "better" authentication 
control.


-- 


Peter
eDirectory Rules!
http://www.DreamLAN.com
0
Peter
10/7/2011 9:19:14 PM
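The points made in the replies above, worked as an added example that is not code from the thread, from GroupLink or from Novell: Peter notes that OpenLDAP stores userPassword in whatever form it was given and hands it back on read, Jim mentions apps that read the value and do the compare themselves, and Peter's reply above explains why a bind is better, since the directory then also applies account restrictions. The block below verifies a candidate password against userPassword values in the `{scheme}base64` form (cleartext, {MD5}, {SHA}, {SSHA}), then contrasts the two authentication paths. `TinyDirectory`, its entries, the `loginDisabled` handling and the `exposes_userpassword` flag (which models eDir's pseudo attribute returning nothing on read) are all constructed stand-ins for this illustration, not an LDAP client; the `{SHA}` value for "password" is a constructed sample.

```python
# Added example, not code from the thread, GroupLink or Novell. The directory
# below is a constructed in-memory stand-in for an LDAP server, used only to
# contrast a bind with an app-side compare of userPassword.
import base64
import hashlib
import hmac
import os

def make_userpassword(scheme, password, salt=None):
    """Produce a stored value in the form OpenLDAP keeps whatever it is given."""
    pw = password.encode("utf-8")
    scheme = scheme.upper()
    if scheme == "CLEARTEXT":
        return password
    if scheme == "MD5":
        return "{MD5}" + base64.b64encode(hashlib.md5(pw).digest()).decode()
    if scheme == "SHA":
        return "{SHA}" + base64.b64encode(hashlib.sha1(pw).digest()).decode()
    if scheme == "SSHA":
        salt = os.urandom(8) if salt is None else salt
        return "{SSHA}" + base64.b64encode(hashlib.sha1(pw + salt).digest() + salt).decode()
    raise ValueError("unsupported scheme: " + scheme)

def verify_userpassword(stored, candidate):
    """Check a candidate against a userPassword value; unknown or malformed values fail closed."""
    pw = candidate.encode("utf-8")
    if not stored.startswith("{"):  # cleartext, stored exactly as given
        return hmac.compare_digest(stored.encode("utf-8"), pw)
    scheme, _, payload = stored[1:].partition("}")
    try:
        raw = base64.b64decode(payload, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    scheme = scheme.upper()
    if scheme == "MD5":
        return hmac.compare_digest(hashlib.md5(pw).digest(), raw)
    if scheme == "SHA":
        return hmac.compare_digest(hashlib.sha1(pw).digest(), raw)
    if scheme == "SSHA":  # 20-byte SHA-1 digest followed by the salt
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    return False  # {CRYPT} and anything else: refuse rather than guess

class TinyDirectory:
    """Constructed stand-in: entries keyed by DN, with the restriction a bind enforces."""

    def __init__(self, entries, exposes_userpassword):
        self.entries = entries
        # OpenLDAP returns userPassword on read; eDir treats it as a pseudo
        # attribute and returns nothing, which is the "surprise" Peter mentions.
        self.exposes_userpassword = exposes_userpassword

    def search_by_cn(self, cn):
        for dn, attrs in self.entries.items():
            if attrs["cn"].lower() == cn.lower():
                return dn
        return None

    def read_userpassword(self, dn):
        return self.entries[dn]["userPassword"] if self.exposes_userpassword else None

    def bind(self, dn, password):
        """Simple bind: the password check and the account restrictions, server side."""
        entry = self.entries.get(dn)
        if entry is None or not verify_userpassword(entry["userPassword"], password):
            return False
        return not entry.get("loginDisabled", False)

def authenticate_by_bind(directory, cn, password):
    """Locate the DN, then let the directory decide (the recommended path)."""
    dn = directory.search_by_cn(cn)
    return dn is not None and directory.bind(dn, password)

def authenticate_by_compare(directory, cn, password):
    """Read userPassword and compare locally: restrictions are skipped, and against
    an eDir-like server the read returns nothing, so every login looks invalid."""
    dn = directory.search_by_cn(cn)
    stored = directory.read_userpassword(dn) if dn is not None else None
    return stored is not None and verify_userpassword(stored, password)

# Constructed sample entries: one normal user and one disabled account.
SAMPLE_ENTRIES = {
    "cn=alice,ou=users,o=example": {
        "cn": "alice",
        "userPassword": make_userpassword("SSHA", "correct horse", salt=b"\x01\x02\x03\x04"),
    },
    "cn=bob,ou=users,o=example": {
        "cn": "bob",
        "userPassword": "{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=",  # SHA-1 of "password"
        "loginDisabled": True,
    },
}
OPENLDAP_LIKE = TinyDirectory(SAMPLE_ENTRIES, exposes_userpassword=True)
EDIR_LIKE = TinyDirectory(SAMPLE_ENTRIES, exposes_userpassword=False)
```

With the constructed entries, `authenticate_by_bind(OPENLDAP_LIKE, "bob", "password")` is False because the server applies `loginDisabled`, while `authenticate_by_compare` on the same directory returns True for the same disabled account, which is the control Peter says a bind buys you. Against `EDIR_LIKE`, the compare path fails for everyone because the read returns nothing; that is what an application that insists on reading userPassword would see from eDirectory, and a bind (`authenticate_by_bind(EDIR_LIKE, "alice", "correct horse")`) succeeds without any attribute mapping.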
On Fri, 07 Oct 2011 21:17:27 +0000, Peter Kuo wrote:

> Jim Henderson wrote:
> 
>> With eDir, it probably could be done using simple password or universal
>> password, couldn't it?  (I've not spent a lot of time playing with
>> those features myself)
> 
> No, fortunately or unfortunately depending on your view point. SP and UP
> are handled by NMAS and to get them you need to use NMAS-based LDAP APIs
> which something like the standard ldapsearch tool does not support.

Good to know. :)

Jim



-- 
 Jim Henderson, CNA6, CDE, CNI, LPIC-1, CLA10, CLP10
0
Jim
10/7/2011 9:38:04 PM
Jim Henderson wrote:

>> No, fortunately or unfortunately depending on your view point. SP and UP
>> are handled by NMAS and to get them you need to use NMAS-based LDAP APIs
>> which something like the standard ldapsearch tool does not support.
>
> Good to know.

On the other hand, my ldapSearch gadget would since it has the NMAS calls 
integrated so you can get UP as userPassword if enabled ... <g>


-- 


Peter
eDirectory Rules!
http://www.DreamLAN.com
0
Peter
10/8/2011 2:54:04 AM
On Sat, 08 Oct 2011 02:54:04 +0000, Peter Kuo wrote:

> Jim Henderson wrote:
> 
>>> No, fortunately or unfortunately depending on your view point. SP and UP
>>> are handled by NMAS and to get them you need to use NMAS-based LDAP APIs
>>> which something like the standard ldapsearch tool does not support.
>>
>> Good to know.
> 
> On the other hand, my ldapSearch gadget would since it has the NMAS
> calls integrated so you can get UP as userPassword if enabled ... <g>

That's also good to know. :)

Jim



-- 
 Jim Henderson, CNA6, CDE, CNI, LPIC-1, CLA10, CLP10
0
Jim
10/8/2011 3:33:16 AM
We're using eHelpDesk, with LDAP authentication, and I didn't have to do 
anything special to get it working. One thought. Are you using anonymous 
binding? If so, does it make any difference if you use an actual user? 
(The LDAP User and LDAP password boxes in the LDAP configuration screen.)

Rob

On 06/10/2011 7:56 AM, marklar23 wrote:
>
> I am in the process of implementing the GroupLink eHelpdesk for my
> company and would like to use LDAP authentication for my users.  I've
> made it through the installation process and am at the point of
> configuring LDAP, which according to the instructions I have done
> correctly and I have imported my users.  Now when I try to sign in to my
> helpdesk I keep getting an invalid credentials message.  In digging into
> things it looks like eHelpdesk is looking for the LDAP attribute
> "userPassword" but I'm not easily finding which NDS attribute to map to
> it.
>
> I've read a few pages and posts that NDS uses a combination of Public
> Key and Private Key attributes for its password but I have not found
> anything describing how to translate the eDirectory password into
> something that LDAP will understand.  Does anyone know what to do if
> this is even possible?
>
> Thanks!
>
>

0
Robert
10/10/2011 5:01:15 PM
We've set up quite a few LDAP-enabled authentication things, and have
never had to do any mapping of the userPassword attribute. I don't know
if GroupLink supports defining a bind username and password - i.e. an
account that binds to the directory and searches for the user, rather
than using anonymous access - but I'd recommend using that if it's
available. It doesn't have to be a super-powerful account, just one that
can search the directory and read any attributes being passed.

I do believe it maps differently if you are using universal password
rather than otherwise, but the LDAP side doesn't have to deal with that
(thank goodness!)


-- 
kborecky
------------------------------------------------------------------------
kborecky's Profile: http://forums.novell.com/member.php?userid=10469
View this thread: http://forums.novell.com/showthread.php?t=446016

0
kborecky
10/20/2011 2:46:01 PM