[Fedora-directory-users] Question on password changes

Tue Jan 24 19:10:54 UTC 2006

Sorry, I meant to say that I don't see the MOD entry on the supplier's
log file; I agree with you, it doesn't seem that the client is listening
to the referral.

Aaron 

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com
[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard
Megginson
Sent: Tuesday, January 24, 2006 2:10 PM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Question on password changes

Bliss, Aaron wrote:

>I see the MOD request in the consumer, but do not see the MOD request 
>in the client;
>
Where would you see the MOD request in the client?  It just seems as
though PAM is not following the referral and I'm not sure why.  Perhaps
there is some other PAM configuration required?

>here are the relevant entries from
>
>/etc/ldap.conf and
>host serverA serverB
>base dc=myorg,dc=org
>pam_lookup_policy yes
>pam_check_host_attr yes
>pam_password clear
>ssl start_tls
>
>/etc/openldap/ldap.conf
>BASE dc=myorg,dc=org
>HOST serverA serverB
>TLS_CACERT /etc/openldap/cacerts/cacert.pem TLS_REQCERT allow
>
>Any ideas?  I've confirmed this behaviour on redhat 3 and redhat 4 
>boxes, further this is the error that I get from redhat 4 boxes
>
>LDAP password information update failed: Can't contact LDAP server
>
>passwd: Permission denied
>
>Thanks again for your help.
>
>Aaron
>
>-----Original Message-----
>From: fedora-directory-users-bounces at redhat.com
>[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard

>Megginson
>Sent: Tuesday, January 24, 2006 1:21 PM
>To: General discussion list for the Fedora Directory server project.
>Subject: Re: [Fedora-directory-users] Question on password changes
>
>Bliss, Aaron wrote:
>
>  
>
>>I am not using the password extended operation to change passwords
i.e.
>>in /etc/ldap.conf pam_password exop is commented out; as such, what's 
>>the best way to being to debug this?
>>
>>    
>>
>I'm not sure.  If I understand you correctly, it seems that the 
>consumer is correctly sending the referral back to the client in 
>response to the MOD request to change the password.  Can you examine 
>the supplier access log to see if the client is following the referral?

>You should see a MOD request in the supplier access log shortly after 
>the MOD to the consumer that resulted in the err=10.  If not, this 
>means the client is not following the referral, which is either a bug 
>or a mis-configuration of the client.
>
>  
>
>>Also, what is the advantage of
>>using the extended operation to change passwords?  Thanks again.
>> 
>>
>>    
>>
>The extended operation is meant to be used when you are not using a 
>simple userPassword (e.g. some SASL mechs, Kerberos).
>
>  
>
>>Aaron
>>
>>-----Original Message-----
>>From: fedora-directory-users-bounces at redhat.com
>>[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of 
>>Richard
>>    
>>
>
>  
>
>>Megginson
>>Sent: Tuesday, January 24, 2006 11:13 AM
>>To: General discussion list for the Fedora Directory server project.
>>Subject: Re: [Fedora-directory-users] Question on password changes
>>
>>Bliss, Aaron wrote:
>>
>> 
>>
>>    
>>
>>>Thanks for getting back to me so quickly; I've seen the error 
>>>messages
>>>      
>>>
>
>  
>
>>>that you referenced below; I can then assume then my only alternative

>>>is to setup a multimaster environment?  Thanks.
>>>
>>>
>>>   
>>>
>>>      
>>>
>>Which error messages have you seen?  Are you saying that the client is

>>using the password modify extended operation?  If so, then yes, you 
>>will have to use multi master.  If not, then single master should be 
>>fine, and you'll need to debug the client to figure out why it's not 
>>following the referral to the supplier.
>>
>>BTW, I believe we have a bug - the consumer should send back a 
>>referral
>>    
>>
>
>  
>
>>to the supplier when it gets the password modify extended operation.  
>>We need to add support for sending back referrals when certain 
>>extended
>>    
>>
>
>  
>
>>operations that modify data are received.
>>
>> 
>>
>>    
>>
>>>Aaron
>>>
>>>-----Original Message-----
>>>From: fedora-directory-users-bounces at redhat.com
>>>[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of 
>>>Richard
>>>   
>>>
>>>      
>>>
>> 
>>
>>    
>>
>>>Megginson
>>>Sent: Tuesday, January 24, 2006 10:35 AM
>>>To: General discussion list for the Fedora Directory server project.
>>>Subject: Re: [Fedora-directory-users] Question on password changes
>>>
>>>Bliss, Aaron wrote:
>>>
>>>
>>>
>>>   
>>>
>>>      
>>>
>>>>I have a quick question on password changes; my current setup is the
>>>>following: I have 2 directory servers, single master environment 
>>>>(supplier and consumer); I understand that all changes to the 
>>>>directory
>>>>  
>>>>
>>>>     
>>>>
>>>>        
>>>>
>>>   
>>>
>>>      
>>>
>>>>have to be made by the supplier and are then replicated to the 
>>>>consumer; when a client server binds to the consumer and a user 
>>>>attempts to change their password, they receive an unknown error 
>>>>response from the server, and changes are not made; simply 
>>>>configuring
>>>>     
>>>>
>>>>        
>>>>
>> 
>>
>>    
>>
>>>>the client's ldap.conf file to bind first with the supplier resolved

>>>>this issue, however I was wondering if it's possible to configure 
>>>>the
>>>>        
>>>>
>
>  
>
>>>>consumer in such a way that he will refer the update to take place 
>>>>on
>>>>        
>>>>
>
>  
>
>>>>the supplier instead of rejecting the change to the database?
>>>>
>>>>  
>>>>
>>>>     
>>>>
>>>>        
>>>>
>>>Yes, that's what should be happening.  When you send the modify 
>>>password request to the consumer, it should send back a referral to 
>>>the
>>>   
>>>
>>>      
>>>
>>supplier.
>> 
>>
>>    
>>
>>>You can see this in the access log - a MOD request followed by a 
>>>response with err=10 (referral).  If however the client is using the 
>>>password modify extended operation, I don't think that is referred to

>>>the supplier.  In this case, you will see EXT as the operation type 
>>>in
>>>      
>>>
>
>  
>
>>>the access log for the request.
>>>
>>>
>>>
>>>   
>>>
>>>      
>>>
>>>>I would have thought that the
>>>>consumer would simply refer changes automatically to the supplier, 
>>>>but
>>>>     
>>>>
>>>>        
>>>>
>> 
>>
>>    
>>
>>>>that doesn't seem to be the case.  Any thoughts?
>>>>
>>>>  
>>>>
>>>>     
>>>>
>>>>        
>>>>
>>>Check the access logs, as above.
>>>
>>>
>>>
>>>   
>>>
>>>      
>>>
>>>>I do know that I can
>>>>configure both servers to be masters, but I was hoping to avoid this

>>>>(I've read thru some of the directory server documentation citing 
>>>>errors and so forth in a multi-master environment) Thanks.
>>>>
>>>>
>>>>  
>>>>
>>>>     
>>>>
>>>>        
>>>>
>>>http://directory.fedora.redhat.com/wiki/Howto:ChainOnUpdate
>>>
>>>However, I don't think we chain the password change extended
>>>      
>>>
>operation.
>  
>
>>>
>>>   
>>>
>>>      
>>>
>>>>Aaron
>>>>
>>>>www.preferredcare.org
>>>>"An Outstanding Member Experience," Preferred Care HMO Plans -- J.
D.
>>>>        
>>>>
>
>  
>
>>>>Power and Associates
>>>>
>>>>Confidentiality Notice:
>>>>The information contained in this electronic message is intended for
>>>>  
>>>>
>>>>     
>>>>
>>>>        
>>>>
>>>the exclusive use of the individual or entity named above and may 
>>>contain privileged or confidential information.  If the reader of 
>>>this
>>>      
>>>
>
>  
>
>>>message is not the intended recipient or the employee or agent 
>>>responsible to deliver it to the intended recipient, you are hereby 
>>>notified that dissemination, distribution or copying of this 
>>>information is prohibited.  If you have received this communication 
>>>in
>>>      
>>>
>
>  
>
>>>error, please notify the sender immediately by telephone and destroy 
>>>the copies you received.
>>>
>>>
>>>   
>>>
>>>      
>>>
>>>>--
>>>>Fedora-directory-users mailing list
>>>>Fedora-directory-users at redhat.com
>>>>https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>>
>>>>
>>>>  
>>>>
>>>>     
>>>>
>>>>        
>>>>
>>>www.preferredcare.org
>>>"An Outstanding Member Experience," Preferred Care HMO Plans -- J. D.

>>>Power and Associates
>>>
>>>Confidentiality Notice:
>>>The information contained in this electronic message is intended for
>>>   
>>>
>>>      
>>>
>>the exclusive use of the individual or entity named above and may 
>>contain privileged or confidential information.  If the reader of this

>>message is not the intended recipient or the employee or agent 
>>responsible to deliver it to the intended recipient, you are hereby 
>>notified that dissemination, distribution or copying of this 
>>information is prohibited.  If you have received this communication in

>>error, please notify the sender immediately by telephone and destroy 
>>the copies you received.
>> 
>>
>>    
>>
>>>--
>>>Fedora-directory-users mailing list
>>>Fedora-directory-users at redhat.com
>>>https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>
>>>
>>>   
>>>
>>>      
>>>
>>www.preferredcare.org
>>"An Outstanding Member Experience," Preferred Care HMO Plans -- J. D. 
>>Power and Associates
>>
>>Confidentiality Notice:
>>The information contained in this electronic message is intended for
>>    
>>
>the exclusive use of the individual or entity named above and may 
>contain privileged or confidential information.  If the reader of this 
>message is not the intended recipient or the employee or agent 
>responsible to deliver it to the intended recipient, you are hereby 
>notified that dissemination, distribution or copying of this 
>information is prohibited.  If you have received this communication in 
>error, please notify the sender immediately by telephone and destroy 
>the copies you received.
>  
>
>>--
>>Fedora-directory-users mailing list
>>Fedora-directory-users at redhat.com
>>https://www.redhat.com/mailman/listinfo/fedora-directory-users
>> 
>>
>>    
>>
>
>
>www.preferredcare.org
>"An Outstanding Member Experience," Preferred Care HMO Plans -- J. D. 
>Power and Associates
>
>Confidentiality Notice:
>The information contained in this electronic message is intended for
the exclusive use of the individual or entity named above and may
contain privileged or confidential information.  If the reader of this
message is not the intended recipient or the employee or agent
responsible to deliver it to the intended recipient, you are hereby
notified that dissemination, distribution or copying of this information
is prohibited.  If you have received this communication in error, please
notify the sender immediately by telephone and destroy the copies you
received.
>
>
>--
>Fedora-directory-users mailing list
>Fedora-directory-users at redhat.com
>https://www.redhat.com/mailman/listinfo/fedora-directory-users
>  
>

www.preferredcare.org
"An Outstanding Member Experience," Preferred Care HMO Plans -- J. D. Power and Associates

Confidentiality Notice:
The information contained in this electronic message is intended for the exclusive use of the individual or entity named above and may contain privileged or confidential information.  If the reader of this message is not the intended recipient or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that dissemination, distribution or copying of this information is prohibited.  If you have received this communication in error, please notify the sender immediately by telephone and destroy the copies you received.