[389-users] Password Policy not working fine

Rich Megginson rmeggins at redhat.com
Thu Dec 3 16:58:49 UTC 2009 

Allan Gaston Hougham wrote:
> Hi, thanks for you response,
>  
> We have Fedora-ds 1.2.2  2009.237.2054
>  
> Platform:
>  
> Linux zblhp36 2.6.18-8.1.14.el5 #1 SMP Tue Sep 25 11:45:55 EDT 2007 
> x86_64 x86_64 x86_64 GNU/Linux
>
> In this time we can apply any policies, but is not working "user must 
> change password after reset" and change password later that it exipire
>  
> This is the error with this ldap.conf:
>  
> [root at yblhp35 openldap]# cat ldap.conf
> #
> # LDAP Defaults
> #
> # See ldap.conf(5) for details
> # This file should be world readable but not world writable.
> #BASE   dc=example, dc=com
> #URI    ldap://ldap.example.com ldap://ldap-master.example.com:666
> #SIZELIMIT      12
> #TIMELIMIT      15
> #DEREF          never
> #use_sasl on
> URI ldap://zblhp36.ml.com/
> BASE dc=ml,dc=com
> suffix "ou=Infraestructura,ou=Sistemas,ou=Tronador,ou=Argentina"
> suffix "ou=Arquitectura,ou=Sistemas,ou=Tronador,ou=Argentina"
> #TLS_CACERTDIR /etc/openldap/cacerts
> #TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt
> TLS_REQCERT allow
> bind_policy soft
> ssl no
> TLS_CACERTDIR /etc/openldap/cacerts
> pam_password md5
>  
> ERROR:
>  
> WARNING: Your password has expired.
> You must change your password now and login again!
> Changing password for user testsi.
> Enter login(LDAP) password:
> LDAP Password incorrect: try again
> Enter login(LDAP) password:
> New UNIX password:
> Retype new UNIX password:
> LDAP password information update failed: Server is unwilling to 
> perform user is not allowed to change password
> passwd: Permission denied
>  
>  
> And this is the error with this ldap.conf:
>  
>  
> [ahougham at dblvm32 ~]$ cat /etc/ldap.conf
> #
> # See ldap.conf(5) for details
> # This file should be world readable but not world writable.
> #BASE   dc=example, dc=com
> #URI    ldap://ldap.example.com ldap://ldap-master.example.com:666
> #SIZELIMIT      12
> #TIMELIMIT      15
> #DEREF          never
> #use_sasl on
> HOST 172.16.100.186 172.16.102.49
> URI ldaps://172.16.100.186 ldaps://172.16.102.49
> BASE dc=ml,dc=com
> suffix "ou=Infraestructura,ou=Sistemas,ou=Tronador,ou=Argentina"
> suffix "ou=Arquitectura,ou=Sistemas,ou=Tronador,ou=Argentina"
> #TLS_CACERTDIR /etc/openldap/cacerts/
> #TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt
> TLS_REQCERT allow
> bind_policy soft
> ssl no
> tls_cacertdir /etc/openldap/cacerts
> pam_password md5
> uri ldap://zblhp36.ml.com/
> base dc=ml,dc=com
> # Search the root DSE for the password policy (works
> # with Netscape Directory Server)
> pam_lookup_policy yes
> # Use the OpenLDAP password change
> # extended operation to update the password.
> pam_password exop
>
>  
> WARNING: Your password has expired.
> You must change your password now and login again!
> Changing password for user testsi.
> Enter login(LDAP) password:
> New UNIX password:
> Retype new UNIX password:
> LDAP password information update failed: Confidentiality required 
> Operation requires a secure connection.
Ah.  By default, newer versions of the server require a secure 
connection for password changes, since the password is sent in clear text.
>  
>  
>  
> Thanks in advance!!!
>  
>  
> Allan
>  
>  
> > Date: Mon, 30 Nov 2009 08:11:51 -0700
> > From: rmeggins at redhat.com
> > To: fedora-directory-users at redhat.com
> > Subject: Re: [389-users] Password Policy not working fine
> >
> > Allan Gaston Hougham wrote:
> > > Dears,
> > >
> > > I have a problem with my passwords policies, I enabled "Enable
> > > fine-grained password policy", I apply this but is not working fine.
> > > I followed the steps of Administration Guide pag 364 -
> > >
> > > *7.1.1.2. Configuring a Subtree/User Password Policy Using the 
> Console*
> > >
> > > But it´s not working, i have that setting any more?
> > > Can you help me?
> > >
> > What is your platform? What version of directory server? rpm -qi
> > 389-ds-base (or fedora-ds-base)
> > >
> > > Thanks a lot in advance!
> > >
> > > Allan Hougham
> > >
> > >
> > > 
> ------------------------------------------------------------------------
> > > Internet Explorer 8 especial para MSN - ¡Gratis! Descargalo ahora
> > > haciendo clic aquí
> > > <http://www.ie8.msn.com/microsoft/internet-explorer-8/es-ar/ie8.aspx>
> > > 
> ------------------------------------------------------------------------
> > >
> > > --
> > > 389 users mailing list
> > > 389-users at redhat.com
> > > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> > >
> >
> >
>
> ------------------------------------------------------------------------
> ¿Te llegan demasiados emails? Organizate con Hotmail. ¡Creá carpetas 
> para todos tus correos! <http://mail.live.com/>
> ------------------------------------------------------------------------
>
> --
> 389 users mailing list
> 389-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>   


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3258 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/fedora-directory-users/attachments/20091203/e9b5ecf0/attachment.bin>

More information about the Fedora-directory-users mailing list