[389-users] Password Policy not working fine

Shouben Zhou Shouben.Zhou-1 at nasa.gov
Mon Dec 7 15:34:06 UTC 2009


You should choose pam_password clear in /etc/ldap.conf; then password change 
with passwd will work. However, my problem is that the password expiration 
policy never works for my client, even though passwordexpwarned is set to 1 
on the server. Does anybody have password expiration working?

--
Shouben Zhou
Science Systems and Applications Inc.(SSAI)
1 Enterprise Pkwy, Hampton, VA 23666
Tel: (757)951-1905  Fax: (757)951-1900
Email: Shouben.Zhou at nasa.gov



Allan Gaston Hougham wrote:
> Hi Rich,
>  
> thanks for your support, I will try it.
> Do you have any white paper or guide for implementing LDAP server and 
> client to use TLS?
> I read the Administration Guide but if you have any tutorial, better!
>  
> Thanks!
>  
> Allan
>
>  
> > Date: Fri, 4 Dec 2009 13:25:34 -0700
> > From: rmeggins at redhat.com
> > To: fedora-directory-users at redhat.com
> > Subject: Re: [389-users] Password Policy not working fine
> >
> > Allan Gaston Hougham wrote:
> > > Hi Rich,
> > >
> > > Sorry, I only saw your answer now..
> > > With our settings in ldap.conf the error is:
> > >
> > >
> > > > > > > Changing password for user testsi.
> > > > > > > Enter login(LDAP) password:
> > > > > > > New UNIX password:
> > > > > > > Retype new UNIX password:
> > > > > > > > LDAP password information update failed: Confidentiality required
> > > > > > > Operation requires a secure connection.
> > > > > > > passwd: Permission denied
> > >
> > >
> > > What is the shortcut to resolve this problem?
> > >
> > > 1 - We need to run this command: ldappasswd -x to disable SASL auth
> > >
> > >
> > > 2 - We need to make these settings?
> > >
> > > Need to configure the directory server and nss_ldap/pam_ldap
> > > (/etc/ldap.conf) to use TLS
> > >
> > >
> > > It is not important to have a secure connection for authentication
> > > We need our policies to work fine
> > >
> > > I think that we aren't using ldappasswd...
> > ldappasswd uses the password extended operation, just like pam_password
> > exop. In order to use this extended operation, you must use a secure
> > connection, which means TLS/SSL or SASL with a negotiated security layer.
> >
> > So you either need to configure your LDAP server and client to use TLS,
> > or use something like ldapmodify to change the userPassword attribute
> > directly (i.e. don't use the passwd command).
> > >
> > >
> > >
> > > Thanks in advance!!
> > >
> > >
> > > Allan
> > >
> > >
> > >
> > >
> > >
> > > > Date: Fri, 4 Dec 2009 11:03:53 -0700
> > > > From: rmeggins at redhat.com
> > > > To: fedora-directory-users at redhat.com
> > > > Subject: Re: [389-users] Password Policy not working fine
> > > >
> > > > Allan Gaston Hougham wrote:
> > > > > Any suggestions??
> > > >
> > > > Did you not read my reply? See below
> > > > >
> > > > > Thanks!
> > > > >
> > > > > > Date: Thu, 3 Dec 2009 11:43:34 -0700
> > > > > > From: rmeggins at redhat.com
> > > > > > To: fedora-directory-users at redhat.com
> > > > > > Subject: Re: [389-users] Password Policy not working fine
> > > > > >
> > > > > > Allan Gaston Hougham wrote:
> > > > > > > I can't.. We have two errors:
> > > > > > >
> > > > > > > [root at dblvm32 ~]# passwd testsi
> > > > > > > Changing password for user testsi.
> > > > > > > Enter login(LDAP) password:
> > > > > > > New UNIX password:
> > > > > > > Retype new UNIX password:
> > > > > > > > LDAP password information update failed: Confidentiality required
> > > > > > > Operation requires a secure connection.
> > > > > > > passwd: Permission denied
> > > > [begin rmeggins reply]
> > > > > > Need to configure the directory server and nss_ldap/pam_ldap
> > > > > > (/etc/ldap.conf) to use TLS
> > > > [end rmeggins reply]
> > > > > > >
> > > > > > > [root at dblvm32 ~]# ldappasswd testsi
> > > > > > > SASL/EXTERNAL authentication started
> > > > > > > > ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
> > > > > > > additional info: SASL(-4): no mechanism available:
> > > > > > > [root at dblvm32 ~]#
> > > > [begin rmeggins reply]
> > > > > > ldappasswd -x to disable SASL auth
> > > > [end rmeggins reply]
> > > > > > >
> > > > > > >
> > > > > > > What happened?? Thanks!!
> > > > > > >
> > > > > > >
> > > > > > > Allan
> > > > > > >
> > > > > > >
> > > > > > > > Date: Thu, 3 Dec 2009 09:58:04 -0700
> > > > > > > > From: rmeggins at redhat.com
> > > > > > > > To: fedora-directory-users at redhat.com
> > > > > > > > Subject: Re: [389-users] Password Policy not working fine
> > > > > > > >
> > > > > > > > Allan Gaston Hougham wrote:
> > > > > > > > > Hi, thanks for your response,
> > > > > > > > >
> > > > > > > > > We have Fedora-ds 1.2.2 2009.237.2054
> > > > > > > > >
> > > > > > > > > Platform:
> > > > > > > > >
> > > > > > > > > > Linux zblhp36 2.6.18-8.1.14.el5 #1 SMP Tue Sep 25 11:45:55 EDT 2007
> > > > > > > > > > x86_64 x86_64 x86_64 GNU/Linux
> > > > > > > > >
> > > > > > > > > > At this time we can apply any policies, but "user must
> > > > > > > > > > change password after reset" is not working, and neither is
> > > > > > > > > > changing the password after it expires
> > > > > > > > >
> > > > > > > > > This is the error with this ldap.conf:
> > > > > > > > >
> > > > > > > > > [root at yblhp35 openldap]# cat ldap.conf
> > > > > > > > > #
> > > > > > > > > # LDAP Defaults
> > > > > > > > > #
> > > > > > > > > # See ldap.conf(5) for details
> > > > > > > > > > # This file should be world readable but not world writable.
> > > > > > > > > #BASE dc=example, dc=com
> > > > > > > > > > #URI ldap://ldap.example.com ldap://ldap-master.example.com:666
> > > > > > > > > #SIZELIMIT 12
> > > > > > > > > #TIMELIMIT 15
> > > > > > > > > #DEREF never
> > > > > > > > > #use_sasl on
> > > > > > > > > URI ldap://zblhp36.ml.com/
> > > > > > > > > BASE dc=ml,dc=com
> > > > > > > > > > suffix "ou=Infraestructura,ou=Sistemas,ou=Tronador,ou=Argentina"
> > > > > > > > > > suffix "ou=Arquitectura,ou=Sistemas,ou=Tronador,ou=Argentina"
> > > > > > > > > #TLS_CACERTDIR /etc/openldap/cacerts
> > > > > > > > > #TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt
> > > > > > > > > TLS_REQCERT allow
> > > > > > > > > bind_policy soft
> > > > > > > > > ssl no
> > > > > > > > > TLS_CACERTDIR /etc/openldap/cacerts
> > > > > > > > > pam_password md5
> > > > > > > > >
> > > > > > > > > ERROR:
> > > > > > > > >
> > > > > > > > > WARNING: Your password has expired.
> > > > > > > > > You must change your password now and login again!
> > > > > > > > > Changing password for user testsi.
> > > > > > > > > Enter login(LDAP) password:
> > > > > > > > > LDAP Password incorrect: try again
> > > > > > > > > Enter login(LDAP) password:
> > > > > > > > > New UNIX password:
> > > > > > > > > Retype new UNIX password:
> > > > > > > > > > LDAP password information update failed: Server is unwilling to
> > > > > > > > > > perform user is not allowed to change password
> > > > > > > > > passwd: Permission denied
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > And this is the error with this ldap.conf:
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > [ahougham at dblvm32 ~]$ cat /etc/ldap.conf
> > > > > > > > > #
> > > > > > > > > # See ldap.conf(5) for details
> > > > > > > > > > # This file should be world readable but not world writable.
> > > > > > > > > #BASE dc=example, dc=com
> > > > > > > > > > #URI ldap://ldap.example.com ldap://ldap-master.example.com:666
> > > > > > > > > #SIZELIMIT 12
> > > > > > > > > #TIMELIMIT 15
> > > > > > > > > #DEREF never
> > > > > > > > > #use_sasl on
> > > > > > > > > HOST 172.16.100.186 172.16.102.49
> > > > > > > > > URI ldaps://172.16.100.186 ldaps://172.16.102.49
> > > > > > > > > BASE dc=ml,dc=com
> > > > > > > > > > suffix "ou=Infraestructura,ou=Sistemas,ou=Tronador,ou=Argentina"
> > > > > > > > > > suffix "ou=Arquitectura,ou=Sistemas,ou=Tronador,ou=Argentina"
> > > > > > > > > #TLS_CACERTDIR /etc/openldap/cacerts/
> > > > > > > > > #TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt
> > > > > > > > > TLS_REQCERT allow
> > > > > > > > > bind_policy soft
> > > > > > > > > ssl no
> > > > > > > > > tls_cacertdir /etc/openldap/cacerts
> > > > > > > > > pam_password md5
> > > > > > > > > uri ldap://zblhp36.ml.com/
> > > > > > > > > base dc=ml,dc=com
> > > > > > > > > # Search the root DSE for the password policy (works
> > > > > > > > > # with Netscape Directory Server)
> > > > > > > > > pam_lookup_policy yes
> > > > > > > > > # Use the OpenLDAP password change
> > > > > > > > > # extended operation to update the password.
> > > > > > > > > pam_password exop
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > WARNING: Your password has expired.
> > > > > > > > > You must change your password now and login again!
> > > > > > > > > Changing password for user testsi.
> > > > > > > > > Enter login(LDAP) password:
> > > > > > > > > New UNIX password:
> > > > > > > > > Retype new UNIX password:
> > > > > > > > > > LDAP password information update failed: Confidentiality required
> > > > > > > > > > Operation requires a secure connection.
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > Thanks in advance!!!
> > > > > > > > Does it work if you use the ldappasswd command line tool?
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > Allan
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > > Date: Mon, 30 Nov 2009 08:11:51 -0700
> > > > > > > > > > From: rmeggins at redhat.com
> > > > > > > > > > To: fedora-directory-users at redhat.com
> > > > > > > > > > Subject: Re: [389-users] Password Policy not working fine
> > > > > > > > > >
> > > > > > > > > > Allan Gaston Hougham wrote:
> > > > > > > > > > > Dears,
> > > > > > > > > > >
> > > > > > > > > > > > > I have a problem with my password policies. I enabled
> > > > > > > > > > > > > "Enable fine-grained password policy" and applied it, but it is
> > > > > > > > > > > > > not working fine.
> > > > > > > > > > > > > I followed the steps of the Administration Guide, page 364 -
> > > > > > > > > > >
> > > > > > > > > > > *7.1.1.2. Configuring a Subtree/User Password Policy
> > > Using the
> > > > > > > > > Console*
> > > > > > > > > > >
> > > > > > > > > > > > > But it's not working; do I have to set anything more?
> > > > > > > > > > > Can you help me?
> > > > > > > > > > >
> > > > > > > > > > What is your platform? What version of directory server?
> > > > > > > > > > rpm -qi 389-ds-base (or fedora-ds-base)
> > > > > > > > > > >
> > > > > > > > > > > Thanks a lot in advance!
> > > > > > > > > > >
> > > > > > > > > > > Allan Hougham
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > --
> > > > > > > > > > > 389 users mailing list
> > > > > > > > > > > 389-users at redhat.com
> > > > > > > > > > >
> > > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> > > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > >
> > > > >
> > > 
> ------------------------------------------------------------------------
> > > > > > > > > ¿Te llegan demasiados emails? Organizate con Hotmail. 
> ¡Creá
> > > > > carpetas
> > > > > > > > > para todos tus correos! <http://mail.live.com/>
> > > > > > > > >
> > > > > > >
> > > > >
> > > 
> ------------------------------------------------------------------------
> > > > > > > > >
> > > > > > > > > --
> > > > > > > > > 389 users mailing list
> > > > > > > > > 389-users at redhat.com
> > > > > > > > > 
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
> > > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > > >
> > > > >
> > > 
> ------------------------------------------------------------------------
> > > > > > > ¡Revisá de un vistazo si tenés correos nuevos! Ingresá a tu
> > > Hotmail
> > > > > > > desde tu Messenger. ¡Probalo ahora!
> > > > > > > 
> <http://www.microsoft.com/latam/windows/windowslive/default.aspx>
> > > > > > >
> > > > >
> > > 
> ------------------------------------------------------------------------
> > > > > > >
> > > > > > > --
> > > > > > > 389 users mailing list
> > > > > > > 389-users at redhat.com
> > > > > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> > > > > > >
> > > > > >
> > > > > > --
> > > > > > 389 users mailing list
> > > > > > 389-users at redhat.com
> > > > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> > > > >
> > > > >
> > > 
> ------------------------------------------------------------------------
> > > > > Internet Explorer 8 especial para MSN - ¡Gratis! Hacé clic aquí
> > > > > 
> <http://www.ie8.msn.com/microsoft/internet-explorer-8/es-ar/ie8.aspx>
> > > > >
> > > 
> ------------------------------------------------------------------------
> > > > >
> > > > > --
> > > > > 389 users mailing list
> > > > > 389-users at redhat.com
> > > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> > > > >
> > > >
> > > > --
> > > > 389 users mailing list
> > > > 389-users at redhat.com
> > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> > >
> > > 
> ------------------------------------------------------------------------
> > > ¿Cansado de borrar spam de tu bandea de entrada? ¡Ganá tiempo con el
> > > nuevo filtro anti spam de Hotmail! <http://mail.live.com>
> > > 
> ------------------------------------------------------------------------
> > >
> > > --
> > > 389 users mailing list
> > > 389-users at redhat.com
> > > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> > >
> >
> > --
> > 389 users mailing list
> > 389-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
> ------------------------------------------------------------------------
> Internet Explorer 8 especial para MSN - ¡Gratis! Hacé clic aquí 
> <http://www.ie8.msn.com/microsoft/internet-explorer-8/es-ar/ie8.aspx>
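An added checker, not code from the thread or from nss_ldap/389 DS: it parses a pam_ldap-style /etc/ldap.conf and flags what the thread ran into (pam_password exop over a plain ldap:// connection, which the server refuses with "Confidentiality required"), the cleartext simple bind that goes with it, and the TLS_REQCERT allow setting from Allan's configs, which leaves the server certificate unverified. Assumed: keys match case-insensitively, a connection counts as protected only with ssl start_tls/on or all-ldaps:// URIs, and the two sample configs are constructed with placeholder hostnames.

```python
# Added example (not code from the thread, nss_ldap or 389 DS): lint a pam_ldap-style /etc/ldap.conf
# for the pitfalls above. Assumed: case-insensitive keys; the sample configs below are constructed.

def parse_ldap_conf(text):
    """Return (settings, uris): settings maps lower-cased key -> last value seen."""
    settings, uris = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
            if key == "uri":
                uris.extend(value.split())  # collect every URI, e.g. "uri ldaps://a ldaps://b"
            else:
                settings[key] = value
    return settings, uris

def lint_ldap_conf(text):
    """Return finding codes; an empty list means none of the known pitfalls is present."""
    cfg, uris = parse_ldap_conf(text)
    plaintext = [u for u in uris if u.lower().startswith("ldap://")]
    # Assumption: protected only via start_tls / ssl on, or when every URI is ldaps://.
    secure = cfg.get("ssl", "no").lower() in ("on", "start_tls") or bool(uris and not plaintext)
    findings = []
    if cfg.get("pam_password", "").lower().startswith("exop") and not secure:
        # Password-modify extended op over a plain connection -> "Confidentiality required".
        findings.append("EXOP_WITHOUT_TLS")
    if not secure:
        findings.append("PLAINTEXT_BIND")  # the user's current password crosses the wire in clear
    if (cfg.get("tls_checkpeer", "yes").lower() == "no"
            or cfg.get("tls_reqcert", "demand").lower() in ("never", "allow")):
        findings.append("CERT_NOT_VERIFIED")  # TLS would accept a spoofed server certificate
    return findings

BROKEN_CONF = """\
uri ldap://ldap.example.test/
ssl no
TLS_REQCERT allow
pam_password exop
"""
FIXED_CONF = """\
uri ldap://ldap.example.test/
ssl start_tls
tls_checkpeer yes
tls_cacertdir /etc/openldap/cacerts
pam_password exop
"""

if __name__ == "__main__":
    print("broken:", lint_ldap_conf(BROKEN_CONF))  # ['EXOP_WITHOUT_TLS', 'PLAINTEXT_BIND', 'CERT_NOT_VERIFIED']
    print("fixed: ", lint_ldap_conf(FIXED_CONF))   # []
```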



