[Fedora-directory-users] Re: Fedora-directory-users Digest, Vol 8, Issue 40
by A G
OK. How can I disable the "cn=Directory Administrator" account?
Will I be able to enable it easily, so that in normal operation it is
disabled for security purposes?
On 1/25/06, fedora-directory-users-request(a)redhat.com <
fedora-directory-users-request(a)redhat.com> wrote:
>
> Send Fedora-directory-users mailing list submissions to
> fedora-directory-users(a)redhat.com
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
> or, via email, send a message with subject or body 'help' to
> fedora-directory-users-request(a)redhat.com
>
> You can reach the person managing the list at
> fedora-directory-users-owner(a)redhat.com
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Fedora-directory-users digest..."
>
>
> Today's Topics:
>
> 1. How to enable "cn=Directory Administrator" to login from only
> specified hosts (Gökhan Afacan)
> 2. How to lock/unlock "cn=Directory Administrator" user account?
> (Gökhan Afacan)
> 3. Re: How to enable "cn=Directory Administrator" to login from
> only specified hosts (Richard Megginson)
> 4. Re: How to lock/unlock "cn=Directory Administrator" user
> account? (Richard Megginson)
> 5. How to enable "cn=Directory Administrator" to login from only
> specified hosts (A G)
> 6. How to lock/unlock "cn=Directory Administrator" user account?
> (A G)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 25 Jan 2006 17:44:31 +0200
> From: Gökhan Afacan <gokhan.afacan(a)gmail.com>
> Subject: [Fedora-directory-users] How to enable "cn=Directory
> Administrator" to login from only specified hosts
> To: fedora-directory-users(a)redhat.com
> Message-ID:
> <2393d5a10601250744m7c2e0643mea5ee25a5658d4fc(a)mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hello,
> How can I enable "cn=Directory Administrator" to login from only
> specified hosts?
> I mean that cn=Directory Administrator user can only logon only from
> 10.1.3.110.
> How can I do that?
>
>
>
> ------------------------------
>
> Message: 2
> Date: Wed, 25 Jan 2006 17:46:03 +0200
> From: Gökhan Afacan <gokhan.afacan(a)gmail.com>
> Subject: [Fedora-directory-users] How to lock/unlock "cn=Directory
> Administrator" user account?
> To: fedora-directory-users(a)redhat.com
> Message-ID:
> <2393d5a10601250746hfae7d11t8526098605735d8d(a)mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> How can I lock and unlock the user cn=Directory Administrator user
> account?
>
>
> On 1/25/06, Gökhan Afacan <gokhan.afacan(a)gmail.com> wrote:
> > Hello,
> > How can I enable "cn=Directory Administrator" to login from only
> > specified hosts?
> > I mean that cn=Directory Administrator user can only logon only from
> 10.1.3.110.
> > How can I do that?
> >
>
>
>
> ------------------------------
>
> Message: 3
> Date: Wed, 25 Jan 2006 09:13:30 -0700
> From: Richard Megginson <rmeggins(a)redhat.com>
> Subject: Re: [Fedora-directory-users] How to enable "cn=Directory
> Administrator" to login from only specified hosts
> To: "General discussion list for the Fedora Directory server project."
> <fedora-directory-users(a)redhat.com>
> Message-ID: <43D7A3AA.2000208(a)redhat.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Gökhan Afacan wrote:
>
> >Hello,
> >How can I enable "cn=Directory Administrator" to login from only
> >specified hosts?
> >
> >
> I don't think that is possible.
>
> >I mean that cn=Directory Administrator user can only logon only from
> 10.1.3.110.
> >How can I do that?
> >
> >
> I don't think you can do that. If you are worried about Directory
> Manager access, you can create another account (like the console admin
> account) that has administrator privileges, then you can set up ACIs for
> that user, then you can disable the directory manager account.
>
> >--
> >Fedora-directory-users mailing list
> >Fedora-directory-users(a)redhat.com
> >https://www.redhat.com/mailman/listinfo/fedora-directory-users
> >
> >
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: smime.p7s
> Type: application/x-pkcs7-signature
> Size: 3178 bytes
> Desc: S/MIME Cryptographic Signature
> Url :
> https://www.redhat.com/archives/fedora-directory-users/attachments/200601...
>
> ------------------------------
>
> Message: 4
> Date: Wed, 25 Jan 2006 09:14:11 -0700
> From: Richard Megginson <rmeggins(a)redhat.com>
> Subject: Re: [Fedora-directory-users] How to
> lock/unlock "cn=Directory
> Administrator" user account?
> To: "General discussion list for the Fedora Directory server project."
> <fedora-directory-users(a)redhat.com>
> Message-ID: <43D7A3D3.2050004(a)redhat.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Gökhan Afacan wrote:
>
> >How can I lock and unlock the user cn=Directory Administrator user
> account?
> >
> >
> You cannot do that. You can disable the directory manager account, but
> you cannot lock and unlock it as if it were a "normal" user account.
>
> >
> >On 1/25/06, Gökhan Afacan <gokhan.afacan(a)gmail.com> wrote:
> >
> >
> >>Hello,
> >>How can I enable "cn=Directory Administrator" to login from only
> >>specified hosts?
> >>I mean that cn=Directory Administrator user can only logon only from
> 10.1.3.110.
> >>How can I do that?
> >>
> >>
> >>
> >
> >--
> >Fedora-directory-users mailing list
> >Fedora-directory-users(a)redhat.com
> >https://www.redhat.com/mailman/listinfo/fedora-directory-users
> >
> >
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: smime.p7s
> Type: application/x-pkcs7-signature
> Size: 3178 bytes
> Desc: S/MIME Cryptographic Signature
> Url :
> https://www.redhat.com/archives/fedora-directory-users/attachments/200601...
>
> ------------------------------
>
> Message: 5
> Date: Wed, 25 Jan 2006 18:25:51 +0200
> From: A G <cino11(a)gmail.com>
> Subject: [Fedora-directory-users] How to enable "cn=Directory
> Administrator" to login from only specified hosts
> To: fedora-directory-users(a)redhat.com
> Message-ID: <408162380601250825y4e966611p(a)mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hello,
> How can I enable "cn=Directory Administrator" to login from only
> specified hosts?
> I mean that cn=Directory Administrator user can only logon only from
> 10.1.3.110.
> How can I do that?
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL:
> https://www.redhat.com/archives/fedora-directory-users/attachments/200601...
>
> ------------------------------
>
> Message: 6
> Date: Wed, 25 Jan 2006 18:26:20 +0200
> From: A G <cino11(a)gmail.com>
> Subject: [Fedora-directory-users] How to lock/unlock "cn=Directory
> Administrator" user account?
> To: fedora-directory-users(a)redhat.com
> Message-ID: <408162380601250826r5dca4666q(a)mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> How can I lock and unlock the user cn=Directory Administrator user
> account?
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL:
> https://www.redhat.com/archives/fedora-directory-users/attachments/200601...
>
> ------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users(a)redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
>
> End of Fedora-directory-users Digest, Vol 8, Issue 40
> *****************************************************
>
18 years, 3 months
[Fedora-directory-users] How to lock/unlock "cn=Directory Administrator" user account?
by Gökhan Afacan
How can I lock and unlock the user cn=Directory Administrator user account?
On 1/25/06, Gökhan Afacan <gokhan.afacan(a)gmail.com> wrote:
> Hello,
> How can I enable "cn=Directory Administrator" to login from only
> specified hosts?
> I mean that cn=Directory Administrator user can only logon only from 10.1.3.110.
> How can I do that?
>
18 years, 3 months
RE: [Fedora-directory-users] Question on password changes
by Bliss, Aaron
I'm all set, in the fds on the consumer, I had to manually add the
supplier as a referral as part of the replication link (even though the
documentation says it will do this based upon replication link). Thanks
again very much for such a great product.
Aaron
-----Original Message-----
From: fedora-directory-users-bounces(a)redhat.com
[mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Bliss,
Aaron
Sent: Tuesday, January 24, 2006 2:11 PM
To: General discussion list for the Fedora Directory server project.
Subject: RE: [Fedora-directory-users] Question on password changes
Sorry, I meant to say that I don't see the MOD entry on the supplier's
log file; I agree with you, it doesn't seem that the client is listening
to the referral.
Aaron
-----Original Message-----
From: fedora-directory-users-bounces(a)redhat.com
[mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Richard
Megginson
Sent: Tuesday, January 24, 2006 2:10 PM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Question on password changes
Bliss, Aaron wrote:
>I see the MOD request in the consumer, but do not see the MOD request
>in the client;
>
Where would you see the MOD request in the client? It just seems as
though PAM is not following the referral and I'm not sure why. Perhaps
there is some other PAM configuration required?
>here are the relevant entries from
>
>/etc/ldap.conf and
>host serverA serverB
>base dc=myorg,dc=org
>pam_lookup_policy yes
>pam_check_host_attr yes
>pam_password clear
>ssl start_tls
>
>/etc/openldap/ldap.conf
>BASE dc=myorg,dc=org
>HOST serverA serverB
>TLS_CACERT /etc/openldap/cacerts/cacert.pem TLS_REQCERT allow
>
>Any ideas? I've confirmed this behaviour on redhat 3 and redhat 4
>boxes, further this is the error that I get from redhat 4 boxes
>
>LDAP password information update failed: Can't contact LDAP server
>
>passwd: Permission denied
>
>Thanks again for your help.
>
>Aaron
>
>-----Original Message-----
>From: fedora-directory-users-bounces(a)redhat.com
>[mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Richard
>Megginson
>Sent: Tuesday, January 24, 2006 1:21 PM
>To: General discussion list for the Fedora Directory server project.
>Subject: Re: [Fedora-directory-users] Question on password changes
>
>Bliss, Aaron wrote:
>
>>I am not using the password extended operation to change passwords i.e.
>>in /etc/ldap.conf pam_password exop is commented out; as such, what's
>>the best way to begin to debug this?
>>
>I'm not sure. If I understand you correctly, it seems that the
>consumer is correctly sending the referral back to the client in
>response to the MOD request to change the password. Can you examine
>the supplier access log to see if the client is following the referral?
>You should see a MOD request in the supplier access log shortly after
>the MOD to the consumer that resulted in the err=10. If not, this
>means the client is not following the referral, which is either a bug
>or a mis-configuration of the client.
>
>>Also, what is the advantage of
>>using the extended operation to change passwords? Thanks again.
>>
>The extended operation is meant to be used when you are not using a
>simple userPassword (e.g. some SASL mechs, Kerberos).
>
>>Aaron
>>
>>-----Original Message-----
>>From: fedora-directory-users-bounces(a)redhat.com
>>[mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of
>>Richard Megginson
>>Sent: Tuesday, January 24, 2006 11:13 AM
>>To: General discussion list for the Fedora Directory server project.
>>Subject: Re: [Fedora-directory-users] Question on password changes
>>
>>Bliss, Aaron wrote:
>>
>>>Thanks for getting back to me so quickly; I've seen the error
>>>messages that you referenced below; I can then assume then my only
>>>alternative is to setup a multimaster environment? Thanks.
>>>
>>Which error messages have you seen? Are you saying that the client is
>>using the password modify extended operation? If so, then yes, you
>>will have to use multi master. If not, then single master should be
>>fine, and you'll need to debug the client to figure out why it's not
>>following the referral to the supplier.
>>
>>BTW, I believe we have a bug - the consumer should send back a
>>referral to the supplier when it gets the password modify extended
>>operation. We need to add support for sending back referrals when
>>certain extended operations that modify data are received.
>>
>>>Aaron
>>>
>>>-----Original Message-----
>>>From: fedora-directory-users-bounces(a)redhat.com
>>>[mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of
>>>Richard Megginson
>>>Sent: Tuesday, January 24, 2006 10:35 AM
>>>To: General discussion list for the Fedora Directory server project.
>>>Subject: Re: [Fedora-directory-users] Question on password changes
>>>
>>>Bliss, Aaron wrote:
>>>
>>>>I have a quick question on password changes; my current setup is the
>>>>following: I have 2 directory servers, single master environment
>>>>(supplier and consumer); I understand that all changes to the
>>>>directory have to be made by the supplier and are then replicated to
>>>>the consumer; when a client server binds to the consumer and a user
>>>>attempts to change their password, they receive an unknown error
>>>>response from the server, and changes are not made; simply
>>>>configuring the client's ldap.conf file to bind first with the
>>>>supplier resolved this issue, however I was wondering if it's
>>>>possible to configure the consumer in such a way that he will refer
>>>>the update to take place on the supplier instead of rejecting the
>>>>change to the database?
>>>>
>>>Yes, that's what should be happening. When you send the modify
>>>password request to the consumer, it should send back a referral to
>>>the supplier.
>>>
>>>You can see this in the access log - a MOD request followed by a
>>>response with err=10 (referral). If however the client is using the
>>>password modify extended operation, I don't think that is referred to
>>>the supplier. In this case, you will see EXT as the operation type
>>>in the access log for the request.
>>>
>>>>I would have thought that the
>>>>consumer would simply refer changes automatically to the supplier,
>>>>but that doesn't seem to be the case. Any thoughts?
>>>>
>>>Check the access logs, as above.
>>>
>>>>I do know that I can
>>>>configure both servers to be masters, but I was hoping to avoid this
>>>>(I've read thru some of the directory server documentation citing
>>>>errors and so forth in a multi-master environment) Thanks.
>>>>
>>>http://directory.fedora.redhat.com/wiki/Howto:ChainOnUpdate
>>>
>>>However, I don't think we chain the password change extended
>>>operation.
>>>
>>>>Aaron
>>>>
>>>>www.preferredcare.org
>>>>"An Outstanding Member Experience," Preferred Care HMO Plans -- J. D.
>>>>Power and Associates
>>>>
>>>>Confidentiality Notice:
>>>>The information contained in this electronic message is intended for
>>>>the exclusive use of the individual or entity named above and may
>>>>contain privileged or confidential information. If the reader of
>>>>this message is not the intended recipient or the employee or agent
>>>>responsible to deliver it to the intended recipient, you are hereby
>>>>notified that dissemination, distribution or copying of this
>>>>information is prohibited. If you have received this communication
>>>>in error, please notify the sender immediately by telephone and
>>>>destroy the copies you received.
>>>>
>>>>--
>>>>Fedora-directory-users mailing list
>>>>Fedora-directory-users(a)redhat.com
>>>>https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>>
>>>
>>
>
www.preferredcare.org
"An Outstanding Member Experience," Preferred Care HMO Plans -- J. D.
Power and Associates
Confidentiality Notice:
The information contained in this electronic message is intended for the
exclusive use of the individual or entity named above and may contain
privileged or confidential information. If the reader of this message
is not the intended recipient or the employee or agent responsible to
deliver it to the intended recipient, you are hereby notified that
dissemination, distribution or copying of this information is
prohibited. If you have received this communication in error, please
notify the sender immediately by telephone and destroy the copies you
received.
--
Fedora-directory-users mailing list
Fedora-directory-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
18 years, 3 months
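Neither thread on this page shows how to check these things in the server's access log, so here is an added example; it is not code from the list, from Red Hat or from Fedora Directory Server. It reads constructed access-log lines (the hosts, DNs, connection numbers, timings and the `name="passwd_modify_extop"` tag are invented; the layout follows the conn=/op=/RESULT err= form Richard Megginson refers to) and does two things. Because ACIs do not apply to the root DN, it reports successful cn=Directory Manager binds from hosts outside an allowlist, which is the monitoring counterpart to the per-host restriction Gökhan asked for. For Aaron's supplier/consumer setup it separates MODs that the consumer answered with err=10 (referral) from password-modify extended operations (logged as EXT; the OID 1.3.6.1.4.1.4203.1.11.1 is the RFC 3062 password modify operation) and checks whether each referred MOD shows up in the supplier's log shortly afterwards, which is the test Richard suggests for a client that is not following the referral.

```python
# Added example (not from the list thread): triage constructed Directory Server access-log lines.
import re
from datetime import datetime

PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"  # RFC 3062 password modify extended op
LDAP_REFERRAL = 10                              # LDAP resultCode referral (err=10)
ROOT_DN = "cn=directory manager"                # root DN, compared case-insensitively

TS_RE = re.compile(r"^\[([^\]]+)\]")
CONN_RE = re.compile(r"conn=(\d+) fd=\d+ slot=\d+ connection from (\S+) to ")
OP_RE = re.compile(r"conn=(\d+) op=(\d+) (BIND|MOD|EXT|RESULT)\b(.*)")
DN_RE = re.compile(r'dn="([^"]*)"')
OID_RE = re.compile(r'oid="([^"]*)"')
ERR_RE = re.compile(r"\berr=(\d+)")

# Constructed sample logs in the access-log layout; hosts, DNs, conn numbers and timings are invented.
CONSUMER_LOG = """\
[24/Jan/2006:14:09:58 -0500] conn=12 fd=64 slot=64 connection from 10.1.3.110 to 10.1.3.20
[24/Jan/2006:14:09:58 -0500] conn=12 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[24/Jan/2006:14:09:58 -0500] conn=12 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[24/Jan/2006:14:10:01 -0500] conn=13 fd=65 slot=65 connection from 10.1.3.57 to 10.1.3.20
[24/Jan/2006:14:10:01 -0500] conn=13 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[24/Jan/2006:14:10:01 -0500] conn=13 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[24/Jan/2006:14:10:05 -0500] conn=14 fd=66 slot=66 connection from 10.1.3.80 to 10.1.3.20
[24/Jan/2006:14:10:06 -0500] conn=14 op=1 MOD dn="uid=aaron,ou=People,dc=myorg,dc=org"
[24/Jan/2006:14:10:06 -0500] conn=14 op=1 RESULT err=10 tag=103 nentries=0 etime=0
[24/Jan/2006:14:10:08 -0500] conn=15 fd=67 slot=67 connection from 10.1.3.81 to 10.1.3.20
[24/Jan/2006:14:10:08 -0500] conn=15 op=1 MOD dn="uid=bob,ou=People,dc=myorg,dc=org"
[24/Jan/2006:14:10:08 -0500] conn=15 op=1 RESULT err=10 tag=103 nentries=0 etime=0
[24/Jan/2006:14:10:09 -0500] conn=16 fd=68 slot=68 connection from 10.1.3.82 to 10.1.3.20
[24/Jan/2006:14:10:09 -0500] conn=16 op=1 EXT oid="1.3.6.1.4.1.4203.1.11.1" name="passwd_modify_extop"
[24/Jan/2006:14:10:09 -0500] conn=16 op=1 RESULT err=1 tag=120 nentries=0 etime=0
"""
SUPPLIER_LOG = """\
[24/Jan/2006:14:10:07 -0500] conn=40 op=1 MOD dn="uid=aaron,ou=People,dc=myorg,dc=org"
[24/Jan/2006:14:10:07 -0500] conn=40 op=1 RESULT err=0 tag=103 nentries=0 etime=0
"""

def parse_ops(log_text):
    """Pair each BIND/MOD/EXT request with its RESULT (matched on conn/op) and attach the source IP."""
    conn_ip, pending, ops = {}, {}, []
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if m:
            conn_ip[m.group(1)] = m.group(2)
            continue
        m = OP_RE.search(line)
        if not m:
            continue
        conn, op, kind, rest = m.groups()
        if kind == "RESULT":
            req, err = pending.pop((conn, op), None), ERR_RE.search(rest)
            if req is not None and err:
                req["err"] = int(err.group(1))
                ops.append(req)
            continue
        dn, oid = DN_RE.search(rest), OID_RE.search(rest)
        pending[(conn, op)] = {
            "time": datetime.strptime(TS_RE.match(line).group(1), "%d/%b/%Y:%H:%M:%S %z"),
            "conn": conn, "kind": kind, "ip": conn_ip.get(conn, "unknown"),
            "dn": dn.group(1) if dn else "", "oid": oid.group(1) if oid else "",
        }
    return ops

def root_binds_from_unexpected_hosts(ops, allowed_hosts):
    """ACIs never apply to the root DN, so host restriction can only be monitored: flag off-allowlist binds."""
    return [(o["conn"], o["ip"]) for o in ops
            if o["kind"] == "BIND" and o["dn"].lower() == ROOT_DN
            and o["err"] == 0 and o["ip"] not in allowed_hosts]

def password_changes_on_consumer(ops):
    """A MOD answered with err=10 was referred; a password-modify EXT is not referred and keeps its own err."""
    return {
        "referred_mods": [o["dn"] for o in ops
                          if o["kind"] == "MOD" and o["err"] == LDAP_REFERRAL],
        "passwd_exops": [(o["conn"], o["err"]) for o in ops
                         if o["kind"] == "EXT" and o["oid"] == PASSWD_MODIFY_OID],
    }

def referrals_followed(consumer_ops, supplier_ops, window_seconds=30):
    """Per referred MOD on the consumer: did a MOD for the same DN reach the supplier inside the window?"""
    result = {}
    for c in consumer_ops:
        if c["kind"] == "MOD" and c["err"] == LDAP_REFERRAL:
            result[c["dn"]] = any(
                s["kind"] == "MOD" and s["dn"] == c["dn"]
                and 0 <= (s["time"] - c["time"]).total_seconds() <= window_seconds
                for s in supplier_ops)
    return result

if __name__ == "__main__":
    consumer = parse_ops(CONSUMER_LOG)
    print("root binds off-allowlist:", root_binds_from_unexpected_hosts(consumer, {"10.1.3.110"}))
    print("password changes on consumer:", password_changes_on_consumer(consumer))
    print("referrals followed:", referrals_followed(consumer, parse_ops(SUPPLIER_LOG)))
```

On the constructed input the script flags the root-DN bind from 10.1.3.57, lists two referred MODs and one password-modify EXT, and shows that only the MOD for uid=aaron was followed to the supplier; a False entry in the last map is exactly the "client is not following the referral" case, while an EXT on the consumer is the case that needs the exop to be disabled on the client or the change sent to the supplier directly.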
RE: [Fedora-directory-users] Question on password changes
by Bliss, Aaron
Sorry, I meant to say that I don't see the MOD entry on the supplier's
log file; I agree with you, it doesn't seem that the client is listening
to the referral.
Aaron
-----Original Message-----
From: fedora-directory-users-bounces(a)redhat.com
[mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Richard
Megginson
Sent: Tuesday, January 24, 2006 2:10 PM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Question on password changes
Bliss, Aaron wrote:
>I see the MOD request in the consumer, but do not see the MOD request
>in the client;
>
Where would you see the MOD request in the client? It just seems as
though PAM is not following the referral and I'm not sure why. Perhaps
there is some other PAM configuration required?
>here are the relevant entries from
>
>/etc/ldap.conf and
>host serverA serverB
>base dc=myorg,dc=org
>pam_lookup_policy yes
>pam_check_host_attr yes
>pam_password clear
>ssl start_tls
>
>/etc/openldap/ldap.conf
>BASE dc=myorg,dc=org
>HOST serverA serverB
>TLS_CACERT /etc/openldap/cacerts/cacert.pem TLS_REQCERT allow
>
>Any ideas? I've confirmed this behaviour on redhat 3 and redhat 4
>boxes, further this is the error that I get from redhat 4 boxes
>
>LDAP password information update failed: Can't contact LDAP server
>
>passwd: Permission denied
>
>Thanks again for your help.
>
>Aaron
>
>-----Original Message-----
>From: fedora-directory-users-bounces(a)redhat.com
>[mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Richard
>Megginson
>Sent: Tuesday, January 24, 2006 1:21 PM
>To: General discussion list for the Fedora Directory server project.
>Subject: Re: [Fedora-directory-users] Question on password changes
>
>Bliss, Aaron wrote:
>
>>I am not using the password extended operation to change passwords i.e.
>>in /etc/ldap.conf pam_password exop is commented out; as such, what's
>>the best way to begin to debug this?
>>
>I'm not sure. If I understand you correctly, it seems that the
>consumer is correctly sending the referral back to the client in
>response to the MOD request to change the password. Can you examine
>the supplier access log to see if the client is following the referral?
>You should see a MOD request in the supplier access log shortly after
>the MOD to the consumer that resulted in the err=10. If not, this
>means the client is not following the referral, which is either a bug
>or a mis-configuration of the client.
>
>>Also, what is the advantage of
>>using the extended operation to change passwords? Thanks again.
>>
>The extended operation is meant to be used when you are not using a
>simple userPassword (e.g. some SASL mechs, Kerberos).
>
>>Aaron
>>
>>-----Original Message-----
>>From: fedora-directory-users-bounces(a)redhat.com
>>[mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of
>>Richard Megginson
>>Sent: Tuesday, January 24, 2006 11:13 AM
>>To: General discussion list for the Fedora Directory server project.
>>Subject: Re: [Fedora-directory-users] Question on password changes
>>
>>Bliss, Aaron wrote:
>>
>>>Thanks for getting back to me so quickly; I've seen the error
>>>messages that you referenced below; I can then assume then my only
>>>alternative is to setup a multimaster environment? Thanks.
>>>
>>Which error messages have you seen? Are you saying that the client is
>>using the password modify extended operation? If so, then yes, you
>>will have to use multi master. If not, then single master should be
>>fine, and you'll need to debug the client to figure out why it's not
>>following the referral to the supplier.
>>
>>BTW, I believe we have a bug - the consumer should send back a
>>referral to the supplier when it gets the password modify extended
>>operation. We need to add support for sending back referrals when
>>certain extended operations that modify data are received.
>>
>>>Aaron
>>>
>>>-----Original Message-----
>>>From: fedora-directory-users-bounces(a)redhat.com
>>>[mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of
>>>Richard Megginson
>>>Sent: Tuesday, January 24, 2006 10:35 AM
>>>To: General discussion list for the Fedora Directory server project.
>>>Subject: Re: [Fedora-directory-users] Question on password changes
>>>
>>>Bliss, Aaron wrote:
>>>
>>>>I have a quick question on password changes; my current setup is the
>>>>following: I have 2 directory servers, single master environment
>>>>(supplier and consumer); I understand that all changes to the
>>>>directory have to be made by the supplier and are then replicated to
>>>>the consumer; when a client server binds to the consumer and a user
>>>>attempts to change their password, they receive an unknown error
>>>>response from the server, and changes are not made; simply
>>>>configuring the client's ldap.conf file to bind first with the
>>>>supplier resolved this issue, however I was wondering if it's
>>>>possible to configure the consumer in such a way that he will refer
>>>>the update to take place on the supplier instead of rejecting the
>>>>change to the database?
>>>>
>>>Yes, that's what should be happening. When you send the modify
>>>password request to the consumer, it should send back a referral to
>>>the supplier.
>>>
>>>You can see this in the access log - a MOD request followed by a
>>>response with err=10 (referral). If however the client is using the
>>>password modify extended operation, I don't think that is referred to
>>>the supplier. In this case, you will see EXT as the operation type
>>>in the access log for the request.
>>>
>>>>I would have thought that the
>>>>consumer would simply refer changes automatically to the supplier,
>>>>but that doesn't seem to be the case. Any thoughts?
>>>>
>>>Check the access logs, as above.
>>>
>>>>I do know that I can
>>>>configure both servers to be masters, but I was hoping to avoid this
>>>>(I've read thru some of the directory server documentation citing
>>>>errors and so forth in a multi-master environment) Thanks.
>>>>
>>>http://directory.fedora.redhat.com/wiki/Howto:ChainOnUpdate
>>>
>>>However, I don't think we chain the password change extended
>>>operation.
>>>
>>>>Aaron
>>>>
>>>>www.preferredcare.org
>>>>"An Outstanding Member Experience," Preferred Care HMO Plans -- J. D.
>>>>Power and Associates
>>>>
>>>>Confidentiality Notice:
>>>>The information contained in this electronic message is intended for
>>>>the exclusive use of the individual or entity named above and may
>>>>contain privileged or confidential information. If the reader of
>>>>this message is not the intended recipient or the employee or agent
>>>>responsible to deliver it to the intended recipient, you are hereby
>>>>notified that dissemination, distribution or copying of this
>>>>information is prohibited. If you have received this communication
>>>>in error, please notify the sender immediately by telephone and
>>>>destroy the copies you received.
>>>>
>>>>--
>>>>Fedora-directory-users mailing list
>>>>Fedora-directory-users(a)redhat.com
>>>>https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>>
>>>
>>
>
www.preferredcare.org
"An Outstanding Member Experience," Preferred Care HMO Plans -- J. D. Power and Associates
Confidentiality Notice:
The information contained in this electronic message is intended for the exclusive use of the individual or entity named above and may contain privileged or confidential information. If the reader of this message is not the intended recipient or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that dissemination, distribution or copying of this information is prohibited. If you have received this communication in error, please notify the sender immediately by telephone and destroy the copies you received.
18 years, 3 months
RE: [Fedora-directory-users] Question on password changes
by Bliss, Aaron
I see the MOD request in the consumer, but do not see the MOD request in
the client; here are the relevant entries from
/etc/ldap.conf and
host serverA serverB
base dc=myorg,dc=org
pam_lookup_policy yes
pam_check_host_attr yes
pam_password clear
ssl start_tls
/etc/openldap/ldap.conf
BASE dc=myorg,dc=org
HOST serverA serverB
TLS_CACERT /etc/openldap/cacerts/cacert.pem
TLS_REQCERT allow
Any ideas? I've confirmed this behaviour on redhat 3 and redhat 4
boxes; further, this is the error that I get from redhat 4 boxes:
LDAP password information update failed: Can't contact LDAP server
passwd: Permission denied
Thanks again for your help.
Aaron
-----Original Message-----
From: fedora-directory-users-bounces(a)redhat.com
[mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Richard
Megginson
Sent: Tuesday, January 24, 2006 1:21 PM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Question on password changes
Bliss, Aaron wrote:
>I am not using the password extended operation to change passwords i.e.
>in /etc/ldap.conf pam_password exop is commented out; as such, what's
>the best way to being to debug this?
>
I'm not sure. If I understand you correctly, it seems that the consumer
is correctly sending the referral back to the client in response to the
MOD request to change the password. Can you examine the supplier access
log to see if the client is following the referral? You should see a
MOD request in the supplier access log shortly after the MOD to the
consumer that resulted in the err=10. If not, this means the client is
not following the referral, which is either a bug or a mis-configuration
of the client.
>Also, what is the advantage of
>using the extended operation to change passwords? Thanks again.
>
The extended operation is meant to be used when you are not using a
simple userPassword (e.g. some SASL mechs, Kerberos).
>Aaron
>
>-----Original Message-----
>From: fedora-directory-users-bounces(a)redhat.com
>[mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Richard
>Megginson
>Sent: Tuesday, January 24, 2006 11:13 AM
>To: General discussion list for the Fedora Directory server project.
>Subject: Re: [Fedora-directory-users] Question on password changes
>
>Bliss, Aaron wrote:
>
>>Thanks for getting back to me so quickly; I've seen the error messages
>>that you referenced below; I can then assume then my only alternative
>>is to setup a multimaster environment? Thanks.
>>
>Which error messages have you seen? Are you saying that the client is
>using the password modify extended operation? If so, then yes, you
>will have to use multi master. If not, then single master should be
>fine, and you'll need to debug the client to figure out why it's not
>following the referral to the supplier.
>
>BTW, I believe we have a bug - the consumer should send back a referral
>to the supplier when it gets the password modify extended operation.
>We need to add support for sending back referrals when certain extended
>operations that modify data are received.
>
>>Aaron
>>
>>-----Original Message-----
>>From: fedora-directory-users-bounces(a)redhat.com
>>[mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of
>>Richard Megginson
>>Sent: Tuesday, January 24, 2006 10:35 AM
>>To: General discussion list for the Fedora Directory server project.
>>Subject: Re: [Fedora-directory-users] Question on password changes
>>
>>Bliss, Aaron wrote:
>>
>>>I have a quick question on password changes; my current setup is the
>>>following: I have 2 directory servers, single master environment
>>>(supplier and consumer); I understand that all changes to the
>>>directory have to be made by the supplier and are then replicated to
>>>the consumer; when a client server binds to the consumer and a user
>>>attempts to change their password, they receive an unknown error
>>>response from the server, and changes are not made; simply
>>>configuring the client's ldap.conf file to bind first with the
>>>supplier resolved this issue, however I was wondering if it's
>>>possible to configure the consumer in such a way that he will refer
>>>the update to take place on the supplier instead of rejecting the
>>>change to the database?
>>>
>>Yes, that's what should be happening. When you send the modify
>>password request to the consumer, it should send back a referral to
>>the supplier.
>>You can see this in the access log - a MOD request followed by a
>>response with err=10 (referral). If however the client is using the
>>password modify extended operation, I don't think that is referred to
>>the supplier. In this case, you will see EXT as the operation type in
>>the access log for the request.
>>
>>>I would have thought that the
>>>consumer would simply refer changes automatically to the supplier,
>>>but that doesn't seem to be the case. Any thoughts?
>>>
>>Check the access logs, as above.
>>
>>>I do know that I can
>>>configure both servers to be masters, but I was hoping to avoid this
>>>(I've read thru some of the directory server documentation citing
>>>errors and so forth in a multi-master environment) Thanks.
>>>
>>http://directory.fedora.redhat.com/wiki/Howto:ChainOnUpdate
>>
>>However, I don't think we chain the password change extended
>>operation.
>>
>>>Aaron
>>>
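Richard's diagnostic in this thread (and in the quoted replies below it) is an access-log correlation: a MOD on the consumer answered with err=10 must be followed by a MOD for the same DN on the supplier, and a password-modify request that shows up as EXT is not referred at all. The following Python is an added example, not code from the thread or from Fedora Directory Server; the log lines are constructed in the 389/Fedora DS access-log style, and the DNs, connection numbers and the `referral_report` function are assumptions of mine.

```python
import re

PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"  # Password Modify ext. op (RFC 3062)
LDAP_REFERRAL = "10"  # err=10 in a RESULT line is a referral, as the thread explains

# One pattern for the three line kinds the thread discusses: MOD, EXT and RESULT.
_OP = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<type>MOD|EXT|RESULT)'
                 r'(?: dn="(?P<dn>[^"]*)")?(?: oid="(?P<oid>[^"]*)")?'
                 r'(?:.* err=(?P<err>\d+))?')

def parse(lines):
    """Yield one dict per recognised access-log line; other lines are skipped."""
    for line in lines:
        m = _OP.search(line)
        if m:
            yield m.groupdict()

def referral_report(consumer_lines, supplier_lines):
    """Classify each password change seen on the consumer as 'followed',
    'not_followed' (client ignored the err=10 referral) or 'ext_not_referred'."""
    pending = {}  # (conn, op) -> dn of a MOD still waiting for its RESULT line
    status = {}
    for rec in parse(consumer_lines):
        key = (rec["conn"], rec["op"])
        if rec["type"] == "MOD":
            pending[key] = rec["dn"]
        elif rec["type"] == "EXT" and rec["oid"] == PASSWD_MODIFY_OID:
            # Per the thread, the consumer does not refer this request at all.
            status[f"conn={rec['conn']} op={rec['op']} EXT"] = "ext_not_referred"
        elif rec["type"] == "RESULT" and key in pending:
            if rec["err"] == LDAP_REFERRAL:
                status[pending[key]] = "not_followed"  # upgraded below if supplier saw it
            del pending[key]
    # The client followed the referral iff the supplier logged a MOD on the same DN.
    for rec in parse(supplier_lines):
        if rec["type"] == "MOD" and status.get(rec["dn"]) == "not_followed":
            status[rec["dn"]] = "followed"
    return status

# Constructed sample lines in 389/Fedora DS access-log style (not taken from the thread).
CONSUMER_LOG = [
    '[24/Jan/2006:13:21:05 -0500] conn=12 op=3 MOD dn="uid=alice,ou=People,dc=myorg,dc=org"',
    '[24/Jan/2006:13:21:05 -0500] conn=12 op=3 RESULT err=10 tag=103 nentries=0 etime=0',
    '[24/Jan/2006:13:22:40 -0500] conn=15 op=2 MOD dn="uid=bob,ou=People,dc=myorg,dc=org"',
    '[24/Jan/2006:13:22:40 -0500] conn=15 op=2 RESULT err=10 tag=103 nentries=0 etime=0',
    '[24/Jan/2006:13:25:01 -0500] conn=18 op=1 EXT oid="1.3.6.1.4.1.4203.1.11.1"',
]
SUPPLIER_LOG = [  # alice's client followed the referral to the supplier; bob's did not
    '[24/Jan/2006:13:21:06 -0500] conn=40 op=2 MOD dn="uid=alice,ou=People,dc=myorg,dc=org"',
]
```

Run `referral_report(CONSUMER_LOG, SUPPLIER_LOG)` against the two logs; a `not_followed` entry is the client-side bug or misconfiguration Richard describes, and an `ext_not_referred` entry means the client is using the extended operation the consumer cannot refer.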
RE: [Fedora-directory-users] Question on password changes
by Bliss, Aaron
I am not using the password extended operation to change passwords i.e.
in /etc/ldap.conf pam_password exop is commented out; as such, what's
the best way to being to debug this? Also, what is the advantage of
using the extended operation to change passwords? Thanks again.
Aaron
-----Original Message-----
From: fedora-directory-users-bounces(a)redhat.com
[mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Richard
Megginson
Sent: Tuesday, January 24, 2006 11:13 AM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Question on password changes
Bliss, Aaron wrote:
>Thanks for getting back to me so quickly; I've seen the error messages
>that you referenced below; I can then assume then my only alternative
>is to setup a multimaster environment? Thanks.
>
Which error messages have you seen? Are you saying that the client is
using the password modify extended operation? If so, then yes, you will
have to use multi master. If not, then single master should be fine,
and you'll need to debug the client to figure out why it's not following
the referral to the supplier.
BTW, I believe we have a bug - the consumer should send back a referral
to the supplier when it gets the password modify extended operation. We
need to add support for sending back referrals when certain extended
operations that modify data are received.
>Aaron
>
>-----Original Message-----
>From: fedora-directory-users-bounces(a)redhat.com
>[mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Richard
>Megginson
>Sent: Tuesday, January 24, 2006 10:35 AM
>To: General discussion list for the Fedora Directory server project.
>Subject: Re: [Fedora-directory-users] Question on password changes
>
>Bliss, Aaron wrote:
>
>>I have a quick question on password changes; my current setup is the
>>following: I have 2 directory servers, single master environment
>>(supplier and consumer); I understand that all changes to the
>>directory have to be made by the supplier and are then replicated to
>>the consumer; when a client server binds to the consumer and a user
>>attempts to change their password, they receive an unknown error
>>response from the server, and changes are not made; simply configuring
>>the client's ldap.conf file to bind first with the supplier resolved
>>this issue, however I was wondering if it's possible to configure the
>>consumer in such a way that he will refer the update to take place on
>>the supplier instead of rejecting the change to the database?
>>
>Yes, that's what should be happening. When you send the modify
>password request to the consumer, it should send back a referral to the
>supplier.
>You can see this in the access log - a MOD request followed by a
>response with err=10 (referral). If however the client is using the
>password modify extended operation, I don't think that is referred to
>the supplier. In this case, you will see EXT as the operation type in
>the access log for the request.
>
>>I would have thought that the
>>consumer would simply refer changes automatically to the supplier, but
>>that doesn't seem to be the case. Any thoughts?
>>
>Check the access logs, as above.
>
>>I do know that I can
>>configure both servers to be masters, but I was hoping to avoid this
>>(I've read thru some of the directory server documentation citing
>>errors and so forth in a multi-master environment) Thanks.
>>
>http://directory.fedora.redhat.com/wiki/Howto:ChainOnUpdate
>
>However, I don't think we chain the password change extended operation.
>
>>Aaron
>>