[Fedora-directory-users] SSH login and pwd expiration message
by Jo De Troy
Hello,
I've configured a RHEL3 machine as an LDAP client of my FedoraDS 1.0.2 on RHEL4.
When I login via ssh with an LDAP account on the ldapclient I immediately get
You are required to change your password immediately (password aged)
Your password has expired, the session cannot proceed.
You must change your password now and login again!
After that I change the password and log in again, and I get the same error again.
Any idea what's causing this? Is it an ACL that's preventing some
attributes from being updated? Which attributes? If, just for testing, I
delete these attributes, I should get rid of this message, shouldn't I?
Thanks in advance,
Jo
17 years, 4 months
[Fedora-directory-users] RE: Fedora-directory-users Digest, Vol 19, Issue 3
by t b
>Message: 1
>Date: Fri, 01 Dec 2006 12:55:24 -0700
>From: Richard Megginson <rmeggins(a)redhat.com>
>Subject: Re: [Fedora-directory-users] RE: Fedora-directory-users
> Digest, Vol 19, Issue 1
>To: "General discussion list for the Fedora Directory server project."
> <fedora-directory-users(a)redhat.com>
>Message-ID: <457088AC.1030004(a)redhat.com>
>Content-Type: text/plain; charset="iso-8859-1"
>
>t b wrote:
> > My logs seem to indicate that the connection is being encrypted; I can
> > ssh to a client server and get the password prompt, but when I enter
> > the password it just returns me to the password prompt again
> >
> > [01/Dec/2006:19:47:44 -0500] conn=650 fd=69 slot=69 connection from
> > xxx.xxx.xxx.xxx to xxx.xxx.xxx.xxx
> > [01/Dec/2006:19:47:44 -0500] conn=650 op=0 EXT
> > oid="1.3.6.1.4.1.1466.20037" name="startTLS"
> > [01/Dec/2006:19:47:44 -0500] conn=650 op=0 RESULT err=0 tag=120
> > nentries=0 etime=0
> > [01/Dec/2006:19:47:44 -0500] conn=650 SSL 256-bit AES
>All of this means the client was able to successfully perform the
>startTLS extended operation and start using SSL.
> > [01/Dec/2006:19:47:44 -0500] conn=650 op=1 UNBIND
> > [01/Dec/2006:19:47:44 -0500] conn=650 op=1 fd=69 closed - U1
>The UNBIND means the client had a problem and closed the connection.
>Does the client print any errors? Are there any messages in the server
>error log?
On the client server it shows:
sshd[24149]: Failed password for invalid user xxxxx from xxx.xxx.xxx.xxx
port xxx ssh2
> >
> > If I disable TLS everything works fine, the client server can query
> > the FDS and auth the client properly
> >
> > I am not sure if the problem has to do with the pam_ldap not properly
> > formatted or the cert file not in proper format
> >
> > Does anyone have an example of what the pam_ldap config should look
> > like? or suggestions on checking whether the cert file is in proper
> > format
>I'm not sure. PAM needs the ca cert of the CA that issued the directory
>server server cert. See
>http://directory.fedora.redhat.com/wiki/Howto:SSL for more information.
> >
That was the info I used to do the SSL setup, but I only see a part of the
log output they indicated,
Their logs,
[18/Jul/2005:20:33:36 -0400] conn=4 op=0 EXT oid="1.3.6.1.4.1.1466.20037"
name="startTLS"
[18/Jul/2005:20:33:36 -0400] conn=4 op=0 RESULT err=0 tag=120 nentries=0
etime=0
[18/Jul/2005:20:33:36 -0400] conn=4 SSL 256-bit AES
[18/Jul/2005:20:33:36 -0400] conn=4 op=1 BIND dn="" method=128 version=3
[18/Jul/2005:20:33:36 -0400] conn=4 op=1 RESULT err=0 tag=97 nentries=0
etime=0 dn=""
[18/Jul/2005:20:33:36 -0400] conn=4 op=2 SRCH base="dc=example,dc=com"
scope=2 filter="(uid=testuser)" attrs=ALL
My Logs,
[04/Dec/2006:14:35:52 -0500] conn=757 op=0 EXT oid="1.3.6.1.4.1.1466.20037"
name="startTLS"
[04/Dec/2006:14:35:52 -0500] conn=757 op=0 RESULT err=0 tag=120 nentries=0
etime=0
[04/Dec/2006:14:35:52 -0500] conn=757 SSL 256-bit AES
[04/Dec/2006:14:35:52 -0500] conn=757 op=1 UNBIND
[04/Dec/2006:14:35:52 -0500] conn=757 op=1 fd=71 closed - U1
For some reason my setup dies just before querying the FDS to determine user
details.
Do you know of any tests that I can run just on the client server to
determine proper configuration?
> > Also what's the UNBIND shown in the logs?
> >
> > Thanks
> >
> >> Message: 1
> >> Date: Thu, 30 Nov 2006 12:31:50 -0500
> >> From: "t b" <mxheadroom(a)hotmail.com>
> >> Subject: [Fedora-directory-users] pam_ldap with SSL/TLS
> >> To: fedora-directory-users(a)redhat.com
> >> Message-ID: <BAY116-F322745E96D702ED748B1D0CDDB0(a)phx.gbl>
> >> Content-Type: text/plain; format=flowed
> >>
> >> I am trying to setup pam_ldap to use TLS to communicate with the FDS,
> >> but having lots of problems doing so; it works if I use the unencrypted
> >> way but not if I use ldaps ( port 636 )
> >>
> >> I used the instructions at,
> >> http://directory.fedora.redhat.com/wiki/Howto:PAM
> >>
> >> Has anyone gotten PAM to work TLS
> >>
> >>
> >> Thanks
> >>
> >> ------------------------------
> >>
> >> Message: 2
> >> Date: Thu, 30 Nov 2006 13:00:56 -0500
> >> From: "Morris, Patrick" <patrick.morris(a)hp.com>
> >> Subject: RE: [Fedora-directory-users] pam_ldap with SSL/TLS
> >> To: "General discussion list for the Fedora Directory server project."
> >> <fedora-directory-users(a)redhat.com>
> >> Message-ID: <CD18C81835E18A40A64C4A0D16A237BE05FE850D(a)ATAEXC01.americas.cpqcorp.net>
> >> Content-Type: text/plain; charset="US-ASCII"
> >> > I am trying to setup pam_ldap to use TLS to communicate with
> >> > the FDS, but having lots of problems doing so; it works if I
> >> > use the unencrypted way but not if I use ldaps ( port 636 )
> >>
> >> Someone should jump in here and correct me if I'm wrong, but I believe
> >> it's normal for TLS connections to happen on the standard LDAP port.
> >> You should be able to tell from your logs whether the connection is
> >> encrypted or not.
> >>
> >>
> >>
> >> ------------------------------
> >>
> >> Message: 3
> >> Date: Thu, 30 Nov 2006 11:08:08 -0700
> >> From: Richard Megginson <rmeggins(a)redhat.com>
> >> Subject: Re: [Fedora-directory-users] pam_ldap with SSL/TLS
> >> To: "General discussion list for the Fedora Directory server project."
> >> <fedora-directory-users(a)redhat.com>
> >> Message-ID: <456F1E08.40601(a)redhat.com>
> >> Content-Type: text/plain; charset="iso-8859-1"
> >>
> >> Morris, Patrick wrote:
> >> >> I am trying to setup pam_ldap to use TLS to communicate with
> >> >> the FDS, but having lots of problems doing so; it works if I
> >> >> use the unencrypted way but not if I use ldaps ( port 636 )
> >> >>
> >> >
> >> > Someone should jump in here and correct me if I'm wrong, but I believe
> >> > it's normal for TLS connections to happen on the standard LDAP port.
> >> > You should be able to tell from your logs whether the connection is
> >> > encrypted or not.
> >> >
> >> Yes. The LDAP "preferred" way is to use the startTLS extended operation
> >> which starts a TLS session on the non-secure port. This will be logged
> >> in the access log.
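As an added example (not from the thread or from the directory server project), here is a small Python checker that applies Richard's reading of the access log: it groups lines by conn= and reports whether each connection went on from startTLS to a BIND or SRCH, or unbound straight after the handshake as conn=757 did. The embedded log is a constructed sample made of the two excerpts quoted above.

```python
import re
from collections import defaultdict

# Constructed sample: the howto's expected sequence (conn=4) and this thread's failing one (conn=757).
SAMPLE_LOG = """\
[18/Jul/2005:20:33:36 -0400] conn=4 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[18/Jul/2005:20:33:36 -0400] conn=4 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[18/Jul/2005:20:33:36 -0400] conn=4 SSL 256-bit AES
[18/Jul/2005:20:33:36 -0400] conn=4 op=1 BIND dn="" method=128 version=3
[18/Jul/2005:20:33:36 -0400] conn=4 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[18/Jul/2005:20:33:36 -0400] conn=4 op=2 SRCH base="dc=example,dc=com" scope=2 filter="(uid=testuser)" attrs=ALL
[04/Dec/2006:14:35:52 -0500] conn=757 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[04/Dec/2006:14:35:52 -0500] conn=757 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[04/Dec/2006:14:35:52 -0500] conn=757 SSL 256-bit AES
[04/Dec/2006:14:35:52 -0500] conn=757 op=1 UNBIND
[04/Dec/2006:14:35:52 -0500] conn=757 op=1 fd=71 closed - U1
"""
# timestamp, conn number, optional op number, operation keyword, remainder
LINE_RE = re.compile(r'^\[[^\]]+\] conn=(\d+) (?:op=(\d+) )?(\S+)(.*)$')

def classify_connections(log_text):
    # Group lines by conn=, then walk each connection's operations in order.
    per_conn = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            per_conn[int(m.group(1))].append(m.groups()[1:])
    verdicts = {}
    for conn, ops in per_conn.items():
        tls_op, tls_ok, cipher = None, False, False
        kinds = set()
        for op, kind, rest in ops:
            if kind == 'SSL':                      # "SSL 256-bit AES": handshake done
                cipher = True
            elif kind == 'EXT' and 'name="startTLS"' in rest:
                tls_op = op                        # remember which op was startTLS
            elif kind == 'RESULT' and op == tls_op and ' err=0 ' in rest + ' ':
                tls_ok = True                      # server accepted startTLS
            else:
                kinds.add(kind)                    # BIND, SRCH, UNBIND, fd=..., ...
        if tls_op is None:
            verdicts[conn] = 'plaintext: no startTLS requested'
        elif not (tls_ok and cipher):
            verdicts[conn] = 'failed: startTLS rejected or no cipher negotiated'
        elif kinds & {'BIND', 'SRCH'}:
            verdicts[conn] = 'ok: TLS up and client went on to BIND/SRCH'
        elif 'UNBIND' in kinds:
            verdicts[conn] = 'suspect: TLS up but client unbound at once (client-side, e.g. CA cert not trusted)'
        else:
            verdicts[conn] = 'incomplete: nothing after the handshake'
    return verdicts
```

Run it over a real access log with `classify_connections(open(path).read())`; a run of "suspect" verdicts from one client host is the pattern of a client that cannot validate the server certificate.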
17 years, 4 months
RE: [Fedora-directory-users] insufficient access error (50)
by Jo De Troy
Hi Rich,
certainly no replication was set up.
The last thing I could do was disable a user, soon afterwards the
helpdesk tried resetting a password via a perl script and we got this
error.
What would be the best and/or quickest way to get back to an
operational directory service?
A restore from a directory backup?
Could I enable more logging to find out what is causing this behavior?
Thanks again,
Jo
17 years, 4 months
[Fedora-directory-users] access permissions
by patrick ndjientcheu ngandjui
hi,
I want to grant a permission to a user so that he can create, in the entry he belongs to (say ou=SalesDept,ou=Employee,ou=example,ou=com), entries which are an instance of a particular object class, say ExamplePerson. But he must not have the right to modify or delete entries he has created.
How can I resolve this problem?
Thanks.
17 years, 4 months
RE: [Fedora-directory-users] insufficient access error (50)
by Jo De Troy
Hi,
I'm using the directory manager; he should have enough permissions.
It has always worked; just now it stopped working.
I even tried adding an ou attribute and I get the message:
LDAP server is unwilling to perform; database is read-only.
Any ideas?
Thanks again,
Jo
17 years, 4 months
Re:[Fedora-directory-users] insufficient access (50) error
by Renato Ribeiro da Silva
Hi,
Is the user that binds to the Directory the same one that is trying to change the password? By default FDS gives the user the right to change his own password, but maybe the script is binding as another user.
> Hello,
>
> suddenly when I try to change a password for a user via a perl script
> I get the error above. Any ideas what could be causing this?
> I'm running Fedora DS 1.0.2 on RHEL4.
>
> Thanks in advance,
> Jo
>
17 years, 4 months
RE: [Fedora-directory-users] insufficient access error (50)
by Jo De Troy
Hi,
I've enabled heavy error logging by putting nsslapd-errorlog-level to
128 under cn=config
When I try to change a password of an existing user (even from within
the console) I get
NSACLPlugin - conn=128 op=2 (main): Deny write on
entry(uid=jdoe,ou=people,dc=example,dc=com): readonly backend
Where should I be looking? The entry nsslapd-readonly is false.
I have tried restarting the directory server, without result.
Thanks in advance,
Jo
17 years, 4 months
[Fedora-directory-users] ACI Design
by Radek Hladik
I'm designing a new directory for keeping records about our company
computers, accounts, etc... I would like to have a number of different
access levels like support, management, network technician,... Every
entry would have multivalued attribute named for example accessclass to
determine its access and there would be role for every access level.
What is the best way to implement ACIs like "allow access to every entry
with attribute accessclass=support for every member of role support"?
I've found out that there are 3 options:
1) Create separate ACI for each access class
2) Create Macro ACI using something like
roledn = "ldap:///($attr.accessclass),ou=roles,dc=....."
But it seems that this macro expands to accessclass=support,ou=roles,..
and thus my roles would need to be named using accessclass attribute
instead of common name...
3) Create ACI using userattr like this:
userattr = "accessclass#ROLEDN"
but this would require having the complete role RDN in the user's accessclass
attribute.
Which way would you suggest?
Radek
17 years, 4 months