RE: [Fedora-directory-users] Some password policy enforcement information questions
by Bliss, Aaron
Well, out of fear of not getting this to work (and due to the fact that fds
is now completely in production in my environment), I had to find a way
that will always work; so I put together a script that will query the
directory server to see if passwordExpWarned=1, which means that there
is a global password policy and that the system would have sent the user
a password warning; as such, if this attribute=1, warn the user that
their password is going to expire; in my environment, this means their
password is going to expire in less than 2 weeks; so I'll tell them
that, and also tell them exactly when their password will expire; I
didn't see any easy way to deal with new years and whatnot, so I didn't
try to get fancy and subtract today's date from the passwordexpiration date
(although I included the date and formatted it in preparation for this),
although I'm sure you guys are much better than I am at programming and
whatnot and can improve upon this. At any rate, it's better than
nothing for my users.
Aaron
#!/bin/bash
# Use this script in order to figure out when the user's
# password is going to expire and give them a heads up about it.
myvar1=$(date +%Y)
myvar2=$(date +%m)
myvar3=$(date +%d)
myvar4=$myvar1$myvar2$myvar3
# Figure out who the user is.
mynam=$(whoami)
# Figure out exactly when their password is going to expire.
# passwordExpirationTime is a GeneralizedTime (YYYYMMDDHHMMSSZ); keep the date part.
# Each ldapsearch pipeline is a single line; grep -i with a '^' anchor matches the
# attribute whatever case the server prints it in and skips the "# requesting:" comment.
pswar=$(ldapsearch -x "(uid=$mynam)" passwordExpirationTime | grep -i '^passwordExpirationTime:' | awk '{print $2}' | cut -c 1-8)
pswarn1=$(ldapsearch -x "(uid=$mynam)" passwordExpWarned | grep -i '^passwordExpWarned:' | awk '{print $2}')
# Compare the value explicitly and quoted: a bare $pswarn1=1 inside [ ] is one
# non-empty string and always tests true, so everyone would be warned.
if [ "$pswarn1" = "1" ] ; then
    # echo "you're in trouble"
    echo "Your password is going to expire in less than 2 weeks"
    echo "It's set to expire on $pswar"
fi
# It might be desirable later on to subtract today's formatted date myvar4 from
# pswar, however I'm not too confident in dealing with year changes.
#echo $pswarn1
#echo $pswar
#echo $myvar4
-----Original Message-----
From: fedora-directory-users-bounces(a)redhat.com
[mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Bliss,
Aaron
Sent: Sunday, February 19, 2006 5:46 PM
To: General discussion list for the Fedora Directory server project.
Subject: RE: [Fedora-directory-users] Some password policy enforcement
information questions
Some more trouble with password expiration warnings; I have password
warnings being displayed to users when they use passwords, however users
configured to use key authentication do not receive these warnings; has
anyone seen this before? This is of course going to be a very big
problem for me. Any ideas? Thanks again.
Aaron
-----Original Message-----
From: Bliss, Aaron
Sent: Wednesday, January 25, 2006 7:48 PM
To: General discussion list for the Fedora Directory server project.
Subject: RE: [Fedora-directory-users] Some password policy enforcement
information questions
Turns out the issue I was having was with my clients; I'm not sure why,
but the administrator before me had "UseLogin Yes" set in
/etc/ssh/sshd_config; commenting this out immediately started generating
password warnings to users (as configured by the directory server); does
anyone know what the UseLogin option is used for? Thanks.
Aaron
-----Original Message-----
From: Bliss, Aaron
Sent: Thursday, January 19, 2006 3:15 PM
To: 'General discussion list for the Fedora Directory server project.'
Subject: RE: [Fedora-directory-users] Some password policy enforcement
information questions
Thanks very much for the explanation; makes much sense to me now; I did
some playing around, and got the directory server to spit out to me that
your password is going to expire in x amount of days. Thanks again.
Aaron
-----Original Message-----
From: fedora-directory-users-bounces(a)redhat.com
[mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Richard
Megginson
Sent: Thursday, January 19, 2006 2:35 PM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Some password policy enforcement
information questions
It looks like the way it works is this:
When you have enabled password warning, an operational attribute called
"passwordExpWarned" is created in the user's entry. The value will be 0
until the user does a successful BIND operation and the time between now
and the configured password expiration time is less than or equal to the
configured password warning time. When this happens, the warning will
be sent, the value of passwordExpWarned will be changed to 1, and the
operational attribute passwordExpirationTime in the user's entry will be
set to the time at which the password will expire. When the user
changes the password, passwordExpWarned will be reset to 0 and
passwordExpirationTime will be set to the new expiration time.
Bliss, Aaron wrote:
>If I've configured a correct password policy and the warning attribute
>is not getting updated, should this be considered a bug?
>
>Aaron
>
>-----Original Message-----
>From: fedora-directory-users-bounces(a)redhat.com
>[mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Richard
>Megginson
>Sent: Thursday, January 19, 2006 1:48 PM
>To: General discussion list for the Fedora Directory server project.
>Subject: Re: [Fedora-directory-users] Some password policy enforcement
>information questions
>
>Bliss, Aaron wrote:
>
>>Please forgive me if I'm asking silly newbie questions, however I'm
>>trying to understand exactly what I'm seeing thru fds; first the
>>policy I've configured on the directory using the fds console:
>>I've enabled fine-grain password policy for the data unit, including
>>password history enforcement, password expiration after 90 days,
>>password warning 14 days before password expires, check password
>>syntax, account lockout policy enabled after 3 login failures for 120
>>minutes and reset failure count after 15 minutes.
>>
>>Everything seems to be working except for send password warning; in
>>the client's ldap.conf file, I've enabled pam_lookup_policy yes.
>>
>>Looking at account information attributes for a user, the passwordExpWarned
>>value is 0; I've reset the user's password to try to initialize the
>>password policy, however this value never seems to change. According to
>>this documentation
>>http://www.redhat.com/docs/manuals/dir-server/ag/7.1/password.html#1077081
>>I believe that this attribute is stored in seconds. Is this true?
>>
>Yes.
>
>>If so, what can I do to ensure this attribute is getting updated
>>(assuming that this is the attribute responsible for triggering
>>password expiration warning).
>>
>I'm not really sure.
>
>>Second issue/question:
>>I've looked at this wiki
>>http://directory.fedora.redhat.com/wiki/Howto:PAM and near the very
>>bottom it mentions adding the following
>>
>>dn: cn=config
>>changetype: modify
>>add: passwordExp
>>passwordExp: on
>>-
>>add: passwordMaxAge
>>passwordMaxAge: 8640000 (this I believe would give a password max age
>>of 100 days)
>>
>>Do I need to add these attributes even though I've configured the
>>password policy using the fds console, or has that done this for me? If
>>this is the case, I don't see these attributes in the gui; however, I do
>>see passwordexpirationtime as an attribute and it is set to 90 days from
>>now (I want to ensure that accounts are indeed locked after passwords
>>have expired).
>>
>Those attributes are only for global (default) password policy - what
>you have set for fine grained password policy will override those.
>
>>Also, Jim Summers posted to this group that he saw an issue with
>>shadowpasswd / shadowexpire fields not being updated
>>https://www.redhat.com/archives/fedora-directory-users/2005-December/msg00367.html
>>
>>Can anyone tell me what these fields are used for, as I don't see any
>>mention of them in this documentation
>>http://www.redhat.com/docs/manuals/dir-server/ag/7.1/password.html#1077081
>>
>Right. They are a PAM/posix thing - FDS treats them as any other data
>- it doesn't update them from its own password policy.
>
>>Thanks again very much.
>>
>>Aaron
>>
>>www.preferredcare.org
>>"An Outstanding Member Experience," Preferred Care HMO Plans -- J. D.
>>Power and Associates
>>
>>Confidentiality Notice:
>>The information contained in this electronic message is intended for
>>the exclusive use of the individual or entity named above and may
>>contain privileged or confidential information. If the reader of this
>>message is not the intended recipient or the employee or agent
>>responsible to deliver it to the intended recipient, you are hereby
>>notified that dissemination, distribution or copying of this
>>information is prohibited. If you have received this communication in
>>error, please notify the sender immediately by telephone and destroy
>>the copies you received.
>>
>>--
>>Fedora-directory-users mailing list
>>Fedora-directory-users(a)redhat.com
>>https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>
>
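The thread above comes down to two facts: passwordExpWarned only flips to 1 when the user performs a successful BIND inside the warning window (so SSH public-key users, who never bind, never trigger it), and Aaron's shell script stops short of the remaining-days arithmetic because of year boundaries. The following is an added example, not Aaron's script, not part of any list post and not FDS code. It computes the warning client-side from passwordExpirationTime so that it does not depend on a BIND having happened, and does the date arithmetic with datetime so month and year boundaries are handled. The LDIF is a constructed sample; the uid, base DN and domain in it are placeholders; the RFC 4515 filter escaping and fetch_attrs() are this example's additions and assume an OpenLDAP ldapsearch on PATH and anonymous read access to those two attributes, as the thread's own script assumes.

```python
"""Client-side password-expiry warning for users who never BIND (e.g. SSH key logins).

Added example: reads passwordExpirationTime and passwordExpWarned from
`ldapsearch -x` LDIF output and computes the days remaining with datetime.
SAMPLE_LDIF is constructed for offline use; fetch_attrs() is the only part
that talks to a real directory.
"""
import getpass
import subprocess
from datetime import datetime, timedelta, timezone

WARN_DAYS = 14  # the 14-day warning window configured in the thread's policy

# Constructed sample of what `ldapsearch -x "(uid=abliss)" passwordExpirationTime
# passwordExpWarned` prints; '#' lines are ldapsearch comments, not data.
SAMPLE_LDIF = """\
# extended LDIF
# filter: (uid=abliss)
# requesting: passwordExpirationTime passwordExpWarned

# abliss, People, example.com
dn: uid=abliss,ou=People,dc=example,dc=com
passwordExpirationTime: 20060305174523Z
passwordExpWarned: 1

# search result
search: 2
result: 0 Success
"""


def ldap_filter_escape(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515), so a
    username containing '*' or parentheses cannot widen the search."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def parse_ldif_attrs(text):
    """Collect attribute values from single-entry LDIF into {lowercase name: [values]}.
    Attribute type names are case-insensitive in LDAP, so the key is lowered;
    this removes the case fragility of grepping the raw output."""
    attrs = {}
    for line in text.splitlines():
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def parse_generalized_time(value):
    """Parse LDAP GeneralizedTime in the YYYYMMDDHHMMSSZ form the server stores."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def days_until_expiry(attrs, now):
    """Whole days from `now` until passwordExpirationTime (negative once expired),
    or None when the entry carries no expiration time."""
    values = attrs.get("passwordexpirationtime")
    if not values:
        return None
    return (parse_generalized_time(values[0]) - now).days


def server_already_warned(attrs):
    """True once the server has set passwordExpWarned to 1. It does that only on a
    successful BIND inside the warning window, which is why key-authenticated SSH
    users never see the server's own warning."""
    return attrs.get("passwordexpwarned", ["0"])[0] == "1"


def expiry_message(attrs, now, warn_days=WARN_DAYS):
    """Text to show the user at login, or None when no warning is due."""
    days = days_until_expiry(attrs, now)
    if days is None:
        return None
    expires = parse_generalized_time(attrs["passwordexpirationtime"][0])
    stamp = expires.strftime("%Y-%m-%d %H:%M")
    if expires <= now:
        return "Your password expired on %s UTC; it must be changed." % stamp
    if expires - now <= timedelta(days=warn_days):
        return "Your password expires in %d day(s), on %s UTC." % (days, stamp)
    return None


def fetch_attrs(uid):
    """Run the same anonymous search the shell script used, as an argv list (no
    shell involved), and parse the result. Assumes OpenLDAP ldapsearch on PATH
    and a default search base in ldap.conf, as the thread's script does."""
    cmd = ["ldapsearch", "-x", "-LLL", "(uid=%s)" % ldap_filter_escape(uid),
           "passwordExpirationTime", "passwordExpWarned"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return parse_ldif_attrs(out)


if __name__ == "__main__":
    msg = expiry_message(fetch_attrs(getpass.getuser()), datetime.now(timezone.utc))
    if msg:
        print(msg)
```

Run it as the login user, from a profile script, the way Aaron's script was meant to run. The message is derived from passwordExpirationTime alone, so it is the same whether the user logged in with a password or a key; server_already_warned() is kept only to show whether the directory itself would have warned, which is useful when comparing against what password-authenticated users see.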
[Fedora-directory-users] Updated HOWTO for Daemontools: Running Administration Server
by Mike Jackson
Hi,
I updated the HOWTO on the wiki so that the Apache based
Administration Server which comes with 1.x can also be started and
supervised with svscan (Daemontools).
Running the services under Daemontools provides a rock-solid solution
for guaranteeing service availability, as well as gaining fine grained
control over logging.
The HOWTO takes into account the fact that Administration Server has a
startup and runtime dependency on Directory Server. The startup
dependency checking is implemented with a tool called svwaitup, part of
the runit package.
http://directory.fedora.redhat.com/wiki/Howto:Daemontools
Please test and report to this list if there are any problems.
BR,
Mike
[Fedora-directory-users] install problem: can't start admin server
by Dan Lipsitt
I've put aside my attempts to install on em64t for the moment and
tried installing on a 32-bit machine running Fedora Core 4.
I get this error during the rpm install:
----- snip ----
[slapd-www]: [16/Feb/2006:16:39:24 -0500] - Fedora-Directory/1.0.1
B2005.342.165 starting up
[slapd-www]: [16/Feb/2006:16:39:24 -0500] - slapd started. Listening
on All Interfaces port 389 for LDAP requests
Your new directory server has been started.
Created new Directory Server
Start Slapd Starting Slapd server configuration.
Success Slapd Added Directory Server information to Configuration Server.
Configuring Administration Server...
Setting up Administration Server Instance...
Configuring Administration Tasks in Directory Server...
Configuring Global Parameters in Directory Server...
Can't start Admin server [/opt/fedora-ds/start-admin > /tmp/filewvJ2og
2>&1] (error: No such file or directory)You can now use the console.
Here is the command to use to start the console:
---- snip ----
Also, if I cd to /opt/fedora-ds and run start-admin, I get no messages
on the console, but if I then run restart-admin it then says "server
not running".
Dan
[Fedora-directory-users] More x86_64 install woes
by Dan Lipsitt
I tried installing the 32-bit rpms on my 64-bit Xeon system as Richard
Megginson suggested was possible in this thread:
https://www.redhat.com/archives/fedora-directory-users/2006-February/msg0...
I encountered the following problems:
Setup failed (but completed), giving the following messages:
----------------------------
[slapd-gause]: starting up server ...
[slapd-gause]: Fedora-Directory/1.0.1 B2005.342.165
[slapd-gause]: gause.esm.harvard.edu:389 (/opt/fedora-ds/slapd-gause)
[slapd-gause]:
[slapd-gause]: [03/Feb/2006:14:39:40 -0500] - Fedora-Directory/1.0.1
B2005.342.165 starting up
[slapd-gause]: [03/Feb/2006:14:39:42 -0500] - slapd started.
Listening on All Interfaces port 389 for LDAP requests
Your new directory server has been started.
Created new Directory Server
Start Slapd Starting Slapd server configuration.
Fatal Slapd ERROR: Ldap authentication failed for url
ldap://gause.esm.harvard.edu:389/o=NetscapeRoot user id admin
(151:Unknown error.)
Fatal Slapd Did not add Directory Server information to Configuration Server.
Configuring Administration Server...
Setting up Administration Server Instance...
ERROR: Administration Server configuration failed. See install.log.
----------------------------
I tried to start the console anyway, but my java VM crashed:
----------------------------
$ ./startconsole -u admin -a http://gause.esm.harvard.edu:1389/
#
[thread 1077664096 also had an error]
# An unexpected error has been detected by HotSpot Virtual Machine:
#
# SIGILL (0x4) at pc=0x0000002a958b3665, pid=15189, tid=1076611424
#
# Java VM: Java HotSpot(TM) 64-Bit Server VM (1.5.0-b64 mixed mode)
# Problematic frame:
# V [libjvm.so+0x336665]
#
# An error report file with more information is saved as hs_err_pid15189.log
#
# If you would like to submit a bug report, please visit:
# http://java.sun.com/webapps/bugreport/crash.jsp
#
./startconsole: line 72: 15189 Aborted
$JAVA_HOME/bin/java -ms8m -mx64m -cp
.:./base.jar:./mcc10_en.jar:./jss3.jar:./ldapjdk.jar:./mcc10.jar:./nmclf10_en.jar:./nmclf10.jar
-Djava.library.path=../lib -Djava.util.prefs.systemRoot=.
-Djava.util.prefs.userRoot=.
com.netscape.management.client.console.Console $*
----------------------------
Any suggestions?
Thanks,
Dan
[Fedora-directory-users] Build error
by Felipe Alfaro Solana
Hi!
I have downloaded dsbuild-fds101-1.tar.gz, but I'm unable to build
Netscape SDK. It always fails with the same error, which seems to be
the build process is unable to find file "nspr.h".
I have attached a dump of the build process.
Any ideas?
Thanks!
RE: [Fedora-directory-users] problem with startconsole
by Chris Conner
Sorry actually -x nologo is the option. I guess I should have checked
first....
Hth
C
Chris Conner, M.A.
Manager of Systems Support
MCP, MCP+I, MCDBA, MCSE
Salem Health Solutions
cconner(a)salem-health.com
336-747-7572
866-747-7560 x7572
/(bb|[^b]{2})/ that is the Question
-----Original Message-----
From: fedora-directory-users-bounces(a)redhat.com
[mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Chris
Conner
Sent: Wednesday, February 01, 2006 10:52 AM
To: General discussion list for the Fedora Directory server project.
Subject: RE: [Fedora-directory-users] problem with startconsole
Have you tried the -nologo option?
Chris
Chris Conner, M.A.
Manager of Systems Support
MCP, MCP+I, MCDBA, MCSE
Salem Health Solutions
cconner(a)salem-health.com
336-747-7572
866-747-7560 x7572
/(bb|[^b]{2})/ that is the Question
-----Original Message-----
From: fedora-directory-users-bounces(a)redhat.com
[mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of basile
au siris
Sent: Wednesday, February 01, 2006 10:49 AM
To: fedora-directory-users(a)redhat.com
Subject: [Fedora-directory-users] problem with startconsole
Hi,
I installed fds-7.0 on Solaris 9.
All works fine, but I have a strange problem with the console: I can start
the console on the server and I can start the console from a Windows box, but I
can't start it from a Linux box (but I can start the console from this Linux
box to another fds installation on Solaris). I ssh -X, run startconsole -D,
and I get the prompt "fedora management console" but never the login
window. If someone has an idea (port 6000 is open, ssh forwards X11,
and all machines are on the same vlan), thanks. basile
--
Fedora-directory-users mailing list
Fedora-directory-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
[Fedora-directory-users] PassSync service memory leak?
by Dan Oglesby
Has anyone else experienced a memory leak of the PassSync service on
Windows 2003 servers? I have a system running the PassSync service that
will use over 1GB of RAM if left alone for days at a time.
--Dan
[Fedora-directory-users] FDS & Novell Directory Server
by Nikos Zaharioudakis
Dear All,
I am trying to find a way to migrate away from the old NDS (based on
Novell 5.1) to other platforms and architectures. Is there a way to
synchronise these two?
Because in the meanwhile I shall have them both working in parallel,
until the migration is through.
Any links, howtos or advice are highly appreciated.
Best Regards,
--
########################################
Zaharioudakis Nikos
mob: +30 6947204063
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing on usenet and in e-mail?
[Fedora-directory-users] Freeradius authentcation with FDS - password types.
by Jon Steer
I am attempting to authenticate freeradius with FDS. The issue seems
to be the passwords that are handed back from FDS.
Environment:
OS: Fedora 4
FreeRadius : 1.0.4
FDS: 1.0.1
I am using inetOrgPerson and passing back userPassword. But it seems
that no matter which password encoding I use, freeRadius doesn't seem
to understand it.
Has anyone had luck with this?
thanks,
jon