You need to modify the file:
[root@zblhp40 ~]# cat /etc/ldap.conf
#LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example, dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
URI ldap://1X.XX.XX.XX ldap://172.X.XX.XX
BASE dc=XX,dc=com
#TLS_CACERTDIR /etc/openldap/cacerts
TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt
TLS_REQCERT never
uri ldap://SERVER.COM/
base dc=ml,dc=com
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
Add in /etc/pam.d/system-auth:
account sufficient pam_localuser.so << this on second line
Restart the sshd service.
Regards!
Allan
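As an added example (not from Allan's post or from the 389 project), a small Python audit that parses ldap.conf-style files like the one above and flags the settings that weaken transport security: TLS_REQCERT never/allow, ssl no, plaintext ldap:// URIs without start_tls, and a client-side pre-hashed pam_password. The two sample configurations, hostnames and addresses are constructed.

```python
# Constructed sample, mirroring the mixed /etc/ldap.conf posted above
SAMPLE_LDAP_CONF = """\
# See ldap.conf(5) for details
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
URI ldap://10.0.0.1 ldap://172.16.0.1
BASE dc=example,dc=com
TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt
TLS_REQCERT never
uri ldap://ldap.example.com/
ssl no
pam_password md5
"""

# Constructed hardened counterpart: verified certificate, TLS on every URI
HARDENED_LDAP_CONF = """\
uri ldaps://ldap.example.com/
base dc=example,dc=com
ssl on
tls_cacertfile /etc/openldap/cacerts/ca.crt
tls_reqcert demand
pam_password exop
"""

def parse_ldap_conf(text):
    """(key, value) pairs; keys are case-insensitive, '#' starts a comment,
    and a repeated key is kept twice so the audit sees both copies."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        entries.append((parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""))
    return entries

def audit_ldap_conf(text):
    """List settings that skip certificate checks or expose credentials."""
    entries = parse_ldap_conf(text)
    # pam_ldap's 'ssl start_tls' upgrades ldap:// URIs, so they are not plaintext then
    start_tls = any(k == "ssl" and v.lower() == "start_tls" for k, v in entries)
    findings = []
    for key, value in entries:
        v = value.lower()
        if key == "tls_reqcert" and v in ("never", "allow"):
            findings.append(f"TLS_REQCERT {value}: server certificate is not verified")
        elif key == "ssl" and v == "no":
            findings.append("ssl no: pam_ldap/nss_ldap will not use TLS at all")
        elif key == "uri" and not start_tls:
            for u in value.split():
                if u.lower().startswith("ldap://"):
                    findings.append(f"URI {u}: plaintext LDAP, bind credentials exposed")
        elif key == "pam_password" and v == "md5":
            findings.append("pam_password md5: client pre-hashes, server policy cannot check syntax")
    return findings
```

Run `audit_ldap_conf` over each file the client actually reads (/etc/ldap.conf and /etc/openldap/ldap.conf serve different libraries), since a verified setting in one does not protect the other.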
Date: Thu, 14 Jan 2010 13:35:23 -0600
From: Paul.Fulda(a)ngc.com
To: 389-users(a)lists.fedoraproject.org
Subject: Re: [389-users] Help with setting up Password Policy and SSL/TLS
I do not remember where I read that the SSL/TLS is required. But if that is the case, I
cannot get the Password Policy to work. For instance, prior to messing around with SSL, I
set in the Password Policy to require the user to choose a new password after reset. I
reset the users password in the Directory Server and when the user typed that password in
on a client machine it did not prompt him to change his password. Also, none of the
password complexity settings worked either. Could it be that PAM is overriding the
Directory Server and if it is how do I bypass PAM?
From: 389-users-bounces(a)lists.fedoraproject.org
[mailto:389-users-bounces@lists.fedoraproject.org] On Behalf Of Nathan Kinder
Sent: Thursday, January 14, 2010 1:14 PM
To: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] Help with setting up Password Policy and SSL/TLS
On 01/14/2010 10:56 AM, Fulda, Paul R (IS) wrote:
Hi,
I am trying to configure the Password Policy for my users and read that you would not be
able to use the Policy unless you set up SSL/TLS.
Where did you read this? SSL/TLS is not required to use the password policy features.
I am using 389 Server version 1.2.2. Also I am running the Server on Fedora 11 64 bit.
All clients are also Fedora 11 64 bit.
I followed the instructions in setting up SSL here at
http://directory.fedoraproject.org/wiki/Howto:SSL
I ran the setupssl2.sh script and it completed with no errors. In the 389 Admin Console I
could see the certificates for both the Admin Server and DS Server in the
Manage Certificates screens.
Also, I do not want to use SSL for the Admin Server or the Admin Console. I just want to
be able to use it for user authentication so the Password Policy works.
Bottom line is that I cannot get both features (Password Policies and SSL) working. Any
help would be greatly appreciated.
Up to this point here are my questions:
1) In the Directory Server GUI from the 389 Admin Console what certificate do I use
to populate the Certificate field in the Encryption Tab?
There are 3 choices it provides after running the sslsetup2.sh script which are CA
Certificate, server-cert, and server-Cert.
The one named "Server-Cert" should be used for the Directory Server.
2) In the Client Authentication Block in the same Encryption Tab as #1 above, I have
selected “Require client authentication”. Is this correct?
Is this how you force the Directory Server to use only port 636 for secure communications?
If not, how do you do that?
No. Client authentication refers to using a client certificate to authenticate as opposed
to a bind DN and password. You most likely don't want to do this. If you truly want
to only use port 636, you can set nsslapd-listenport to "0", but all of your
clients will be required to use LDAPS over port 636. You should be really sure that this
is what you want.
3) What are the differences between /etc/openldap/ldap.conf and /etc/ldap.conf?
What are the client configurations needed to make this work?
/etc/openldap/ldap.conf is the OpenLDAP client config file. /etc/ldap.conf is the config
file for nss_ldap and pam_ldap.
The only ldap.conf file that
http://directory.fedoraproject.org/wiki/Howto:SSL talks about
configuring is the /etc/openldap/ldap.conf file.
My /etc/openldap/ldap.conf file looks like this:
URI ldap://hadmina.eidev.ngc.com/
BASE dc=eidev, dc=ngc, dc=com
TLS_CACERT /etc/openldap/cacerts
TLS_REQCERT allow
4) How do you get the certificate on the client machines? What I did was copy from
the server the cacert.asc file that is located in /etc/dirsrv/slapd-hadmina
to the client machine in /etc/openldap/cacerts directory. Is this correct?
Thanks and I hope there is someone out there that can help me get this working!
Paul
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users