/etc/pam.d/system-auth :
account sufficient pam_localuser.so << this on second line
Do not remember where I read that the SSL/TLS is required. But if that is the case, I cannot get the Password Policy to work. For instance, prior to messing around with SSL, I set in the Password Policy to require the user to choose a new password after reset. I reset the users password in the Directory Server and when the user typed that password in on a client machine it did not prompt him to change his password. Also, none of the password complexity settings worked either. Could it be that PAM is overriding the Directory Server and if it is how do I bypass PAM?
From: 389-users-bounces@lists.fedoraproject.org [mailto:389-users-bounces@lists.fedoraproject.org] On Behalf Of Nathan Kinder
Sent: Thursday, January 14, 2010 1:14 PM
To: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] Help with setting up Password Policy and SSL/TLS
On 01/14/2010 10:56 AM, Fulda, Paul R (IS) wrote:
Hi,
Where did you read this? SSL/TLS is not required to use the password policy features.
There are 3 choices it provides after running the sslsetup2.sh script which are CA Certificate, server-cert, and server-Cert.
The one named "Server-Cert" should be used for the Directory Server.
Is this how you force the Directory Server to use only port 636 for secure communications? If not, how do you do that?
No. Client authentication refers to using a client certificate to authenticate as opposed to a bind DN and password. You most likely don't want to do this. If you truly want to only use port 636, you can set nsslapd-listenport to "0", but all of your clients will be required to use LDAPS over port 636. You should be really sure that this is what you want.
/etc/openldap/ldap.conf is the OpenLDAP client config file. /etc/ldap.conf is the config file for nss_ldap and pam_ldap.
The only ldap.conf file that http://directory.fedoraproject.org/wiki/Howto:SSL talks about configuring is the /etc/openldap/ldap.conf file.
My /etc/openldap/ldap.conf file looks like this:
URI ldap://hadmina.eidev.ngc.com/
BASE dc=eidev, dc=ngc, dc=com
TLS_CACERT /etc/openldap/cacerts
TLS_REQCERT allow
4) How do you get the certificate on the client machines? What I did was copy from the server the cacert.asc file that is located in /etc/dirsrv/slapd-hadmina to the client machine in /etc/openldap/cacerts directory. Is this correct?
Thanks and I hope there is someone out there that can help me get this working!
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
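The client config quoted in the thread (TLS_REQCERT allow, TLS_CACERT pointing at a directory, a plain ldap:// URI) is exactly the shape that makes LDAPS look like it works while the server certificate is never actually checked. The script below is an added example, not code from the 389 project or from anyone in the thread: it parses an OpenLDAP ldap.conf(5) body and flags those settings. The two sample configs are constructed to mirror the thread's values and a hardened version of them; the isdir parameter is injectable so the audit runs without touching the real filesystem.

```python
"""Audit an OpenLDAP client ldap.conf (/etc/openldap/ldap.conf) for TLS
settings that silently weaken LDAPS.

Added example, not the 389 project's own code.  Hostnames and paths in
the sample configs are constructed to mirror the thread, not real hosts.
"""
import os

# ldap.conf(5): TLS_REQCERT defaults to "demand" when unset.  "never" and
# "allow" accept a bad or absent server certificate; "try" only rejects a
# bad one, so an absent certificate still passes.
WEAK_REQCERT = {"never": "high", "allow": "high", "try": "medium"}


def parse_ldap_conf(text):
    """Return {KEYWORD: value} for a ldap.conf body; later lines win, as in OpenLDAP."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def audit_ldap_conf(text, isdir=os.path.isdir):
    """Return a list of (severity, keyword, message) findings for a ldap.conf body.

    `isdir` is injectable so the check can run offline against sample text.
    """
    conf = parse_ldap_conf(text)
    findings = []

    reqcert = conf.get("TLS_REQCERT", "demand").lower()
    if reqcert in WEAK_REQCERT:
        findings.append((WEAK_REQCERT[reqcert], "TLS_REQCERT",
            f"'{reqcert}' does not reject a bad or missing server certificate; "
            "a spoofed directory server can harvest bind passwords. Use 'demand'."))

    cacert = conf.get("TLS_CACERT")
    cacertdir = conf.get("TLS_CACERTDIR")
    if cacert and isdir(cacert):
        findings.append(("high", "TLS_CACERT",
            f"{cacert} is a directory, but TLS_CACERT takes a PEM file. Point it at "
            "the CA file, or use TLS_CACERTDIR for a directory of CA certificates."))
    if not cacert and not cacertdir:
        findings.append(("high", "TLS_CACERT",
            "no CA trust anchor (TLS_CACERT / TLS_CACERTDIR); with TLS_REQCERT demand "
            "every LDAPS connection fails, with allow/never any certificate is accepted."))

    for uri in conf.get("URI", "").split():
        if uri.lower().startswith("ldap://"):
            findings.append(("medium", "URI",
                f"{uri} is plaintext LDAP; binds cross the wire in the clear unless the "
                "client issues STARTTLS (ldapsearch -ZZ, pam_ldap 'ssl start_tls'). "
                "Prefer ldaps:// or enforce STARTTLS on every client."))
    return findings


# Constructed sample: the thread's client config as posted.
WEAK_LDAP_CONF = """\
# constructed sample mirroring the thread
URI ldap://hadmina.eidev.ngc.com/
BASE dc=eidev, dc=ngc, dc=com
TLS_CACERT /etc/openldap/cacerts
TLS_REQCERT allow
"""

# Constructed sample: LDAPS only, CA *file*, strict verification.
HARDENED_LDAP_CONF = """\
# constructed sample: hardened client config
URI ldaps://hadmina.eidev.ngc.com/
BASE dc=eidev,dc=ngc,dc=com
TLS_CACERT /etc/openldap/cacerts/cacert.asc
TLS_REQCERT demand
"""


def is_cacerts_dir(path):
    """Stand-in for os.path.isdir: only the thread's cacerts path is a directory."""
    return path == "/etc/openldap/cacerts"


if __name__ == "__main__":
    for name, body in (("weak", WEAK_LDAP_CONF), ("hardened", HARDENED_LDAP_CONF)):
        print(f"== {name} ==")
        for severity, keyword, message in audit_ldap_conf(body, isdir=is_cacerts_dir):
            print(f"[{severity}] {keyword}: {message}")
```

Run it against a real client with `audit_ldap_conf(open("/etc/openldap/ldap.conf").read())`, which uses the real os.path.isdir. Note that this only covers the OpenLDAP tools' config; nss_ldap and pam_ldap read /etc/ldap.conf, as the reply above points out, and need their own `ssl` and `tls_checkpeer` settings checked separately.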