Hi
Yes, ldap.conf is only what is listed. Yes, you are right, there are two
pam_password lines, that is wrong. I prefer not to use crypt if possible as I do
not want to be limited to 8 char passwords, does that make sense ?
Regards
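As an added example (not code from any poster in this thread), here is a small Python check for the two ldap.conf issues discussed above: a repeated `pam_password` directive, and an `exop` password change attempted with no TLS configured on the client side. It assumes that when a directive is repeated the last value takes effect; the sample input is the ldap.conf fragment quoted in the thread, embedded inline.

```python
from collections import defaultdict

# Constructed sample: the /etc/ldap.conf fragment quoted in this thread.
SAMPLE_LDAP_CONF = """\
bind_policy soft
URI ldap://ldap.server.ip
BASE dc=domain,dc=local
TLS_CACERTDIR /etc/openldap/cacerts
pam_password clear
pam_lookup_policy yes
pam_password exop
#idle_timelimit 3600
idle_timelimit 900
"""

def parse_ldap_conf(text):
    """Map each directive (lower-cased) to every value it was given, in
    file order; comment and blank lines are skipped."""
    directives = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        directives[parts[0].lower()].append(parts[1] if len(parts) > 1 else "")
    return directives

def session_is_encrypted(conf):
    """True if the client is told to use TLS: an ldaps:// URI or 'ssl on' /
    'ssl start_tls'. TLS_CACERTDIR alone only names a CA directory."""
    uris = " ".join(conf.get("uri", [])).lower()
    ssl = [v.lower() for v in conf.get("ssl", [])]
    return "ldaps://" in uris or any(v in ("on", "start_tls") for v in ssl)

def lint_ldap_conf(text):
    """Return findings for a repeated pam_password directive and for an exop
    password change over a cleartext session (assumption: last value wins)."""
    conf = parse_ldap_conf(text)
    findings = []
    methods = conf.get("pam_password", [])
    if len(methods) > 1:
        findings.append("pam_password given %d times (%s); last one wins: %s"
                        % (len(methods), ", ".join(methods), methods[-1]))
    if methods and methods[-1] == "exop" and not session_is_encrypted(conf):
        findings.append("exop password change over a cleartext session: the "
                        "server can refuse it with confidentialityRequired "
                        "(LDAP result 13); configure ssl start_tls or ldaps://")
    return findings
```

Running `lint_ldap_conf(SAMPLE_LDAP_CONF)` on the quoted config reports both findings; switching `pam_password` back to `clear` would silence the second one only by sending the new password in the clear over the same unencrypted session, so the fix the thread converges on is TLS.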
On Tue, Nov 13, 2012 at 2:38 PM, Grzegorz Dwornicki <gd1100(a)gmail.com> wrote:
Sorry, my bad, I was thinking about ldap.conf but said nss...
Does ldap.conf contain only these lines? Why do you use pam_password clear
and then exop? Try crypt.
Greg.
13 Nov 2012 13:18, "Ali Jawad" <ali.jawad(a)splendor.net> wrote:
> Hi
> nsswitch.conf contains the following relevant lines, the rest is
> unchanged
>
>
> passwd: ldap files
> shadow: ldap files
> group: ldap files
>
> Maybe it is my ldap settings, please see /etc/ldap.conf below
>
> bind_policy soft
> URI ldap://ldap.server.ip
> BASE dc=domain,dc=local
> TLS_CACERTDIR /etc/openldap/cacerts
> pam_password clear
> pam_lookup_policy yes
> pam_password exop
> # Idle timelimit; client will close connections
> # (nss_ldap only) if the server has not been contacted
> # for the number of seconds specified below.
> #idle_timelimit 3600
> idle_timelimit 900
>
>
> On Tue, Nov 13, 2012 at 1:59 PM, Grzegorz Dwornicki <gd1100(a)gmail.com> wrote:
>
>> What about NSS configuration? Maybe there is configuration making ssl
>> mandatory?
>>
>> Greg
>> 13 Nov 2012 12:51, "Ali Jawad" <ali.jawad(a)splendor.net> wrote:
>>
>>> Hi All
>>> I am trying to change the password using passwd, please see the below :
>>>
>>> [xyz@server ~]$ passwd
>>> Changing password for user xyz.
>>> Enter login(LDAP) password:
>>> New UNIX password:
>>> Retype new UNIX password:
>>> *LDAP password information update failed: Confidentiality required*
>>> *Operation requires a secure connection.*
>>>
>>> The error log shows
>>> Nov 13 11:47:17 HA-Dev-Nymgo-100-45 passwd: pam_unix(passwd:chauthtok):
>>> user "xyz" does not exist in /etc/passwd
>>>
>>> Pam config follows :
>>>
>>> /etc/pam.d/passwd
>>> #%PAM-1.0
>>> auth include system-auth
>>> account include system-auth
>>> password include system-auth
>>> ~
>>>
>>> /etc/pam.d/system-auth
>>>
>>> #/etc/pam.d/system-auth
>>> #%PAM-1.0
>>>
>>> auth required pam_env.so
>>> auth sufficient pam_unix.so
>>> auth sufficient pam_ldap.so use_first_pass
>>> auth required pam_deny.so
>>>
>>> account sufficient pam_unix.so
>>> account sufficient pam_ldap.so use_first_pass
>>> account required pam_deny.so
>>>
>>> password requisite pam_cracklib.so try_first_pass retry=3
>>> password sufficient pam_unix.so md5 shadow nullok try_first_pass
>>> use_authtok
>>> password sufficient pam_ldap.so use_authtok
>>> password required pam_deny.so
>>>
>>>
>>> #password required pam_cracklib.so retry=3 minlen=2
>>> dcredit=0 ucredit=0
>>> #password sufficient pam_unix.so nullok use_authtok md5
>>> shadow
>>> #password sufficient pam_ldap.so
>>> #password required pam_deny.so
>>>
>>> session optional pam_mkhomedir.so skel=/etc/skel/ umask=0022
>>> session required pam_limits.so
>>> session required pam_unix.so
>>> session optional pam_ldap.so
>>> ~
>>> ~
>>>
>>>
>>>
>>> On Tue, Nov 13, 2012 at 11:15 AM, Arpit Tolani <arpittolani(a)gmail.com> wrote:
>>>
>>>> Hello
>>>>
>>>>
>>>>
>>>> On Tue, Nov 13, 2012 at 1:10 PM, Ali Jawad <ali.jawad(a)splendor.net> wrote:
>>>> > Hi Arpit
>>>> > Actually I was attempting to change the password using command line
>>>> >
>>>> > passwd
>>>> >
>>>> > I.e. each user changes his own password, is passwd the right choice
>>>> here ?
>>>> >
>>>>
>>>> Yes, passwd is the right choice, considering you have pam_ldap.so properly
>>>> configured, & yes, passwd doesn't need ssl/tls to be configured.
>>>>
>>>>
>>>> > Regards
>>>> >
>>>> > On Mon, Nov 12, 2012 at 11:27 PM, Arpit Tolani <arpittolani(a)gmail.com> wrote:
>>>> >>
>>>> >> Hello
>>>> >>
>>>> >> On Tue, Nov 13, 2012 at 12:33 AM, Ali Jawad <ali.jawad(a)splendor.net> wrote:
>>>> >> > In that case I have a major overhaul that I need to complete, change
>>>> >> > password is not working for me, my assumption is that it only works with
>>>> >> > TLS enabled between the client and the server, I have tried to get TLS to
>>>> >> > run a few times but could not get it to run so far. Am I right about the
>>>> >> > assumption that I need encryption between the server and the clients for
>>>> >> > password change to work ?
>>>> >> > Regards
>>>> >> >
>>>> >>
>>>> >> When using the ldappasswd command, yes, ssl/tls is mandatory. Try
>>>> >> changing the password using ldapmodify, it doesn't require an ssl/tls
>>>> >> connection.
>>>> >>
>>>> >> >
>>>> >> > On Mon, Nov 12, 2012 at 8:56 PM, Mark Reynolds <mareynol(a)redhat.com> wrote:
>>>> >> >>
>>>> >> >> Only "crypt" uses the first 8 characters, so any other scheme would be
>>>> >> >> fine. After you change the scheme you will need to force all the users
>>>> >> >> to change their passwords - otherwise their crypt passwords will still be
>>>> >> >> present.
>>>> >> >>
>>>> >> >>
>>>> >> >>
>>>> >> >> On 11/12/2012 01:52 PM, Ali Jawad wrote:
>>>> >> >>
>>>> >> >> Hi All
>>>> >> >> This is an all Linux environment with 389 being used as the sole
>>>> >> >> authentication mechanism, I do believe I am using crypt, I am out of
>>>> >> >> office right now, what should I use instead of crypt to match more
>>>> >> >> characters ?
>>>> >> >> Regards
>>>> >> >>
>>>> >> >> On Mon, Nov 12, 2012 at 7:02 PM, Mark Reynolds <mareynol(a)redhat.com> wrote:
>>>> >> >>>
>>>> >> >>> Also what password storage scheme are you using? For example "crypt"
>>>> >> >>> only checks the first 8 characters of a password.
>>>> >> >>>
>>>> >> >>>
>>>> >> >>> On 11/12/2012 11:18 AM, Dan Lavu wrote:
>>>> >> >>>
>>>> >> >>> In regards to a password policy? Just 389 or are you using winsync with
>>>> >> >>> AD? Because the password policy from AD does not transfer over. Also
>>>> >> >>> there are some extra steps if you want to setup an OU based password
>>>> >> >>> policy but if you just do it for the entire directory through
>>>> >> >>> ‘configuration’ it works with no issues.
>>>> >> >>>
>>>> >> >>> Dan
>>>> >> >>>
>>>> >> >>> From: Ali Jawad <ali.jawad(a)splendor.net>
>>>> >> >>> Sent: November 12, 2012 6:00 AM
>>>> >> >>> To: General discussion list for the 389 Directory server project.
>>>> >> >>> Subject: [389-users] Password + anything works ?
>>>> >> >>>
>>>> >> >>> Hi
>>>> >> >>> I just noticed that you can use the password+ANYLetters and it will
>>>> >> >>> work, I.e. if the password is xyz, xyz99 or xyzABC will work as well,
>>>> >> >>> is this a misconfiguration on my part or a bug ?
>>>> >> >>> Regards
>>>> >> >>>
>>>> >>
>>>> >> Regards
>>>> >> Arpit Tolani
>>>> >> --
>>>> >> 389 users mailing list
>>>> >> 389-users(a)lists.fedoraproject.org
>>>> >> https://admin.fedoraproject.org/mailman/listinfo/389-users
>>>> >
>>>> >
>>>> >
>>>> >
>>>> > --
>>>> > Ali Jawad
>>>> > Information Systems Manager
>>>> > CISSP - PMP - ITIL V3 - RHCE - VCP - C|EH - CCNA - MCSA
>>>> > Splendor Telecom (www.splendor.net)
>>>> > Beirut, Lebanon
>>>> > Phone: +9611373725/ext 116
>>>> > FAX: +9611375554
>>>> >
>>>> >
>>>> >
>>>>
>>>> --
>>>> Regards
>>>> Arpit Tolani
>>>>
>>>
>>>
>>>
>>>
>>
>>
>
>
>
>