Well, I've gotten authentication working for solaris 10 & FDS. (Thank you, everybody)
As root, I can change any user's password and that works. As a regular user, however, no luck:
-bash-3.00$ passwd
passwd: Changing password for test
passwd: Sorry, wrong passwd
Permission denied
-bash-3.00$ passwd -r ldap
passwd: Changing password for test
passwd: Sorry, wrong passwd
Permission denied
-bash-3.00$
I've this aci:
(targetattr="carLicense ||description ||displayName ||facsimileTelephoneNumber ||homePhone ||homePostalAddress ||initials ||jpegPhoto ||labeledURL ||mail ||mobile ||pager ||photo ||postOfficeBox ||postalAddress ||postalCode ||preferredDeliveryMethod ||preferredLanguage ||registeredAddress ||roomNumber ||secretary ||seeAlso ||st ||street ||telephoneNumber ||telexNumber ||title ||userCertificate ||userPassword ||userSMIMECertificate ||x500UniqueIdentifier")(version 3.0; acl "Enable self write for common attributes"; allow (write) userdn="ldap:///self";)
Doesn't seem to be doing anything, even though userPassword is in there. Btw, in Linux, non-root users can change their passwords just fine!
I've also two of these ACIs which I got from Gary Tay's site:
(target="ldap:///dc=company,dc=com")(targetattr="userPassword")(version 3.0; acl LDAP_Naming_Services_proxy_password_read; allow (compare,search) userdn = "ldap:///cn=proxyagent,ou=profile,dc=company,dc=com";)
(targetattr = "cn||uid||uidNumber||gidNumber||homeDirectory||shadowLastChange||shadowMin||shadowMax||shadowWarning||shadowInactive||shadowExpire||shadowFlag||memberUid")(version 3.0; acl LDAP_Naming_Services_deny_write_access;deny (write) userdn = "ldap:///self";)
They seem to be doing nothing either, i.e. removing them neither fixes nor breaks anything.
Nothing in server/client logs either...
Any ideas?
Susan,
What does your PAM password stack look like on the Solaris 10 client?
-- George
-- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users
I got it from docs.sun.com:
-bash-3.00# cat /etc/pam.conf
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_dial_auth.so.1
login   auth required           pam_unix_cred.so.1
login   auth sufficient         pam_unix_auth.so.1
login   auth required           pam_ldap.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin  auth sufficient         pam_rhosts_auth.so.1
rlogin  auth requisite          pam_authtok_get.so.1
rlogin  auth required           pam_dhkeys.so.1
rlogin  auth required           pam_unix_cred.so.1
rlogin  auth sufficient         pam_unix_auth.so.1
rlogin  auth required           pam_ldap.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh     auth sufficient         pam_rhosts_auth.so.1
rsh     auth required           pam_unix_cred.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp     auth requisite          pam_authtok_get.so.1
ppp     auth required           pam_dhkeys.so.1
ppp     auth required           pam_dial_auth.so.1
ppp     auth sufficient         pam_unix_auth.so.1
ppp     auth required           pam_ldap.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_cred.so.1
other   auth sufficient         pam_unix_auth.so.1
other   auth required           pam_ldap.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd  auth sufficient         pam_passwd_auth.so.1
passwd  auth required           pam_ldap.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron    account required        pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other   account requisite       pam_roles.so.1
other   account required        pam_unix_account.so.1
#
It looks like you're missing a password stack in your /etc/pam.conf.
I think you got the example pam.conf here: http://docs.sun.com/app/docs/doc/816-4556/6maort2tb?a=view ...but did you omit the bottom portion of the file?
This part:
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other   session required        pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other   password required       pam_dhkeys.so.1
other   password requisite      pam_authtok_get.so.1
other   password requisite      pam_authtok_check.so.1
other   password required       pam_authtok_store.so.1
No, looks like I messed up on copy & paste:
-bash-3.00# tail /etc/pam.conf
# Used when service name is not explicitly mentioned for password management
#
other   password required       pam_dhkeys.so.1
other   password requisite      pam_authtok_get.so.1
other   password requisite      pam_authtok_check.so.1
other   password required       pam_authtok_store.so.1
#
# Support for Kerberos V5 authentication and example configurations can
# be found in the pam_krb5(5) man page under the "EXAMPLES" section.
#
I have it.
Susan wrote:
# passwd command (explicit because of a different authentication module)
#
passwd  auth sufficient         pam_passwd_auth.so.1
passwd  auth required           pam_ldap.so.1
You have no password directives - auth is for authentication only.
passwd password sufficient pam_passwd_auth.so.1
passwd password required pam_ldap.so.1
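The point Pete makes above is how Solaris PAM picks a stack: for a given service and module type it uses that service's own entries, and only when there are none does it fall back to the "other" entries. The checker below is an added example (not from the thread, not from Sun's documentation) that parses a pam.conf(4)-style file and reports which entries passwd(1) would actually use for password management; the two sample configs are constructed from the passwd and other lines quoted in the thread, before and after Pete's two lines are added. It only shows which stack applies, not whether the LDAP side then succeeds.

```python
"""Report which pam.conf entries apply to a service/module-type pair and which
services define an 'auth' stack but no 'password' stack of their own.
Added example; the sample configs are constructed from lines quoted in the thread."""
import re

# pam.conf(4) fields: service  module-type  control-flag  module-path [options]
LINE_RE = re.compile(
    r"^(?P<service>\S+)\s+(?P<mtype>auth|account|session|password)\s+"
    r"(?P<flag>\S+)\s+(?P<module>\S+)(?P<opts>.*)$")

def parse_pam_conf(text):
    """Return {service: {module_type: [(control_flag, module_path, [options]), ...]}}."""
    stacks = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparseable pam.conf line: %r" % raw)
        entry = (m.group("flag"), m.group("module"), m.group("opts").split())
        stacks.setdefault(m.group("service"), {}).setdefault(m.group("mtype"), []).append(entry)
    return stacks

def effective_stack(stacks, service, mtype):
    """The service's own entries for this module type win; otherwise 'other' applies.
    Returns (name of the service whose entries were used, entries)."""
    if mtype in stacks.get(service, {}):
        return service, stacks[service][mtype]
    return "other", stacks.get("other", {}).get(mtype, [])

def services_without_password_stack(stacks):
    """Services that define their own 'auth' stack but no 'password' stack."""
    return sorted(s for s, types in stacks.items()
                  if s != "other" and "auth" in types and "password" not in types)

def modules_in(stack):
    return [module for _, module, _ in stack]

# Constructed from the lines Susan posted: passwd has auth entries only.
BEFORE = """
# passwd command (explicit because of a different authentication module)
passwd  auth sufficient         pam_passwd_auth.so.1
passwd  auth required           pam_ldap.so.1
cron    account required        pam_unix_account.so.1
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_cred.so.1
other   auth sufficient         pam_unix_auth.so.1
other   auth required           pam_ldap.so.1
other   password required       pam_dhkeys.so.1
other   password requisite      pam_authtok_get.so.1
other   password requisite      pam_authtok_check.so.1
other   password required       pam_authtok_store.so.1
"""

# The same file with the two lines Pete suggested added.
AFTER = BEFORE + """
passwd  password sufficient     pam_passwd_auth.so.1
passwd  password required       pam_ldap.so.1
"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        stacks = parse_pam_conf(text)
        src, stack = effective_stack(stacks, "passwd", "password")
        print(label, "- passwd/password uses the", src, "entries:", modules_in(stack))
        print(label, "- services with auth but no password stack:",
              services_without_password_stack(stacks))
```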
Alright, I added that, didn't do anything though:
-bash-3.00# grep passwd /etc/pam.conf
# passwd command (explicit because of a different authentication module)
passwd  auth sufficient         pam_passwd_auth.so.1
passwd  auth required           pam_ldap.so.1
passwd  password sufficient     pam_passwd_auth.so.1
passwd  password required       pam_ldap.so.1
-bash-3.00$ passwd
passwd: Changing password for test
passwd: Sorry, wrong passwd
Permission denied
-bash-3.00$ passwd -r ldap
passwd: Changing password for test
passwd: Sorry, wrong passwd
Permission denied
-bash-3.00$
Turned pam debugging on, I see this now:
Feb 23 17:36:04 unknown passwd[1187]: [ID 293258 user.warning] libsldap: Status: 91 Mesg: openConnection: failed to initialize TLS security (An I/O error occurred during security authorization.)
Feb 23 17:36:04 unknown passwd[1187]: [ID 293258 user.warning] libsldap: Status: 7 Mesg: Session error no available conn.
Feb 23 17:36:04 unknown passwd[1187]: [ID 993883 user.debug] passwd_auth: __user_to_authenticate returned 13
Feb 23 17:36:04 unknown passwd[1187]: [ID 239966 auth.debug] PAM[1187]: pam_authenticate(29748, 0): error No account present for user
Feb 23 17:36:04 unknown passwd[1187]: [ID 285619 auth.debug] ldap pam_sm_authenticate(passwd test), flags = 0
Feb 23 17:36:04 unknown passwd[1187]: [ID 647000 auth.debug] ldap pam_sm_authenticate(passwd test), AUTHTOK not set
Feb 23 17:36:04 unknown passwd[1187]: [ID 239966 auth.debug] PAM[1187]: pam_authenticate(29748, 0): error Authentication failed
Feb 23 17:36:04 unknown passwd[1187]: [ID 909073 auth.debug] PAM[1187]: pam_set_item(29748:authtok)
Feb 23 17:36:04 unknown passwd[1187]: [ID 557867 auth.debug] PAM[1187]: pam_end(29748): status = Success
Why would it fail to initialize TLS security? root works fine... Is there an env var I'm missing?
Susan wrote:
Why would it fail to initialize TLS security? root works fine... Is there an env var I'm missing?
Permissions for local files? Try getting a TLS ldapsearch to work first.
Ah yes,
Check permission on /var/ldap/cert7.db and /var/ldap/key3.db.
They should be mode 644.
Yea, I checked that, it was already set correctly:
-bash-3.00# ls -l /var/ldap/*.db
-rw-r--r--   1 root     root       65536 Feb 22 09:45 /var/ldap/cert8.db
-rw-r--r--   1 root     root       32768 Feb 22 09:45 /var/ldap/key3.db
-rw-r--r--   1 root     root       32768 Feb 22 09:38 /var/ldap/secmod.db
-bash-3.00# ls -ld /var/ldap/
drwxr-xr-x   3 root     sys          512 Feb 22 09:49 /var/ldap/
and ldapsearch -Z works fine, as non-root.
The strange thing is that in the pam debug log, I see this:
Feb 24 08:52:03 unknown passwd[1227]: [ID 293258 user.warning] libsldap: Status: 91 Mesg: openConnection: failed to initialize TLS security (An I/O error occurred during security authorization.)
Feb 24 08:52:03 unknown passwd[1227]: [ID 292100 user.warning] libsldap: could not remove ldap-serv from servers list
Feb 24 08:52:03 unknown passwd[1227]: [ID 293258 user.warning] libsldap: Status: 7 Mesg: Session error no available conn.
Feb 24 08:52:03 unknown passwd[1227]: [ID 993883 user.debug] passwd_auth: __user_to_authenticate returned 13
Feb 24 08:52:03 unknown passwd[1227]: [ID 238438 auth.debug] PAM[1227]: pam_authenticate(29748, 0): error No account present for user
Feb 24 08:52:03 unknown passwd[1227]: [ID 285619 auth.debug] ldap pam_sm_authenticate(passwd test), flags = 0
Feb 24 08:52:03 unknown passwd[1227]: [ID 647000 auth.debug] ldap pam_sm_authenticate(passwd test), AUTHTOK not set
Feb 24 08:52:03 unknown passwd[1227]: [ID 238438 auth.debug] PAM[1227]: pam_authenticate(29748, 0): error Authentication failed
Several things stand out.
1st, the TLS business. If root works, why wouldn't non-root users work also??
2nd, what does it mean "error No account present for user"?? is it trying to change local password? Even though I explicitly say passwd -r ldap ?
3rd, why is it trying to remove my fds server from some list and what is that list?
I'm thinking that before letting me change my password, it's trying to make me enter my current password and bombs immediately:
passwd_auth: __user_to_authenticate returned 13
So... I'm kind of stuck here...
Thank you, guys.
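Reading a PAM debug trace like the one above is easier when the lines are grouped by process and the first libsldap failure is separated from the PAM errors that follow it, since here the "No account present for user" and "Authentication failed" results are downstream of the TLS connection failure (Status 91) and the resulting "no available conn" (Status 7). The triage script below is an added example, not part of the thread; it parses the Solaris syslog format of those lines and uses the lines Susan posted as its sample input.

```python
"""Group Solaris syslog lines by process and pull out libsldap status codes and
PAM error results, reporting the first libsldap failure per process as the
likely root cause. Added example; the sample lines are the ones quoted above."""
import re

# Solaris syslog line: "Mon DD HH:MM:SS host prog[pid]: [ID nnnnnn facility.level] message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[\s]+)\[(?P<pid>\d+)\]: \[ID (?P<msgid>\d+) (?P<fac>[\w.]+)\] (?P<msg>.*)$")
LIBSLDAP_RE = re.compile(r"^libsldap: Status: (?P<status>\d+) Mesg: (?P<mesg>.*)$")
PAM_ERR_RE = re.compile(r"^PAM\[\d+\]: pam_(?P<call>\w+)\(.*\): error (?P<err>.*)$")

def parse_line(line):
    """Split one syslog line into its fields, or return None if it does not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    return rec

def classify(msg):
    """Return (kind, detail) for a message body."""
    m = LIBSLDAP_RE.match(msg)
    if m:
        return "libsldap", {"status": int(m.group("status")), "mesg": m.group("mesg")}
    m = PAM_ERR_RE.match(msg)
    if m:
        return "pam_error", {"call": m.group("call"), "error": m.group("err")}
    return "other", {"text": msg}

def triage(lines):
    """Per pid: program name, the classified events in order, and the first
    libsldap status seen (the earliest failure, before PAM reports anything)."""
    procs = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        p = procs.setdefault(rec["pid"], {"prog": rec["prog"], "events": [], "root_cause": None})
        kind, detail = classify(rec["msg"])
        p["events"].append((kind, detail))
        if kind == "libsldap" and p["root_cause"] is None:
            p["root_cause"] = detail
    return procs

def pam_errors(proc):
    return [d["error"] for kind, d in proc["events"] if kind == "pam_error"]

# Sample input: the trace quoted in the message above.
SAMPLE_LINES = [
    "Feb 24 08:52:03 unknown passwd[1227]: [ID 293258 user.warning] libsldap: Status: 91 Mesg: openConnection: failed to initialize TLS security (An I/O error occurred during security authorization.)",
    "Feb 24 08:52:03 unknown passwd[1227]: [ID 292100 user.warning] libsldap: could not remove ldap-serv from servers list",
    "Feb 24 08:52:03 unknown passwd[1227]: [ID 293258 user.warning] libsldap: Status: 7 Mesg: Session error no available conn.",
    "Feb 24 08:52:03 unknown passwd[1227]: [ID 993883 user.debug] passwd_auth: __user_to_authenticate returned 13",
    "Feb 24 08:52:03 unknown passwd[1227]: [ID 238438 auth.debug] PAM[1227]: pam_authenticate(29748, 0): error No account present for user",
    "Feb 24 08:52:03 unknown passwd[1227]: [ID 238438 auth.debug] PAM[1227]: pam_authenticate(29748, 0): error Authentication failed",
]

if __name__ == "__main__":
    for pid, proc in triage(SAMPLE_LINES).items():
        print("%s[%d]: first libsldap failure: %s" % (proc["prog"], pid, proc["root_cause"]))
        print("  later PAM errors:", pam_errors(proc))
```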