OK, I got the Password Policy somewhat working; now the problem is with
gdm and pam. I get the following error when trying to change the user's
password from a Fedora 11 client machine login window. This happens
after I reset their password from the Directory Server GUI.
Here are the errors:
pam: gdm-password: pam_unix (gdm-password:auth): authentication failure
pam: gdm-password: pam_unix (gdm-password:chauthtok): user "smiths" does not exist in /etc/passwd
Note that smiths is an LDAP account, not a local account. I have
Googled this problem with no luck. I am hoping that someone in the LDAP
world has come across this with a fix.
Thanks in advance!
Paul
-----Original Message-----
From: 389-users-bounces(a)lists.fedoraproject.org
[mailto:389-users-bounces@lists.fedoraproject.org] On Behalf Of Rich
Megginson
Sent: Thursday, January 14, 2010 1:39 PM
To: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] Help with setting up Password Policy and
SSL/TLS
Fulda, Paul R (IS) wrote:
Do not remember where I read that the SSL/TLS is required. But if that
is the case, I cannot get the Password Policy to work. For instance,
prior to messing around with SSL, I set in the Password Policy to
require the user to choose a new password after reset. I reset the
user's password in the Directory Server and when the user typed that
password in on a client machine it did not prompt him to change his
password. Also, none of the password complexity settings worked
either. Could it be that PAM is overriding the Directory Server and, if
it is, how do I bypass PAM?
man pam_ldap
From: 389-users-bounces(a)lists.fedoraproject.org
[mailto:389-users-bounces@lists.fedoraproject.org] On Behalf Of
Nathan Kinder
Sent: Thursday, January 14, 2010 1:14 PM
To: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] Help with setting up Password Policy and
SSL/TLS
On 01/14/2010 10:56 AM, Fulda, Paul R (IS) wrote:
Hi,
I am trying to configure the Password Policy for my users and read
that you would not be able to use the Policy unless you set up
SSL/TLS.
Where did you read this? SSL/TLS is not required to use the password
policy features.
I am using 389 Server version 1.2.2. Also I am running the Server on
Fedora 11 64 bit. All clients are also Fedora 11 64 bit.
I followed the instructions in setting up SSL here at
http://directory.fedoraproject.org/wiki/Howto:SSL
I ran the setupssl2.sh script and it completed with no errors. In the
389 Admin Console I could see the certificates for both the Admin
Server and DS Server in the Manage Certificates screens.
Also, I do not want to use SSL for the Admin Server or the Admin
Console. I just want to be able to use it for user authentication so
the Password Policy works.
Bottom line is that I cannot get both features (Password Policies and
SSL) working. Any help would be greatly appreciated.
Up to this point here are my questions:
1) In the Directory Server GUI from the 389 Admin Console what
certificate do I use to populate the Certificate field in the
Encryption Tab?
There are 3 choices it provides after running the sslsetup2.sh script
which are CA Certificate, server-cert, and server-Cert.
The one named "Server-Cert" should be used for the Directory Server.
2) In the Client Authentication Block in the same Encryption Tab as #1
above, I have selected "Require client authentication". Is this
correct?
Is this how you force the Directory Server to use only port 636 for
secure communications? If not, how do you do that?
No. Client authentication refers to using a client certificate to
authenticate as opposed to a bind DN and password. You most likely
don't want to do this. If you truly want to only use port 636, you can
set nsslapd-listenport to "0", but all of your clients will be
required to use LDAPS over port 636. You should be really sure that
this is what you want.
3) What are the differences between /etc/openldap/ldap.conf and
/etc/ldap.conf? What are the client configurations needed to make this
work?
/etc/openldap/ldap.conf is the OpenLDAP client config file.
/etc/ldap.conf is the config file for nss_ldap and pam_ldap.
The only ldap.conf file that
http://directory.fedoraproject.org/wiki/Howto:SSL talks about
configuring is the /etc/openldap/ldap.conf file.
My /etc/openldap/ldap.conf file looks like this:

URI ldap://hadmina.eidev.ngc.com/
BASE dc=eidev, dc=ngc, dc=com
TLS_CACERT /etc/openldap/cacerts
TLS_REQCERT allow

4) How do you get the certificate on the client machines? What I did
was copy from the server the cacert.asc file that is located in
/etc/dirsrv/slapd-hadmina to the client machine in the
/etc/openldap/cacerts directory. Is this correct?
Thanks and I hope there is someone out there that can help me get this
working!
Paul
--
389 users mailing list
389-users(a)lists.fedoraproject.org
<mailto:389-users@lists.fedoraproject.org>
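As an added illustration (not code from the thread, from 389 DS or from OpenLDAP), here is a small Python lint that reads an OpenLDAP client ldap.conf like the one Paul posted and reports the settings a defender would tighten before relying on TLS for LDAP authentication. The `path_is_dir` hook, the finding texts and the sample file are my own; the sample reproduces the four lines from the thread.

```python
import os
import re

# Constructed sample: the /etc/openldap/ldap.conf posted in the thread,
# with one comment line added to show that comments are skipped.
SAMPLE_LDAP_CONF = """\
# OpenLDAP client settings (sample as posted on the list)
URI ldap://hadmina.eidev.ngc.com/
BASE dc=eidev, dc=ngc, dc=com
TLS_CACERT /etc/openldap/cacerts
TLS_REQCERT allow
"""


def parse_ldap_conf(text):
    """Return {KEY: value} for an ldap.conf; keys are whitespace-separated
    from their value and are matched case-insensitively by libldap."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        settings[parts[0].upper()] = parts[1] if len(parts) > 1 else ""
    return settings


def lint_ldap_conf(text, path_is_dir=os.path.isdir):
    """Return a list of findings; an empty list means nothing to tighten.
    path_is_dir is injectable so the check can run without the real file."""
    cfg = parse_ldap_conf(text)
    findings = []
    # A plain ldap:// URI is only encrypted if the client asks for STARTTLS
    # (ldapsearch -Z, pam_ldap 'ssl start_tls'); otherwise binds go in clear.
    if any(u.lower().startswith("ldap://") for u in cfg.get("URI", "").split()):
        findings.append("URI uses ldap://: encryption depends on the client "
                        "issuing STARTTLS; bind passwords are otherwise sent in clear")
    # 'never' and 'allow' accept a missing or bad server certificate, so the
    # session proves nothing about who the server is; 'demand' is the default.
    reqcert = cfg.get("TLS_REQCERT", "demand").lower()
    if reqcert in ("never", "allow"):
        findings.append(f"TLS_REQCERT {reqcert}: server certificate is not "
                        "verified; use 'demand' (the default)")
    # TLS_CACERT names one PEM file; a directory of CA certs is TLS_CACERTDIR.
    cacert = cfg.get("TLS_CACERT")
    if cacert and path_is_dir(cacert):
        findings.append(f"TLS_CACERT {cacert} is a directory: use TLS_CACERTDIR "
                        "for a directory, or point TLS_CACERT at the CA PEM file")
    return findings
```

Run it against the real file with `lint_ldap_conf(open("/etc/openldap/ldap.conf").read())`; the sample above yields three findings.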