Jamie McKnight wrote:
>>>in /etc/ldap.conf, and that your pam stack is set up for pam_ldap
>>>authentication. Also, if you are using a proxy agent, the proxy agent
>>>must not be able to see the userPassword attribute, or you will end up
>>>authenticating via pam_unix, and not pam_ldap.
>>
>>This could be the problem. I am using a proxy and not sure how to test
>>what you are saying. If I do an ldapsearch such as:
>>
>>ldapsearch -x -ZZ '(uid=tulsa)'
>>
>>then that should bind via the entries in ldap.conf hence use the
>>config'd proxy, correct? Then if that search shows a userPassword then
>>that would confirm pam_unix usage? Not sure how to stop it if it is
>>using pam_unix?
>>
>
> That's correct, if you can do a ldapsearch and bind as the proxyagent
> and you see the userPassword attribute returned, then the directory
> server has an ACI that allows read for your proxy agent of the
> userPassword attribute. You can just remove that ACI and it should at
> that point not return the userPassword field, and pam_ldap
> authentication would take place then.
>
> For example:
>
> ldapsearch -x -h ldapsrv -D "cn=proxyid,dc=blah" -W -b "ou=people,dc=blah" uid=tulsa
>
> Where -D is the id listed as proxyagent in ldap.conf, and the password
> supplied is for that id. If userPassword is returned then you know what
> is going on.
>
> If this is not what is happening, check and make sure you don't have
> rootbinddn and /etc/ldap.secret set up. If it is actually binding as
> your rootdn then that is what it could be as well.

Welp, I am stumped. Running various ldapsearches I got the results as they should be. Binding as the proxy, no userPassword; binding as an admin, then I get the userPassword. I looked in /etc/ and there is not an ldap.secret file, so I guess I do not have the rootbinddn set up. I was thinking of removing the shadowExpire attributes but I am afraid if I do that then cron may stop working. Not sure at this point.

Thanks,
jim

> Jamie
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

--
Jim Summers
School of Computer Science-University of Oklahoma
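
The check discussed in this thread (does a given bind identity get userPassword back from a search?) can be scripted. The following is an added example, not part of the original messages: the function name `ldif_attr_exposed` and the two sample LDIF entries are constructed for illustration, and the bind DN and base in the usage comment are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Reads ldapsearch LDIF on stdin and prints
# the DN of every entry that returns the named attribute (default: userPassword).
# Returns 1 if the attribute is visible to the identity that ran the search, else 0.
ldif_attr_exposed() {
    awk -v want="${1:-userPassword}" '
        function emit(   name) {
            if (cur == "") return
            name = cur
            sub(/:.*/, "", name)    # attribute description precedes the first ":"
            sub(/;.*/, "", name)    # drop options such as ";binary"
            name = tolower(name)
            if (name == "dn") { dn = cur; sub(/^[^:]*::?[ ]*/, "", dn) }
            else if (name == tolower(want)) { print dn; hits++ }
            cur = ""
        }
        /^#/ { emit(); skip = 1; next }                    # comment line
        /^ / { if (!skip) cur = cur substr($0, 2); next }  # folded continuation
        /^$/ { emit(); dn = ""; skip = 0; next }           # blank line ends an entry
        { emit(); skip = 0; cur = $0 }
        END { emit(); exit (hits > 0 ? 1 : 0) }
    '
}

# Live use, with the bind DN and search base quoted in the thread:
#   ldapsearch -x -h ldapsrv -D "cn=proxyid,dc=blah" -W -b "ou=people,dc=blah" uid=tulsa \
#     | ldif_attr_exposed userPassword || echo "this bind identity can read userPassword"

# Constructed sample output: the same entry as seen by two bind identities.
PROXY_LDIF='dn: uid=tulsa,ou=people,dc=blah
uid: tulsa
shadowExpire: -1
'
ADMIN_LDIF='dn: uid=tulsa,ou=people,dc=blah
uid: tulsa
userPassword:: Q09OU1RSVUNURUQ=
'
```

The function handles folded LDIF lines, the base64 `attr::` form and mixed-case attribute names, so it can be run against each bind identity in turn to confirm which ACIs expose the attribute.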