Hi Rich, thanks for your support, I will try it.

Do you have any white paper or guide for implementing LDAP server and client to use TLS?
I read the Administration Guide but if you have any tutorial, better!

Thanks!

Allan

> Date: Fri, 4 Dec 2009 13:25:34 -0700
> From: rmeggins at redhat.com
> To: fedora-directory-users at redhat.com
> Subject: Re: [389-users] Password Policy not working fine
>
> Allan Gaston Hougham wrote:
> > Hi Rich,
> >
> > Sorry, I saw your answer now..
> > With our settings on ldap.conf the error is:
> >
> > Changing password for user testsi.
> > Enter login(LDAP) password:
> > New UNIX password:
> > Retype new UNIX password:
> > LDAP password information update failed: Confidentiality required
> > Operation requires a secure connection.
> > passwd: Permission denied
> >
> > What is the shortcut to resolve this problem?
> >
> > 1 - We need run this command: ldappasswd -x to disable SASL auth
> >
> > 2- We need make this settings?
> >
> > Need to configure the directory server and nss_ldap/pam_ldap
> > (/etc/ldap.conf) to use TLS
> >
> > Is not important have a secure connection in authentication
> > We need that ours policies working fine
> >
> > I think that we aren't using ldappasswd...
> ldappasswd uses the password extended operation, just like pam_password
> exop. In order to use this extended operation, you must use a secure
> connection, which means TLS/SSL or SASL with a negotiated security layer.
>
> So you either need to configure your LDAP server and client to use TLS,
> or use something like ldapmodify to change the userPassword attribute
> directly (i.e. don't use the passwd command).
> >
> > Thanks in advance!!
> >
> > Allan
> >
> > > Date: Fri, 4 Dec 2009 11:03:53 -0700
> > > From: rmeggins at redhat.com
> > > To: fedora-directory-users at redhat.com
> > > Subject: Re: [389-users] Password Policy not working fine
> > >
> > > Allan Gaston Hougham wrote:
> > > > Any suggestions??
> > >
> > > Did you not read my reply? See below
> > >
> > > >
> > > > Thanks!
> > > >
> > > > > Date: Thu, 3 Dec 2009 11:43:34 -0700
> > > > > From: rmeggins at redhat.com
> > > > > To: fedora-directory-users at redhat.com
> > > > > Subject: Re: [389-users] Password Policy not working fine
> > > > >
> > > > > Allan Gaston Hougham wrote:
> > > > > > I can't .. We have two errors:
> > > > > >
> > > > > > [root at dblvm32 ~]# passwd testsi
> > > > > > Changing password for user testsi.
> > > > > > Enter login(LDAP) password:
> > > > > > New UNIX password:
> > > > > > Retype new UNIX password:
> > > > > > LDAP password information update failed: Confidentiality required
> > > > > > Operation requires a secure connection.
> > > > > > passwd: Permission denied
> > > [begin rmeggins reply]
> > > > > Need to configure the directory server and nss_ldap/pam_ldap
> > > > > (/etc/ldap.conf) to use TLS
> > > [end rmeggins repl
> > > > > >
> > > > > > [root at dblvm32 ~]# ldappasswd testsi
> > > > > > SASL/EXTERNAL authentication started
> > > > > > ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
> > > > > > additional info: SASL(-4): no mechanism available:
> > > > > > [root at dblvm32 ~]#
> > > [begin rmeggins reply]
> > > > > ldappasswd -x to disable SASL auth
> > > [end rmeggins reply]
> > > > > >
> > > > > > What happened?? Thanks!!
> > > > > >
> > > > > > Allan
> > > > > >
> > > > > > > Date: Thu, 3 Dec 2009 09:58:04 -0700
> > > > > > > From: rmeggins at redhat.com
> > > > > > > To: fedora-directory-users at redhat.com
> > > > > > > Subject: Re: [389-users] Password Policy not working fine
> > > > > > >
> > > > > > > Allan Gaston Hougham wrote:
> > > > > > > > Hi, thanks for your response,
> > > > > > > >
> > > > > > > > We have Fedora-ds 1.2.2 2009.237.2054
> > > > > > > >
> > > > > > > > Platform:
> > > > > > > >
> > > > > > > > Linux zblhp36 2.6.18-8.1.14.el5 #1 SMP Tue Sep 25 11:45:55 EDT 2007 x86_64 x86_64 x86_64 GNU/Linux
> > > > > > > >
> > > > > > > > In this time we can apply any policies, but is not working "user must
> > > > > > > > change password after reset" and change password later that it expire
> > > > > > > >
> > > > > > > > This is the error with this ldap.conf:
> > > > > > > >
> > > > > > > > [root at yblhp35 openldap]# cat ldap.conf
> > > > > > > > #
> > > > > > > > # LDAP Defaults
> > > > > > > > #
> > > > > > > > # See ldap.conf(5) for details
> > > > > > > > # This file should be world readable but not world writable.
> > > > > > > > #BASE dc=example, dc=com
> > > > > > > > #URI ldap://ldap.example.com ldap://ldap-master.example.com:666
> > > > > > > > #SIZELIMIT 12
> > > > > > > > #TIMELIMIT 15
> > > > > > > > #DEREF never
> > > > > > > > #use_sasl on
> > > > > > > > URI ldap://zblhp36.ml.com/
> > > > > > > > BASE dc=ml,dc=com
> > > > > > > > suffix "ou=Infraestructura,ou=Sistemas,ou=Tronador,ou=Argentina"
> > > > > > > > suffix "ou=Arquitectura,ou=Sistemas,ou=Tronador,ou=Argentina"
> > > > > > > > #TLS_CACERTDIR /etc/openldap/cacerts
> > > > > > > > #TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt
> > > > > > > > TLS_REQCERT allow
> > > > > > > > bind_policy soft
> > > > > > > > ssl no
> > > > > > > > TLS_CACERTDIR /etc/openldap/cacerts
> > > > > > > > pam_password md5
> > > > > > > >
> > > > > > > > ERROR:
> > > > > > > >
> > > > > > > > WARNING: Your password has expired.
> > > > > > > > You must change your password now and login again!
> > > > > > > > Changing password for user testsi.
> > > > > > > > Enter login(LDAP) password:
> > > > > > > > LDAP Password incorrect: try again
> > > > > > > > Enter login(LDAP) password:
> > > > > > > > New UNIX password:
> > > > > > > > Retype new UNIX password:
> > > > > > > > LDAP password information update failed: Server is unwilling to
> > > > > > > > perform user is not allowed to change password
> > > > > > > > passwd: Permission denied
> > > > > > > >
> > > > > > > > And this is the error with this ldap.conf:
> > > > > > > >
> > > > > > > > [ahougham at dblvm32 ~]$ cat /etc/ldap.conf
> > > > > > > > #
> > > > > > > > # See ldap.conf(5) for details
> > > > > > > > # This file should be world readable but not world writable.
> > > > > > > > #BASE dc=example, dc=com
> > > > > > > > #URI ldap://ldap.example.com ldap://ldap-master.example.com:666
> > > > > > > > #SIZELIMIT 12
> > > > > > > > #TIMELIMIT 15
> > > > > > > > #DEREF never
> > > > > > > > #use_sasl on
> > > > > > > > HOST 172.16.100.186 172.16.102.49
> > > > > > > > URI ldaps://172.16.100.186 ldaps://172.16.102.49
> > > > > > > > BASE dc=ml,dc=com
> > > > > > > > suffix "ou=Infraestructura,ou=Sistemas,ou=Tronador,ou=Argentina"
> > > > > > > > suffix "ou=Arquitectura,ou=Sistemas,ou=Tronador,ou=Argentina"
> > > > > > > > #TLS_CACERTDIR /etc/openldap/cacerts/
> > > > > > > > #TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt
> > > > > > > > TLS_REQCERT allow
> > > > > > > > bind_policy soft
> > > > > > > > ssl no
> > > > > > > > tls_cacertdir /etc/openldap/cacerts
> > > > > > > > pam_password md5
> > > > > > > > uri ldap://zblhp36.ml.com/
> > > > > > > > base dc=ml,dc=com
> > > > > > > > # Search the root DSE for the password policy (works
> > > > > > > > # with Netscape Directory Server)
> > > > > > > > pam_lookup_policy yes
> > > > > > > > # Use the OpenLDAP password change
> > > > > > > > # extended operation to update the password.
> > > > > > > > pam_password exop
> > > > > > > >
> > > > > > > > WARNING: Your password has expired.
> > > > > > > > You must change your password now and login again!
> > > > > > > > Changing password for user testsi.
> > > > > > > > Enter login(LDAP) password:
> > > > > > > > New UNIX password:
> > > > > > > > Retype new UNIX password:
> > > > > > > > LDAP password information update failed: Confidentiality required
> > > > > > > > Operation requires a secure connection.
> > > > > > > >
> > > > > > > > Thanks in advance!!!
> > > > > > > Does it work if you use the ldappasswd command line tool?
> > > > > > > >
> > > > > > > > Allan
> > > > > > > >
> > > > > > > > > Date: Mon, 30 Nov 2009 08:11:51 -0700
> > > > > > > > > From: rmeggins at redhat.com
> > > > > > > > > To: fedora-directory-users at redhat.com
> > > > > > > > > Subject: Re: [389-users] Password Policy not working fine
> > > > > > > > >
> > > > > > > > > Allan Gaston Hougham wrote:
> > > > > > > > > > Dears,
> > > > > > > > > >
> > > > > > > > > > I have a problem with my passwords policies, I enabled "Enable
> > > > > > > > > > fine-grained password policy", I apply this but is not working fine.
> > > > > > > > > > I followed the steps of Administration Guide page 364 -
> > > > > > > > > >
> > > > > > > > > > *7.1.1.2. Configuring a Subtree/User Password Policy Using the Console*
> > > > > > > > > >
> > > > > > > > > > But it's not working, do I have to set anything more?
> > > > > > > > > > Can you help me?
> > > > > > > > > >
> > > > > > > > > What is your platform? What version of directory server? rpm -qi
> > > > > > > > > 389-ds-base (or fedora-ds-base)
> > > > > > > > > >
> > > > > > > > > > Thanks a lot in advance!
> > > > > > > > > >
> > > > > > > > > > Allan Hougham
> > > > > > > > > > --
> > > > > > > > > > 389 users mailing list
> > > > > > > > > > 389-users at redhat.com
> > > > > > > > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users
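Added example (not part of the original thread and not 389 project code): a small Python check for the situation Rich describes above, where pam_password exop is sent over a connection with no TLS and the server answers "Confidentiality required". Both configs are constructed, the first modelled on the second /etc/ldap.conf quoted in the thread; ldap.example.com and the finding codes are assumptions.

```python
# Added example: audit a pam_ldap/nss_ldap-style ldap.conf for the conditions
# behind "Confidentiality required". Both samples below are constructed.

# Modelled on the second /etc/ldap.conf quoted in the thread.
THREAD_CONF = """\
URI ldaps://172.16.100.186 ldaps://172.16.102.49
TLS_REQCERT allow
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
uri ldap://zblhp36.ml.com/
pam_password exop
"""

# Corrected variant; ldap.example.com is a placeholder host name.
FIXED_CONF = """\
uri ldap://ldap.example.com/
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
tls_checkpeer yes
TLS_REQCERT demand
pam_password exop
"""

def parse(text):
    """Map each directive (lower-cased) to the list of values it was given."""
    conf = {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            conf.setdefault(parts[0].lower(), []).append(parts[1].strip())
    return conf

def audit(text):
    """Return (code, detail) findings for one config file."""
    conf, findings = parse(text), []
    for key in ("uri", "pam_password", "ssl"):
        if len(set(conf.get(key, []))) > 1:      # same directive, different values
            findings.append(("conflict", f"{key} = {conf[key]}"))
    plain = [u for v in conf.get("uri", []) for u in v.split()
             if u.lower().startswith("ldap://")]
    if ("exop" in conf.get("pam_password", []) and plain
            and "start_tls" not in conf.get("ssl", [])):
        findings.append(("exop-cleartext", f"no TLS for {plain}"))
    if set(conf.get("tls_reqcert", [])) & {"never", "allow"}:
        findings.append(("weak-cert-check", "TLS_REQCERT accepts a bad server cert"))
    return findings

if __name__ == "__main__":
    for name, text in (("thread", THREAD_CONF), ("fixed", FIXED_CONF)):
        print(name, audit(text))
```

The "conflict" finding only reports that a directive appears with different values; which occurrence the client honours is not decided here.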