Hi
--
nsswitch.conf contains the following relevant lines, the rest is unchanged
passwd: ldap files
shadow: ldap files
group: ldap files
Maybe it is my ldap settings, please see /etc/ldap.conf below
bind_policy soft
URI ldap://ldap.server.ip
BASE dc=domain,dc=local
TLS_CACERTDIR /etc/openldap/cacerts
pam_password clear
pam_lookup_policy yes
pam_password exop
# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#idle_timelimit 3600
idle_timelimit 900
On Tue, Nov 13, 2012 at 1:59 PM, Grzegorz Dwornicki <gd1100@xxxxxxxxx> wrote:
What about NSS configuration? Maybe there is configuration making ssl mandatory?
Greg
On 13 Nov 2012 12:51, "Ali Jawad" <ali.jawad@xxxxxxxxxxxx> wrote:
Hi All
I am trying to change the password using passwd, please see the below:
[xyz@server ~]$ passwd
Changing password for user xyz.
Enter login(LDAP) password:
New UNIX password:
Retype new UNIX password:
LDAP password information update failed: Confidentiality required
Operation requires a secure connection.
The error log shows
Nov 13 11:47:17 HA-Dev-Nymgo-100-45 passwd: pam_unix(passwd:chauthtok): user "xyz" does not exist in /etc/passwd
PAM config follows:
/etc/pam.d/passwd
#%PAM-1.0
auth include system-auth
account include system-auth
password include system-auth
/etc/pam.d/system-auth
#/etc/pam.d/system-auth
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_unix.so
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account sufficient pam_unix.so
account sufficient pam_ldap.so use_first_pass
account required pam_deny.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
#password required pam_cracklib.so retry=3 minlen=2 dcredit=0 ucredit=0
#password sufficient pam_unix.so nullok use_authtok md5 shadow
#password sufficient pam_ldap.so
#password required pam_deny.so
session optional pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required pam_limits.so
session required pam_unix.so
session optional pam_ldap.so
On Tue, Nov 13, 2012 at 11:15 AM, Arpit Tolani <arpittolani@xxxxxxxxx> wrote:
Hello
Yes, passwd is right choice, considering you have pam_ldap.so properly
On Tue, Nov 13, 2012 at 1:10 PM, Ali Jawad <ali.jawad@xxxxxxxxxxxx> wrote:
> Hi Arpit
> Actually I was attempting to change the password using command line
>
> passwd
>
> I.e. each user changes his own password, is passwd the right choice here ?
>
configured & yes, passwd doesn't need ssl/tls to be configured.
> Regards
>
> On Mon, Nov 12, 2012 at 11:27 PM, Arpit Tolani <arpittolani@xxxxxxxxx>
> wrote:
>>
>> Hello
>>
>> On Tue, Nov 13, 2012 at 12:33 AM, Ali Jawad <ali.jawad@xxxxxxxxxxxx>
>> wrote:
>> > In that case I have a major overhaul that I need to complete, change
>> > password is not working for me, my assumption is that it only works with
>> > TLS
>> > enabled between the client and the server, I have tried to get TLS to
>> > run a
>> > few times but could not get it to run so far. Am I right about the
>> > assumption that I need encryption between the server and the clients for
>> > password change to work ?
>> > Regards
>> >
>>
>> When using the ldappasswd command, yes, ssl/tls is mandatory. Try changing the
>> password using ldapmodify; it doesn't require an ssl/tls connection.
>>
>> >
>> > On Mon, Nov 12, 2012 at 8:56 PM, Mark Reynolds <mareynol@xxxxxxxxxx>
>> > wrote:
>> >>
>> >> Only "crypt" uses the first 8 characters, so any other scheme would be
>> >> fine. After you change the scheme you will need to force all the users
>> >> to
>> >> change their passwords - otherwise their crypt passwords will still be
>> >> present.
>> >>
>> >>
>> >>
>> >> On 11/12/2012 01:52 PM, Ali Jawad wrote:
>> >>
>> >> Hi All
>> >> This is an all Linux environment with 389 being used as the sole
>> >> authentication mechanism, I do believe I am using crypt, I am out of
>> >> office
>> >> right now, what should I use instead of crypt to match more characters
>> >> ?
>> >> Regards
>> >>
>> >> On Mon, Nov 12, 2012 at 7:02 PM, Mark Reynolds <mareynol@xxxxxxxxxx>
>> >> wrote:
>> >>>
>> >>> Also what password storage scheme are you using? For example "crypt"
>> >>> only checks the first 8 characters of a password.
>> >>>
>> >>>
>> >>> On 11/12/2012 11:18 AM, Dan Lavu wrote:
>> >>>
>> >>> In regards to a password policy? Just 389 or are you using winsync
>> >>> with
>> >>> AD? Because the password policy from AD does not transfer over. Also
>> >>> there
>> >>> are some extra steps if you want to setup an OU based password policy
>> >>> but if
>> >>> you just do it for the entire directory through ‘configuration’ it
>> >>> works
>> >>> with no issues.
>> >>>
>> >>> Dan
>> >>>
>> >>> From: Ali Jawad <ali.jawad@xxxxxxxxxxxx>
>> >>> Sent: November 12, 2012 6:00 AM
>> >>> To: General discussion list for the 389 Directory server project.
>> >>> Subject: Password + anything works ?
>> >>>
>> >>> Hi
>> >>> I just noticed that you can use the password+ANYLetters and it will
>> >>> work,
>> >>> I.e. if the password is xyz xyz99 or xyzABC will work as well, is this
>> >>> a
>> >>> misconfiguration on my part or a bug ?
>> >>> Regards
>> >>>
>>
>> Regards
>> Arpit Tolani
>> --
>> 389 users mailing list
>> 389-users@xxxxxxxxxxxxxxxxxxxxxxx
>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>
>
>
>
> --
> Ali Jawad
> Information Systems Manager
> CISSP - PMP - ITIL V3 - RHCE - VCP - C|EH - CCNA - MCSA
> Splendor Telecom (www.splendor.net)
> Beirut, Lebanon
> Phone: +9611373725/ext 116
> FAX: +9611375554
>
>
>
> --
> 389 users mailing list
> 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/389-users
--
Regards
Arpit Tolani
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
--
Ali Jawad
Information Systems Manager
CISSP - PMP - ITIL V3 - RHCE - VCP - C|EH - CCNA - MCSA
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
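Added example, not code from the thread or from the nss_ldap/pam_ldap or 389 projects: a small Python audit of an nss_ldap/pam_ldap style ldap.conf that reports how a password change would travel to the directory server. The sample configuration is constructed from the directives quoted above with the server address replaced by a placeholder host; the rule that a repeated directive's last occurrence wins is an assumption of this example, and the mapping of "Confidentiality required" to LDAP result code 13 (confidentialityRequired, RFC 4511) is standard.

```python
"""Audit an nss_ldap/pam_ldap style ldap.conf for how a password change
would travel to the directory server. Added example; not code from the
thread or from the 389 / nss_ldap projects."""

# Constructed sample: the directives quoted in the thread, with the server
# address replaced by a placeholder host.
SAMPLE_LDAP_CONF = """\
bind_policy soft
URI ldap://ldap.example.invalid
BASE dc=domain,dc=local
TLS_CACERTDIR /etc/openldap/cacerts
pam_password clear
pam_lookup_policy yes
pam_password exop
# Idle timelimit; client will close connections
#idle_timelimit 3600
idle_timelimit 900
"""

# RFC 4511 result code a server answers with when it refuses an operation
# on an unprotected connection; 'Confidentiality required' in the thread is
# its textual name.
LDAP_CONFIDENTIALITY_REQUIRED = 13


def parse_ldap_conf(text):
    """Return {directive: [value, ...]}, keeping every occurrence in file
    order. Directive names are matched case-insensitively (the file in the
    thread mixes 'URI' and lowercase names); values are kept verbatim."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        directives.setdefault(key, []).append(value)
    return directives


def audit_password_transport(directives):
    """Return a list of (code, message) findings. Assumption of this
    example: when a directive is repeated, the last occurrence takes effect."""
    findings = []
    uris = directives.get("uri", [])
    ssl_mode = directives.get("ssl", ["off"])[-1].lower()
    # Encryption is on if the client starts TLS ('ssl start_tls' / 'ssl on')
    # or connects to an ldaps:// port.
    tls_in_use = ssl_mode in ("start_tls", "on") or any(
        u.lower().startswith("ldaps://") for u in uris)

    pam_pw = directives.get("pam_password", [])
    if len(pam_pw) > 1:
        findings.append((
            "DUPLICATE_PAM_PASSWORD",
            "pam_password is set %d times (%s); assuming the last one, '%s', "
            "is what pam_ldap uses" % (len(pam_pw), ", ".join(pam_pw), pam_pw[-1])))

    if not tls_in_use:
        findings.append((
            "NO_TLS",
            "URI %s without 'ssl start_tls'/'ssl on': the new password leaves "
            "the host unencrypted whether pam_password is 'clear' or 'exop', "
            "and a server that insists on a protected connection answers "
            "result %d (confidentialityRequired)" % (
                ", ".join(uris) or "<unset>", LDAP_CONFIDENTIALITY_REQUIRED)))
        if "tls_cacertdir" in directives or "tls_cacertfile" in directives:
            findings.append((
                "TLS_CA_UNUSED",
                "a CA certificate location is configured but TLS is never "
                "enabled, so it is never used"))
    return findings


if __name__ == "__main__":
    for code, msg in audit_password_transport(parse_ldap_conf(SAMPLE_LDAP_CONF)):
        print("%-24s %s" % (code, msg))
```

Run against the quoted configuration it reports the duplicated pam_password directive and the unencrypted ldap:// transport; the same file with `ssl start_tls` added (the CA directory is already configured) produces no findings.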
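Added example, not code from the thread or from the 389 project: a Python audit of an LDIF export that reports which storage scheme each userPassword value carries and lists the entries that still need a forced password change after a scheme switch, which is the follow-up Mark Reynolds describes above (a "crypt" value keeps only the first 8 characters, so "xyz" and "xyz99" compare equal). The LDIF and every hash value in it are constructed; the base64-encoded value and the folded line are there to exercise the parser.

```python
"""Report userPassword storage schemes in an LDIF export and list entries
whose password must be re-set. Added example; not code from the thread or
from the 389 Directory Server project."""
import base64
from collections import Counter

# Constructed LDIF export. Hash values are placeholders, not real hashes.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=domain,dc=local
uid: alice
userPassword: {crypt}ab.Xy9Qz1WqJk

dn: uid=bob,ou=People,dc=domain,dc=local
uid: bob
userPassword:: e1NTSEF9eHl6

dn: uid=carol,ou=People,dc=domain,dc=local
uid: carol
userPassword: {SSHA512}constructedHashValueThatIsLongEnoughToBe
 FoldedAcrossTwoLdifLines==

dn: uid=dave,ou=People,dc=domain,dc=local
uid: dave
userPassword: notHashedAtAll
"""


def parse_ldif_passwords(text):
    """Map each entry DN to the list of its userPassword values.
    Handles LDIF folding (a continuation line starts with one space) and
    base64 values ('attr:: value'); every other attribute is ignored."""
    logical = []
    for line in text.splitlines():
        if line.startswith(" ") and logical:
            logical[-1] += line[1:]          # unfold continuation line
        else:
            logical.append(line)

    entries = {}
    current_dn = None
    for line in logical:
        if not line.strip():
            current_dn = None                # blank line ends the entry
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        is_b64 = value.startswith(":")
        value = (value[1:] if is_b64 else value).strip()
        if is_b64:
            value = base64.b64decode(value).decode("utf-8", "replace")
        if attr.lower() == "dn":
            current_dn = value
            entries[current_dn] = []
        elif attr.lower() == "userpassword" and current_dn is not None:
            entries[current_dn].append(value)
    return entries


def password_scheme(value):
    """Lowercase {scheme} tag of a userPassword value, or 'none' when the
    value has no tag (the directory then treats it as cleartext)."""
    if value.startswith("{") and "}" in value:
        return value[1:value.index("}")].lower()
    return "none"


# Schemes that call for a forced password change: 'crypt' compares only the
# first 8 characters (the behaviour reported in the thread); an untagged or
# {clear} value is stored in cleartext.
ROTATE_SCHEMES = {"crypt", "clear", "none"}


def audit_schemes(entries):
    """Return {'counts': Counter of schemes, 'rotate': [DNs to re-set]}."""
    counts = Counter()
    rotate = []
    for dn, values in entries.items():
        schemes = [password_scheme(v) for v in values]
        counts.update(schemes)
        if any(s in ROTATE_SCHEMES for s in schemes):
            rotate.append(dn)
    return {"counts": counts, "rotate": rotate}


if __name__ == "__main__":
    report = audit_schemes(parse_ldif_passwords(SAMPLE_LDIF))
    for scheme, n in sorted(report["counts"].items()):
        print("%-10s %d" % (scheme, n))
    print("force a password change for:")
    for dn in report["rotate"]:
        print("  " + dn)
```

Changing the server's default scheme only affects passwords set after the change, so the "rotate" list is the set of accounts whose old crypt (or cleartext) value is still in place; re-running the audit after the forced change should leave it empty.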