Re: Account Expiration Warning

Jamie McKnight wrote:
in /etc/ldap.conf, and that your pam stack is set up for pam_ldap
authentication.  Also, if you are using a proxy agent, the proxy agent
must not be able to see the userPassword attribute, or you will end up
authenticating via pam_unix, and not pam_ldap.

This could be the problem. I am using a proxy and not sure how to test what you are saying. If I do an ldapsearch such as:

ldapsearch -x -ZZ '(uid=tulsa)'

then that should bind via the entries in ldap.conf hence use the config'd proxy, correct? Then if that search shows a userPassword then that would confirm pam_unix usage? Not sure how to stop it if it is using pam_unix?



That's correct, if you can do a ldapsearch and bind as the proxyagent
and you see the userPassword attribute returned, then the directory
server has an ACI that allows read for your proxy agent of the
userPassword attribute.  You can just remove that ACI and it should at
that point not return the userPassword field, and pam_ldap
authentication would take place then.

For example:

ldapsearch -x -h ldapsrv -D "cn=proxyid,dc=blah" -W -b "ou=people,dc=blah" uid=tulsa

Where -D is the id listed as proxyagent in ldap.conf, and the password
supplied is for that id.  If userPassword is returned then you know what
is going on.

If this is not what is happening, check and make sure you don't have
rootbinddn and /etc/ldap.secret set up.  If it is actually binding as
your rootdn then that is what it could be as well.

Welp, I am stumped. Running various ldapsearches I got the results as they should be. Binding as the proxy, no userPassword, binding as an admin then I get the userPassword.

I looked in /etc/ and there is not an ldap.secret file, so I guess I do not have the rootbinddn setup.

I was thinking of removing the shadowExpire attributes but I am afraid if I do that then cron may stop working.

Not sure at this point.

Thanks,
jim




Jamie

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users

--
Jim Summers
School of Computer Science-University of Oklahoma
-------------------------------------------------
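The check Jamie describes (bind as the proxy agent from /etc/ldap.conf and see whether userPassword comes back) can be turned into a script that reads ldapsearch's LDIF output, so it is easy to repeat after an ACI change. The following is an added example, not code from the thread or from the directory server project. It assumes the LDIF is piped in from ldapsearch; the DNs, the `{SSHA}` hash and the entries embedded below are constructed samples, and the script name is hypothetical. It handles two things a plain `grep userPassword` gets wrong: LDIF line folding, and the `userPassword::` base64 form that OpenLDAP's ldapsearch normally prints for that attribute.

```python
"""Added example (not from the thread): test the proxy-agent check offline.

Pipe in the LDIF that ldapsearch prints when bound as the proxy agent, e.g.
    ldapsearch -x -LLL -h ldapsrv -D "cn=proxyid,dc=blah" -W \
        -b "ou=people,dc=blah" uid=tulsa | python3 check_userpassword.py
If userPassword comes back, the ACI lets that bind read password hashes and
pam_ldap is bypassed in favour of pam_unix, as described above.
"""
import base64
import sys


def parse_ldif(text):
    """Parse LDIF text into a list of {attribute: [values]} dicts.

    Folded lines (a line starting with one space continues the previous
    line) are joined first, and `attr:: <b64>` values are base64-decoded.
    Attribute names are lowercased because LDAP attribute types are
    case-insensitive.
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # unfold continuation line
        else:
            logical.append(raw)

    entries, current = [], None
    for line in logical:
        if line.startswith("#"):
            continue
        if not line.strip():                # blank line ends an entry
            if current:
                entries.append(current)
            current = None
            continue
        attr, _, value = line.partition(":")
        attr = attr.strip().lower()
        if value.startswith(":"):           # attr:: base64value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        elif value.startswith("<"):         # attr:< URL, keep the reference text
            value = value[1:].strip()
        else:
            value = value.strip()
        if current is None:
            current = {}
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def exposed_password_dns(text):
    """Return the DN of every entry for which userPassword was returned."""
    return [e["dn"][0] for e in parse_ldif(text) if "userpassword" in e]


# Constructed sample output as the proxy agent should see it (no userPassword).
PROXY_BIND_OUTPUT = """\
dn: uid=tulsa,ou=people,dc=example,dc=com
uid: tulsa
objectClass: posixAccount
objectClass: shadowAccount
shadowExpire: 13800
description: this value was fol
 ded across two lines by ldapsearch
"""

# The same entry as an over-privileged bind (e.g. the admin DN) would see it.
# The hash is a constructed placeholder, not a real password hash.
ADMIN_BIND_OUTPUT = PROXY_BIND_OUTPUT + "userPassword:: " + base64.b64encode(
    b"{SSHA}constructed-sample-hash").decode() + "\n"


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else ADMIN_BIND_OUTPUT
    dns = exposed_password_dns(data)
    for dn in dns:
        print("userPassword readable by this bind:", dn)
    print("ACI too permissive for this bind" if dns else "ok: no userPassword returned")
    sys.exit(1 if dns else 0)
```

Run it once bound as the proxy agent and once as an administrative DN: the first run should exit 0 and the second should list the entry, which is exactly the pair of results Jim reports further down. A non-zero exit on the proxy-agent run is the signal that the ACI still grants that bind read access to userPassword.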

