Re: [389-users] Password Policy not working fine

Allan Gaston Hougham wrote:
Hi Rich,
Sorry, I saw your answer now..
With our settings on ldap.conf the error is:
> > > > Changing password for user testsi.
> > > > Enter login(LDAP) password:
> > > > New UNIX password:
> > > > Retype new UNIX password:
> > > > LDAP password information update failed: Confidentiality required
> > > > Operation requires a secure connection.
> > > > passwd: Permission denied

What is the shortcut to resolve this problem?
1 - We need to run this command: ldappasswd -x to disable SASL auth
2 - We need to make these settings? Need to configure the directory server and nss_ldap/pam_ldap
(/etc/ldap.conf) to use TLS

It is not important to have a secure connection in authentication.
We need our policies working fine.
I think that we aren't using ldappasswd...
ldappasswd uses the password extended operation, just like pam_password exop. In order to use this extended operation, you must use a secure connection, which means TLS/SSL or SASL with a negotiated security layer.

So you either need to configure your LDAP server and client to use TLS, or use something like ldapmodify to change the userPassword attribute directly (i.e. don't use the passwd command).
Thanks in advance!!
Allan

> Date: Fri, 4 Dec 2009 11:03:53 -0700
> From: rmeggins@xxxxxxxxxx
> To: fedora-directory-users@xxxxxxxxxx
> Subject: Re: [389-users] Password Policy not working fine
>
> Allan Gaston Hougham wrote:
> > Any suggestions??
>
> Did you not read my reply? See below
> >
> > Thanks!
> >
> > > Date: Thu, 3 Dec 2009 11:43:34 -0700
> > > From: rmeggins@xxxxxxxxxx
> > > To: fedora-directory-users@xxxxxxxxxx
> > > Subject: Re: [389-users] Password Policy not working fine
> > >
> > > Allan Gaston Hougham wrote:
> > > > I can't.. We have two errors:
> > > >
> > > > [root@dblvm32 ~]# passwd testsi
> > > > Changing password for user testsi.
> > > > Enter login(LDAP) password:
> > > > New UNIX password:
> > > > Retype new UNIX password:
> > > > LDAP password information update failed: Confidentiality required
> > > > Operation requires a secure connection.
> > > > passwd: Permission denied
> [begin rmeggins reply]
> > > Need to configure the directory server and nss_ldap/pam_ldap
> > > (/etc/ldap.conf) to use TLS
> [end rmeggins reply]
> > > >
> > > > [root@dblvm32 ~]# ldappasswd testsi
> > > > SASL/EXTERNAL authentication started
> > > > ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
> > > > additional info: SASL(-4): no mechanism available:
> > > > [root@dblvm32 ~]#
> [begin rmeggins reply]
> > > ldappasswd -x to disable SASL auth
> [end rmeggins reply]
> > > >
> > > >
> > > > What happened?? Thanks!!
> > > >
> > > >
> > > > Allan
> > > >
> > > >
> > > > > Date: Thu, 3 Dec 2009 09:58:04 -0700
> > > > > From: rmeggins@xxxxxxxxxx
> > > > > To: fedora-directory-users@xxxxxxxxxx
> > > > > Subject: Re: [389-users] Password Policy not working fine
> > > > >
> > > > > Allan Gaston Hougham wrote:
> > > > > > Hi, thanks for you response,
> > > > > >
> > > > > > We have Fedora-ds 1.2.2 2009.237.2054
> > > > > >
> > > > > > Platform:
> > > > > >
> > > > > > Linux zblhp36 2.6.18-8.1.14.el5 #1 SMP Tue Sep 25 11:45:55 EDT 2007 x86_64 x86_64 x86_64 GNU/Linux
> > > > > >
> > > > > > At this time we can apply any policies, but it is not working: "user must change password after reset" and change password after it expires
> > > > > >
> > > > > > This is the error with this ldap.conf:
> > > > > >
> > > > > > [root@yblhp35 openldap]# cat ldap.conf
> > > > > > #
> > > > > > # LDAP Defaults
> > > > > > #
> > > > > > # See ldap.conf(5) for details
> > > > > > # This file should be world readable but not world writable.
> > > > > > #BASE dc=example, dc=com
> > > > > > #URI ldap://ldap.example.com ldap://ldap-master.example.com:666
> > > > > > #SIZELIMIT 12
> > > > > > #TIMELIMIT 15
> > > > > > #DEREF never
> > > > > > #use_sasl on
> > > > > > URI ldap://zblhp36.ml.com/
> > > > > > BASE dc=ml,dc=com
> > > > > > suffix "ou=Infraestructura,ou=Sistemas,ou=Tronador,ou=Argentina"
> > > > > > suffix "ou=Arquitectura,ou=Sistemas,ou=Tronador,ou=Argentina"
> > > > > > #TLS_CACERTDIR /etc/openldap/cacerts
> > > > > > #TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt
> > > > > > TLS_REQCERT allow
> > > > > > bind_policy soft
> > > > > > ssl no
> > > > > > TLS_CACERTDIR /etc/openldap/cacerts
> > > > > > pam_password md5
> > > > > >
> > > > > > ERROR:
> > > > > >
> > > > > > WARNING: Your password has expired.
> > > > > > You must change your password now and login again!
> > > > > > Changing password for user testsi.
> > > > > > Enter login(LDAP) password:
> > > > > > LDAP Password incorrect: try again
> > > > > > Enter login(LDAP) password:
> > > > > > New UNIX password:
> > > > > > Retype new UNIX password:
> > > > > > LDAP password information update failed: Server is unwilling to
> > > > > > perform user is not allowed to change password
> > > > > > passwd: Permission denied
> > > > > >
> > > > > >
> > > > > > And this is the error with this ldap.conf:
> > > > > >
> > > > > >
> > > > > > [ahougham@dblvm32 ~]$ cat /etc/ldap.conf
> > > > > > #
> > > > > > # See ldap.conf(5) for details
> > > > > > # This file should be world readable but not world writable.
> > > > > > #BASE dc=example, dc=com
> > > > > > #URI ldap://ldap.example.com ldap://ldap-master.example.com:666
> > > > > > #SIZELIMIT 12
> > > > > > #TIMELIMIT 15
> > > > > > #DEREF never
> > > > > > #use_sasl on
> > > > > > HOST 172.16.100.186 172.16.102.49
> > > > > > URI ldaps://172.16.100.186 ldaps://172.16.102.49
> > > > > > BASE dc=ml,dc=com
> > > > > > suffix "ou=Infraestructura,ou=Sistemas,ou=Tronador,ou=Argentina"
> > > > > > suffix "ou=Arquitectura,ou=Sistemas,ou=Tronador,ou=Argentina"
> > > > > > #TLS_CACERTDIR /etc/openldap/cacerts/
> > > > > > #TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt
> > > > > > TLS_REQCERT allow
> > > > > > bind_policy soft
> > > > > > ssl no
> > > > > > tls_cacertdir /etc/openldap/cacerts
> > > > > > pam_password md5
> > > > > > uri ldap://zblhp36.ml.com/
> > > > > > base dc=ml,dc=com
> > > > > > # Search the root DSE for the password policy (works
> > > > > > # with Netscape Directory Server)
> > > > > > pam_lookup_policy yes
> > > > > > # Use the OpenLDAP password change
> > > > > > # extended operation to update the password.
> > > > > > pam_password exop
> > > > > >
> > > > > >
> > > > > > WARNING: Your password has expired.
> > > > > > You must change your password now and login again!
> > > > > > Changing password for user testsi.
> > > > > > Enter login(LDAP) password:
> > > > > > New UNIX password:
> > > > > > Retype new UNIX password:
> > > > > > LDAP password information update failed: Confidentiality required
> > > > > > Operation requires a secure connection.
> > > > > >
> > > > > >
> > > > > >
> > > > > > Thanks in advance!!!
> > > > > Does it work if you use the ldappasswd command line tool?
> > > > > >
> > > > > >
> > > > > > Allan
> > > > > >
> > > > > >
> > > > > > > Date: Mon, 30 Nov 2009 08:11:51 -0700
> > > > > > > From: rmeggins@xxxxxxxxxx
> > > > > > > To: fedora-directory-users@xxxxxxxxxx
> > > > > > > Subject: Re: [389-users] Password Policy not working fine
> > > > > > >
> > > > > > > Allan Gaston Hougham wrote:
> > > > > > > > Dears,
> > > > > > > >
> > > > > > > > I have a problem with my password policies, I enabled "Enable fine-grained password policy", I applied this but it is not working fine.
> > > > > > > > I followed the steps of Administration Guide page 364 -
> > > > > > > >
> > > > > > > > *7.1.1.2. Configuring a Subtree/User Password Policy Using the Console*
> > > > > > > >
> > > > > > > > But it's not working, I have that setting any more?
> > > > > > > > Can you help me?
> > > > > > > >
> > > > > > > What is your platform? What version of directory server? rpm -qi
> > > > > > > 389-ds-base (or fedora-ds-base)
> > > > > > > >
> > > > > > > > Thanks a lot in advance!
> > > > > > > >
> > > > > > > > Allan Hougham
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > --
> > > > > > > > 389 users mailing list
> > > > > > > > 389-users@xxxxxxxxxx
> > > > > > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> > > > > > > >
> > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > > >
> > > >
> > > >
> > >
> >
> >
> >
>



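What pam_password exop and ldappasswd actually put on the wire, as an added example that is not part of this thread: the RFC 3062 Password Modify extended request carries the old and new password verbatim, which is why 389 DS answers "Confidentiality required" (resultCode 13) unless the session is protected by TLS/SSL or a SASL security layer. The DN, passwords and response bytes below are constructed for illustration.

```python
# Added example, not from the thread: build the RFC 3062 Password Modify
# extended request that pam_password exop / ldappasswd send, and decode the
# refusal 389 DS returns over a cleartext session. The DN, passwords and the
# response bytes below are constructed for illustration.
PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"  # passwdModifyOID, RFC 3062
CONFIDENTIALITY_REQUIRED = 13                  # LDAP resultCode, RFC 4511

def ber_len(n: int) -> bytes:
    """Definite-form BER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(value)) + value

def passwd_modify_value(user_dn: str, old_pw: str, new_pw: str) -> bytes:
    """PasswdModifyRequestValue ::= SEQUENCE { userIdentity [0], oldPasswd [1], newPasswd [2] }"""
    return tlv(0x30, tlv(0x80, user_dn.encode())
                     + tlv(0x81, old_pw.encode())
                     + tlv(0x82, new_pw.encode()))

def ldap_extended_request(msg_id: int, user_dn: str, old_pw: str, new_pw: str) -> bytes:
    """LDAPMessage { messageID (single byte here), ExtendedRequest [APPLICATION 23] }"""
    ext = tlv(0x77, tlv(0x80, PASSWD_MODIFY_OID.encode())
                    + tlv(0x81, passwd_modify_value(user_dn, old_pw, new_pw)))
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + ext)

def secrets_exposed(pdu: bytes, old_pw: str, new_pw: str) -> bool:
    """True when both passwords sit verbatim in the PDU: without TLS/SSL or a
    SASL security layer they would cross the network in the clear."""
    return old_pw.encode() in pdu and new_pw.encode() in pdu

def result_code(pdu: bytes) -> int:
    """resultCode of a minimal ExtendedResponse [APPLICATION 24] (short-form lengths)."""
    assert pdu[0] == 0x30 and pdu[2] == 0x02        # LDAPMessage, INTEGER messageID
    op = 4 + pdu[3]                                 # first byte of the protocolOp
    assert pdu[op] == 0x78 and pdu[op + 2] == 0x0A  # ExtendedResponse, ENUMERATED
    return int.from_bytes(pdu[op + 4:op + 4 + pdu[op + 3]], "big")

# Constructed sample of the refusal seen in the thread: resultCode 13 with the
# diagnosticMessage "Operation requires a secure connection.", empty matchedDN.
SAMPLE_REFUSAL = tlv(0x30, tlv(0x02, b"\x02") + tlv(0x78,
    tlv(0x0A, bytes([CONFIDENTIALITY_REQUIRED])) + tlv(0x04, b"")
    + tlv(0x04, b"Operation requires a secure connection.")))
```

Rich's two options map directly onto this: StartTLS/LDAPS wraps the whole PDU, while the ldapmodify route replaces the extended operation with a plain modify of userPassword (which also deserves TLS, since the value is equally visible).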
