Fulda, Paul R (IS) wrote:

> Do not remember where I read that the SSL/TLS is required. But if that
> is the case, I cannot get the Password Policy to work. For instance,
> prior to messing around with SSL, I set in the Password Policy to
> require the user to choose a new password after reset. I reset the
> user's password in the Directory Server and when the user typed that
> password in on a client machine it did not prompt him to change his
> password. Also, none of the password complexity settings worked
> either. Could it be that PAM is overriding the Directory Server and if
> it is how do I bypass PAM?

man pam_ldap

> *From:* 389-users-bounces@xxxxxxxxxxxxxxxxxxxxxxx
> [mailto:389-users-bounces@xxxxxxxxxxxxxxxxxxxxxxx] *On Behalf Of* Nathan Kinder
> *Sent:* Thursday, January 14, 2010 1:14 PM
> *To:* General discussion list for the 389 Directory server project.
> *Subject:* Re: [389-users] Help with setting up Password Policy and SSL/TLS
>
> On 01/14/2010 10:56 AM, Fulda, Paul R (IS) wrote:
>
>> Hi,
>>
>> I am trying to configure the Password Policy for my users and read
>> that you would not be able to use the Policy unless you set up SSL/TLS.
>
> Where did you read this? SSL/TLS is not required to use the password
> policy features.
>
>> I am using 389 Server version 1.2.2. Also I am running the Server on
>> Fedora 11 64 bit. All clients are also Fedora 11 64 bit.
>>
>> I followed the instructions in setting up SSL here at
>> http://directory.fedoraproject.org/wiki/Howto:SSL
>>
>> I ran the setupssl2.sh script and it completed with no errors. In the
>> 389 Admin Console I could see the certificates for both the Admin
>> Server and DS Server in the Manage Certificates screens.
>>
>> Also, I do not want to use SSL for the Admin Server or the Admin
>> Console. I just want to be able to use it for user authentication so
>> the Password Policy works.
>>
>> Bottom line is that I cannot get both features (Password Policies and
>> SSL) working. Any help would be greatly appreciated.
>>
>> Up to this point here are my questions:
>>
>> 1) In the Directory Server GUI from the 389 Admin Console what
>> certificate do I use to populate the Certificate field in the
>> Encryption Tab?
>>
>> There are 3 choices it provides after running the setupssl2.sh script
>> which are CA Certificate, server-cert, and server-Cert.
>
> The one named "Server-Cert" should be used for the Directory Server.
>
>> 2) In the Client Authentication Block in the same Encryption Tab as #1
>> above, I have selected "Require client authentication". Is this correct?
>>
>> Is this how you force the Directory Server to use only port 636 for
>> secure communications? If not, how do you do that?
>
> No. Client authentication refers to using a client certificate to
> authenticate as opposed to a bind DN and password. You most likely
> don't want to do this. If you truly want to only use port 636, you can
> set nsslapd-listenport to "0", but all of your clients will be
> required to use LDAPS over port 636. You should be really sure that
> this is what you want.
>
>> 3) What are the differences between /etc/openldap/ldap.conf and
>> /etc/ldap.conf? What are the client configurations needed to make this
>> work?
>
> /etc/openldap/ldap.conf is the OpenLDAP client config file.
> /etc/ldap.conf is the config file for nss_ldap and pam_ldap.
>
>> The only ldap.conf file that
>> http://directory.fedoraproject.org/wiki/Howto:SSL talks about
>> configuring is the /etc/openldap/ldap.conf file.
>>
>> My /etc/openldap/ldap.conf file looks like this:
>>
>>     URI ldap://hadmina.eidev.ngc.com/
>>     BASE dc=eidev, dc=ngc, dc=com
>>     TLS_CACERT /etc/openldap/cacerts
>>     TLS_REQCERT allow
>>
>> 4) How do you get the certificate on the client machines? What I did
>> was copy from the server the cacert.asc file that is located in
>> /etc/dirsrv/slapd-hadmina to the client machine in the
>> /etc/openldap/cacerts directory. Is this correct?
>>
>> Thanks and I hope there is someone out there that can help me get this
>> working!
>>
>> Paul
>>
>> --
>> 389 users mailing list
>> 389-users@xxxxxxxxxxxxxxxxxxxxxxx
>> https://admin.fedoraproject.org/mailman/listinfo/389-users
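The /etc/openldap/ldap.conf quoted in the thread points TLS_CACERT at a directory and sets TLS_REQCERT allow, which lets a client bind (and send the password) even when the server certificate cannot be verified. The following is an added example, not code from the thread or from the 389 project: a POSIX sh lint for those two settings, run against constructed copies of the weak file and a hardened one; the hardened file assumes the cacert.asc copied from the server is a PEM CA certificate.

```shell
#!/bin/sh
# Added example (not from the thread): lint an OpenLDAP client ldap.conf for
# the weaknesses in the config quoted above. Sample files are constructed; the
# hardened one assumes the copied cacert.asc is a PEM CA certificate.

# Print one finding per line for the ldap.conf named by $1 (nothing if clean).
lint_ldap_conf() {
    conf="$1"
    # Only "demand" (the default when unset) and "hard" reject an unverifiable
    # server certificate; "allow", "try" and "never" let the bind proceed.
    reqcert=$(awk 'toupper($1)=="TLS_REQCERT" {print tolower($2); exit}' "$conf")
    case "$reqcert" in
        ""|demand|hard) ;;
        *) echo "TLS_REQCERT $reqcert: server certificate is not verified" ;;
    esac
    # TLS_CACERT must name a PEM file; a directory of hashed certs is TLS_CACERTDIR.
    cacert=$(awk 'toupper($1)=="TLS_CACERT" {print $2; exit}' "$conf")
    if [ -n "$cacert" ] && [ ! -f "$cacert" ]; then
        echo "TLS_CACERT $cacert: not a file (a directory belongs in TLS_CACERTDIR)"
    fi
}

# Count findings, for callers that only need a number.
count_findings() {
    lint_ldap_conf "$1" | wc -l | tr -d ' '
}

# Build constructed samples under $1: a cacerts directory with a placeholder
# CA file, the weak config as quoted in the thread, and a hardened version.
make_samples() {
    dir="$1"
    mkdir -p "$dir/cacerts"
    : > "$dir/cacerts/cacert.asc"   # stands in for the CA cert copied from the server
    common='URI ldap://hadmina.eidev.ngc.com/
BASE dc=eidev, dc=ngc, dc=com'
    printf '%s\nTLS_CACERT %s/cacerts\nTLS_REQCERT allow\n' \
        "$common" "$dir" > "$dir/ldap.conf.weak"
    printf '%s\nTLS_CACERT %s/cacerts/cacert.asc\nTLS_REQCERT demand\n' \
        "$common" "$dir" > "$dir/ldap.conf.hardened"
}

main() {
    tmp=$(mktemp -d)
    make_samples "$tmp"
    for f in weak hardened; do
        echo "== ldap.conf.$f"; lint_ldap_conf "$tmp/ldap.conf.$f"
    done
    rm -rf "$tmp"
}
main
```

With the hardened file in place, `ldapsearch -x -ZZ -s base -b ''` on a client fails instead of silently continuing when the server certificate does not chain to the file named in TLS_CACERT.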