Hi
nsswitch.conf contains the following relevant lines, the rest is unchanged

passwd: ldap files
shadow: ldap files
group: ldap files

Maybe it is my ldap settings, please see /etc/ldap.conf below

bind_policy soft
URI ldap://ldap.server.ip
BASE dc=domain,dc=local
TLS_CACERTDIR /etc/openldap/cacerts
pam_password clear
pam_lookup_policy yes
pam_password exop
# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#idle_timelimit 3600
idle_timelimit 900

On Tue, Nov 13, 2012 at 1:59 PM, Grzegorz Dwornicki <gd1...@gmail.com> wrote:
> What about NSS configuration? Maybe there is configuration making ssl
> mandatory?
>
> Greg
> On 13 Nov 2012 12:51, "Ali Jawad" <ali.ja...@splendor.net> wrote:
>
>> Hi All
>> I am trying to change the password using passwd, please see the below :
>>
>> [xyz@server ~]$ passwd
>> Changing password for user xyz.
>> Enter login(LDAP) password:
>> New UNIX password:
>> Retype new UNIX password:
>> *LDAP password information update failed: Confidentiality required*
>> *Operation requires a secure connection.*
>>
>> The error log shows
>> Nov 13 11:47:17 HA-Dev-Nymgo-100-45 passwd: pam_unix(passwd:chauthtok): user "xyz" does not exist in /etc/passwd
>>
>> Pam config follows :
>>
>> /etc/pam.d/passwd
>> #%PAM-1.0
>> auth include system-auth
>> account include system-auth
>> password include system-auth
>>
>> /etc/pam.d/system-auth
>>
>> #/etc/pam.d/system-auth
>> #%PAM-1.0
>>
>> auth required pam_env.so
>> auth sufficient pam_unix.so
>> auth sufficient pam_ldap.so use_first_pass
>> auth required pam_deny.so
>>
>> account sufficient pam_unix.so
>> account sufficient pam_ldap.so use_first_pass
>> account required pam_deny.so
>>
>> password requisite pam_cracklib.so try_first_pass retry=3
>> password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
>> password sufficient pam_ldap.so use_authtok
>> password required pam_deny.so
>>
>> #password required pam_cracklib.so retry=3 minlen=2 dcredit=0 ucredit=0
>> #password sufficient pam_unix.so nullok use_authtok md5 shadow
>> #password sufficient pam_ldap.so
>> #password required pam_deny.so
>>
>> session optional pam_mkhomedir.so skel=/etc/skel/ umask=0022
>> session required pam_limits.so
>> session required pam_unix.so
>> session optional pam_ldap.so
>>
>> On Tue, Nov 13, 2012 at 11:15 AM, Arpit Tolani <arpittol...@gmail.com> wrote:
>>
>>> Hello
>>>
>>> On Tue, Nov 13, 2012 at 1:10 PM, Ali Jawad <ali.ja...@splendor.net> wrote:
>>> > Hi Arpit
>>> > Actually I was attempting to change the password using command line
>>> >
>>> > passwd
>>> >
>>> > I.e. each user changes his own password, is passwd the right choice here ?
>>> >
>>>
>>> Yes, passwd is the right choice, considering you have pam_ldap.so properly
>>> configured & yes, passwd doesn't need ssl/tls to be configured.
>>>
>>> > Regards
>>> >
>>> > On Mon, Nov 12, 2012 at 11:27 PM, Arpit Tolani <arpittol...@gmail.com> wrote:
>>> >>
>>> >> Hello
>>> >>
>>> >> On Tue, Nov 13, 2012 at 12:33 AM, Ali Jawad <ali.ja...@splendor.net> wrote:
>>> >> > In that case I have a major overhaul that I need to complete, change
>>> >> > password is not working for me, my assumption is that it only works with
>>> >> > TLS enabled between the client and the server, I have tried to get TLS to
>>> >> > run a few times but could not get it to run so far. Am I right about the
>>> >> > assumption that I need encryption between the server and the clients for
>>> >> > password change to work ?
>>> >> > Regards
>>> >> >
>>> >>
>>> >> When using the ldappasswd command, yes, ssl/tls is mandatory. Try changing
>>> >> the password using ldapmodify, it doesn't require an ssl/tls connection.
>>> >>
>>> >> >
>>> >> > On Mon, Nov 12, 2012 at 8:56 PM, Mark Reynolds <marey...@redhat.com> wrote:
>>> >> >>
>>> >> >> Only "crypt" uses the first 8 characters, so any other scheme would be
>>> >> >> fine. After you change the scheme you will need to force all the users
>>> >> >> to change their passwords - otherwise their crypt passwords will still be
>>> >> >> present.
>>> >> >>
>>> >> >> On 11/12/2012 01:52 PM, Ali Jawad wrote:
>>> >> >>
>>> >> >> Hi All
>>> >> >> This is an all Linux environment with 389 being used as the sole
>>> >> >> authentication mechanism, I do believe I am using crypt, I am out of
>>> >> >> office right now, what should I use instead of crypt to match more
>>> >> >> characters ?
>>> >> >> Regards
>>> >> >>
>>> >> >> On Mon, Nov 12, 2012 at 7:02 PM, Mark Reynolds <marey...@redhat.com> wrote:
>>> >> >>>
>>> >> >>> Also what password storage scheme are you using? For example "crypt"
>>> >> >>> only checks the first 8 characters of a password.
>>> >> >>>
>>> >> >>> On 11/12/2012 11:18 AM, Dan Lavu wrote:
>>> >> >>>
>>> >> >>> In regards to a password policy? Just 389 or are you using winsync with
>>> >> >>> AD? Because the password policy from AD does not transfer over. Also there
>>> >> >>> are some extra steps if you want to setup an OU based password policy,
>>> >> >>> but if you just do it for the entire directory through 'configuration' it
>>> >> >>> works with no issues.
>>> >> >>>
>>> >> >>> Dan
>>> >> >>>
>>> >> >>> From: Ali Jawad <ali.ja...@splendor.net>
>>> >> >>> Sent: November 12, 2012 6:00 AM
>>> >> >>> To: General discussion list for the 389 Directory server project.
>>> >> >>> Subject: [389-users] Password + anything works ?
>>> >> >>>
>>> >> >>> Hi
>>> >> >>> I just noticed that you can use the password+ANYLetters and it will work,
>>> >> >>> I.e. if the password is xyz, xyz99 or xyzABC will work as well, is this
>>> >> >>> a misconfiguration on my part or a bug ?
>>> >> >>> Regards
>>> >>
>>> >> Regards
>>> >> Arpit Tolani
>>> >> --
>>> >> 389 users mailing list
>>> >> 389-users@lists.fedoraproject.org
>>> >> https://admin.fedoraproject.org/mailman/listinfo/389-users
>>> >
>>> > --
>>> > Ali Jawad
>>> > Information Systems Manager
>>> > CISSP - PMP - ITIL V3 - RHCE - VCP - C|EH - CCNA - MCSA
>>> > Splendor Telecom (www.splendor.net)
>>> > Beirut, Lebanon
>>> > Phone: +9611373725/ext 116
>>> > FAX: +9611375554
>>>
>>> --
>>> Regards
>>> Arpit Tolani
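Mark's point above, that users' old {CRYPT} hashes survive a server-side storage-scheme change until each user actually resets their password, implies an audit step before the old scheme can be considered gone. The following is an added example, not code from this thread or from 389 DS: it parses a constructed LDIF export of the kind `db2ldif` produces (the hash values are dummies) and lists the entries whose `userPassword` still carries a legacy scheme prefix, or no prefix at all, so those accounts can be forced to reset.

```python
import base64

# Constructed sample export (not from the thread); the hash values are dummies.
BOB_B64 = base64.b64encode(b"{SSHA}dummy").decode()   # LDIF writes such values as '::' base64
SAMPLE_LDIF = (
    "dn: uid=alice,ou=People,dc=domain,dc=local\n"
    "userPassword: {CRYPT}abJnggxhB/yWI\n"            # old scheme: still needs a reset
    "\n"
    "dn: uid=bob,ou=People,dc=domain,dc=local\n"
    f"userPassword:: {BOB_B64}\n"
    "\n"
    "dn: uid=carol,ou=People,dc=domain,dc=local\n"
    "userPassword: {PBKDF2_SHA256}AAAI\n"
    " AGR1bW15\n"                                      # LDIF folded continuation line
    "\n"
    "dn: uid=dave,ou=People,dc=domain,dc=local\n"
    "userPassword: plaintext-value\n"                  # no scheme prefix at all
)

def parse_ldif(text):
    """Return [(dn, {attr_lower: [values]})]: unfold lines, split entries, decode '::' base64."""
    entries = []
    for block in text.replace("\n ", "").split("\n\n"):  # unfold, then split on blank lines
        attrs = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):                     # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        if attrs:
            entries.append((attrs.get("dn", [""])[0], attrs))
    return entries

def password_schemes(text):
    """Map each DN to its userPassword storage scheme ('CLEAR' when there is no prefix)."""
    schemes = {}
    for dn, attrs in parse_ldif(text):
        for pw in attrs.get("userpassword", []):
            has_prefix = pw.startswith("{") and "}" in pw
            schemes[dn] = pw[1:pw.index("}")].upper() if has_prefix else "CLEAR"
    return schemes

def needs_reset(text, legacy=("CRYPT", "CLEAR")):
    """DNs whose password must be changed before the old scheme is really gone."""
    return {dn: s for dn, s in password_schemes(text).items() if s in legacy}
```

Run `needs_reset()` on a real export after changing the scheme; the returned DNs are the accounts that still hold a pre-change hash.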