Hi, yes, ldap.conf is only what is listed. Yes, you are right, there are two pam_password lines, that is wrong. I prefer not to use crypt if possible as I do not want to be limited to 8-character passwords. Does that make sense?
Regards

On Tue, Nov 13, 2012 at 2:38 PM, Grzegorz Dwornicki <gd1...@gmail.com> wrote:
> Sorry, my bad, I was thinking about ldap.conf but said nss...
>
> Does ldap.conf contain only these lines? Why do you use pam_password clear and then exop? Try crypt.
>
> Greg.
>
> 13 Nov 2012 13:18, "Ali Jawad" <ali.ja...@splendor.net> wrote:
>> Hi
>> nsswitch.conf contains the following relevant lines, the rest is unchanged
>>
>> passwd: ldap files
>> shadow: ldap files
>> group: ldap files
>>
>> Maybe it is my ldap settings, please see /etc/ldap.conf below
>>
>> bind_policy soft
>> URI ldap://ldap.server.ip
>> BASE dc=domain,dc=local
>> TLS_CACERTDIR /etc/openldap/cacerts
>> pam_password clear
>> pam_lookup_policy yes
>> pam_password exop
>> # Idle timelimit; client will close connections
>> # (nss_ldap only) if the server has not been contacted
>> # for the number of seconds specified below.
>> #idle_timelimit 3600
>> idle_timelimit 900
>>
>> On Tue, Nov 13, 2012 at 1:59 PM, Grzegorz Dwornicki <gd1...@gmail.com> wrote:
>>> What about NSS configuration? Maybe there is configuration making ssl mandatory?
>>>
>>> Greg
>>>
>>> 13 Nov 2012 12:51, "Ali Jawad" <ali.ja...@splendor.net> wrote:
>>>> Hi All
>>>> I am trying to change the password using passwd, please see the below:
>>>>
>>>> [xyz@server ~]$ passwd
>>>> Changing password for user xyz.
>>>> Enter login(LDAP) password:
>>>> New UNIX password:
>>>> Retype new UNIX password:
>>>> LDAP password information update failed: Confidentiality required
>>>> Operation requires a secure connection.
>>>>
>>>> The error log shows
>>>> Nov 13 11:47:17 HA-Dev-Nymgo-100-45 passwd: pam_unix(passwd:chauthtok): user "xyz" does not exist in /etc/passwd
>>>>
>>>> Pam config follows:
>>>>
>>>> /etc/pam.d/passwd
>>>> #%PAM-1.0
>>>> auth include system-auth
>>>> account include system-auth
>>>> password include system-auth
>>>>
>>>> /etc/pam.d/system-auth
>>>>
>>>> #/etc/pam.d/system-auth
>>>> #%PAM-1.0
>>>>
>>>> auth required pam_env.so
>>>> auth sufficient pam_unix.so
>>>> auth sufficient pam_ldap.so use_first_pass
>>>> auth required pam_deny.so
>>>>
>>>> account sufficient pam_unix.so
>>>> account sufficient pam_ldap.so use_first_pass
>>>> account required pam_deny.so
>>>>
>>>> password requisite pam_cracklib.so try_first_pass retry=3
>>>> password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
>>>> password sufficient pam_ldap.so use_authtok
>>>> password required pam_deny.so
>>>>
>>>> #password required pam_cracklib.so retry=3 minlen=2 dcredit=0 ucredit=0
>>>> #password sufficient pam_unix.so nullok use_authtok md5 shadow
>>>> #password sufficient pam_ldap.so
>>>> #password required pam_deny.so
>>>>
>>>> session optional pam_mkhomedir.so skel=/etc/skel/ umask=0022
>>>> session required pam_limits.so
>>>> session required pam_unix.so
>>>> session optional pam_ldap.so
>>>>
>>>> On Tue, Nov 13, 2012 at 11:15 AM, Arpit Tolani <arpittol...@gmail.com> wrote:
>>>>> Hello
>>>>>
>>>>> On Tue, Nov 13, 2012 at 1:10 PM, Ali Jawad <ali.ja...@splendor.net> wrote:
>>>>>> Hi Arpit
>>>>>> Actually I was attempting to change the password using the command line
>>>>>>
>>>>>> passwd
>>>>>>
>>>>>> i.e. each user changes his own password. Is passwd the right choice here?
>>>>>
>>>>> Yes, passwd is the right choice, considering you have pam_ldap.so properly configured, and yes, passwd doesn't need ssl/tls to be configured.
>>>>>
>>>>>> Regards
>>>>>>
>>>>>> On Mon, Nov 12, 2012 at 11:27 PM, Arpit Tolani <arpittol...@gmail.com> wrote:
>>>>>>> Hello
>>>>>>>
>>>>>>> On Tue, Nov 13, 2012 at 12:33 AM, Ali Jawad <ali.ja...@splendor.net> wrote:
>>>>>>>> In that case I have a major overhaul that I need to complete. Change password is not working for me; my assumption is that it only works with TLS enabled between the client and the server. I have tried to get TLS to run a few times but could not get it to run so far. Am I right about the assumption that I need encryption between the server and the clients for password change to work?
>>>>>>>> Regards
>>>>>>>
>>>>>>> When using the ldappasswd command, yes, ssl/tls is mandatory. Try changing the password using ldapmodify; it doesn't require an ssl/tls connection.
>>>>>>>
>>>>>>>> On Mon, Nov 12, 2012 at 8:56 PM, Mark Reynolds <marey...@redhat.com> wrote:
>>>>>>>>> Only "crypt" uses the first 8 characters, so any other scheme would be fine. After you change the scheme you will need to force all the users to change their passwords - otherwise their crypt passwords will still be present.
>>>>>>>>>
>>>>>>>>> On 11/12/2012 01:52 PM, Ali Jawad wrote:
>>>>>>>>>> Hi All
>>>>>>>>>> This is an all Linux environment with 389 being used as the sole authentication mechanism. I do believe I am using crypt. I am out of office right now; what should I use instead of crypt to match more characters?
>>>>>>>>>> Regards
>>>>>>>>>>
>>>>>>>>>> On Mon, Nov 12, 2012 at 7:02 PM, Mark Reynolds <marey...@redhat.com> wrote:
>>>>>>>>>>> Also what password storage scheme are you using? For example "crypt" only checks the first 8 characters of a password.
>>>>>>>>>>>
>>>>>>>>>>> On 11/12/2012 11:18 AM, Dan Lavu wrote:
>>>>>>>>>>>> In regards to a password policy? Just 389 or are you using winsync with AD? Because the password policy from AD does not transfer over. Also there are some extra steps if you want to setup an OU based password policy, but if you just do it for the entire directory through 'configuration' it works with no issues.
>>>>>>>>>>>>
>>>>>>>>>>>> Dan
>>>>>>>>>>>>
>>>>>>>>>>>> From: Ali Jawad <ali.ja...@splendor.net>
>>>>>>>>>>>> Sent: November 12, 2012 6:00 AM
>>>>>>>>>>>> To: General discussion list for the 389 Directory server project.
>>>>>>>>>>>> Subject: [389-users] Password + anything works ?
>>>>>>>>>>>>
>>>>>>>>>>>> Hi
>>>>>>>>>>>> I just noticed that you can use the password+ANYLetters and it will work, i.e. if the password is xyz, xyz99 or xyzABC will work as well. Is this a misconfiguration on my part or a bug?
>>>>>>>>>>>> Regards
>>>>>>>
>>>>>>> Regards
>>>>>>> Arpit Tolani
>>>>>
>>>>> --
>>>>> Regards
>>>>> Arpit Tolani

--
Ali Jawad
Information Systems Manager
CISSP - PMP - ITIL V3 - RHCE - VCP - C|EH - CCNA - MCSA
Splendor Telecom (www.splendor.net)
Beirut, Lebanon
Phone: +9611373725/ext 116
FAX: +9611375554

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
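Mark's two points in the thread, that only the traditional crypt scheme compares the first 8 characters and that switching the storage scheme leaves every existing crypt hash in place until that user resets, can be checked against an LDIF export of the directory. The script below is an added example, not code from the thread or from the 389 project; it assumes a db2ldif-style export where userPassword carries a {SCHEME} prefix and may be base64-encoded ("::"), and the sample LDIF and hash values are constructed.

```python
import base64
import re

# Constructed sample LDIF export (not data from the thread). 389 exports
# userPassword base64-encoded after "::", so both LDIF forms appear here.
def _b64(s):
    return base64.b64encode(s.encode()).decode()

SAMPLE_LDIF = (
    "dn: uid=alice,ou=People,dc=domain,dc=local\n"
    "userPassword:: " + _b64("{CRYPT}abJnggxhB/yWI") + "\n\n"
    "dn: uid=bob,ou=People,dc=domain,dc=local\n"
    "userPassword: {SSHA}MDEyMzQ1Njc4OWFiY2RlZmdoaWprbG1ub3A=\n\n"
    "dn: uid=carol,ou=People,dc=domain,dc=local\n"
    "userPassword:: " + _b64("{crypt}$1$saltsalt$0123456789abcdefghijkl") + "\n"
)

ATTR_RE = re.compile(r"^([A-Za-z][\w;.-]*)(::?) ?(.*)$")
SCHEME_RE = re.compile(r"^\{([^}]+)\}(.*)$", re.S)

def parse_ldif(text):
    """Yield (dn, {attr: [values]}) per entry; decodes '::' base64 values."""
    for block in re.split(r"\n[ \t]*\n", text.strip()):
        dn, attrs = None, {}
        # LDIF folds long values onto lines starting with one space: unfold them
        for line in re.sub(r"\n ", "", block).splitlines():
            m = ATTR_RE.match(line)
            if not m:
                continue
            name, sep, value = m.group(1).lower(), m.group(2), m.group(3)
            if sep == "::":
                value = base64.b64decode(value).decode("utf-8", "replace")
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        if dn:
            yield dn, attrs

def audit_password_schemes(ldif_text):
    """Return (scheme counts, DNs still holding traditional DES {CRYPT} hashes,
    i.e. 2-char salt + 11 chars, matched on the first 8 password characters only).
    Modular-crypt values ($1$, $6$, ...) are full-length and are not flagged."""
    counts, flagged = {}, []
    for dn, attrs in parse_ldif(ldif_text):
        for stored in attrs.get("userpassword", []):
            m = SCHEME_RE.match(stored)
            scheme = m.group(1).upper() if m else "CLEARTEXT"
            counts[scheme] = counts.get(scheme, 0) + 1
            if scheme == "CRYPT" and not m.group(2).startswith("$"):
                flagged.append(dn)  # must be forced to reset after the scheme change
    return counts, flagged
```

The flagged list is the set of accounts whose old 8-character-limited hashes survive a scheme change, so it doubles as the list to expire with a forced password reset.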