Re: [389-users] Password + anything works ?

[Ali Jawad]

Hi Arpit
Actually I was attempting to change the password using command line

passwd

I.e. each user changes his own password, is passwd the right choice here ?

Regards

On Mon, Nov 12, 2012 at 11:27 PM, Arpit Tolani wrote:

> Hello
>
> On Tue, Nov 13, 2012 at 12:33 AM, Ali Jawad 
> wrote:
> > In that case I have a major overhaul that I need to complete, change
> > password is not working for me, my assumption is that it only works with
> TLS
> > enabled between the client and the server, I have tried to get TLS to
> run a
> > few times but could not get it to run so far. Am I right about the
> > assumption that I need encryption between the server and the clients for
> > password change to work ?
> > Regards
> >
>
> When using ldappasswd command, Yes ssl/tls is mandatory, Try changing
> password using ldapmodify, it doesnt required ssl/tls connection.
>
> >
> > On Mon, Nov 12, 2012 at 8:56 PM, Mark Reynolds 
> wrote:
> >>
> >> Only "crypt" uses the first 8 characters, so any other scheme would be
> >> fine.  After you change the scheme you will need to force all the users
> to
> >> change their passwords - otherwise their crypt passwords will still be
> >> present.
> >>
> >>
> >>
> >> On 11/12/2012 01:52 PM, Ali Jawad wrote:
> >>
> >> Hi All
> >> This is an all Linux environment with 389 being used as the sole
> >> authentication mechanism, I do believe I am using crypt, I am out of
> office
> >> right now, what should I use instead of crypt to match more characters ?
> >> Regards
> >>
> >> On Mon, Nov 12, 2012 at 7:02 PM, Mark Reynolds 
> >> wrote:
> >>>
> >>> Also what password storage scheme are you using?  For example "crypt"
> >>> only checks the first 8 characters of a password.
> >>>
> >>>
> >>> On 11/12/2012 11:18 AM, Dan Lavu wrote:
> >>>
> >>> In regards to a password policy? Just 389 or are you using winsync with
> >>> AD? Because the password policy from AD does not transfer over. Also
> they
> >>> are some extra steps if you want to setup an OU based password policy
> but if
> >>> you just do it for the entire directory through ‘configuration’ it
> works
> >>> with no issues.
> >>>
> >>> Dan
> >>>
> >>> From: Ali Jawad 
> >>> Sent: November 12, 2012 6:00 AM
> >>> To: General discussion list for the 389 Directory server project.
> >>> Subject: [389-users] Password + anything works ?
> >>>
> >>> Hi
> >>> I just noticed that you can use the password+ANYLetters and it will
> work,
> >>> I.e. if the password is xyz xyz99 or xyzABC will work as well, is this
> a
> >>> misconfiguration on my part or a bug ?
> >>> Regards
> >>>
>
> Regards
> Arpit Tolani
> --
> 389 users mailing list
> 389-users@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
>



-- 
*Ali Jawad
*
*Information Systems Manager
CISSP - PMP - ITIL V3 - RHCE - VCP - C|EH - CCNA - MCSA
*
*Splendor Telecom (www.splendor.net)
Beirut, Lebanon
Phone: +9611373725/ext 116
FAX: +9611375554

*
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

[389-users] Nested group and ssh login against 389-dir

[thomas]

Hello,

I have an issue when I try to authenticate my openssh against 389-dir
when using nested groups.

If I add an user to one group only there aren't issues, but if I use
nested groups it doesn't work !

This is the log I copied from 389-dir server :

[12/Nov/2012:23:05:03 +0100] conn=147 fd=81 slot=81 SSL connection
from 192.168.xxx.117 to 192.168.xxx.216
[12/Nov/2012:23:05:03 +0100] conn=147 SSL 256-bit AES
[12/Nov/2012:23:05:03 +0100] conn=147 op=0 BIND
dn="uid=binduser,cn=config" method=128 version=3
[12/Nov/2012:23:05:03 +0100] conn=147 op=0 RESULT err=0 tag=97
nentries=0 etime=0 dn="uid=binduser,cn=config"
[12/Nov/2012:23:05:03 +0100] conn=147 op=1 SRCH
base="dc=,dc=local" scope=2 filter="(uid=demo)" attrs=ALL
[12/Nov/2012:23:05:03 +0100] conn=147 op=1 RESULT err=0 tag=101
nentries=1 etime=0
[12/Nov/2012:23:05:03 +0100] conn=147 op=2 BIND
dn="uid=demo,ou=IT_Operation,ou=Company,dc=,dc=local" method=128
version=3
[12/Nov/2012:23:05:03 +0100] conn=147 op=2 RESULT err=0 tag=97
nentries=0 etime=0
dn="uid=demo,ou=it_operation,ou=company,dc=,dc=local"
[12/Nov/2012:23:05:03 +0100] conn=147 op=3 BIND
dn="uid=binduser,cn=config" method=128 version=3
[12/Nov/2012:23:05:03 +0100] conn=147 op=3 RESULT err=0 tag=97
nentries=0 etime=0 dn="uid=binduser,cn=config"
[12/Nov/2012:23:05:03 +0100] conn=147 op=4 CMP
dn="cn=lin17_access,ou=production,ou=hosts,dc=,dc=local"
attr="uniquemember"
[12/Nov/2012:23:05:03 +0100] conn=147 op=4 RESULT err=16 tag=111
nentries=0 etime=0
[12/Nov/2012:23:05:05 +0100] conn=147 op=5 UNBIND


This is my /etc/ldap.conf :

host 389-svr01..local 389-svr02..local
port 636
base dc=,dc=local
pam_password md5
ssl yes
tls_cacertdir /etc/openldap/cacerts
tls_checkpeer no
bind_policy soft
bind_timelimit 15
timelimit 15
pam_groupdn cn=lin17_access,ou=production,ou=hosts,dc=,dc=local
ldap_version 3
binddn uid=binduser,cn=config
bindpw 


Can you help me please ?

My desire is to create groups where only some people can log on certain servers.

Regards .
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

Re: [389-users] Password + anything works ?

[Arpit Tolani]

Hello

On Tue, Nov 13, 2012 at 12:33 AM, Ali Jawad  wrote:
> In that case I have a major overhaul that I need to complete, change
> password is not working for me, my assumption is that it only works with TLS
> enabled between the client and the server, I have tried to get TLS to run a
> few times but could not get it to run so far. Am I right about the
> assumption that I need encryption between the server and the clients for
> password change to work ?
> Regards
>

When using ldappasswd command, Yes ssl/tls is mandatory, Try changing
password using ldapmodify, it doesnt required ssl/tls connection.

>
> On Mon, Nov 12, 2012 at 8:56 PM, Mark Reynolds  wrote:
>>
>> Only "crypt" uses the first 8 characters, so any other scheme would be
>> fine.  After you change the scheme you will need to force all the users to
>> change their passwords - otherwise their crypt passwords will still be
>> present.
>>
>>
>>
>> On 11/12/2012 01:52 PM, Ali Jawad wrote:
>>
>> Hi All
>> This is an all Linux environment with 389 being used as the sole
>> authentication mechanism, I do believe I am using crypt, I am out of office
>> right now, what should I use instead of crypt to match more characters ?
>> Regards
>>
>> On Mon, Nov 12, 2012 at 7:02 PM, Mark Reynolds 
>> wrote:
>>>
>>> Also what password storage scheme are you using?  For example "crypt"
>>> only checks the first 8 characters of a password.
>>>
>>>
>>> On 11/12/2012 11:18 AM, Dan Lavu wrote:
>>>
>>> In regards to a password policy? Just 389 or are you using winsync with
>>> AD? Because the password policy from AD does not transfer over. Also they
>>> are some extra steps if you want to setup an OU based password policy but if
>>> you just do it for the entire directory through ‘configuration’ it works
>>> with no issues.
>>>
>>> Dan
>>>
>>> From: Ali Jawad 
>>> Sent: November 12, 2012 6:00 AM
>>> To: General discussion list for the 389 Directory server project.
>>> Subject: [389-users] Password + anything works ?
>>>
>>> Hi
>>> I just noticed that you can use the password+ANYLetters and it will work,
>>> I.e. if the password is xyz xyz99 or xyzABC will work as well, is this a
>>> misconfiguration on my part or a bug ?
>>> Regards
>>>

Regards
Arpit Tolani
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

Re: [389-users] Password + anything works ?

[Ali Jawad]

Thanks I will try again and if I can not get password change to work I will
post error + configs, thanks for the help so far.
Regards

On Mon, Nov 12, 2012 at 9:19 PM, Mark Reynolds  wrote:

>  I'm not aware of passwords not being updated based off the connection
> type.  It should work.
>
>
> On 11/12/2012 02:03 PM, Ali Jawad wrote:
>
> In that case I have a major overhaul that I need to complete, change
> password is not working for me, my assumption is that it only works with
> TLS enabled between the client and the server, I have tried to get TLS to
> run a few times but could not get it to run so far. Am I right about the
> assumption that I need encryption between the server and the clients for
> password change to work ?
> Regards
>
> On Mon, Nov 12, 2012 at 8:56 PM, Mark Reynolds wrote:
>
>>  Only "crypt" uses the first 8 characters, so any other scheme would be
>> fine.  After you change the scheme you will need to force all the users to
>> change their passwords - otherwise their crypt passwords will still be
>> present.
>>
>>
>>
>> On 11/12/2012 01:52 PM, Ali Jawad wrote:
>>
>> Hi All
>> This is an all Linux environment with 389 being used as the sole
>> authentication mechanism, I do believe I am using crypt, I am out of office
>> right now, what should I use instead of crypt to match more characters ?
>> Regards
>>
>> On Mon, Nov 12, 2012 at 7:02 PM, Mark Reynolds wrote:
>>
>>>  Also what password storage scheme are you using?  For example "crypt"
>>> only checks the first 8 characters of a password.
>>>
>>>
>>> On 11/12/2012 11:18 AM, Dan Lavu wrote:
>>>
>>>  In regards to a password policy? Just 389 or are you using winsync
>>> with AD? Because the password policy from AD does not transfer over. Also
>>> they are some extra steps if you want to setup an OU based password policy
>>> but if you just do it for the entire directory through ‘configuration’ it
>>> works with no issues.
>>>
>>> Dan
>>>
>>>  *From:* Ali Jawad 
>>> *Sent:* November 12, 2012 6:00 AM
>>> *To:* General discussion list for the 389 Directory server project.
>>> *Subject:* [389-users] Password + anything works ?
>>>
>>> Hi
>>> I just noticed that you can use the password+ANYLetters and it will
>>> work, I.e. if the password is xyz xyz99 or xyzABC will work as well, is
>>> this a misconfiguration on my part or a bug ?
>>> Regards
>>>
>>>   *
>>> *
>>>
>>>
>>>
>>> --
>>> 389 users mailing list
>>> 389-users@lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>>>
>>>
>>> --
>>> 389 users mailing 
>>> list389-users@lists.fedoraproject.orghttps://admin.fedoraproject.org/mailman/listinfo/389-users
>>>
>>>
>>>   --
>>> Mark Reynolds
>>> Red Hat, incmreyno...@redhat.com
>>>
>>>
>>
>>
>>  --
>> *Ali Jawad
>> *
>> *Information Systems Manager
>> CISSP - PMP - ITIL V3 - RHCE - VCP - C|EH - CCNA - MCSA
>> *
>> *Splendor Telecom (www.splendor.net)
>> Beirut, Lebanon
>> Phone: +9611373725/ext 116
>> FAX: +9611375554
>>
>> *
>>
>>
>> --
>> Mark Reynolds
>> Red Hat, incmreyno...@redhat.com
>>
>>
>
>
>  --
> *Ali Jawad
> *
> *Information Systems Manager
> CISSP - PMP - ITIL V3 - RHCE - VCP - C|EH - CCNA - MCSA
> *
> *Splendor Telecom (www.splendor.net)
> Beirut, Lebanon
> Phone: +9611373725/ext 116
> FAX: +9611375554
>
> *
>
>
> --
> Mark Reynolds
> Red Hat, incmreyno...@redhat.com
>
>


-- 
*Ali Jawad
*
*Information Systems Manager
CISSP - PMP - ITIL V3 - RHCE - VCP - C|EH - CCNA - MCSA
*
*Splendor Telecom (www.splendor.net)
Beirut, Lebanon
Phone: +9611373725/ext 116
FAX: +9611375554

*
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

Re: [389-users] Password + anything works ?

[Mark Reynolds]

I'm not aware of passwords not being updated based off the connection 
type.  It should work.


On 11/12/2012 02:03 PM, Ali Jawad wrote:
In that case I have a major overhaul that I need to complete, change 
password is not working for me, my assumption is that it only works 
with TLS enabled between the client and the server, I have tried to 
get TLS to run a few times but could not get it to run so far. Am I 
right about the assumption that I need encryption between the server 
and the clients for password change to work ?

Regards

On Mon, Nov 12, 2012 at 8:56 PM, Mark Reynolds > wrote:


Only "crypt" uses the first 8 characters, so any other scheme
would be fine.  After you change the scheme you will need to force
all the users to change their passwords - otherwise their crypt
passwords will still be present.



On 11/12/2012 01:52 PM, Ali Jawad wrote:

Hi All
This is an all Linux environment with 389 being used as the sole
authentication mechanism, I do believe I am using crypt, I am out
of office right now, what should I use instead of crypt to match
more characters ?
Regards

On Mon, Nov 12, 2012 at 7:02 PM, Mark Reynolds
mailto:marey...@redhat.com>> wrote:

Also what password storage scheme are you using?  For example
"crypt" only checks the first 8 characters of a password.


On 11/12/2012 11:18 AM, Dan Lavu wrote:

In regards to a password policy? Just 389 or are you using
winsync with AD? Because the password policy from AD does
not transfer over. Also they are some extra steps if you
want to setup an OU based password policy but if you just do
it for the entire directory through ‘configuration’ it works
with no issues.
Dan
*From:* Ali Jawad mailto:ali.ja...@splendor.net>>
*Sent:* November 12, 2012 6:00 AM
*To:* General discussion list for the 389 Directory server
project.
*Subject:* [389-users] Password + anything works ?
Hi
I just noticed that you can use the password+ANYLetters and
it will work, I.e. if the password is xyz xyz99 or xyzABC
will work as well, is this a misconfiguration on my part or
a bug ?
Regards

*
*


--
389 users mailing list
389-users@lists.fedoraproject.org

https://admin.fedoraproject.org/mailman/listinfo/389-users


--
389 users mailing list
389-users@lists.fedoraproject.org  

https://admin.fedoraproject.org/mailman/listinfo/389-users


-- 
Mark Reynolds

Red Hat, Inc
mreyno...@redhat.com  




-- 
*Ali Jawad

*
*Information Systems Manager
CISSP - PMP - ITIL V3 - RHCE - VCP - C|EH - CCNA - MCSA
*
*Splendor Telecom (www.splendor.net )
Beirut, Lebanon
Phone: +9611373725/ext 116
FAX: +9611375554

*



-- 
Mark Reynolds

Red Hat, Inc
mreyno...@redhat.com  




--
*Ali Jawad
*
*Information Systems Manager
CISSP - PMP - ITIL V3 - RHCE - VCP - C|EH - CCNA - MCSA
*
*Splendor Telecom (www.splendor.net )
Beirut, Lebanon
Phone: +9611373725/ext 116
FAX: +9611375554

*



--
Mark Reynolds
Red Hat, Inc
mreyno...@redhat.com

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

Re: [389-users] Password + anything works ?

[Ali Jawad]

In that case I have a major overhaul that I need to complete, change
password is not working for me, my assumption is that it only works with
TLS enabled between the client and the server, I have tried to get TLS to
run a few times but could not get it to run so far. Am I right about the
assumption that I need encryption between the server and the clients for
password change to work ?
Regards

On Mon, Nov 12, 2012 at 8:56 PM, Mark Reynolds  wrote:

>  Only "crypt" uses the first 8 characters, so any other scheme would be
> fine.  After you change the scheme you will need to force all the users to
> change their passwords - otherwise their crypt passwords will still be
> present.
>
>
>
> On 11/12/2012 01:52 PM, Ali Jawad wrote:
>
> Hi All
> This is an all Linux environment with 389 being used as the sole
> authentication mechanism, I do believe I am using crypt, I am out of office
> right now, what should I use instead of crypt to match more characters ?
> Regards
>
> On Mon, Nov 12, 2012 at 7:02 PM, Mark Reynolds wrote:
>
>>  Also what password storage scheme are you using?  For example "crypt"
>> only checks the first 8 characters of a password.
>>
>>
>> On 11/12/2012 11:18 AM, Dan Lavu wrote:
>>
>>  In regards to a password policy? Just 389 or are you using winsync with
>> AD? Because the password policy from AD does not transfer over. Also they
>> are some extra steps if you want to setup an OU based password policy but
>> if you just do it for the entire directory through ‘configuration’ it works
>> with no issues.
>>
>> Dan
>>
>>  *From:* Ali Jawad 
>> *Sent:* November 12, 2012 6:00 AM
>> *To:* General discussion list for the 389 Directory server project.
>> *Subject:* [389-users] Password + anything works ?
>>
>> Hi
>> I just noticed that you can use the password+ANYLetters and it will work,
>> I.e. if the password is xyz xyz99 or xyzABC will work as well, is this a
>> misconfiguration on my part or a bug ?
>> Regards
>>
>>   *
>> *
>>
>>
>>
>> --
>> 389 users mailing list
>> 389-users@lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>>
>>
>> --
>> 389 users mailing 
>> list389-users@lists.fedoraproject.orghttps://admin.fedoraproject.org/mailman/listinfo/389-users
>>
>>
>>   --
>> Mark Reynolds
>> Red Hat, incmreyno...@redhat.com
>>
>>
>
>
>  --
> *Ali Jawad
> *
> *Information Systems Manager
> CISSP - PMP - ITIL V3 - RHCE - VCP - C|EH - CCNA - MCSA
> *
> *Splendor Telecom (www.splendor.net)
> Beirut, Lebanon
> Phone: +9611373725/ext 116
> FAX: +9611375554
>
> *
>
>
> --
> Mark Reynolds
> Red Hat, incmreyno...@redhat.com
>
>


-- 
*Ali Jawad
*
*Information Systems Manager
CISSP - PMP - ITIL V3 - RHCE - VCP - C|EH - CCNA - MCSA
*
*Splendor Telecom (www.splendor.net)
Beirut, Lebanon
Phone: +9611373725/ext 116
FAX: +9611375554

*
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

Re: [389-users] Password + anything works ?

[Mark Reynolds]

Only "crypt" uses the first 8 characters, so any other scheme would be 
fine.  After you change the scheme you will need to force all the users 
to change their passwords - otherwise their crypt passwords will still 
be present.



On 11/12/2012 01:52 PM, Ali Jawad wrote:

Hi All
This is an all Linux environment with 389 being used as the sole 
authentication mechanism, I do believe I am using crypt, I am out of 
office right now, what should I use instead of crypt to match more 
characters ?

Regards

On Mon, Nov 12, 2012 at 7:02 PM, Mark Reynolds > wrote:


Also what password storage scheme are you using?  For example
"crypt" only checks the first 8 characters of a password.


On 11/12/2012 11:18 AM, Dan Lavu wrote:

In regards to a password policy? Just 389 or are you using
winsync with AD? Because the password policy from AD does not
transfer over. Also they are some extra steps if you want to
setup an OU based password policy but if you just do it for the
entire directory through ‘configuration’ it works with no issues.
Dan
*From:* Ali Jawad mailto:ali.ja...@splendor.net>>
*Sent:* November 12, 2012 6:00 AM
*To:* General discussion list for the 389 Directory server project.
*Subject:* [389-users] Password + anything works ?
Hi
I just noticed that you can use the password+ANYLetters and it
will work, I.e. if the password is xyz xyz99 or xyzABC will work
as well, is this a misconfiguration on my part or a bug ?
Regards

*
*


--
389 users mailing list
389-users@lists.fedoraproject.org

https://admin.fedoraproject.org/mailman/listinfo/389-users


--
389 users mailing list
389-users@lists.fedoraproject.org  

https://admin.fedoraproject.org/mailman/listinfo/389-users


-- 
Mark Reynolds

Red Hat, Inc
mreyno...@redhat.com  




--
*Ali Jawad
*
*Information Systems Manager
CISSP - PMP - ITIL V3 - RHCE - VCP - C|EH - CCNA - MCSA
*
*Splendor Telecom (www.splendor.net )
Beirut, Lebanon
Phone: +9611373725/ext 116
FAX: +9611375554

*



--
Mark Reynolds
Red Hat, Inc
mreyno...@redhat.com

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

Re: [389-users] Password + anything works ?

[Ali Jawad]

Hi All
This is an all Linux environment with 389 being used as the sole
authentication mechanism, I do believe I am using crypt, I am out of office
right now, what should I use instead of crypt to match more characters ?
Regards

On Mon, Nov 12, 2012 at 7:02 PM, Mark Reynolds  wrote:

>  Also what password storage scheme are you using?  For example "crypt"
> only checks the first 8 characters of a password.
>
>
> On 11/12/2012 11:18 AM, Dan Lavu wrote:
>
>  In regards to a password policy? Just 389 or are you using winsync with
> AD? Because the password policy from AD does not transfer over. Also they
> are some extra steps if you want to setup an OU based password policy but
> if you just do it for the entire directory through ‘configuration’ it works
> with no issues.
>
> Dan
>
>  *From:* Ali Jawad 
> *Sent:* November 12, 2012 6:00 AM
> *To:* General discussion list for the 389 Directory server project.
> *Subject:* [389-users] Password + anything works ?
>
> Hi
> I just noticed that you can use the password+ANYLetters and it will work,
> I.e. if the password is xyz xyz99 or xyzABC will work as well, is this a
> misconfiguration on my part or a bug ?
> Regards
>
>   *
> *
>
>
>
> --
> 389 users mailing list
> 389-users@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
>
>
> --
> 389 users mailing 
> list389-users@lists.fedoraproject.orghttps://admin.fedoraproject.org/mailman/listinfo/389-users
>
>
> --
> Mark Reynolds
> Red Hat, incmreyno...@redhat.com
>
>


-- 
*Ali Jawad
*
*Information Systems Manager
CISSP - PMP - ITIL V3 - RHCE - VCP - C|EH - CCNA - MCSA
*
*Splendor Telecom (www.splendor.net)
Beirut, Lebanon
Phone: +9611373725/ext 116
FAX: +9611375554

*
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

Re: [389-users] Password + anything works ?

[Dan Lavu]

In regards to a password policy? Just 389 or are you using winsync with AD?
Because the password policy from AD does not transfer over. Also they are
some extra steps if you want to setup an OU based password policy but if
you just do it for the entire directory through ‘configuration’ it works
with no issues.

Dan

 *From:* Ali Jawad 
*Sent:* November 12, 2012 6:00 AM
*To:* General discussion list for the 389 Directory server project.
*Subject:* [389-users] Password + anything works ?

Hi
I just noticed that you can use the password+ANYLetters and it will work,
I.e. if the password is xyz xyz99 or xyzABC will work as well, is this a
misconfiguration on my part or a bug ?
Regards

*
*



--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users