Re: [389-users] Password + anything works ?
In that case I have a major overhaul that I need to complete. Change password is not working for me; my assumption is that it only works with TLS enabled between the client and the server. I have tried to get TLS to run a few times but could not get it to run so far. Am I right about the assumption that I need encryption between the server and the clients for password change to work?

Regards

On Mon, Nov 12, 2012 at 8:56 PM, Mark Reynolds marey...@redhat.com wrote:

> Only crypt uses the first 8 characters, so any other scheme would be fine. After you change the scheme you will need to force all the users to change their passwords - otherwise their crypt passwords will still be present.
>
> On 11/12/2012 01:52 PM, Ali Jawad wrote:
>
>> Hi All
>>
>> This is an all Linux environment with 389 being used as the sole authentication mechanism. I do believe I am using crypt; I am out of office right now. What should I use instead of crypt to match more characters?
>>
>> Regards
>>
>> On Mon, Nov 12, 2012 at 7:02 PM, Mark Reynolds marey...@redhat.com wrote:
>>
>>> Also what password storage scheme are you using? For example crypt only checks the first 8 characters of a password.
>>>
>>> On 11/12/2012 11:18 AM, Dan Lavu wrote:
>>>
>>>> In regards to a password policy? Just 389 or are you using winsync with AD? Because the password policy from AD does not transfer over. Also there are some extra steps if you want to set up an OU based password policy, but if you just do it for the entire directory through 'configuration' it works with no issues.
>>>>
>>>> Dan
>>>>
>>>> From: Ali Jawad ali.ja...@splendor.net
>>>> Sent: November 12, 2012 6:00 AM
>>>> To: General discussion list for the 389 Directory server project.
>>>> Subject: [389-users] Password + anything works ?
>>>>
>>>>> Hi
>>>>>
>>>>> I just noticed that you can use the password+ANYLetters and it will work, i.e. if the password is xyz, xyz99 or xyzABC will work as well. Is this a misconfiguration on my part or a bug?
>>>>>
>>>>> Regards

-- 
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

-- 
Mark Reynolds
Red Hat, Inc
mreyno...@redhat.com

-- 
Ali Jawad
Information Systems Manager
CISSP - PMP - ITIL V3 - RHCE - VCP - C|EH - CCNA - MCSA
Splendor Telecom (www.splendor.net)
Beirut, Lebanon
Phone: +9611373725/ext 116
FAX: +9611375554
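As an added example (not code from the thread or from the 389 project), a Python audit of an LDIF export that tallies userPassword values by storage-scheme prefix and lists the DNs whose hashes are still {crypt}, which is the set of users that Mark's reply says must be forced to change their password after the scheme is switched. The LDIF excerpt is constructed with dummy hash values; only single-line attribute values are handled.

```python
import base64
import re
from collections import Counter

# Constructed LDIF excerpt (not from the thread); hash values are dummies.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
userPassword: {crypt}abJnggxhB/yWI

dn: uid=bob,ou=People,dc=example,dc=com
userPassword: {SSHA}dummyBase64SaltedSha1Value==

dn: uid=carol,ou=People,dc=example,dc=com
userPassword:: e1NTSEE1MTJ9ZHVtbXk=

dn: uid=dave,ou=People,dc=example,dc=com
userPassword: no-scheme-prefix-at-all
"""

SCHEME_RE = re.compile(r"^\{([^}]+)\}")  # leading {SCHEME} tag of a stored value

def parse_ldif(text):
    """Return [(dn, {attr: [values]})]; handles '::' base64 values, single-line values only."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            if value.startswith(":"):  # 'attr:: <base64>' form
                value = base64.b64decode(value[1:].strip()).decode()
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries.append((attrs["dn"][0], attrs))
    return entries

def audit_schemes(entries):
    """Count userPassword values per storage scheme; list DNs still stored with crypt."""
    counts, still_crypt = Counter(), []
    for dn, attrs in entries:
        for pw in attrs.get("userpassword", []):
            m = SCHEME_RE.match(pw)
            scheme = m.group(1).upper() if m else "CLEARTEXT"  # no tag: stored in clear
            counts[scheme] += 1
            if scheme == "CRYPT":
                still_crypt.append(dn)
    return counts, still_crypt

if __name__ == "__main__":
    print(audit_schemes(parse_ldif(SAMPLE_LDIF)))
```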
Re: [389-users] Password + anything works ?
I'm not aware of passwords not being updated based off the connection type. It should work.

On 11/12/2012 02:03 PM, Ali Jawad wrote:

> In that case I have a major overhaul that I need to complete. Change password is not working for me; my assumption is that it only works with TLS enabled between the client and the server. I have tried to get TLS to run a few times but could not get it to run so far. Am I right about the assumption that I need encryption between the server and the clients for password change to work?
>
> Regards
Re: [389-users] Password + anything works ?
Thanks, I will try again, and if I cannot get password change to work I will post the error + configs. Thanks for the help so far.

Regards

On Mon, Nov 12, 2012 at 9:19 PM, Mark Reynolds marey...@redhat.com wrote:

> I'm not aware of passwords not being updated based off the connection type. It should work.
[389-users] Nested group and ssh login against 389-dir
Hello,

I have an issue when I try to authenticate my openssh against 389-dir when using nested groups. If I add a user to one group only there aren't issues, but if I use nested groups it doesn't work!

This is the log I copied from the 389-dir server:

[12/Nov/2012:23:05:03 +0100] conn=147 fd=81 slot=81 SSL connection from 192.168.xxx.117 to 192.168.xxx.216
[12/Nov/2012:23:05:03 +0100] conn=147 SSL 256-bit AES
[12/Nov/2012:23:05:03 +0100] conn=147 op=0 BIND dn=uid=binduser,cn=config method=128 version=3
[12/Nov/2012:23:05:03 +0100] conn=147 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=uid=binduser,cn=config
[12/Nov/2012:23:05:03 +0100] conn=147 op=1 SRCH base=dc=,dc=local scope=2 filter=(uid=demo) attrs=ALL
[12/Nov/2012:23:05:03 +0100] conn=147 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[12/Nov/2012:23:05:03 +0100] conn=147 op=2 BIND dn=uid=demo,ou=IT_Operation,ou=Company,dc=,dc=local method=128 version=3
[12/Nov/2012:23:05:03 +0100] conn=147 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn=uid=demo,ou=it_operation,ou=company,dc=,dc=local
[12/Nov/2012:23:05:03 +0100] conn=147 op=3 BIND dn=uid=binduser,cn=config method=128 version=3
[12/Nov/2012:23:05:03 +0100] conn=147 op=3 RESULT err=0 tag=97 nentries=0 etime=0 dn=uid=binduser,cn=config
[12/Nov/2012:23:05:03 +0100] conn=147 op=4 CMP dn=cn=lin17_access,ou=production,ou=hosts,dc=,dc=local attr=uniquemember
[12/Nov/2012:23:05:03 +0100] conn=147 op=4 RESULT err=16 tag=111 nentries=0 etime=0
[12/Nov/2012:23:05:05 +0100] conn=147 op=5 UNBIND

This is my /etc/ldap.conf:

host 389-svr01..local 389-svr02..local
port 636
base dc=,dc=local
pam_password md5
ssl yes
tls_cacertdir /etc/openldap/cacerts
tls_checkpeer no
bind_policy soft
bind_timelimit 15
timelimit 15
pam_groupdn cn=lin17_access,ou=production,ou=hosts,dc=,dc=local
ldap_version 3
binddn uid=binduser,cn=config
bindpw

Can you help me please? My desire is to create groups where only some people can log on certain servers.

Regards.
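An added example in Python (not from the post or the 389 project) for reading the log above: it pairs the CMP op with its RESULT and decodes err=16 as LDAP noSuchAttribute, meaning the group entry carried no uniquemember value at all (a direct member list that merely lacked the user would give err=5 compareFalse), and it shows why the single flat compare that pam_groupdn issues cannot see a user who is only a member of a nested group. The log lines and group tree are constructed, with dc=example,dc=local standing in for the elided domain.

```python
import re

# Constructed access-log lines in the post's format (domain is a placeholder).
ACCESS_LOG = """\
[12/Nov/2012:23:05:03 +0100] conn=147 op=4 CMP dn="cn=lin17_access,ou=production,ou=hosts,dc=example,dc=local" attr="uniquemember"
[12/Nov/2012:23:05:03 +0100] conn=147 op=4 RESULT err=16 tag=111 nentries=0 etime=0
"""

# LDAP result codes a compare request can return (RFC 4511).
COMPARE_CODES = {5: "compareFalse", 6: "compareTrue", 16: "noSuchAttribute",
                 32: "noSuchObject", 50: "insufficientAccessRights"}
OP_RE = re.compile(r"conn=(\d+) op=(\d+) (CMP|RESULT) (.*)")

def compare_results(log):
    """Pair each CMP with its RESULT on the same conn/op; return [(dn, attr, err, meaning)]."""
    pending, out = {}, []
    for line in log.splitlines():
        m = OP_RE.search(line)
        if not m:
            continue
        conn, op, kind, rest = m.groups()
        if kind == "CMP":
            dn = re.search(r'dn="?(.*?)"? attr=', rest).group(1)   # quoted or bare dn
            attr = re.search(r'attr="?([^"\s]+)', rest).group(1)
            pending[(conn, op)] = (dn, attr)
        elif (conn, op) in pending:
            err = int(re.search(r"err=(\d+)", rest).group(1))
            out.append(pending.pop((conn, op)) + (err, COMPARE_CODES.get(err, "other")))
    return out

# Constructed group tree: the host group holds a nested group, not the user.
GROUPS = {
    "cn=lin17_access,ou=production,ou=hosts,dc=example,dc=local": ["cn=it_ops,ou=groups,dc=example,dc=local"],
    "cn=it_ops,ou=groups,dc=example,dc=local": ["uid=demo,ou=IT_Operation,ou=Company,dc=example,dc=local"],
}

def nested_members(groups, group_dn, seen=None):
    """Recursively expand nested groups into the set of user DNs (cycle-safe)."""
    seen = set() if seen is None else seen
    seen.add(group_dn)
    users = set()
    for member in groups.get(group_dn, []):
        if member in groups:           # member is itself a group: descend once
            if member not in seen:
                users |= nested_members(groups, member, seen)
        else:                          # leaf entry: a user DN
            users.add(member)
    return users
```

A flat compare against the host group's uniquemember is what the client's single CMP op does; only the recursive expansion reaches uid=demo.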
Re: [389-users] Password + anything works ?
Hi Arpit

Actually I was attempting to change the password using the command line passwd, i.e. each user changes his own password. Is passwd the right choice here?

Regards

On Mon, Nov 12, 2012 at 11:27 PM, Arpit Tolani arpittol...@gmail.com wrote:

> Hello
>
> On Tue, Nov 13, 2012 at 12:33 AM, Ali Jawad ali.ja...@splendor.net wrote:
>
>> In that case I have a major overhaul that I need to complete. Change password is not working for me; my assumption is that it only works with TLS enabled between the client and the server. I have tried to get TLS to run a few times but could not get it to run so far. Am I right about the assumption that I need encryption between the server and the clients for password change to work?
>>
>> Regards
>
> When using the ldappasswd command, yes, SSL/TLS is mandatory. Try changing the password using ldapmodify; it doesn't require an SSL/TLS connection.
>
> Regards
> Arpit Tolani