Re: [389-users] Client Config on CentOS 6
Hi,

I am using NSLCD, does your suggestion still work? I am not using TLS on the LDAP server.

Regards

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
Re: [389-users] Password + anything works ?
Hi All,

I am trying to change the password using passwd, please see the below:

[xyz@server ~]$ passwd
Changing password for user xyz.
Enter login(LDAP) password:
New UNIX password:
Retype new UNIX password:
LDAP password information update failed: Confidentiality required
Operation requires a secure connection.

The error log shows:

Nov 13 11:47:17 HA-Dev-Nymgo-100-45 passwd: pam_unix(passwd:chauthtok): user xyz does not exist in /etc/passwd

PAM config follows:

/etc/pam.d/passwd

#%PAM-1.0
auth       include      system-auth
account    include      system-auth
password   include      system-auth

/etc/pam.d/system-auth

#/etc/pam.d/system-auth
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     sufficient    pam_unix.so
account     sufficient    pam_ldap.so use_first_pass
account     required      pam_deny.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so
#password   required      pam_cracklib.so retry=3 minlen=2 dcredit=0 ucredit=0
#password   sufficient    pam_unix.so nullok use_authtok md5 shadow
#password   sufficient    pam_ldap.so
#password   required      pam_deny.so

session     optional      pam_mkhomedir.so skel=/etc/skel/ umask=0022
session     required      pam_limits.so
session     required      pam_unix.so
session     optional      pam_ldap.so

On Tue, Nov 13, 2012 at 11:15 AM, Arpit Tolani <arpittol...@gmail.com> wrote:
> Hello
>
> On Tue, Nov 13, 2012 at 1:10 PM, Ali Jawad <ali.ja...@splendor.net> wrote:
>> Hi Arpit,
>>
>> Actually I was attempting to change the password using the command line passwd, i.e. each user changes his own password. Is passwd the right choice here?
>
> Yes, passwd is the right choice, considering you have pam_ldap.so properly configured. Yes, passwd doesn't need ssl/tls to be configured.
>
>> Regards
>>
>> On Mon, Nov 12, 2012 at 11:27 PM, Arpit Tolani <arpittol...@gmail.com> wrote:
>>> Hello
>>>
>>> On Tue, Nov 13, 2012 at 12:33 AM, Ali Jawad <ali.ja...@splendor.net> wrote:
>>>> In that case I have a major overhaul that I need to complete. Change password is not working for me, my assumption is that it only works with TLS enabled between the client and the server. I have tried to get TLS to run a few times but could not get it to run so far. Am I right about the assumption that I need encryption between the server and the clients for password change to work?
>>>>
>>>> Regards
>>>
>>> When using the ldappasswd command, yes, ssl/tls is mandatory. Try changing the password using ldapmodify, it doesn't require an ssl/tls connection.
>>>
>>>> On Mon, Nov 12, 2012 at 8:56 PM, Mark Reynolds <marey...@redhat.com> wrote:
>>>>> Only crypt uses the first 8 characters, so any other scheme would be fine. After you change the scheme you will need to force all the users to change their passwords - otherwise their crypt passwords will still be present.
>>>>>
>>>>> On 11/12/2012 01:52 PM, Ali Jawad wrote:
>>>>>> Hi All,
>>>>>>
>>>>>> This is an all Linux environment with 389 being used as the sole authentication mechanism. I do believe I am using crypt, I am out of office right now, what should I use instead of crypt to match more characters?
>>>>>>
>>>>>> Regards
>>>>>>
>>>>>> On Mon, Nov 12, 2012 at 7:02 PM, Mark Reynolds <marey...@redhat.com> wrote:
>>>>>>> Also what password storage scheme are you using? For example crypt only checks the first 8 characters of a password.
>>>>>>>
>>>>>>> On 11/12/2012 11:18 AM, Dan Lavu wrote:
>>>>>>>> In regards to a password policy? Just 389 or are you using winsync with AD? Because the password policy from AD does not transfer over. Also there are some extra steps if you want to set up an OU based password policy, but if you just do it for the entire directory through 'configuration' it works with no issues.
>>>>>>>>
>>>>>>>> Dan
>>>>>>>>
>>>>>>>> From: Ali Jawad <ali.ja...@splendor.net>
>>>>>>>> Sent: November 12, 2012 6:00 AM
>>>>>>>> To: General discussion list for the 389 Directory server project.
>>>>>>>> Subject: [389-users] Password + anything works ?
>>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I just noticed that you can use the password+ANYLetters and it will work, i.e. if the password is xyz, xyz99 or xyzABC will work as well. Is this a misconfiguration on my part or a bug?
>>>>>>>>
>>>>>>>> Regards
>
> Regards
> Arpit Tolani

--
Ali Jawad
Information Systems Manager
CISSP - PMP - ITIL V3 - RHCE - VCP - C|EH - CCNA - MCSA
Splendor Telecom (www.splendor.net)
Beirut, Lebanon
Phone: +9611373725/ext 116
FAX: +9611375554
Re: [389-users] Password + anything works ?
Hi,

nsswitch.conf contains the following relevant lines, the rest is unchanged:

passwd: ldap files
shadow: ldap files
group:  ldap files

Maybe it is my LDAP settings, please see /etc/ldap.conf below:

bind_policy soft
URI ldap://ldap.server.ip
BASE dc=domain,dc=local
TLS_CACERTDIR /etc/openldap/cacerts
pam_password clear
pam_lookup_policy yes
pam_password exop
# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#idle_timelimit 3600
idle_timelimit 900

On Tue, Nov 13, 2012 at 1:59 PM, Grzegorz Dwornicki <gd1...@gmail.com> wrote:
> What about NSS configuration? Maybe there is configuration making ssl mandatory?
>
> Greg
>
> On 13 Nov 2012 12:51, Ali Jawad <ali.ja...@splendor.net> wrote:
>> Hi All,
>>
>> I am trying to change the password using passwd, please see the below:
>>
>> [xyz@server ~]$ passwd
>> Changing password for user xyz.
>> Enter login(LDAP) password:
>> New UNIX password:
>> Retype new UNIX password:
>> LDAP password information update failed: Confidentiality required
>> Operation requires a secure connection.
>>
>> The error log shows:
>>
>> Nov 13 11:47:17 HA-Dev-Nymgo-100-45 passwd: pam_unix(passwd:chauthtok): user xyz does not exist in /etc/passwd
>>
>> PAM config follows:
>>
>> /etc/pam.d/passwd
>>
>> #%PAM-1.0
>> auth       include      system-auth
>> account    include      system-auth
>> password   include      system-auth
>>
>> /etc/pam.d/system-auth
>>
>> #/etc/pam.d/system-auth
>> #%PAM-1.0
>> auth        required      pam_env.so
>> auth        sufficient    pam_unix.so
>> auth        sufficient    pam_ldap.so use_first_pass
>> auth        required      pam_deny.so
>>
>> account     sufficient    pam_unix.so
>> account     sufficient    pam_ldap.so use_first_pass
>> account     required      pam_deny.so
>>
>> password    requisite     pam_cracklib.so try_first_pass retry=3
>> password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
>> password    sufficient    pam_ldap.so use_authtok
>> password    required      pam_deny.so
>> #password   required      pam_cracklib.so retry=3 minlen=2 dcredit=0 ucredit=0
>> #password   sufficient    pam_unix.so nullok use_authtok md5 shadow
>> #password   sufficient    pam_ldap.so
>> #password   required      pam_deny.so
>>
>> session     optional      pam_mkhomedir.so skel=/etc/skel/ umask=0022
>> session     required      pam_limits.so
>> session     required      pam_unix.so
>> session     optional      pam_ldap.so
>>
>> On Tue, Nov 13, 2012 at 11:15 AM, Arpit Tolani <arpittol...@gmail.com> wrote:
>>> Hello
>>>
>>> On Tue, Nov 13, 2012 at 1:10 PM, Ali Jawad <ali.ja...@splendor.net> wrote:
>>>> Hi Arpit,
>>>>
>>>> Actually I was attempting to change the password using the command line passwd, i.e. each user changes his own password. Is passwd the right choice here?
>>>
>>> Yes, passwd is the right choice, considering you have pam_ldap.so properly configured. Yes, passwd doesn't need ssl/tls to be configured.
>>>
>>>> Regards
>>>>
>>>> On Mon, Nov 12, 2012 at 11:27 PM, Arpit Tolani <arpittol...@gmail.com> wrote:
>>>>> Hello
>>>>>
>>>>> On Tue, Nov 13, 2012 at 12:33 AM, Ali Jawad <ali.ja...@splendor.net> wrote:
>>>>>> In that case I have a major overhaul that I need to complete. Change password is not working for me, my assumption is that it only works with TLS enabled between the client and the server. I have tried to get TLS to run a few times but could not get it to run so far. Am I right about the assumption that I need encryption between the server and the clients for password change to work?
>>>>>>
>>>>>> Regards
>>>>>
>>>>> When using the ldappasswd command, yes, ssl/tls is mandatory. Try changing the password using ldapmodify, it doesn't require an ssl/tls connection.
>>>>>
>>>>>> On Mon, Nov 12, 2012 at 8:56 PM, Mark Reynolds <marey...@redhat.com> wrote:
>>>>>>> Only crypt uses the first 8 characters, so any other scheme would be fine. After you change the scheme you will need to force all the users to change their passwords - otherwise their crypt passwords will still be present.
>>>>>>>
>>>>>>> On 11/12/2012 01:52 PM, Ali Jawad wrote:
>>>>>>>> Hi All,
>>>>>>>>
>>>>>>>> This is an all Linux environment with 389 being used as the sole authentication mechanism. I do believe I am using crypt, I am out of office right now, what should I use instead of crypt to match more characters?
>>>>>>>>
>>>>>>>> Regards
>>>>>>>>
>>>>>>>> On Mon, Nov 12, 2012 at 7:02 PM, Mark Reynolds <marey...@redhat.com> wrote:
>>>>>>>>> Also what password storage scheme are you using? For example crypt only checks the first 8 characters of a password.
>>>>>>>>>
>>>>>>>>> On 11/12/2012 11:18 AM, Dan Lavu wrote:
>>>>>>>>>> In regards to a password policy? Just 389 or are you using winsync with AD? Because the password policy from AD does not transfer over. Also there are some extra steps if you want to set up an OU based password policy, but if you just do it for the entire directory through 'configuration' it works with no issues.
Re: [389-users] Password + anything works ?
Hi,

Yes, ldap.conf is only what is listed. Yes, you are right, there are two pam_password, that is wrong. I prefer not to use crypt if possible as I do not want to be limited to 8 char passwords, does that make sense?

Regards

On Tue, Nov 13, 2012 at 2:38 PM, Grzegorz Dwornicki <gd1...@gmail.com> wrote:
> Sorry, my bad, I was thinking about ldap.conf but said nss... Does ldap.conf contain only these lines? Why do you use pam_password clear and then exop? Try crypt.
>
> Greg.
>
> On 13 Nov 2012 13:18, Ali Jawad <ali.ja...@splendor.net> wrote:
>> Hi,
>>
>> nsswitch.conf contains the following relevant lines, the rest is unchanged:
>>
>> passwd: ldap files
>> shadow: ldap files
>> group:  ldap files
>>
>> Maybe it is my LDAP settings, please see /etc/ldap.conf below:
>>
>> bind_policy soft
>> URI ldap://ldap.server.ip
>> BASE dc=domain,dc=local
>> TLS_CACERTDIR /etc/openldap/cacerts
>> pam_password clear
>> pam_lookup_policy yes
>> pam_password exop
>> # Idle timelimit; client will close connections
>> # (nss_ldap only) if the server has not been contacted
>> # for the number of seconds specified below.
>> #idle_timelimit 3600
>> idle_timelimit 900
>>
>> On Tue, Nov 13, 2012 at 1:59 PM, Grzegorz Dwornicki <gd1...@gmail.com> wrote:
>>> What about NSS configuration? Maybe there is configuration making ssl mandatory?
>>>
>>> Greg
>>>
>>> On 13 Nov 2012 12:51, Ali Jawad <ali.ja...@splendor.net> wrote:
>>>> Hi All,
>>>>
>>>> I am trying to change the password using passwd, please see the below:
>>>>
>>>> [xyz@server ~]$ passwd
>>>> Changing password for user xyz.
>>>> Enter login(LDAP) password:
>>>> New UNIX password:
>>>> Retype new UNIX password:
>>>> LDAP password information update failed: Confidentiality required
>>>> Operation requires a secure connection.
>>>>
>>>> The error log shows:
>>>>
>>>> Nov 13 11:47:17 HA-Dev-Nymgo-100-45 passwd: pam_unix(passwd:chauthtok): user xyz does not exist in /etc/passwd
>>>>
>>>> PAM config follows:
>>>>
>>>> /etc/pam.d/passwd
>>>>
>>>> #%PAM-1.0
>>>> auth       include      system-auth
>>>> account    include      system-auth
>>>> password   include      system-auth
>>>>
>>>> /etc/pam.d/system-auth
>>>>
>>>> #/etc/pam.d/system-auth
>>>> #%PAM-1.0
>>>> auth        required      pam_env.so
>>>> auth        sufficient    pam_unix.so
>>>> auth        sufficient    pam_ldap.so use_first_pass
>>>> auth        required      pam_deny.so
>>>>
>>>> account     sufficient    pam_unix.so
>>>> account     sufficient    pam_ldap.so use_first_pass
>>>> account     required      pam_deny.so
>>>>
>>>> password    requisite     pam_cracklib.so try_first_pass retry=3
>>>> password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
>>>> password    sufficient    pam_ldap.so use_authtok
>>>> password    required      pam_deny.so
>>>> #password   required      pam_cracklib.so retry=3 minlen=2 dcredit=0 ucredit=0
>>>> #password   sufficient    pam_unix.so nullok use_authtok md5 shadow
>>>> #password   sufficient    pam_ldap.so
>>>> #password   required      pam_deny.so
>>>>
>>>> session     optional      pam_mkhomedir.so skel=/etc/skel/ umask=0022
>>>> session     required      pam_limits.so
>>>> session     required      pam_unix.so
>>>> session     optional      pam_ldap.so
>>>>
>>>> On Tue, Nov 13, 2012 at 11:15 AM, Arpit Tolani <arpittol...@gmail.com> wrote:
>>>>> Hello
>>>>>
>>>>> On Tue, Nov 13, 2012 at 1:10 PM, Ali Jawad <ali.ja...@splendor.net> wrote:
>>>>>> Hi Arpit,
>>>>>>
>>>>>> Actually I was attempting to change the password using the command line passwd, i.e. each user changes his own password. Is passwd the right choice here?
>>>>>
>>>>> Yes, passwd is the right choice, considering you have pam_ldap.so properly configured. Yes, passwd doesn't need ssl/tls to be configured.
>>>>>
>>>>>> Regards
>>>>>>
>>>>>> On Mon, Nov 12, 2012 at 11:27 PM, Arpit Tolani <arpittol...@gmail.com> wrote:
>>>>>>> Hello
>>>>>>>
>>>>>>> On Tue, Nov 13, 2012 at 12:33 AM, Ali Jawad <ali.ja...@splendor.net> wrote:
>>>>>>>> In that case I have a major overhaul that I need to complete. Change password is not working for me, my assumption is that it only works with TLS enabled between the client and the server. I have tried to get TLS to run a few times but could not get it to run so far. Am I right about the assumption that I need encryption between the server and the clients for password change to work?
>>>>>>>>
>>>>>>>> Regards
>>>>>>>
>>>>>>> When using the ldappasswd command, yes, ssl/tls is mandatory. Try changing the password using ldapmodify, it doesn't require an ssl/tls connection.
>>>>>>>
>>>>>>>> On Mon, Nov 12, 2012 at 8:56 PM, Mark Reynolds <marey...@redhat.com> wrote:
>>>>>>>>> Only crypt uses the first 8 characters, so any other scheme would be fine. After you change the scheme you will need to force all the users to change their passwords - otherwise their crypt passwords will still be present.
>>>>>>>>>
>>>>>>>>> On 11/12/2012 01:52 PM, Ali Jawad wrote:
>>>>>>>>>> Hi All,
>>>>>>>>>>
>>>>>>>>>> This is an all Linux environment with 389 being used as the sole authentication mechanism. I do believe I am using crypt, I am out of office right now, what should I use instead of crypt to match more characters?
>>>>>>>>>>
>>>>>>>>>> Regards
>>>>>>>>>>
>>>>>>>>>> On Mon, Nov 12, 2012 at 7:02 PM, Mark
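The two pam_password directives Greg spotted, and a pam_password clear over a plain ldap:// URI, can both be caught mechanically. The following is an added example, not code from the thread; it assumes last-wins handling of a repeated directive, as a sequential parser does, and lints a constructed copy of the ldap.conf quoted above:

```python
"""Lint a pam_ldap/nss_ldap style /etc/ldap.conf for two of the problems
raised in this thread: a directive repeated with conflicting values, and a
cleartext password update (pam_password clear) over a plain ldap:// URI.

Added example, not part of the mailing-list posts. It assumes that a
repeated directive is handled last-wins, as a sequential parser does.
"""
from __future__ import annotations

# Constructed sample: the client file quoted in the thread (host elided).
SAMPLE_LDAP_CONF = """\
bind_policy soft
URI ldap://ldap.server.ip
BASE dc=domain,dc=local
TLS_CACERTDIR /etc/openldap/cacerts
pam_password clear
pam_lookup_policy yes
pam_password exop
# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#idle_timelimit 3600
idle_timelimit 900
"""


def parse_ldap_conf(text: str) -> list[tuple[str, str]]:
    """Return (directive, value) pairs in file order.

    Directive names are treated case-insensitively (lower-cased here);
    blank lines and '#' comments are skipped.
    """
    pairs: list[tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        pairs.append((parts[0].lower(), value))
    return pairs


def lint_ldap_conf(text: str) -> list[str]:
    """Return human-readable findings for one ldap.conf text."""
    findings: list[str] = []
    effective: dict[str, str] = {}

    # 1. The same directive given twice with different values: the file is
    #    saying two things, and only the later one takes effect (assumed
    #    last-wins handling).
    for key, value in parse_ldap_conf(text):
        if key in effective and effective[key] != value:
            findings.append(
                f"{key} set twice ({effective[key]!r} then {value!r}); "
                f"only the later value takes effect"
            )
        effective[key] = value

    # 2. pam_password clear sends the new password as a plain LDAP modify.
    #    With a plain ldap:// URI and no 'ssl start_tls' / 'ssl on' the new
    #    password would cross the network unencrypted.
    uri = effective.get("uri", "")
    ssl_mode = effective.get("ssl", "no").lower()
    if (uri.startswith("ldap://") and ssl_mode == "no"
            and effective.get("pam_password") == "clear"):
        findings.append(
            "pam_password clear over a plain ldap:// URI without 'ssl start_tls': "
            "password changes would be sent in cleartext"
        )
    return findings


if __name__ == "__main__":
    for finding in lint_ldap_conf(SAMPLE_LDAP_CONF):
        print(finding)
```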
Re: [389-users] Password + anything works ?
In that case I have a major overhaul that I need to complete. Change password is not working for me, my assumption is that it only works with TLS enabled between the client and the server. I have tried to get TLS to run a few times but could not get it to run so far. Am I right about the assumption that I need encryption between the server and the clients for password change to work?

Regards

On Mon, Nov 12, 2012 at 8:56 PM, Mark Reynolds <marey...@redhat.com> wrote:
> Only crypt uses the first 8 characters, so any other scheme would be fine. After you change the scheme you will need to force all the users to change their passwords - otherwise their crypt passwords will still be present.
>
> On 11/12/2012 01:52 PM, Ali Jawad wrote:
>> Hi All,
>>
>> This is an all Linux environment with 389 being used as the sole authentication mechanism. I do believe I am using crypt, I am out of office right now, what should I use instead of crypt to match more characters?
>>
>> Regards
>>
>> On Mon, Nov 12, 2012 at 7:02 PM, Mark Reynolds <marey...@redhat.com> wrote:
>>> Also what password storage scheme are you using? For example crypt only checks the first 8 characters of a password.
>>>
>>> On 11/12/2012 11:18 AM, Dan Lavu wrote:
>>>> In regards to a password policy? Just 389 or are you using winsync with AD? Because the password policy from AD does not transfer over. Also there are some extra steps if you want to set up an OU based password policy, but if you just do it for the entire directory through 'configuration' it works with no issues.
>>>>
>>>> Dan
>>>>
>>>> From: Ali Jawad <ali.ja...@splendor.net>
>>>> Sent: November 12, 2012 6:00 AM
>>>> To: General discussion list for the 389 Directory server project.
>>>> Subject: [389-users] Password + anything works ?
>>>>
>>>> Hi,
>>>>
>>>> I just noticed that you can use the password+ANYLetters and it will work, i.e. if the password is xyz, xyz99 or xyzABC will work as well. Is this a misconfiguration on my part or a bug?
>>>>
>>>> Regards
>
> --
> Mark Reynolds
> Red Hat, inc
> mreyno...@redhat.com
Re: [389-users] Password + anything works ?
Thanks, I will try again and if I can not get password change to work I will post error + configs, thanks for the help so far.

Regards

On Mon, Nov 12, 2012 at 9:19 PM, Mark Reynolds <marey...@redhat.com> wrote:
> I'm not aware of passwords not being updated based off the connection type. It should work.
>
> On 11/12/2012 02:03 PM, Ali Jawad wrote:
>> In that case I have a major overhaul that I need to complete. Change password is not working for me, my assumption is that it only works with TLS enabled between the client and the server. I have tried to get TLS to run a few times but could not get it to run so far. Am I right about the assumption that I need encryption between the server and the clients for password change to work?
>>
>> Regards
>>
>> On Mon, Nov 12, 2012 at 8:56 PM, Mark Reynolds <marey...@redhat.com> wrote:
>>> Only crypt uses the first 8 characters, so any other scheme would be fine. After you change the scheme you will need to force all the users to change their passwords - otherwise their crypt passwords will still be present.
>>>
>>> On 11/12/2012 01:52 PM, Ali Jawad wrote:
>>>> Hi All,
>>>>
>>>> This is an all Linux environment with 389 being used as the sole authentication mechanism. I do believe I am using crypt, I am out of office right now, what should I use instead of crypt to match more characters?
>>>>
>>>> Regards
>>>>
>>>> On Mon, Nov 12, 2012 at 7:02 PM, Mark Reynolds <marey...@redhat.com> wrote:
>>>>> Also what password storage scheme are you using? For example crypt only checks the first 8 characters of a password.
>>>>>
>>>>> On 11/12/2012 11:18 AM, Dan Lavu wrote:
>>>>>> In regards to a password policy? Just 389 or are you using winsync with AD? Because the password policy from AD does not transfer over. Also there are some extra steps if you want to set up an OU based password policy, but if you just do it for the entire directory through 'configuration' it works with no issues.
>>>>>>
>>>>>> Dan
>>>>>>
>>>>>> From: Ali Jawad <ali.ja...@splendor.net>
>>>>>> Sent: November 12, 2012 6:00 AM
>>>>>> To: General discussion list for the 389 Directory server project.
>>>>>> Subject: [389-users] Password + anything works ?
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I just noticed that you can use the password+ANYLetters and it will work, i.e. if the password is xyz, xyz99 or xyzABC will work as well. Is this a misconfiguration on my part or a bug?
>>>>>>
>>>>>> Regards
Re: [389-users] Password + anything works ?
Hi Arpit,

Actually I was attempting to change the password using the command line passwd, i.e. each user changes his own password. Is passwd the right choice here?

Regards

On Mon, Nov 12, 2012 at 11:27 PM, Arpit Tolani <arpittol...@gmail.com> wrote:
> Hello
>
> On Tue, Nov 13, 2012 at 12:33 AM, Ali Jawad <ali.ja...@splendor.net> wrote:
>> In that case I have a major overhaul that I need to complete. Change password is not working for me, my assumption is that it only works with TLS enabled between the client and the server. I have tried to get TLS to run a few times but could not get it to run so far. Am I right about the assumption that I need encryption between the server and the clients for password change to work?
>>
>> Regards
>
> When using the ldappasswd command, yes, ssl/tls is mandatory. Try changing the password using ldapmodify, it doesn't require an ssl/tls connection.
>
>> On Mon, Nov 12, 2012 at 8:56 PM, Mark Reynolds <marey...@redhat.com> wrote:
>>> Only crypt uses the first 8 characters, so any other scheme would be fine. After you change the scheme you will need to force all the users to change their passwords - otherwise their crypt passwords will still be present.
>>>
>>> On 11/12/2012 01:52 PM, Ali Jawad wrote:
>>>> Hi All,
>>>>
>>>> This is an all Linux environment with 389 being used as the sole authentication mechanism. I do believe I am using crypt, I am out of office right now, what should I use instead of crypt to match more characters?
>>>>
>>>> Regards
>>>>
>>>> On Mon, Nov 12, 2012 at 7:02 PM, Mark Reynolds <marey...@redhat.com> wrote:
>>>>> Also what password storage scheme are you using? For example crypt only checks the first 8 characters of a password.
>>>>>
>>>>> On 11/12/2012 11:18 AM, Dan Lavu wrote:
>>>>>> In regards to a password policy? Just 389 or are you using winsync with AD? Because the password policy from AD does not transfer over. Also there are some extra steps if you want to set up an OU based password policy, but if you just do it for the entire directory through 'configuration' it works with no issues.
>>>>>>
>>>>>> Dan
>>>>>>
>>>>>> From: Ali Jawad <ali.ja...@splendor.net>
>>>>>> Sent: November 12, 2012 6:00 AM
>>>>>> To: General discussion list for the 389 Directory server project.
>>>>>> Subject: [389-users] Password + anything works ?
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I just noticed that you can use the password+ANYLetters and it will work, i.e. if the password is xyz, xyz99 or xyzABC will work as well. Is this a misconfiguration on my part or a bug?
>>>>>>
>>>>>> Regards
>
> Regards
> Arpit Tolani
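Mark's point that changing the storage scheme leaves each user's existing {crypt} hash in place until that user next changes their password means the directory can be audited for the accounts that still need forcing. The following is an added example, not code from the thread; it parses a constructed LDIF export (placeholder hash values, one of them base64-encoded as export tools do) and reports which entries still carry a {crypt} userPassword:

```python
"""Audit which entries in a 389 DS LDIF export still carry a {crypt}
userPassword after the passwordStorageScheme has been changed. The server
keeps the old hash until the user next changes the password, so these are
the accounts that must be forced through a password change.

Added example, not code from the thread. The LDIF below is constructed and
the hash values are placeholders, not real hashes.
"""
from __future__ import annotations

import base64
import re

# Constructed export of four accounts; one value is base64-encoded the way
# ldapsearch/db2ldif emit values that are not safe as plain LDIF strings.
SAMPLE_LDIF = (
    "dn: uid=alice,ou=people,dc=domain,dc=local\n"
    "uid: alice\n"
    "userPassword: {crypt}ab.CONSTRUCTED\n"
    "\n"
    "dn: uid=bob,ou=people,dc=domain,dc=local\n"
    "uid: bob\n"
    "userPassword: {SSHA}Q09OU1RSVUNURUQ=\n"
    "\n"
    "dn: uid=carol,ou=people,dc=domain,dc=local\n"
    "uid: carol\n"
    "userPassword:: " + base64.b64encode(b"{crypt}cd.CONSTRUCTED").decode() + "\n"
    "\n"
    "dn: uid=dave,ou=people,dc=domain,dc=local\n"
    "uid: dave\n"
    "userPassword: {SSHA512}Q09OU1RSVUNURUQ=\n"
)

SCHEME_RE = re.compile(r"^\{([^}]+)\}")


def _unfold(text: str) -> list[str]:
    """Join LDIF continuation lines (a leading space) onto the previous line."""
    lines: list[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """Parse LDIF records into dicts of lower-cased attribute -> values.

    Handles 'attr: value', base64 'attr:: value' and comment lines; records
    are separated by blank lines.
    """
    entries: list[dict[str, list[str]]] = []
    entry: dict[str, list[str]] = {}
    for line in _unfold(text) + [""]:
        if not line.strip():
            if entry:
                entries.append(entry)
                entry = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def password_scheme(value: str) -> str:
    """Return the upper-cased storage scheme tag of a userPassword value."""
    m = SCHEME_RE.match(value)
    return m.group(1).upper() if m else "NO-PREFIX"


def audit_storage_schemes(ldif_text: str) -> tuple[dict[str, int], list[str]]:
    """Count userPassword values per scheme and list DNs still on crypt."""
    counts: dict[str, int] = {}
    still_crypt: list[str] = []
    for entry in parse_ldif(ldif_text):
        for value in entry.get("userpassword", []):
            scheme = password_scheme(value)
            counts[scheme] = counts.get(scheme, 0) + 1
            if scheme == "CRYPT":
                still_crypt.append(entry["dn"][0])
    return counts, sorted(still_crypt)


if __name__ == "__main__":
    counts, still_crypt = audit_storage_schemes(SAMPLE_LDIF)
    print(counts)
    for dn in still_crypt:
        print("must change password:", dn)
```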
[389-users] Clients freezing during boot
Hi,

I have been running 389 dir server for around 8 months now. Recently, whenever I restart or set up a new machine and connect it to the 389 server using the same settings as the other servers, it will freeze during startup at INIT. I am using an IP in my config files. Once I remove ldap from nsswitch.conf the servers all boot normally. I did restart the ldap server and I am sure it is not a firewall issue. Any input please?

Regards
Re: [389-users] No password change forced at first logon
On further checking, the attribute passwordMustChange does not exist in my users. I did check using the command line and I even tried to set it using the command line, it says Object Not found.

On Thu, May 10, 2012 at 2:55 PM, Ali Jawad <ali.ja...@splendor.net> wrote:
> I did check using the debug log but everything looks fine in the logs.
>
> On Wed, May 9, 2012 at 5:28 PM, Ali Jawad <ali.ja...@splendor.net> wrote:
>> Hi,
>>
>> Any help please? Thanks!
>>
>> On Tue, May 8, 2012 at 5:27 PM, Ali Jawad <ali.ja...@splendor.net> wrote:
>>> Hi Mark,
>>>
>>> I do logon to the GUI and I logon as the directory manager, and I do set the password for an existing user, and I try to create a new user with a new password. But the user does not get prompted for a pwd on first logon after that. How do I reset the pwd?
>>>
>>> Thanks
>>>
>>> On Tue, May 8, 2012 at 5:17 PM, Mark Reynolds <marey...@redhat.com> wrote:
>>>> Ali,
>>>>
>>>> You need to reset the user's password by cn=directory manager or the admin account for this feature to take effect. Just turning it on will do nothing until you reset a password. Then when the user authenticates, they should not be able to do anything but change their password.
>>>>
>>>> Mark
>>>>
>>>> On 05/08/2012 07:26 AM, Ali Jawad wrote:
>>>>> Hi,
>>>>>
>>>>> I did check the box that says User Must Change Password After Reset in Data under configuration. I also did set the same policy for specific users. However, I am not being asked to change password on first logons through ssh or direct console on server, the same is true when I do change the password of a user, I guess this is what password reset means. I am not using Fine Grain Password settings. Any ideas?
>>>>>
>>>>> Thanks

--
Ali Jawad
Information Systems Manager
Splendor Telecom (www.splendor.net)
Beirut, Lebanon
Phone: +9611373725/ext 116
FAX: +9611375554
[389-users] idle_timelimit 60
Hi,

I know this is not a strictly 389 DS related question. I did set idle_timelimit 60 in my /etc/ldap.conf client file but connections stay running and do not time out. Is there any setting I need to add on the server side?

My full LDAP file at /etc/ldap.conf:

bind_policy soft
URI ldap://xx.xx.xx.xx
BASE dc=xxx,dc=local
TLS_CACERTDIR /etc/openldap/cacerts
pam_password clear
pam_lookup_policy yes
idle_timelimit 60

Regards
Re: [389-users] idle_timelimit 60
Thanks guys, I figured this one out, my other post about force change password on reset is killing me though.

On Wed, May 9, 2012 at 4:22 PM, Paul Robert Marino <prmari...@gmail.com> wrote:
> It's generally a good idea on the server to set a shorter tcp keepalive interval in /etc/sysctl.conf. The default is 2 hours. Set it to slightly more than the idle time limit on your clients.
>
> On May 9, 2012 4:05 AM, Ali Jawad <ali.ja...@splendor.net> wrote:
>> Hi,
>>
>> I know this is not a strictly 389 DS related question. I did set idle_timelimit 60 in my /etc/ldap.conf client file but connections stay running and do not time out. Is there any setting I need to add on the server side?
>>
>> My full LDAP file at /etc/ldap.conf:
>>
>> bind_policy soft
>> URI ldap://xx.xx.xx.xx
>> BASE dc=xxx,dc=local
>> TLS_CACERTDIR /etc/openldap/cacerts
>> pam_password clear
>> pam_lookup_policy yes
>> idle_timelimit 60
>>
>> Regards
Re: [389-users] Disable Inactive Users After 90 days
Hi Rich,

Your help is highly appreciated, I got it working, thanks for your patience.

Regards

On Wed, May 9, 2012 at 5:19 PM, Rich Megginson <rmegg...@redhat.com> wrote:
> On 05/09/2012 08:17 AM, Ali Jawad wrote:
>> Hi,
>>
>> Thanks Rich, just what I was searching for. I am facing a problem though:
>>
>> ldapmodify: No such object (32) matched DN: dc=domain,dc=local
>>
>> at:
>>
>> [user@server ~]$ ldapmodify -a -D "cn=directory manager" -w secret -p 389 -h server.example.com -x
>> dn: cn=Account Inactivation Policy,dc=example,dc=com
>> objectClass: top
>> objectClass: ldapsubentry
>> objectClass: extensibleObject
>> objectClass: accountpolicy
>> accountInactivityLimit: 2592000
>> cn: Account Inactivation Policy
>>
>> I am doing:
>>
>> [root@386-100-16 dirsrv]# ldapmodify -D "cn=directory manager" -w password -p 389 -h x.x.x.x -x
>> dn: cn=Account Inactivation Policy,dc=domain,dc=local
>> objectClass: top
>> objectClass: ldapsubentry
>> objectClass: extensibleObject
>> objectClass: accountpolicy
>> accountInactivityLimit: 2592000
>> cn: Account Inactivation Policy
>>
>> modifying entry "cn=Account Inactivation Policy,dc=domain,dc=local"
>> ldapmodify: No such object (32)
>>         matched DN: dc=domain,dc=local
>
> Right. You are missing the ldapmodify -a - see the original instructions.
>
>> On Wed, May 9, 2012 at 4:47 PM, Rich Megginson <rmegg...@redhat.com> wrote:
>>> On 05/09/2012 07:45 AM, Ali Jawad wrote:
>>>> Hi,
>>>>
>>>> I have a requirement to disable inactive users after 90 days. I did read http://directory.fedoraproject.org/wiki/Account_Policy_Design but I am not sure whether this is a design proposal or the actual implementation.
>>>>
>>>> My DS version is:
>>>>
>>>> rpm -qa | grep 389
>>>> 389-admin-console-1.1.8-1.el5
>>>> 389-ds-base-1.2.9.9-1.el5
>>>> 389-dsgw-1.1.7-2.el5
>>>> 389-console-1.1.7-3.el5
>>>> 389-adminutil-1.1.14-1.el5
>>>> 389-admin-1.1.23-1.el5
>>>> 389-admin-console-doc-1.1.8-1.el5
>>>> 389-ds-1.2.1-1.el5
>>>> 389-ds-base-libs-1.2.9.9-1.el5
>>>> 389-ds-console-1.2.6-1.el5
>>>> 389-ds-console-doc-1.2.6-1.el5
>>>>
>>>> I got:
>>>>
>>>> [root@386-100-16 dirsrv]# ldapsearch -x -D "cn=Directory manager" -w Password -b cn=config -s base lastLoginTime
>>>> # extended LDIF
>>>> #
>>>> # LDAPv3
>>>> # base <cn=config> with scope baseObject
>>>> # filter: (objectclass=*)
>>>> # requesting: lastLoginTime
>>>> #
>>>>
>>>> # config
>>>> dn: cn=config
>>>>
>>>> # search result
>>>> search: 2
>>>> result: 0 Success
>>>>
>>>> # numResponses: 2
>>>> # numEntries: 1
>>>>
>>>> and:
>>>>
>>>> [root@386-100-16 dirsrv]# grep -i lastlogintime /etc/dirsrv/slapd-386-100-16/schema/*
>>>> /etc/dirsrv/slapd-386-100-16/schema/60acctpolicy.ldif:## lastLoginTime holds login state in user entries (GeneralizedTime syntax)
>>>> /etc/dirsrv/slapd-386-100-16/schema/60acctpolicy.ldif:attributeTypes: ( 2.16.840.1.113719.1.1.4.1.35 NAME 'lastLoginTime'
>>>>
>>>> I am not sure how to implement this though, please advise.
>>>
>>> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/account-policy-plugin.html
>>>
>>>> Regards
Re: [389-users] No password change forced at first logon
Hi,

Any help please? Thanks!

On Tue, May 8, 2012 at 5:27 PM, Ali Jawad <ali.ja...@splendor.net> wrote:
> Hi Mark,
>
> I do logon to the GUI and I logon as the directory manager, and I do set the password for an existing user, and I try to create a new user with a new password. But the user does not get prompted for a pwd on first logon after that. How do I reset the pwd?
>
> Thanks
>
> On Tue, May 8, 2012 at 5:17 PM, Mark Reynolds <marey...@redhat.com> wrote:
>> Ali,
>>
>> You need to reset the user's password by cn=directory manager or the admin account for this feature to take effect. Just turning it on will do nothing until you reset a password. Then when the user authenticates, they should not be able to do anything but change their password.
>>
>> Mark
>>
>> On 05/08/2012 07:26 AM, Ali Jawad wrote:
>>> Hi,
>>>
>>> I did check the box that says User Must Change Password After Reset in Data under configuration. I also did set the same policy for specific users. However, I am not being asked to change password on first logons through ssh or direct console on server, the same is true when I do change the password of a user, I guess this is what password reset means. I am not using Fine Grain Password settings. Any ideas?
>>>
>>> Thanks
Re: [389-users] Disable Inactive Users After 90 days
Hi Rich

Seems I still got a problem, the users can't logon anymore, I did try to

dn: uid=username,ou=people,dc=domain,dc=local
changetype: delete
delete: lastLoginTime

But I keep getting

ldapmodify: extra lines at end (line 3 of entry uid=username,ou=people,dc=domain,dc=local)

I checked for whitespaces, extra lines.. but still same issue. I did also check for lastLoginTime values in the users in the interface, but the value is empty.. so not sure if this is the problem at all.

Regards

On Wed, May 9, 2012 at 5:26 PM, Ali Jawad <ali.ja...@splendor.net> wrote:
> Hi Rich
>
> Your help is highly appreciated, I got it working, thanks for your patience.
>
> Regards
>
> On Wed, May 9, 2012 at 5:19 PM, Rich Megginson <rmegg...@redhat.com> wrote:
>> On 05/09/2012 08:17 AM, Ali Jawad wrote:
>>> Hi
>>>
>>> Thanks Rich, just what I was searching for, I am facing a problem though
>>>
>>> ldapmodify: No such object (32)
>>> matched DN: dc=domain,dc=local
>>>
>>> at:
>>>
>>> [user@server ~]$ ldapmodify -a -D "cn=directory manager" -w secret -p 389 -h server.example.com -x
>>> dn: cn=Account Inactivation Policy,dc=example,dc=com
>>> objectClass: top
>>> objectClass: ldapsubentry
>>> objectClass: extensibleObject
>>> objectClass: accountpolicy
>>> accountInactivityLimit: 2592000
>>> cn: Account Inactivation Policy
>>>
>>> I am doing
>>>
>>> [root@386-100-16 dirsrv]# ldapmodify -D "cn=directory manager" -w password -p 389 -h x.x.x.x -x
>>> dn: cn=Account Inactivation Policy,dc=domain,dc=local
>>> objectClass: top
>>> objectClass: ldapsubentry
>>> objectClass: extensibleObject
>>> objectClass: accountpolicy
>>> accountInactivityLimit: 2592000
>>> cn: Account Inactivation Policy
>>> modifying entry "cn=Account Inactivation Policy,dc=domain,dc=local"
>>> ldapmodify: No such object (32)
>>> matched DN: dc=domain,dc=local
>>
>> Right. You are missing the ldapmodify -a - see the original instructions
>>
>>> On Wed, May 9, 2012 at 4:47 PM, Rich Megginson <rmegg...@redhat.com> wrote:
>>>> On 05/09/2012 07:45 AM, Ali Jawad wrote:
>>>>> Hi
>>>>>
>>>>> I have a requirement to disable inactive users after 90 days.
>>>>> I did read http://directory.fedoraproject.org/wiki/Account_Policy_Design but I am not sure whether this is a design proposal or the actual implementation.
>>>>>
>>>>> My DS version is:
>>>>>
>>>>> rpm -qa | grep 389
>>>>> 389-admin-console-1.1.8-1.el5
>>>>> 389-ds-base-1.2.9.9-1.el5
>>>>> 389-dsgw-1.1.7-2.el5
>>>>> 389-console-1.1.7-3.el5
>>>>> 389-adminutil-1.1.14-1.el5
>>>>> 389-admin-1.1.23-1.el5
>>>>> 389-admin-console-doc-1.1.8-1.el5
>>>>> 389-ds-1.2.1-1.el5
>>>>> 389-ds-base-libs-1.2.9.9-1.el5
>>>>> 389-ds-console-1.2.6-1.el5
>>>>> 389-ds-console-doc-1.2.6-1.el5
>>>>>
>>>>> I got
>>>>>
>>>>> [root@386-100-16 dirsrv]# ldapsearch -x -D "cn=Directory manager" -w Password -b cn=config -s base lastLoginTime
>>>>> # extended LDIF
>>>>> #
>>>>> # LDAPv3
>>>>> # base <cn=config> with scope baseObject
>>>>> # filter: (objectclass=*)
>>>>> # requesting: lastLoginTime
>>>>> #
>>>>>
>>>>> # config
>>>>> dn: cn=config
>>>>>
>>>>> # search result
>>>>> search: 2
>>>>> result: 0 Success
>>>>>
>>>>> # numResponses: 2
>>>>> # numEntries: 1
>>>>>
>>>>> and
>>>>>
>>>>> [root@386-100-16 dirsrv]# grep -i lastlogintime /etc/dirsrv/slapd-386-100-16/schema/*
>>>>> /etc/dirsrv/slapd-386-100-16/schema/60acctpolicy.ldif:## lastLoginTime holds login state in user entries (GeneralizedTime syntax)
>>>>> /etc/dirsrv/slapd-386-100-16/schema/60acctpolicy.ldif:attributeTypes: ( 2.16.840.1.113719.1.1.4.1.35 NAME 'lastLoginTime'
>>>>>
>>>>> I am not sure how to implement this though, please advise.
>>>>
>>>> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/account-policy-plugin.html
>>>>
>>>>> Regards
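Added example, not code from the thread or the 389 project: a small checker for LDIF change records that catches the mix-up behind the "extra lines at end" error quoted above. In LDIF, changetype: delete removes the whole entry and takes no further lines, so a following delete: lastLoginTime line is rejected; clearing a single attribute needs changetype: modify with a delete: block. It assumes Python 3 and only the standard library; the sample record is the one posted in the thread.

```python
"""Check LDIF change records for the mistake behind "ldapmodify: extra lines
at end".  Added example, not from the thread.  In LDIF (RFC 2849) a record
with "changetype: delete" removes the whole entry and ends right there;
clearing one attribute needs "changetype: modify" with a "delete: <attr>"
block closed by a "-" line."""

def parse_records(ldif_text):
    """Split LDIF text into records (lists of lines): records are separated
    by blank lines and '#' comment lines are dropped."""
    records, current = [], []
    for line in ldif_text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = []
        elif not line.startswith("#"):
            current.append(line.rstrip())
    if current:
        records.append(current)
    return records

def check_record(lines):
    """Return the problems found in one change record ([] when well formed)."""
    if not lines or not lines[0].startswith("dn:"):
        return ["record does not start with a dn: line"]
    if len(lines) < 2 or not lines[1].startswith("changetype:"):
        return ["no changetype: line after dn:"]
    changetype = lines[1].split(":", 1)[1].strip()
    body = lines[2:]
    if changetype == "delete" and body:
        # The thread's record: "delete: lastLoginTime" is the unexpected third
        # line, which ldapmodify reports as "extra lines at end".
        return ["changetype: delete takes no further lines; "
                "use changetype: modify to remove an attribute"]
    if changetype == "modify" and not any(
            l.split(":", 1)[0] in ("add", "delete", "replace") for l in body):
        return ["changetype: modify needs an add/delete/replace block"]
    return []

def attribute_delete_record(dn, attr):
    """The correct record for clearing one attribute.  The server still answers
    noSuchAttribute (16) if the entry carries no value for it at all."""
    return "dn: %s\nchangetype: modify\ndelete: %s\n-\n" % (dn, attr)

# Constructed sample: the record posted in the thread.
BROKEN = ("dn: uid=username,ou=people,dc=domain,dc=local\n"
          "changetype: delete\ndelete: lastLoginTime\n")
```

Feed the output of attribute_delete_record() to ldapmodify (without -a) to clear the attribute; an entry whose lastLoginTime is already empty will answer with result code 16 rather than being changed.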
Re: [389-users] Disable Inactive Users After 90 days
Stdin, problem is even new users can't register anymore. Not just existing ones.. will test your suggestion.

Regards

On Wed, May 9, 2012 at 7:13 PM, Jim Finn <jamespf...@gmail.com> wrote:
> Are you doing this via an ldif file or stdin? Try
>
> echo -e "dn: uid=username,ou=people,dc=domain,dc=local\nchangetype: delete\ndelete: lastLoginTime\n\n" | ldapmodify -x -h yourhost -D"cn=directory manager" -wPaSsWoRd
>
> Jim
>
> On Wed, May 9, 2012 at 11:09 AM, Rich Megginson <rmegg...@redhat.com> wrote:
>> On 05/09/2012 10:09 AM, Ali Jawad wrote:
>>> Hi Rich
>>>
>>> Seems I still got a problem, the users can't logon anymore, I did try to
>>>
>>> dn: uid=username,ou=people,dc=domain,dc=local
>>> changetype: delete
>>> delete: lastLoginTime
>>>
>>> But I keep getting
>>>
>>> ldapmodify: extra lines at end (line 3 of entry uid=username,ou=people,dc=domain,dc=local)
>>>
>>> I checked for whitespaces, extra lines.. but still same issue. I did also check for lastLoginTime values in the users in the interface, but the value is empty.. so not sure if this is the problem at all.
>>
>> does ldapmodify -d 1 give any more useful information?
>>
>>> Regards
>>>
>>> On Wed, May 9, 2012 at 5:26 PM, Ali Jawad <ali.ja...@splendor.net> wrote:
>>>> Hi Rich
>>>>
>>>> Your help is highly appreciated, I got it working, thanks for your patience.
>>>>
>>>> Regards
>>>>
>>>> On Wed, May 9, 2012 at 5:19 PM, Rich Megginson <rmegg...@redhat.com> wrote:
>>>>> On 05/09/2012 08:17 AM, Ali Jawad wrote:
>>>>>> Hi
>>>>>>
>>>>>> Thanks Rich, just what I was searching for, I am facing a problem though
>>>>>>
>>>>>> ldapmodify: No such object (32)
>>>>>> matched DN: dc=domain,dc=local
>>>>>>
>>>>>> at:
>>>>>>
>>>>>> [user@server ~]$ ldapmodify -a -D "cn=directory manager" -w secret -p 389 -h server.example.com -x
>>>>>> dn: cn=Account Inactivation Policy,dc=example,dc=com
>>>>>> objectClass: top
>>>>>> objectClass: ldapsubentry
>>>>>> objectClass: extensibleObject
>>>>>> objectClass: accountpolicy
>>>>>> accountInactivityLimit: 2592000
>>>>>> cn: Account Inactivation Policy
>>>>>>
>>>>>> I am doing
>>>>>>
>>>>>> [root@386-100-16 dirsrv]# ldapmodify -D "cn=directory manager" -w password -p 389 -h x.x.x.x -x
>>>>>> dn: cn=Account Inactivation Policy,dc=domain,dc=local
>>>>>> objectClass: top
>>>>>> objectClass: ldapsubentry
>>>>>> objectClass: extensibleObject
>>>>>> objectClass: accountpolicy
>>>>>> accountInactivityLimit: 2592000
>>>>>> cn: Account Inactivation Policy
>>>>>> modifying entry "cn=Account Inactivation Policy,dc=domain,dc=local"
>>>>>> ldapmodify: No such object (32)
>>>>>> matched DN: dc=domain,dc=local
>>>>>
>>>>> Right. You are missing the ldapmodify -a - see the original instructions
>>>>>
>>>>>> On Wed, May 9, 2012 at 4:47 PM, Rich Megginson <rmegg...@redhat.com> wrote:
>>>>>>> On 05/09/2012 07:45 AM, Ali Jawad wrote:
>>>>>>>> Hi
>>>>>>>>
>>>>>>>> I have a requirement to disable inactive users after 90 days.
>>>>>>>> I did read http://directory.fedoraproject.org/wiki/Account_Policy_Design but I am not sure whether this is a design proposal or the actual implementation.
>>>>>>>>
>>>>>>>> My DS version is:
>>>>>>>>
>>>>>>>> rpm -qa | grep 389
>>>>>>>> 389-admin-console-1.1.8-1.el5
>>>>>>>> 389-ds-base-1.2.9.9-1.el5
>>>>>>>> 389-dsgw-1.1.7-2.el5
>>>>>>>> 389-console-1.1.7-3.el5
>>>>>>>> 389-adminutil-1.1.14-1.el5
>>>>>>>> 389-admin-1.1.23-1.el5
>>>>>>>> 389-admin-console-doc-1.1.8-1.el5
>>>>>>>> 389-ds-1.2.1-1.el5
>>>>>>>> 389-ds-base-libs-1.2.9.9-1.el5
>>>>>>>> 389-ds-console-1.2.6-1.el5
>>>>>>>> 389-ds-console-doc-1.2.6-1.el5
>>>>>>>>
>>>>>>>> I got
>>>>>>>>
>>>>>>>> [root@386-100-16 dirsrv]# ldapsearch -x -D "cn=Directory manager" -w Password -b cn=config -s base lastLoginTime
>>>>>>>> # extended LDIF
>>>>>>>> #
>>>>>>>> # LDAPv3
>>>>>>>> # base <cn=config> with scope baseObject
>>>>>>>> # filter: (objectclass=*)
>>>>>>>> # requesting: lastLoginTime
>>>>>>>> #
>>>>>>>>
>>>>>>>> # config
>>>>>>>> dn: cn=config
>>>>>>>>
>>>>>>>> # search result
>>>>>>>> search: 2
>>>>>>>> result: 0 Success
>>>>>>>>
>>>>>>>> # numResponses: 2
>>>>>>>> # numEntries: 1
>>>>>>>>
>>>>>>>> and
>>>>>>>>
>>>>>>>> [root@386-100-16 dirsrv]# grep -i lastlogintime /etc/dirsrv/slapd-386-100-16/schema/*
>>>>>>>> /etc/dirsrv/slapd-386-100-16/schema/60acctpolicy.ldif:## lastLoginTime holds login state in user entries (GeneralizedTime syntax)
>>>>>>>> /etc/dirsrv/slapd-386-100-16/schema/60acctpolicy.ldif:attributeTypes: ( 2.16.840.1.113719.1.1.4.1.35 NAME 'lastLoginTime'
>>>>>>>>
>>>>>>>> I am not sure how to implement this though, please advise.
>>>>>>>
>>>>>>> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/account-policy-plugin.html
>>>>>>>
>>>>>>>> Regards
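Added example, not code from the thread or the 389 project: before enabling the Account Inactivation Policy entry discussed above, audit which accounts its accountInactivityLimit would lock. It assumes the plugin setup from the Red Hat guide linked above (state attribute lastLoginTime in GeneralizedTime, alternate state attribute createTimestamp, limit in seconds) and Python 3; the entries and the clock are constructed.

```python
"""Audit which accounts the Account Policy plugin would treat as inactive
before the policy is switched on.  Added example, not from the thread or the
389 project.  Assumes accountInactivityLimit is in seconds, the state
attribute is lastLoginTime (GeneralizedTime) and, as in the Red Hat guide's
example configuration, the alternate state attribute is createTimestamp."""
from datetime import datetime, timezone

def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime such as 20120509151900Z (UTC form only)."""
    if len(value) != 15 or not value.endswith("Z"):
        raise ValueError("unsupported GeneralizedTime: %r" % value)
    return datetime.strptime(value[:-1], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def audit_inactivity(entries, limit_seconds, now):
    """Return {dn: (attribute used, idle seconds, would be locked)}.

    An entry without lastLoginTime is judged by createTimestamp, which is why
    accounts whose lastLoginTime is still empty can be locked the moment the
    policy takes effect."""
    report = {}
    for dn, attrs in entries.items():
        used = next((a for a in ("lastLoginTime", "createTimestamp") if a in attrs), None)
        if used is None:
            report[dn] = (None, None, False)   # nothing to judge the account by
            continue
        idle = int((now - parse_generalized_time(attrs[used])).total_seconds())
        report[dn] = (used, idle, idle > limit_seconds)
    return report

# Constructed sample entries and clock; the limit is the 2592000 s (30 days)
# used in the thread.
NOW = datetime(2012, 5, 9, 15, 0, 0, tzinfo=timezone.utc)
LIMIT = 2592000
SAMPLE_ENTRIES = {
    "uid=active,ou=people,dc=domain,dc=local":
        {"lastLoginTime": "20120508120000Z", "createTimestamp": "20110101000000Z"},
    "uid=dormant,ou=people,dc=domain,dc=local":
        {"lastLoginTime": "20120101090000Z", "createTimestamp": "20110101000000Z"},
    "uid=neverlogged,ou=people,dc=domain,dc=local":
        {"createTimestamp": "20110101000000Z"},
    "uid=brandnew,ou=people,dc=domain,dc=local":
        {"createTimestamp": "20120509140000Z"},
}

if __name__ == "__main__":
    for dn, (used, idle, locked) in audit_inactivity(SAMPLE_ENTRIES, LIMIT, NOW).items():
        print("%-48s %-15s %11s %s" % (dn, used, idle, "LOCKED" if locked else "ok"))
```

Pulling the real values is an ldapsearch for lastLoginTime and createTimestamp over ou=people; a 90-day requirement means an accountInactivityLimit of 7776000 rather than the guide's 2592000.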
Re: [389-users] No password change forced at first logon
Hi Mark

When I do logon to the GUI and I logon as the directory manager, and I do set the password for an existing user, and I try to create a new user with a new password. But the user does not get prompted for a pwd on first logon after that. How do I reset the pwd ?

Thanks

On Tue, May 8, 2012 at 5:17 PM, Mark Reynolds <marey...@redhat.com> wrote:
> Ali,
>
> You need to reset the user's password by cn=directory manager or the admin account for this feature to take effect. Just turning it on will do nothing until you reset a password. Then when the user authenticates, they should not be able to do anything but change their password.
>
> Mark
>
> On 05/08/2012 07:26 AM, Ali Jawad wrote:
>> Hi
>>
>> I did check the box that says "User Must Change Password After Reset" in Data under configuration. I also did set the same policy for specific users. However, I am not being asked to change password on first logons through ssh or direct console on server; the same is true when I do change the password of a user, I guess this is what password reset means. I am not using Fine Grain Password settings.
>>
>> Any ideas ?
>>
>> Thanks
Re: [389-users] Per host access
Hi

The users are authenticating using their passwords, pam_ldap is being called in /etc/pam.d/system-auth. Please see

cat system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        sufficient    pam_krb5.so use_first_pass
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

Openssh version is latest stable for CentOS 5.x which is openssh-4.3p2-72.el5_7.5

As said, ldap authentication using 389 dir server works fine, I just want to limit access to certain hosts per user.

Thanks

On Mon, Mar 5, 2012 at 8:03 PM, Iain Morgan <iain.mor...@nasa.gov> wrote:
> On Mon, Mar 05, 2012 at 08:09:04 -0600, Ali Jawad wrote:
>> Hi
>>
>> I did install 389 and LDAP authentication, what i need to do now is allow access to users only to certain systems, I did checkout:
>> http://directory.fedoraproject.org/wiki/Howto:Posix#How_to_set_up_host_based_access_control
>>
>> I tried the old method because I could not figure out the new method, I did enable pam_check_host_attr, did not change any pam settings though, and I have use_pam enabled in sshd_config, but the user was still able to logon through SSH even though no hosts were listed in his attributes. Please advise.
>>
>> Regards
>
> Hello,
>
> What version of OpenSSH are you using and how did the user authenticate? For example, did the user use publickey authentication instead of password or challenge-response?
>
> Are you calling pam_ldap in the account portion of your PAM stack?
>
> What do you see in the LDAP server's access log when the user authenticates?
>
> --
> Iain Morgan
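Added example, not code from the thread: a checker for the question Iain raises, whether pam_ldap.so is actually reached in the account portion of the stack, since the auth rules posted above say nothing about the account phase. The sample stacks are constructed (modelled on the posted auth section plus an assumed account section); the module name is a parameter, and it assumes Python 3.

```python
"""List the PAM management groups in which a module is configured.  Added
example, not from the thread: it answers Iain's question of whether pam_ldap
is called in the account portion of the stack, which the auth-only rules
posted in the thread leave open."""
import re

PAM_GROUPS = ("auth", "account", "password", "session")
# group, control (a word or a [...] block), module, optional arguments
RULE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam_stack(text):
    """Return [(group, control, module, args)] per rule; blank and comment
    lines are skipped and the '-' prefix of optional modules is dropped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE.match(line)
        if m:
            group, control, module, args = m.groups()
            rules.append((group.lstrip("-"), control, module, args))
    return rules

def module_groups(text, module):
    """Management groups that call `module`, in auth/account/password/session order."""
    found = {g for g, _, m, _ in parse_pam_stack(text) if m == module}
    return sorted(found, key=PAM_GROUPS.index)

def missing_account_check(text, module="pam_ldap.so"):
    """True when `module` authenticates users but is never consulted in the
    account group, so none of its account-phase checks can run."""
    groups = module_groups(text, module)
    return "auth" in groups and "account" not in groups

# Constructed sample modelled on the auth section posted in the thread, with an
# assumed account section that consults only pam_unix (pam_ldap never sees it).
SYSTEM_AUTH_NO_LDAP_ACCOUNT = """#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     required      pam_permit.so
"""
# The same stack with the account rule authconfig generates for pam_ldap.
SYSTEM_AUTH_WITH_ACCOUNT = SYSTEM_AUTH_NO_LDAP_ACCOUNT.replace(
    "account     required      pam_permit.so",
    "account     [default=bad success=ok user_unknown=ignore] pam_ldap.so\n"
    "account     required      pam_permit.so")
```

Run module_groups(open("/etc/pam.d/system-auth").read(), "pam_ldap.so") on the real host; pam_check_host_attr cannot take effect on a host where the result lacks "account".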