[389-users] Disable password change prompt

2013-12-12 Thread Darcy Hodgson
Hey everyone,

I have set up the directory server with version 1.2.11. I am running a
subtree password policy and was wondering if it's possible to disable
the feature that requests a password change once the user's password
has expired. If a user lets their password expire I just want them to
get an "access denied" or "password expired" message and not let them
in. Is this possible?

There is a flow chart on the Redhat website
[https://access.redhat.com/site/documentation/resources/docs/en-US/Red_Hat_Directory_Server/8.1/html/Deployment_Guide/images/pwdpolicy.png]
that shows what is happening. In the bottom right if you follow Grace
Logins? > No > Prompt: Password Change


Thanks,

Darcy
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

Re: [389-users] Fwd: Some cipher suites not working

2013-07-19 Thread Darcy Hodgson
On Fri, Jul 19, 2013 at 10:00 AM, Rich Megginson wrote:

> On 07/19/2013 06:43 AM, Darcy Hodgson wrote:
>
>> Hello,
>>
>> I have been setting up SSL/TLS with 389 DS on CentOS 6.4. I have been able
>> to get it working and can connect with LDAPS. However when I started to
>> disable some of the ciphers I noticed that my server wasn't accepting any
>> of the DHE ciphers. I enabled all the ciphers with +all and used sslmap to
>> confirm that the server was only choosing RSA.
>>
>> I checked the logs and the only thing they say is "Cannot communicate
>> securely with peer: no common encryption algorithm(s)."
>>
>> Any help getting the DHE ciphers to work or pointing me to some
>> documentation would be appreciated.
>
> Can you please provide the exact steps to reproduce the issue?  Please
> include the versions of the nspr, nss, openldap, and 389-ds-base packages.
> Have you tried openssl s_client?
>
>> Thanks,
>>
>> Darcy

Here is the requested software installed.

openssh-5.3p1-84.1.el6.x86_64
389-ds-base-libs-1.2.11.15-14.el6_4.x86_64
openssh-clients-5.3p1-84.1.el6.x86_64
nspr-4.9.2-1.el6.x86_64
nss-sysinit-3.14.0.0-12.el6.x86_64
openldap-2.4.23-32.el6_4.1.x86_64
nss-softokn-freebl-3.12.9-11.el6.x86_64
openssh-server-5.3p1-84.1.el6.x86_64
nss-softokn-3.12.9-11.el6.x86_64
openldap-clients-2.4.23-32.el6_4.1.x86_64
389-ds-base-1.2.11.15-14.el6_4.x86_64
nss-util-3.14.0.0-2.el6.x86_64
nss-3.14.0.0-12.el6.x86_64
openssl-1.0.0-27.el6_4.2.x86_64
nss-tools-3.14.0.0-12.el6.x86_64

Here are my encryption settings.

dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
cn: encryption
nsSSLSessionTimeout: 0
nsSSLClientAuth: allowed
nsSSL2: off
nsSSL3: off
nsSSL3Ciphers: +all
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: cn=server,cn=plugins,cn=config
createTimestamp: 20130702171319Z
modifyTimestamp: 20130702171319Z
numSubordinates: 1

dn: cn=RSA,cn=encryption,cn=config
changetype: add
objectclass: top
objectclass: nsEncryptionModule
cn: RSA
nsSSLPersonalitySSL: test-cert
nsSSLToken: internal (software)
nsSSLActivation: on


I installed everything via Yum and only added the encryption settings and
"nsslapd-security: on" after going through the setup-ds script.

When I run openssl s_client -connect localhost:636 it connects fine with
AES256-SHA


When I specify a cipher it fails the handshake.

[root@ldap01 ~]# openssl s_client -connect localhost:636 -cipher DHE-DSS-AES128-SHA
CONNECTED(0003)
139667370157896:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3
alert handshake failure:s23_clnt.c:674:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 58 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
[root@ldap01 ~]#

I checked on the redhat site and DHE-DSS-AES128-SHA should be included
(tls_dhe_dss_aes_128_sha).


-Darcy
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
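The poster's test above offers one suite at a time to `openssl s_client` and reads the result by hand. Here is an added example (not from the thread and not 389 DS project code) that automates that check for every suite in an OpenSSL cipher spec and groups the outcome by key-exchange family, so that "the server never picks any DHE suite" stands out from "one suite happens to be disabled". It assumes `localhost:636` as the target and an `openssl` binary on PATH; the constructed sample output in `_FAKE_OUTPUT` stands in for a server that only negotiates RSA key exchange, so the script also runs without a live server.

```python
"""Cipher-suite probe for an LDAPS listener (added example, not from the thread).

Repeats `openssl s_client -cipher <suite>` for every suite in a cipher spec and
reports, per key-exchange family, which suites the server accepted.
`run` is an injection point: `openssl_run` shells out to openssl, `fake_run`
answers from constructed sample output so the logic can be exercised offline.
HOST and PORT are assumptions (the thread tested localhost:636).
"""
import re
import subprocess
from typing import Callable, Dict, List, Optional, Tuple

HOST = "localhost"  # assumed target
PORT = 636

Runner = Callable[[List[str]], str]

# s_client prints "New, TLSv1/SSLv3, Cipher is AES256-SHA" on success and
# "New, (NONE), Cipher is (NONE)" after a handshake failure.
_CIPHER_RE = re.compile(r"Cipher\s+is\s+(\S+)")


def negotiated_cipher(s_client_output: str) -> Optional[str]:
    """Cipher named on s_client's 'Cipher is ...' line, or None on failure."""
    m = _CIPHER_RE.search(s_client_output)
    if m is None or m.group(1) == "(NONE)":
        return None
    return m.group(1)


def kx_family(suite: str) -> str:
    """Key-exchange/authentication family from an OpenSSL suite name."""
    if suite.startswith(("ADH-", "AECDH-")):
        return "anon"
    for prefix in ("ECDHE-ECDSA", "ECDHE-RSA", "DHE-DSS", "DHE-RSA"):
        if suite.startswith(prefix):
            return prefix
    return "RSA"  # plain RSA key exchange has no prefix, e.g. AES256-SHA


def list_suites(spec: str, run: Runner) -> List[str]:
    """Expand an OpenSSL cipher spec such as 'DHE' or 'ALL' into suite names."""
    return [s for s in run(["openssl", "ciphers", spec]).strip().split(":") if s]


def probe(host: str, port: int, suites: List[str], run: Runner) -> Dict[str, Optional[str]]:
    """Offer each suite alone; record what the server chose (None = rejected)."""
    results: Dict[str, Optional[str]] = {}
    for suite in suites:
        out = run(["openssl", "s_client", "-connect", f"{host}:{port}", "-cipher", suite])
        results[suite] = negotiated_cipher(out)
    return results


def summarize(results: Dict[str, Optional[str]]) -> Dict[str, Tuple[List[str], List[str]]]:
    """Per family: (accepted suites, rejected suites), suites sorted by name."""
    summary: Dict[str, Tuple[List[str], List[str]]] = {}
    for suite, chosen in sorted(results.items()):
        accepted, rejected = summary.setdefault(kx_family(suite), ([], []))
        (accepted if chosen else rejected).append(suite)
    return summary


def openssl_run(argv: List[str]) -> str:
    """Real runner. s_client reads stdin, so hand it EOF to make it exit."""
    p = subprocess.run(argv, input=b"", capture_output=True, timeout=20)
    return (p.stdout + p.stderr).decode("utf-8", errors="replace")


# Constructed sample outputs modelled on the thread's s_client transcripts;
# they stand in for a server that only ever negotiates RSA key exchange.
_FAKE_OUTPUT = {
    "AES256-SHA": "CONNECTED(00000003)\n---\nNew, TLSv1/SSLv3, Cipher is AES256-SHA\n",
    "DHE-RSA-AES256-SHA": "CONNECTED(00000003)\nsslv3 alert handshake failure\n---\nNew, (NONE), Cipher is (NONE)\n",
    "DHE-DSS-AES128-SHA": "CONNECTED(00000003)\nsslv3 alert handshake failure\n---\nNew, (NONE), Cipher is (NONE)\n",
}


def fake_run(argv: List[str]) -> str:
    """Offline runner answering `openssl ciphers` and `openssl s_client` from the sample."""
    if argv[1] == "ciphers":
        return ":".join(_FAKE_OUTPUT) + "\n"
    return _FAKE_OUTPUT[argv[argv.index("-cipher") + 1]]


if __name__ == "__main__":
    run = fake_run  # swap in openssl_run to probe a live server
    report = summarize(probe(HOST, PORT, list_suites("ALL", run), run))
    for family, (ok, bad) in report.items():
        print(f"{family:12s} accepted={ok} rejected={bad}")
```

The grouping makes one thing visible that a single failed handshake does not: the DHE-DSS-* suites authenticate the Diffie-Hellman exchange with a DSA certificate, so a server whose only active encryption module is cn=RSA holding an RSA certificate cannot negotiate them no matter what nsSSL3Ciphers allows. Separately, `+all` enables every suite the NSS build supports, weak ones included; an explicit allow list is the safer setting once the negotiation problem is understood.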

[389-users] Fwd: Some cipher suites not working

2013-07-19 Thread Darcy Hodgson
Hello,

I have been setting up SSL/TLS with 389 DS on CentOS 6.4. I have been able
to get it working and can connect with LDAPS. However when I started to
disable some of the ciphers I noticed that my server wasn't accepting any
of the DHE ciphers. I enabled all the ciphers with +all and used sslmap to
confirm that the server was only choosing RSA.

I checked the logs and the only thing they say is "Cannot communicate
securely with peer: no common encryption algorithm(s)."

Any help getting the DHE ciphers to work or pointing me to some
documentation would be appreciated.


Thanks,

Darcy
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users