using ldappasswd with zLinux and LDAP
We are trying to allow users to change their mainframe password through LDAP via the ldappasswd command:

    home/user1)# ldappasswd -A -S -H ldap://hostname:port# user1
    Old password:
    Re-enter old password:
    New password:
    Re-enter new password:
    SASL/EXTERNAL authentication started
    ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
            additional info: SASL(-4): no mechanism available:

We are using Top Secret on the mainframe; we have IBM LDAP on the mainframe with NATIVEAUTH active (so it is getting the password directly from Top Secret). However this command is failing to change the Top Secret stored password. Any suggestions where to look or make changes to resolve this?

James Chaplin
Systems Programmer, MVS, zVM zLinux
Base Technologies, Inc
Supporting the zSeries Platform Team

--
For LINUX-390 subscribe / signoff / archive access instructions, send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit http://www.marist.edu/htbin/wlvindex?LINUX-390
Re: using ldappasswd with zLinux and LDAP
Unless you've explicitly set up a SASL authentication method, you're probably using simple authentication. Indicate this to Linux via the -x command line option to most LDAP utils.

Test it via ldapsearch first. E.g.:

    ldapsearch -H ldap://hostname uid=some_known_uid

should fail with a similar error, whereas:

    ldapsearch -x -H ldap://hostname uid=some_known_uid

should work.

Another note. You should be able to put most of the necessary default host, search base and similar information into /etc/ldap.conf and /etc/openldap/ldap.conf (you can cheat and make them symlinks to each other) so that you don't have to enter -H options, and suchlike.

-- Pat
Re: using ldappasswd with zLinux and LDAP
One more thing before I forget: if you have a

    password sufficient pam_ldap.so ...

statement in the appropriate /etc/pam.d/... file, with the appropriate defaults in /etc/ldap.conf, then users should be able to use the standard Unix 'passwd' command.

Warnings:

pam_ldap didn't used to set the shadow_last_changed LDAP attribute, so expired passwords stayed expired no matter how many times they were changed. This was two years ago+ though, so test it; it might be fixed.

Ensure that if you're working from a master-slave LDAP replication environment, your slaves properly give referrals to your masters, and that your clients follow referrals.

Luck,

-- Pat
Re: using ldappasswd with zLinux and LDAP
What you are looking for can be done. It will require a connector between the LDAP server and Top Secret. I've set this up to run between eDirectory and RACF using a DirXML RACF connector that we bought from Novell. You would need to find a similar tool that would run between your LDAP server and Top Secret.

Jerry Ekegren
IT - Infrastructure Architecture
jerry.ekeg...@thrivent.com
Office: 612-844-3320
Mobile: 612-791-5223

In reply to: CHAPLIN, JAMES (CTR) james.chap...@associates.dhs.gov, sent by Linux on 390 Port LINUX-390@VM.MARIST.EDU, 03/26/2009 08:44 AM, subject "using ldappasswd with zLinux and LDAP".
Re: using ldappasswd with zLinux and LDAP
I like your thinking and tested your idea; however, I got a different error:

    ldappasswd -A -S -x -H ldap://hostname:port# user1
    Old password:
    Re-enter old password:
    New password:
    Re-enter new password:
    Result: Protocol error (2)
    Additional info: No backend for OID=1.3.6.1.4.1.4203.1.11.1

James Chaplin
Systems Programmer, MVS, zVM zLinux
Base Technologies, Inc
Supporting the zSeries Platform Team

-----Original Message-----
From: Linux on 390 Port [mailto:linux-...@vm.marist.edu] On Behalf Of Patrick Spinler
Sent: Thursday, March 26, 2009 11:27 AM
To: LINUX-390@VM.MARIST.EDU
Subject: Re: using ldappasswd with zLinux and LDAP
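An added check for the two errors in this thread (example script written for this page; it is not code from the thread, from OpenLDAP or from IBM). OpenLDAP's ldappasswd sends the Password Modify extended operation, OID 1.3.6.1.4.1.4203.1.11.1 (RFC 3062), so "No backend for OID=1.3.6.1.4.1.4203.1.11.1" means the server is not offering that operation. The same rootDSE query that reveals this also lists the SASL mechanisms, which tells you whether -x (simple bind) is needed instead of the SASL/EXTERNAL default that produced the first error. The URL ldap://hostname:389 is a placeholder, and the two rootDSE replies are constructed samples, not captures from any real server.

```shell
#!/bin/sh
# Added example, not code from the thread. Query the rootDSE and check whether
# the server advertises the Password Modify extended operation that ldappasswd
# depends on (OID 1.3.6.1.4.1.4203.1.11.1, RFC 3062). If that OID is absent
# from supportedExtension, ldappasswd cannot work against this server no
# matter which bind method you choose.

PWMOD_OID=1.3.6.1.4.1.4203.1.11.1

# Fetch the rootDSE with a simple (-x) anonymous bind. The URL is an assumed
# placeholder; the offline checks below never call this function.
probe_rootdse() {
  ldapsearch -x -LLL -H "${1:-ldap://hostname:389}" -s base -b '' \
    supportedSASLMechanisms supportedExtension
}

# Exit 0 if the LDIF on stdin lists $1 as a supported extended operation.
# -x matches the whole line, -F takes the OID literally (dots are not regex).
has_extension() {
  grep -qxF "supportedExtension: $1"
}

# Print the advertised SASL mechanisms, one per line.
list_sasl_mechs() {
  sed -n 's/^supportedSASLMechanisms: //p'
}

# Given rootDSE LDIF in $1, print "supported <oid>" or "missing <oid>".
check_password_modify() {
  if printf '%s\n' "$1" | has_extension "$PWMOD_OID"; then
    echo "supported $PWMOD_OID"
  else
    echo "missing $PWMOD_OID"
  fi
}

# Constructed sample rootDSE replies (not captured from any real server).
# The first resembles a server offering only EXTERNAL and StartTLS, which is
# consistent with both errors in the thread: no usable SASL mechanism without
# -x, and no Password Modify extop even with it. The second adds the extop,
# as a stock OpenLDAP slapd advertises it.
SAMPLE_NO_PWMOD='dn:
supportedSASLMechanisms: EXTERNAL
supportedExtension: 1.3.6.1.4.1.1466.20037'

SAMPLE_WITH_PWMOD='dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: EXTERNAL
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 1.3.6.1.4.1.4203.1.11.1'

echo "SASL mechanisms: $(printf '%s\n' "$SAMPLE_NO_PWMOD" | list_sasl_mechs | tr '\n' ' ')"
check_password_modify "$SAMPLE_NO_PWMOD"
check_password_modify "$SAMPLE_WITH_PWMOD"
# Against a live server instead:
#   check_password_modify "$(probe_rootdse ldap://hostname:389)"
```

If the live query reports "missing", ldappasswd is the wrong tool for that server and the password has to be changed by whatever mechanism the server's own documentation provides; if it reports "supported" but the bind still fails, add -x and re-test the bind with ldapsearch first, as suggested earlier in the thread.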
Re: using ldappasswd with zLinux and LDAP
My apologies. I misunderstood the implications of the involvement of the Top Secret product, since I know literally nothing about it. Pretty much disregard what I said, since my notes were all with regard to keeping the password in an LDAP server.

-- Pat