Dear all,
I have a problem with my password policies. I enabled "Enable fine-grained password policy" and applied it, but it is not working correctly. I followed the steps in the Administration Guide, page 364, "7.1.1.2. Configuring a Subtree/User Password Policy Using the Console", but it is not working; do I have to set anything more?
Can you help me?
Thanks a lot in advance!
Allan Hougham
rmeggins@redhat.com
2009-Nov-30 15:11 UTC
Re: [389-users] Password Policy not working fine
Allan Gaston Hougham wrote:
> I enabled "Enable fine-grained password policy" and applied it, but it is not working correctly.
What is your platform? What version of directory server? rpm -qi 389-ds-base (or fedora-ds-base)
--
389 users mailing list
389-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
Allan Gaston Hougham
2009-Dec-03 16:47 UTC
RE: [389-users] Password Policy not working fine
Hi, thanks for your response.
We have Fedora-ds 1.2.2 2009.237.2054
Platform:
Linux zblhp36 2.6.18-8.1.14.el5 #1 SMP Tue Sep 25 11:45:55 EDT 2007 x86_64 x86_64 x86_64 GNU/Linux
At this time we can apply policies, but "user must change password after reset" and changing the password after it expires are not working.
This is the error with this ldap.conf:
[root@yblhp35 openldap]# cat ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example, dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
#use_sasl on
URI ldap://zblhp36.ml.com/
BASE dc=ml,dc=com
suffix "ou=Infraestructura,ou=Sistemas,ou=Tronador,ou=Argentina"
suffix "ou=Arquitectura,ou=Sistemas,ou=Tronador,ou=Argentina"
#TLS_CACERTDIR /etc/openldap/cacerts
#TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt
TLS_REQCERT allow
bind_policy soft
ssl no
TLS_CACERTDIR /etc/openldap/cacerts
pam_password md5
ERROR:
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user testsi.
Enter login(LDAP) password:
LDAP Password incorrect: try again
Enter login(LDAP) password:
New UNIX password:
Retype new UNIX password:
LDAP password information update failed: Server is unwilling to perform user is not allowed to change password
passwd: Permission denied
And this is the error with this ldap.conf:
[ahougham@dblvm32 ~]$ cat /etc/ldap.conf
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example, dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
#use_sasl on
HOST 172.16.100.186 172.16.102.49
URI ldaps://172.16.100.186 ldaps://172.16.102.49
BASE dc=ml,dc=com
suffix "ou=Infraestructura,ou=Sistemas,ou=Tronador,ou=Argentina"
suffix "ou=Arquitectura,ou=Sistemas,ou=Tronador,ou=Argentina"
#TLS_CACERTDIR /etc/openldap/cacerts/
#TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt
TLS_REQCERT allow
bind_policy soft
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
uri ldap://zblhp36.ml.com/
base dc=ml,dc=com
# Search the root DSE for the password policy (works
# with Netscape Directory Server)
pam_lookup_policy yes
# Use the OpenLDAP password change
# extended operation to update the password.
pam_password exop
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user testsi.
Enter login(LDAP) password:
New UNIX password:
Retype new UNIX password:
LDAP password information update failed: Confidentiality required
Operation requires a secure connection.
Thanks in advance!
Allan
rmeggins@redhat.com
2009-Dec-03 16:58 UTC
Re: [389-users] Password Policy not working fine
Allan Gaston Hougham wrote:
> LDAP password information update failed: Confidentiality required
> Operation requires a secure connection.
> Thanks in advance!
Does it work if you use the ldappasswd command line tool?
rmeggins@redhat.com
Re: [389-users] Password Policy not working fine
Allan Gaston Hougham wrote:
> LDAP password information update failed: Confidentiality required
> Operation requires a secure connection.
Ah. By default, newer versions of the server require a secure connection for password changes, since the password is sent in clear text.
Allan Gaston Hougham
2009-Dec-03 17:12 UTC
RE: [389-users] Password Policy not working fine
I can't. We have two errors:
[root@dblvm32 ~]# passwd testsi
Changing password for user testsi.
Enter login(LDAP) password:
New UNIX password:
Retype new UNIX password:
LDAP password information update failed: Confidentiality required
Operation requires a secure connection.
passwd: Permission denied
[root@dblvm32 ~]# ldappasswd testsi
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL(-4): no mechanism available:
[root@dblvm32 ~]#
What happened? Thanks!
Allan
rmeggins@redhat.com
2009-Dec-03 18:43 UTC
Re: [389-users] Password Policy not working fine
Allan Gaston Hougham wrote:
> [root@dblvm32 ~]# passwd testsi
> Changing password for user testsi.
> Enter login(LDAP) password:
> New UNIX password:
> Retype new UNIX password:
> LDAP password information update failed: Confidentiality required
> Operation requires a secure connection.
> passwd: Permission denied
Need to configure the directory server and nss_ldap/pam_ldap (/etc/ldap.conf) to use TLS
> [root@dblvm32 ~]# ldappasswd testsi
> SASL/EXTERNAL authentication started
> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
> additional info: SASL(-4): no mechanism available:
> [root@dblvm32 ~]#
ldappasswd -x to disable SASL auth
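The fix in the reply above (TLS between pam_ldap/nss_ldap and the directory, and ldappasswd -x for a simple bind), as an added example that is not part of the thread and not code from 389 DS, pam_ldap or nss_ldap: a shell script that audits an /etc/ldap.conf for the settings behind the two posted errors and emits a corrected file. The host name zblhp36.ml.com, the base dc=ml,dc=com and the CA directory /etc/openldap/cacerts come from the posted configs, and the posted.conf it builds is reconstructed from the second config in the thread. That nss_ldap treats keys case-insensitively and takes the last value of a repeated key, that an unset tls_checkpeer defers to TLS_REQCERT, and that the directory has StartTLS enabled on port 389 are assumptions, marked as such in the comments.

```sh
#!/bin/sh
# Added example, not code from the thread, 389 DS, pam_ldap or nss_ldap:
# audit a pam_ldap/nss_ldap /etc/ldap.conf for the settings behind the
# posted failures and print a corrected file.

# "key value" per line, comments and blank lines dropped, key lowercased.
# Assumption: nss_ldap compares keys case-insensitively, so the posted
# "URI ..." and "uri ..." lines are the same setting.
ldap_conf_pairs() {
    awk '/^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
         { k = tolower($1); $1 = ""; sub(/^[[:space:]]+/, ""); print k " " $0 }' "$1"
}

# Last value given for KEY (assumption: a later line overrides an earlier one).
ldap_conf_get() {
    ldap_conf_pairs "$1" |
        awk -v k="$2" '$1 == k { $1 = ""; sub(/^ /, ""); v = $0 } END { print v }'
}

# Every URI from every uri line, one per line.
ldap_conf_uris() {
    ldap_conf_pairs "$1" | awk '$1 == "uri" { for (i = 2; i <= NF; i++) print $i }'
}

# audit_ldap_conf FILE: one finding per line; returns 0 only if clean.
audit_ldap_conf() {
    local conf="$1" bad=0 tls=no ssl pw peer reqcert
    ssl=$(ldap_conf_get "$conf" ssl)
    pw=$(ldap_conf_get "$conf" pam_password)
    peer=$(ldap_conf_get "$conf" tls_checkpeer)
    reqcert=$(ldap_conf_get "$conf" tls_reqcert)
    case "$ssl" in on|yes|start_tls) tls=yes ;; esac

    # ldap:// (or host ...) with ssl off: simple binds cross the wire in clear.
    if [ "$tls" = no ] && { ldap_conf_uris "$conf" | grep -q '^ldap://' ||
                            [ -n "$(ldap_conf_get "$conf" host)" ]; }; then
        echo "FAIL: plain LDAP endpoint with ssl=${ssl:-unset}: bind passwords are sent unencrypted"
        bad=1
    fi
    # The posted file lists ldaps:// and ldap:// servers at once; the plain
    # one is still a clear-text path.
    if ldap_conf_uris "$conf" | grep -q '^ldap://' &&
       ldap_conf_uris "$conf" | grep -q '^ldaps://'; then
        echo "WARN: both ldap:// and ldaps:// URIs listed; drop the plain one"
        bad=1
    fi
    # exop/clear carry the new password itself; on an insecure connection the
    # server answers "Confidentiality required" (the second posted error).
    case "$pw" in
        exop|exop_send_old|clear)
            if [ "$tls" = no ]; then
                echo "FAIL: pam_password $pw without TLS: server refuses with 'Confidentiality required'"
                bad=1
            fi ;;
        md5|crypt)
            echo "WARN: pam_password $pw writes a pre-hashed userPassword by modify; the server cannot apply its syntax checks. Use exop over TLS."
            bad=1 ;;
    esac
    # TLS without certificate verification stops passive sniffing only; a host
    # that redirects the client to its own LDAP server still gets the password.
    # Assumption: tls_checkpeer unset defers to TLS_REQCERT.
    if [ "$peer" = no ] || { [ -z "$peer" ] && { [ "$reqcert" = allow ] || [ "$reqcert" = never ]; }; }; then
        echo "WARN: server certificate not verified (tls_checkpeer=${peer:-unset}, TLS_REQCERT=${reqcert:-unset}); use tls_checkpeer yes and TLS_REQCERT demand"
        bad=1
    fi
    return $bad
}

# Corrected /etc/ldap.conf for the poster's server. Assumptions: the CA that
# signed zblhp36's certificate is under /etc/openldap/cacerts, and the
# directory has StartTLS enabled on port 389.
fixed_ldap_conf() {
    cat <<'EOF'
uri ldap://zblhp36.ml.com/
base dc=ml,dc=com
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
tls_checkpeer yes
TLS_REQCERT demand
bind_policy soft
pam_lookup_policy yes
pam_password exop
EOF
}

# Demo: the poster's second ldap.conf, reconstructed from the thread, next to the fix.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/posted.conf" <<'EOF'
HOST 172.16.100.186 172.16.102.49
URI ldaps://172.16.100.186 ldaps://172.16.102.49
BASE dc=ml,dc=com
TLS_REQCERT allow
bind_policy soft
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
uri ldap://zblhp36.ml.com/
base dc=ml,dc=com
pam_lookup_policy yes
pam_password exop
EOF
fixed_ldap_conf > "$tmp/fixed.conf"
for f in posted fixed; do
    echo "== $f.conf"
    audit_ldap_conf "$tmp/$f.conf" && echo "OK: password change runs over verified TLS"
done
```

For posted.conf the audit reports the plain ldap:// endpoint with ssl no, the "Confidentiality required" refusal for pam_password exop without TLS, and the unverified server certificate; fixed.conf passes. Two points the thread does not spell out: the second posted file lists ldaps:// servers and then a plain uri ldap://zblhp36.ml.com/ line, so the clear-text path is still configured, and TLS_REQCERT allow means the session is encrypted but any certificate is accepted, so whoever can redirect the client to their own LDAP server collects the password; demand with the CA in tls_cacertdir closes that. To test the server without PAM in the way, the command-line form of the reply above is ldappasswd -x -ZZ -H ldap://zblhp36.ml.com -D "<DN of testsi>" -W -S (the DN is whatever the user's entry is): -x forces a simple bind instead of the SASL/EXTERNAL attempt in the posted error, -ZZ aborts unless StartTLS succeeds, -W prompts for the current password and -S for the new one.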
Allan Gaston Hougham
2009-Dec-04 17:40 UTC
RE: [389-users] Password Policy not working fine
Any suggestions? Thanks!
Allan Gaston Hougham wrote:
> Any suggestions??

Did you not read my reply? See below

> Thanks!
>
> > Date: Thu, 3 Dec 2009 11:43:34 -0700
> > From: rmeggins@redhat.com
> > To: fedora-directory-users@redhat.com
> > Subject: Re: [389-users] Password Policy not working fine
> >
> > Allan Gaston Hougham wrote:
> > > I can't... We have two errors:
> > >
> > > [root@dblvm32 ~]# passwd testsi
> > > Changing password for user testsi.
> > > Enter login(LDAP) password:
> > > New UNIX password:
> > > Retype new UNIX password:
> > > LDAP password information update failed: Confidentiality required
> > > Operation requires a secure connection.
> > > passwd: Permission denied
[begin rmeggins reply]
> > Need to configure the directory server and nss_ldap/pam_ldap
> > (/etc/ldap.conf) to use TLS
[end rmeggins reply]
> > >
> > > [root@dblvm32 ~]# ldappasswd testsi
> > > SASL/EXTERNAL authentication started
> > > ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
> > > additional info: SASL(-4): no mechanism available:
> > > [root@dblvm32 ~]#
[begin rmeggins reply]
> > ldappasswd -x to disable SASL auth
[end rmeggins reply]
> > >
> > > What happened?? Thanks!!
> > >
> > > > Date: Thu, 3 Dec 2009 09:58:04 -0700
> > > > From: rmeggins@redhat.com
> > > > To: fedora-directory-users@redhat.com
> > > > Subject: Re: [389-users] Password Policy not working fine
> > > >
> > > > Does it work if you use the ldappasswd command line tool?
Allan Gaston Hougham
2009-Dec-04 19:09 UTC
RE: [389-users] Password Policy not working fine
Hi Rich,

Sorry, I saw your answer only now.
With our settings in ldap.conf the error is:

> > > > Changing password for user testsi.
> > > > Enter login(LDAP) password:
> > > > New UNIX password:
> > > > Retype new UNIX password:
> > > > LDAP password information update failed: Confidentiality required
> > > > Operation requires a secure connection.
> > > > passwd: Permission denied

What is the shortcut to resolve this problem?

1 - Do we need to run this command: ldappasswd -x to disable SASL auth

2 - Do we need to make these settings?

Need to configure the directory server and nss_ldap/pam_ldap
(/etc/ldap.conf) to use TLS

It is not important to have a secure connection for authentication.
We need our policies working fine.

I think that we aren't using ldappasswd...

Thanks in advance!!

Allan

> Date: Fri, 4 Dec 2009 11:03:53 -0700
> From: rmeggins@redhat.com
> To: fedora-directory-users@redhat.com
> Subject: Re: [389-users] Password Policy not working fine
Allan Gaston Hougham wrote:
> Hi Rich,
>
> Sorry, I saw your answer only now.
> With our settings in ldap.conf the error is:
>
> > > > > Changing password for user testsi.
> > > > > Enter login(LDAP) password:
> > > > > New UNIX password:
> > > > > Retype new UNIX password:
> > > > > LDAP password information update failed: Confidentiality required
> > > > > Operation requires a secure connection.
> > > > > passwd: Permission denied
>
> What is the shortcut to resolve this problem?
>
> 1 - Do we need to run this command: ldappasswd -x to disable SASL auth
>
> 2 - Do we need to make these settings?
>
> Need to configure the directory server and nss_ldap/pam_ldap
> (/etc/ldap.conf) to use TLS
>
> It is not important to have a secure connection for authentication.
> We need our policies working fine.
>
> I think that we aren't using ldappasswd...

ldappasswd uses the password extended operation, just like pam_password
exop. In order to use this extended operation, you must use a secure
connection, which means TLS/SSL or SASL with a negotiated security layer.

So you either need to configure your LDAP server and client to use TLS,
or use something like ldapmodify to change the userPassword attribute
directly (i.e. don't use the passwd command).

> Thanks in advance!!
>
> Allan
>
> > Date: Fri, 4 Dec 2009 11:03:53 -0700
> > From: rmeggins@redhat.com
> > To: fedora-directory-users@redhat.com
> > Subject: Re: [389-users] Password Policy not working fine
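Rich's two replies above (configure nss_ldap/pam_ldap and the server for TLS, or skip the password extended operation and modify userPassword directly) can be checked mechanically. The script below is an added example and is not code from this thread, from pam_ldap or from 389 DS: a small POSIX shell linter that reads a pam_ldap-style /etc/ldap.conf, lists every server path the client could end up on, and reports when `pam_password exop` would be sent over cleartext, which is the "Confidentiality required" (LDAP result 13) failure Allan hit. It also emits the LDIF for the ldapmodify workaround. The two embedded configs are constructed samples: one modelled on the second ldap.conf Allan posted, one a corrected StartTLS variant. The function names (`ldapconf_*`, `userpassword_ldif`, `sample_conf_*`) are this example's own, and the parser rules it assumes (case-insensitive keywords, later lines override scalars, every `uri`/`host` line adds a candidate server, `ssl on`/`ssl start_tls` protect all of them) are stated assumptions, not a description of pam_ldap's source.

```shell
#!/bin/sh
# Added example (not from the thread, not pam_ldap or 389 DS code): lint a
# pam_ldap/nss_ldap style /etc/ldap.conf for the failure seen above, where
# "pam_password exop" sends the password-modify extended operation over a
# cleartext connection and 389/Fedora DS answers "Confidentiality required".
# Assumed parser rules: keywords match case-insensitively, later lines win
# for scalar keywords, every uri/host line adds a candidate server, and
# "ssl on" / "ssl start_tls" protect all of them ("ssl no" protects none
# unless the URI scheme itself is ldaps://).

# All values of KEYWORD in FILE, one per line; comments and blanks skipped.
ldapconf_values() {            # ldapconf_values FILE KEYWORD
  awk -v key="$2" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    tolower($1) == tolower(key) { sub(/^[ \t]*[^ \t]+[ \t]*/, ""); print }
  ' "$1"
}

# Last value of a scalar keyword (empty string when unset).
ldapconf_last() {              # ldapconf_last FILE KEYWORD
  ldapconf_values "$1" "$2" | tail -n 1
}

# Every server the client may fall back to, tagged "tls" or "cleartext".
ldapconf_servers() {           # ldapconf_servers FILE
  ssl=$(ldapconf_last "$1" ssl)
  case "$ssl" in on|yes|start_tls) prot=tls ;; *) prot=cleartext ;; esac
  for u in $(ldapconf_values "$1" uri); do
    case "$u" in ldaps://*) echo "tls $u" ;; *) echo "$prot $u" ;; esac
  done
  for h in $(ldapconf_values "$1" host); do
    echo "$prot ldap://$h"     # a bare host entry means ldap://host:389
  done
}

# Verdict for the passwd-via-pam_ldap path. Returns 0 when the extended
# operation can succeed (or is not used), 1 when the server will refuse it.
ldapconf_exop_check() {        # ldapconf_exop_check FILE
  method=$(ldapconf_last "$1" pam_password)
  if [ "$method" != exop ]; then
    echo "pam_password=${method:-unset}: plain modify of userPassword, server demands no TLS"
    return 0
  fi
  if ldapconf_servers "$1" | grep -q '^cleartext '; then
    echo "pam_password exop can go over cleartext; expect 'Confidentiality required':"
    ldapconf_servers "$1" | grep '^cleartext ' | sed 's/^/  /'
    return 1
  fi
  echo "ok: every server path is TLS, the password extended operation can succeed"
  return 0
}

# LDIF for the workaround in Rich's reply: a plain modify of userPassword,
# e.g. userpassword_ldif "$DN" "$NEW" | ldapmodify -x -H ldap://HOST -D "$DN" -W
# Without TLS the bind password and the new password cross the wire in clear.
userpassword_ldif() {          # userpassword_ldif DN NEWPASSWORD
  printf 'dn: %s\nchangetype: modify\nreplace: userPassword\nuserPassword: %s\n' "$1" "$2"
}

# Constructed sample modelled on the second ldap.conf in the thread: ldaps
# servers, but "ssl no", bare HOST entries and a later cleartext uri line.
sample_conf_cleartext_exop() {
  cat <<'EOF'
HOST 172.16.100.186 172.16.102.49
URI ldaps://172.16.100.186 ldaps://172.16.102.49
BASE dc=ml,dc=com
TLS_REQCERT allow
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
uri ldap://zblhp36.ml.com/
pam_lookup_policy yes
pam_password exop
EOF
}

# Constructed corrected sample: one server, StartTLS forced and the server
# certificate verified (TLS_REQCERT allow would accept any certificate).
sample_conf_tls_exop() {
  cat <<'EOF'
uri ldap://zblhp36.ml.com/
base dc=ml,dc=com
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
tls_checkpeer yes
pam_lookup_policy yes
pam_password exop
EOF
}

# Demo: sh ldapconf_check.sh demo   (or source the file and call the functions)
if [ "${1:-}" = demo ]; then
  for f in sample_conf_cleartext_exop sample_conf_tls_exop; do
    $f > "/tmp/$f.conf"; echo "== $f"; ldapconf_exop_check "/tmp/$f.conf"
  done
fi
```

Run with `demo` to see the cleartext sample flagged (three cleartext paths: the `uri ldap://` line and both bare HOST entries) and the StartTLS sample pass. Once the client is on TLS and the server has it enabled, the same change from the command line is the `-x` Rich mentions plus `-ZZ` so ldappasswd aborts if StartTLS fails: `ldappasswd -x -ZZ -H ldap://zblhp36.ml.com/ -D "$USERDN" -W -S` (with `$USERDN` being the user's full DN, which is not shown in the thread). Two caveats worth keeping in mind: `TLS_REQCERT allow`, as in the posted config, makes the client accept any certificate the server presents, so it only protects against passive sniffing; use a CA in `tls_cacertdir` with `tls_checkpeer yes` / `TLS_REQCERT demand` instead. And the ldapmodify route works without TLS only because the server does not demand confidentiality for a plain modify; the password still travels unencrypted, which is exactly what the extended operation's check exists to prevent.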
Allan Gaston Hougham
2009-Dec-07 15:22 UTC
RE: [389-users] Password Policy not working fine
Hi Rich,

Thanks for your support, I will try it.
Do you have any white paper or guide for implementing LDAP server and client to use TLS?
I read the Administration Guide but if you have any tutorial, better!

Thanks!

Allan

> Date: Fri, 4 Dec 2009 13:25:34 -0700
> From: rmeggins@redhat.com
> To: fedora-directory-users@redhat.com
> Subject: Re: [389-users] Password Policy not working fine
>
> Allan Gaston Hougham wrote:
> > Hi Rich,
> >
> > Sorry, I saw your answer now..
> > With our settings on ldap.conf the error is:
> >
> > > > > > > Changing password for user testsi.
> > > > > > > Enter login(LDAP) password:
> > > > > > > New UNIX password:
> > > > > > > Retype new UNIX password:
> > > > > > > LDAP password information update failed: Confidentiality required
> > > > > > > Operation requires a secure connection.
> > > > > > > passwd: Permission denied
> >
> > What is the shortcut to resolve this problem?
> >
> > 1 - We need to run this command: ldappasswd -x to disable SASL auth
> >
> > 2 - We need to make these settings?
> >
> > Need to configure the directory server and nss_ldap/pam_ldap
> > (/etc/ldap.conf) to use TLS
> >
> > It is not important to have a secure connection in authentication.
> > We need our policies working fine.
> >
> > I think that we aren't using ldappasswd...
> ldappasswd uses the password extended operation, just like pam_password
> exop. In order to use this extended operation, you must use a secure
> connection, which means TLS/SSL or SASL with a negotiated security layer.
>
> So you either need to configure your LDAP server and client to use TLS,
> or use something like ldapmodify to change the userPassword attribute
> directly (i.e. don't use the passwd command).
>
> > Thanks in advance!!
> > Allan
> >
> > > Date: Fri, 4 Dec 2009 11:03:53 -0700
> > > From: rmeggins@redhat.com
> > > To: fedora-directory-users@redhat.com
> > > Subject: Re: [389-users] Password Policy not working fine
> > >
> > > Allan Gaston Hougham wrote:
> > > > Any suggestions??
> > >
> > > Did you not read my reply? See below
> > >
> > > > Thanks!
> > > >
> > > > > Date: Thu, 3 Dec 2009 11:43:34 -0700
> > > > > From: rmeggins@redhat.com
> > > > > To: fedora-directory-users@redhat.com
> > > > > Subject: Re: [389-users] Password Policy not working fine
> > > > >
> > > > > Allan Gaston Hougham wrote:
> > > > > > I can't .. We have two errors:
> > > > > >
> > > > > > [root@dblvm32 ~]# passwd testsi
> > > > > > Changing password for user testsi.
> > > > > > Enter login(LDAP) password:
> > > > > > New UNIX password:
> > > > > > Retype new UNIX password:
> > > > > > LDAP password information update failed: Confidentiality required
> > > > > > Operation requires a secure connection.
> > > > > > passwd: Permission denied
> > > [begin rmeggins reply]
> > > > > Need to configure the directory server and nss_ldap/pam_ldap
> > > > > (/etc/ldap.conf) to use TLS
> > > [end rmeggins reply]
> > > > > >
> > > > > > [root@dblvm32 ~]# ldappasswd testsi
> > > > > > SASL/EXTERNAL authentication started
> > > > > > ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
> > > > > > additional info: SASL(-4): no mechanism available:
> > > > > > [root@dblvm32 ~]#
> > > [begin rmeggins reply]
> > > > > ldappasswd -x to disable SASL auth
> > > [end rmeggins reply]
> > > > > >
> > > > > > What happened?? Thanks!!
You should choose pam_password clear in /etc/ldap.conf, then it will work for password change with passwd.

However my problem is that the password expiration policy never works for my client, even though passwordexpwarned is set to 1 on the server. Does anybody have password expiration working?

--
Shouben Zhou
Science Systems and Applications Inc. (SSAI)
1 Enterprise Pkwy, Hampton, VA 23666
Tel: (757)951-1905
Fax: (757)951-1900
Email: Shouben.Zhou@nasa.gov

Allan Gaston Hougham wrote:
> Hi Rich,
>
> thanks for your support, I will try it
> Do you have any white paper or guide for implementing LDAP server and
> client to use TLS?
> I read the Administration Guide but if you have any tutorial, better!
>
> Thanks!
>
> Allan
>
> > Date: Fri, 4 Dec 2009 13:25:34 -0700
> > From: rmeggins@redhat.com
> > To: fedora-directory-users@redhat.com
> > Subject: Re: [389-users] Password Policy not working fine
> >
> > Allan Gaston Hougham wrote:
> > > Hi Rich,
> > >
> > > Sorry, I saw your answer now..
> > > With our settings on ldap.conf the error is:
> > >
> > > > > > > > Changing password for user testsi.
> > > > > > > > Enter login(LDAP) password:
> > > > > > > > New UNIX password:
> > > > > > > > Retype new UNIX password:
> > > > > > > > LDAP password information update failed: Confidentiality required
> > > > > > > > Operation requires a secure connection.
> > > > > > > > passwd: Permission denied
> > >
> > > What is the shortcut to resolve this problem?
> > >
> > > 1 - We need to run this command: ldappasswd -x to disable SASL auth
> > >
> > > 2 - We need to make these settings?
> > >
> > > Need to configure the directory server and nss_ldap/pam_ldap
> > > (/etc/ldap.conf) to use TLS
> > >
> > > It is not important to have a secure connection in authentication.
> > > We need our policies working fine.
> > >
> > > I think that we aren't using ldappasswd...
> > ldappasswd uses the password extended operation, just like pam_password
> > exop.
> > In order to use this extended operation, you must use a secure
> > connection, which means TLS/SSL or SASL with a negotiated security layer.
> >
> > So you either need to configure your LDAP server and client to use TLS,
> > or use something like ldapmodify to change the userPassword attribute
> > directly (i.e. don't use the passwd command).
> >
> > > Thanks in advance!!
Allan Gaston Hougham wrote:
> Hi Rich,
>
> thanks for your support, I will try it
> Do you have any white paper or guide for implementing LDAP server and
> client to use TLS?
directory server - http://directory.fedoraproject.org/wiki/Howto:SSL
> I read the Administration Guide but if you have any tutorial, better!
>
> Thanks!
>
> Allan
>
> > Date: Fri, 4 Dec 2009 13:25:34 -0700
> > From: rmeggins@redhat.com
> > To: fedora-directory-users@redhat.com
> > Subject: Re: [389-users] Password Policy not working fine
> >
> > Allan Gaston Hougham wrote:
> > > Hi Rich,
> > >
> > > Sorry, I saw your answer now..
> > > With our settings on ldap.conf the error is:
> > >
> > > > > > > > Changing password for user testsi.
> > > > > > > > Enter login(LDAP) password:
> > > > > > > > New UNIX password:
> > > > > > > > Retype new UNIX password:
> > > > > > > > LDAP password information update failed: Confidentiality required
> > > > > > > > Operation requires a secure connection.
> > > > > > > > passwd: Permission denied
> > >
> > > What is the shortcut to resolve this problem?
> > >
> > > 1 - We need to run this command: ldappasswd -x to disable SASL auth
> > >
> > > 2 - We need to make these settings?
> > >
> > > Need to configure the directory server and nss_ldap/pam_ldap
> > > (/etc/ldap.conf) to use TLS
> > >
> > > It is not important to have a secure connection in authentication.
> > > We need our policies working fine.
> > >
> > > I think that we aren't using ldappasswd...
> > ldappasswd uses the password extended operation, just like pam_password
> > exop. In order to use this extended operation, you must use a secure
> > connection, which means TLS/SSL or SASL with a negotiated security layer.
> >
> > So you either need to configure your LDAP server and client to use TLS,
> > or use something like ldapmodify to change the userPassword attribute
> > directly (i.e. don't use the passwd command).
> >
> > > Thanks in advance!!
> > > > > > > > > Allan > > > > > > > > > > > > > > > > > > > Date: Fri, 4 Dec 2009 11:03:53 -0700 > > > > From: rmeggins@redhat.com > > > > To: fedora-directory-users@redhat.com > > > > Subject: Re: [389-users] Password Policy not working fine > > > > > > > > Allan Gaston Hougham wrote: > > > > > Any sugesst?? > > > > > > > > Did you not read my reply? See below > > > > > > > > > > Thanks! > > > > > > > > > > > Date: Thu, 3 Dec 2009 11:43:34 -0700 > > > > > > From: rmeggins@redhat.com > > > > > > To: fedora-directory-users@redhat.com > > > > > > Subject: Re: [389-users] Password Policy not working fine > > > > > > > > > > > > Allan Gaston Hougham wrote: > > > > > > > I can´t .. We have two errors: > > > > > > > > > > > > > > [root@dblvm32 ~]# passwd testsi > > > > > > > Changing password for user testsi. > > > > > > > Enter login(LDAP) password: > > > > > > > New UNIX password: > > > > > > > Retype new UNIX password: > > > > > > > LDAP password information update failed: Confidentiality > required > > > > > > > Operation requires a secure connection. > > > > > > > passwd: Permission denied > > > > [begin rmeggins reply] > > > > > > Need to configure the directory server and nss_ldap/pam_ldap > > > > > > (/etc/ldap.conf) to use TLS > > > > [end rmeggins repl > > > > > > > > > > > > > > [root@dblvm32 ~]# ldappasswd testsi > > > > > > > SASL/EXTERNAL authentication started > > > > > > > ldap_sasl_interactive_bind_s: Unknown authentication > method (-6) > > > > > > > additional info: SASL(-4): no mechanism available: > > > > > > > [root@dblvm32 ~]# > > > > [begin rmeggins reply] > > > > > > ldappasswd -x to disable SASL auth > > > > [end rmeggins reply] > > > > > > > > > > > > > > > > > > > > > What happend?? Thanks!! 
> > > > > > > > > > > > > > > > > > > > > Allan > > > > > > > > > > > > > > > > > > > > > > Date: Thu, 3 Dec 2009 09:58:04 -0700 > > > > > > > > From: rmeggins@redhat.com > > > > > > > > To: fedora-directory-users@redhat.com > > > > > > > > Subject: Re: [389-users] Password Policy not working fine > > > > > > > > > > > > > > > > Allan Gaston Hougham wrote: > > > > > > > > > Hi, thanks for you response, > > > > > > > > > > > > > > > > > > We have Fedora-ds 1.2.2 2009.237.2054 > > > > > > > > > > > > > > > > > > Platform: > > > > > > > > > > > > > > > > > > Linux zblhp36 2.6.18-8.1.14.el5 #1 SMP Tue Sep 25 > 11:45:55 > > > EDT > > > > > 2007 > > > > > > > > > x86_64 x86_64 x86_64 GNU/Linux > > > > > > > > > > > > > > > > > > In this time we can apply any policies, but is not working > > > > > "user must > > > > > > > > > change password after reset" and change password later > > > that it > > > > > exipire > > > > > > > > > > > > > > > > > > This is the error with this ldap.conf: > > > > > > > > > > > > > > > > > > [root@yblhp35 openldap]# cat ldap.conf > > > > > > > > > # > > > > > > > > > # LDAP Defaults > > > > > > > > > # > > > > > > > > > # See ldap.conf(5) for details > > > > > > > > > # This file should be world readable but not world > writable. 
> > > > > > > > > #BASE dc=example, dc=com
> > > > > > > > > #URI ldap://ldap.example.com ldap://ldap-master.example.com:666
> > > > > > > > > #SIZELIMIT 12
> > > > > > > > > #TIMELIMIT 15
> > > > > > > > > #DEREF never
> > > > > > > > > #use_sasl on
> > > > > > > > > URI ldap://zblhp36.ml.com/
> > > > > > > > > BASE dc=ml,dc=com
> > > > > > > > > suffix "ou=Infraestructura,ou=Sistemas,ou=Tronador,ou=Argentina"
> > > > > > > > > suffix "ou=Arquitectura,ou=Sistemas,ou=Tronador,ou=Argentina"
> > > > > > > > > #TLS_CACERTDIR /etc/openldap/cacerts
> > > > > > > > > #TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt
> > > > > > > > > TLS_REQCERT allow
> > > > > > > > > bind_policy soft
> > > > > > > > > ssl no
> > > > > > > > > TLS_CACERTDIR /etc/openldap/cacerts
> > > > > > > > > pam_password md5
> > > > > > > > >
> > > > > > > > > ERROR:
> > > > > > > > >
> > > > > > > > > WARNING: Your password has expired.
> > > > > > > > > You must change your password now and login again!
> > > > > > > > > Changing password for user testsi.
> > > > > > > > > Enter login(LDAP) password:
> > > > > > > > > LDAP Password incorrect: try again
> > > > > > > > > Enter login(LDAP) password:
> > > > > > > > > New UNIX password:
> > > > > > > > > Retype new UNIX password:
> > > > > > > > > LDAP password information update failed: Server is unwilling to perform
> > > > > > > > > user is not allowed to change password
> > > > > > > > > passwd: Permission denied
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > And this is the error with this ldap.conf:
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > [ahougham@dblvm32 ~]$ cat /etc/ldap.conf
> > > > > > > > > #
> > > > > > > > > # See ldap.conf(5) for details
> > > > > > > > > # This file should be world readable but not world writable.
> > > > > > > > > #BASE dc=example, dc=com
> > > > > > > > > #URI ldap://ldap.example.com ldap://ldap-master.example.com:666
> > > > > > > > > #SIZELIMIT 12
> > > > > > > > > #TIMELIMIT 15
> > > > > > > > > #DEREF never
> > > > > > > > > #use_sasl on
> > > > > > > > > HOST 172.16.100.186 172.16.102.49
> > > > > > > > > URI ldaps://172.16.100.186 ldaps://172.16.102.49
> > > > > > > > > BASE dc=ml,dc=com
> > > > > > > > > suffix "ou=Infraestructura,ou=Sistemas,ou=Tronador,ou=Argentina"
> > > > > > > > > suffix "ou=Arquitectura,ou=Sistemas,ou=Tronador,ou=Argentina"
> > > > > > > > > #TLS_CACERTDIR /etc/openldap/cacerts/
> > > > > > > > > #TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt
> > > > > > > > > TLS_REQCERT allow
> > > > > > > > > bind_policy soft
> > > > > > > > > ssl no
> > > > > > > > > tls_cacertdir /etc/openldap/cacerts
> > > > > > > > > pam_password md5
> > > > > > > > > uri ldap://zblhp36.ml.com/
> > > > > > > > > base dc=ml,dc=com
> > > > > > > > > # Search the root DSE for the password policy (works
> > > > > > > > > # with Netscape Directory Server)
> > > > > > > > > pam_lookup_policy yes
> > > > > > > > > # Use the OpenLDAP password change
> > > > > > > > > # extended operation to update the password.
> > > > > > > > > pam_password exop
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > WARNING: Your password has expired.
> > > > > > > > > You must change your password now and login again!
> > > > > > > > > Changing password for user testsi.
> > > > > > > > > Enter login(LDAP) password:
> > > > > > > > > New UNIX password:
> > > > > > > > > Retype new UNIX password:
> > > > > > > > > LDAP password information update failed: Confidentiality required
> > > > > > > > > Operation requires a secure connection.
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > Thanks in advance!!!
> > > > > > > > Does it work if you use the ldappasswd command line tool?
> > > > > > > > > Allan
> > > > > > > > >
> > > > > > > > > > Date: Mon, 30 Nov 2009 08:11:51 -0700
> > > > > > > > > > From: rmeggins@redhat.com
> > > > > > > > > > To: fedora-directory-users@redhat.com
> > > > > > > > > > Subject: Re: [389-users] Password Policy not working fine
> > > > > > > > > >
> > > > > > > > > > Allan Gaston Hougham wrote:
> > > > > > > > > > > Dears,
> > > > > > > > > > >
> > > > > > > > > > > I have a problem with my password policies. I enabled "Enable fine-grained password policy" and applied it, but it is not working fine.
> > > > > > > > > > > I followed the steps of the Administration Guide, page 364 -
> > > > > > > > > > >
> > > > > > > > > > > *7.1.1.2. Configuring a Subtree/User Password Policy Using the Console*
> > > > > > > > > > >
> > > > > > > > > > > But it's not working, do I have to set anything more?
> > > > > > > > > > > Can you help me?
> > > > > > > > > >
> > > > > > > > > > What is your platform? What version of directory server? rpm -qi 389-ds-base (or fedora-ds-base)
> > > > > > > > > > >
> > > > > > > > > > > Thanks a lot in advance!
> > > > > > > > > > >
> > > > > > > > > > > Allan Hougham
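The two ldap.conf files quoted in the thread carry the client-side settings that Rich's reply points at: ssl no and TLS_REQCERT allow, ldaps:// and ldap:// URIs in the same file, and pam_password set once to md5 and once to exop. The checker below is an added example, not code from the thread or from 389 DS; it parses an nss_ldap/pam_ldap style ldap.conf and reports those inconsistencies. Both sample configs are constructed: one from the active keys of the second posted file, one a hardened counterpart.

```python
# Constructed sample built from the active keys of the second ldap.conf
# posted in the thread (added example, not the poster's file verbatim).
POSTED_LDAP_CONF = """\
URI ldaps://172.16.100.186 ldaps://172.16.102.49
TLS_REQCERT allow
ssl no
pam_password md5
uri ldap://zblhp36.ml.com/
pam_password exop
"""
# Constructed hardened counterpart: one URI, StartTLS, a verified server
# certificate and the RFC 3062 password-modify extended operation.
HARDENED_LDAP_CONF = """\
uri ldap://ldap.example.com/
base dc=example,dc=com
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
TLS_REQCERT demand
pam_password exop
"""


def parse_ldap_conf(text):
    """(key, value) pairs in file order, keys lower-cased (nss_ldap ignores case)."""
    pairs = []
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            pairs.append((parts[0].lower(), parts[1] if len(parts) > 1 else ""))
    return pairs


def lint_ldap_conf(text):
    """Return the findings for one config; an empty list means nothing flagged."""
    pairs, findings, effective = parse_ldap_conf(text), [], {}
    for key, value in pairs:
        if key in effective and effective[key] != value:
            findings.append(f"duplicate key {key}: {effective[key]!r} vs {value!r}")
        effective[key] = value  # this checker lets the last occurrence win
    uris = " ".join(v for k, v in pairs if k == "uri").split()
    ssl = effective.get("ssl", "").lower()
    if ssl in ("no", "off") and any(u.startswith("ldaps://") for u in uris):
        findings.append("ssl no contradicts the ldaps:// URI")
    if ssl != "start_tls" and any(u.startswith("ldap://") for u in uris):
        findings.append("ldap:// without ssl start_tls: credentials cross the wire in clear")
    if effective.get("tls_reqcert", "").lower() in ("never", "allow"):
        findings.append("TLS_REQCERT allow/never: server certificate is not verified")
    if effective.get("pam_password", "").lower() == "md5":
        findings.append("pam_password md5: client-side hash bypasses server password policy")
    return findings
```

Running lint_ldap_conf on the posted sample yields five findings (two duplicate keys, the ssl/ldaps contradiction, the clear-text ldap:// URI and the unverified certificate); the hardened sample yields none.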