Hello, I've finally got the SSL working. Thanks for all the help. When I try to login with an imported account from OpenLDAP I get the message that my account is expired and that I need to change my LDAP password immediately. When trying this I get an error

# ssh jdtroy@ldapserver
jdtroy@ldapserver's password:
You are required to change your password immediately (password aged)
You are required to change your LDAP password immediately.
Last login: Fri Jan 13 14:38:12 2006 from ldapserver
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user jdtroy.
Enter login(LDAP) password:
New UNIX password:
Retype new UNIX password:
LDAP password information update failed: Can't contact LDAP server
Current passwd must be supplied by the user.
passwd: Permission denied
Connection to ldapserver closed.

In /var/log/messages I get

pam_ldap: ldap_extended_operation_s Unknow error

Any idea on what I'm doing wrong? In /etc/ldap.conf I do have

pam_lookup_policy yes
pam_password exop
pam_password md5
ssl on
ssl start_tls
tls_cacertfile /path/to/cacertfile

Thanks in advance,
Jo
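The /etc/ldap.conf fragment quoted above sets both pam_password and ssl twice with different values. A small linter that flags such repeated directives and checks that an exop password change has a TLS setting next to it, added here as an example (not code from the thread; the rules are the script's own and the sample file is constructed from the quoted fragment):

```python
"""Lint a pam_ldap /etc/ldap.conf for directives that are set more than once.

Added example, not code from the thread. SAMPLE_LDAP_CONF reproduces the
directives Jo quoted; the two rules (repeated keys with differing values,
a TLS setting required alongside 'pam_password exop') are this script's own."""

# Constructed sample mirroring the thread's /etc/ldap.conf fragment.
SAMPLE_LDAP_CONF = """\
pam_lookup_policy yes
pam_password exop
pam_password md5
ssl on
ssl start_tls
tls_cacertfile /path/to/cacertfile
"""

def parse_ldap_conf(text):
    """Return (key, value) pairs in file order; comments and blanks are skipped."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            pairs.append((parts[0], parts[1] if len(parts) > 1 else ""))
    return pairs

def values_of(pairs, key):
    """Every value given for key, in file order."""
    return [v for k, v in pairs if k == key]

def lint(text):
    """Return findings as strings; an empty list means the file passes."""
    pairs = parse_ldap_conf(text)
    findings = []
    for key in sorted({k for k, _ in pairs}):
        distinct = list(dict.fromkeys(values_of(pairs, key)))
        if len(distinct) > 1:  # which value pam_ldap honours is not obvious to a reader
            findings.append(f"{key} set to {' and '.join(distinct)}")
    # The password-modify extended operation carries the new password inside the
    # LDAP session, so it needs ldaps (ssl on) or STARTTLS (ssl start_tls) underneath.
    if "exop" in values_of(pairs, "pam_password") and not (
            set(values_of(pairs, "ssl")) & {"on", "start_tls"}):
        findings.append("pam_password exop without ssl on or ssl start_tls")
    return findings
```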
For host-based access control, the new method says to do the following:

New Method

There is already an AUXILIARY objectclass provided with the pam/nss ldap distribution on Linux systems: hostObject. On a RHEL4 system, this is in the schema file /usr/share/doc/nss_ldap-226/ldapns.schema in OpenLDAP format. You can convert to Fedora DS schema format using Howto:OpenLDAPMigration like so:

perl ol-schema-migrate.pl /usr/share/doc/nss_ldap-226/ldapns.schema > /opt/fedora-ds/slapd-localhost/config/schema/61ldapns.ldif

However, I was able to get that working without the schema conversion, by adding 'account' objectClass and then the host attribute. It works fine and is much simpler, really...

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
Richard Megginson
2006-Jan-13 20:42 UTC
Re: [Fedora-directory-users] is the howto:Posix wiki correct?
Susan wrote:
> For host-based access control, the new method says to do the following:
>
> New Method
>
> There is already an AUXILIARY objectclass provided with the pam/nss ldap distribution on Linux systems: hostObject. On a RHEL4 system, this is in the schema file /usr/share/doc/nss_ldap-226/ldapns.schema in OpenLDAP format. You can convert to Fedora DS schema format using Howto:OpenLDAPMigration like so:
>
> perl ol-schema-migrate.pl /usr/share/doc/nss_ldap-226/ldapns.schema > /opt/fedora-ds/slapd-localhost/config/schema/61ldapns.ldif
>
> However, I was able to get that working without the schema conversion, by adding 'account' objectClass and then the host attribute. It works fine and is much simpler, really...

Yes, but it is not LDAP standard and not portable. account is a structural objectclass - that means you are not supposed to add it to an entry that already has a structural objectclass. See the NOTE under Old Method - http://directory.fedora.redhat.com/wiki/Howto:Posix

> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
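The structural-class rule cited above, and the reason a host attribute cannot be added until some objectclass on the entry carries it, can be checked mechanically against an LDIF entry. This is an added example, not code from the thread or from Fedora DS; the schema table is a subset of the standard cosine, nis and ldapns definitions and the entry is constructed:

```python
"""Check how a POSIX user entry carries the 'host' attribute: added example, not
code from the thread or from Fedora DS. Objectclass kinds and superiors follow
the standard cosine, nis and ldapns schemas; attribute lists are a subset."""
# objectclass -> (kind, superior, attributes this class itself permits)
SCHEMA = {
    "top": ("ABSTRACT", None, set()),
    "person": ("STRUCTURAL", "top", {"cn", "sn", "userPassword"}),
    "posixAccount": ("AUXILIARY", "top", {"cn", "uid", "uidNumber", "gidNumber",
                                          "homeDirectory", "loginShell", "gecos"}),
    "account": ("STRUCTURAL", "top", {"uid", "host"}),  # cosine.schema
    "hostObject": ("AUXILIARY", "top", {"host"}),       # ldapns.schema
}
# Constructed entry; a host-bearing objectClass line is appended per variant.
BASE_ENTRY = """\
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: person
objectClass: posixAccount
uid: jdoe
cn: Jane Doe
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/jdoe
host: ldapserver
"""

def parse_ldif(text):
    """Minimal LDIF reader: one entry, 'attr: value' lines, no folding or base64."""
    entry = {}
    for line in text.strip().splitlines():
        attr, _, value = line.partition(": ")
        entry.setdefault(attr, []).append(value)
    return entry

def chain(name):
    """The class followed by all of its superiors."""
    return [] if name is None else [name] + chain(SCHEMA[name][1])

def check_entry(ldif):
    """Problems: a second structural class chain (the objection to 'account'), or
    an attribute no listed objectclass permits (why 'host' cannot be added yet)."""
    entry = parse_ldif(ldif)
    classes = entry.get("objectClass", [])
    structural = [c for c in classes if SCHEMA[c][0] == "STRUCTURAL"]
    leaves = [c for c in structural if not any(c in chain(o) for o in structural if o != c)]
    problems = []
    if len(leaves) > 1:
        problems.append("multiple structural classes: " + ", ".join(sorted(leaves)))
    allowed = {a for c in classes for s in chain(c) for a in SCHEMA[s][2]}
    for attr in entry:
        if attr not in ("dn", "objectClass") and attr not in allowed:
            problems.append(f"attribute {attr} not permitted")
    return problems
```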
--- Richard Megginson <rmeggins@redhat.com> wrote:
> Yes, but it is not LDAP standard and not portable. account is a
> structural objectclass - that means you are not supposed to add it to an
> entry that already has a structural objectclass. See the NOTE under Old
> Method - http://directory.fedora.redhat.com/wiki/Howto:Posix

The problem is that you cannot add the host attribute (or the hostObject objectclass) from the gui UNTIL you add the account objectClass. Neither one is on the list, even with the newly created 61ldapns schema imported. There must be a bug in the UI or something...
Richard Megginson
2006-Jan-14 16:50 UTC
Re: [Fedora-directory-users] is the howto:Posix wiki correct?
Susan wrote:
> --- Richard Megginson <rmeggins@redhat.com> wrote:
>> Yes, but it is not LDAP standard and not portable. account is a
>> structural objectclass - that means you are not supposed to add it to an
>> entry that already has a structural objectclass. See the NOTE under Old
>> Method - http://directory.fedora.redhat.com/wiki/Howto:Posix
>
> The problem is that you cannot add the host attribute (or the hostObject objectclass) from the gui UNTIL you add the account objectClass. Neither one is on the list, even with the newly created 61ldapns schema imported. There must be a bug in the UI or something...

You have to restart the server to read in the new schema file, then you have to restart the console in order for it to pick up the new schema from the server. If you've done that, and still no luck, then this is a console bug.
--- Richard Megginson <rmeggins@redhat.com> wrote:
> You have to restart the server to read in the new schema file, then you
> have to restart the console in order for it to pick up the new schema
> from the server. If you've done that, and still no luck, then this is a
> console bug.

Restarting the console made the hostObject objectclass available but still no 'host' attribute. Must be a bug then...