Sævaldur Arnar Gunnarsson
2006-Jul-16 20:31 UTC
[Fedora-directory-users] Disable TLS/SSL security check for password changing
I'm trying to configure Fedora Directory Server as a back-end to Samba 3.x and I've succeeded in doing that with just one exception.

There seems to be a security mechanism that prevents users from changing their passwords over non-SSL/TLS connections. (and gives the following error: "Operation requires a secure connection")

I'm assuming this can be specified somewhere on the administrative console so instead of wasting days looking I thought this would be a good place to ask this question :)

Bottom line, how do I disable the security check that demands TLS/SSL connection in order to change passwords?
David Boreham
2006-Jul-16 20:58 UTC
Re: [Fedora-directory-users] Disable TLS/SSL security check for password changing
Sævaldur Arnar Gunnarsson wrote:

> Bottom line, how do I disable the security check that demands TLS/SSL
> connection in order to change passwords ?

You can't, without editing the source code that is.

RFC3062 says:

    4. Security Considerations

    This operation is used to modify user passwords. The operation itself
    does not provide any security protection to ensure integrity and/or
    confidentiality of the information. Use of this operation is strongly
    discouraged when privacy protections are not in place to guarantee
    confidentiality and may result in the disclosure of the password to
    unauthorized parties. This extension MUST be used with confidentiality
    protection, such as Start TLS [RFC 2830]. The NULL cipher suite MUST
    NOT be used.

There was a hack put in during development that allowed sanity to be preserved while debugging the feature, by disabling the requirement for SSL. You could flip that on and recompile.

See here: http://cvs.fedora.redhat.com/lxr/dirsec/source/ldapserver/ldap/servers/slapd/passwd_extop.c#63
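Added example, not part of the original thread and not code from Fedora Directory Server: it builds and parses the RFC 3062 PasswdModifyRequestValue to show that both passwords travel as plain octet strings, which is why the server refuses the operation without TLS. The DN and passwords are constructed sample values.

```python
# RFC 3062: PasswdModifyRequestValue ::= SEQUENCE {
#   userIdentity [0] OCTET STRING OPTIONAL,
#   oldPasswd    [1] OCTET STRING OPTIONAL,
#   newPasswd    [2] OCTET STRING OPTIONAL }
PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"  # extended request name
FIELDS = {0x80: "userIdentity", 0x81: "oldPasswd", 0x82: "newPasswd"}

def tlv(tag, value):
    """BER tag-length-value with definite length (short or long form)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + value

def encode_request(user_dn=None, old=None, new=None):
    """Encode the request value exactly as a client puts it on the wire."""
    present = [(t, v) for t, v in zip(FIELDS, (user_dn, old, new)) if v is not None]
    return tlv(0x30, b"".join(tlv(t, v.encode("utf-8")) for t, v in present))

def read_tlv(buf, pos):
    """Return (tag, value, next_pos); reject truncated or indefinite lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated length")
        first = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + first > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + first], pos + first

def decode_request(buf):
    """What any on-path observer recovers from an unencrypted request."""
    tag, body, end = read_tlv(buf, 0)
    if tag != 0x30 or end != len(buf):
        raise ValueError("not a PasswdModifyRequestValue")
    out, pos = {}, 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out[FIELDS[tag]] = val.decode("utf-8")  # KeyError on unknown tag
    return out

# Constructed sample values, for illustration only.
SAMPLE = encode_request("uid=alice,ou=People,dc=example,dc=com", "old-secret", "new-secret")
if __name__ == "__main__":
    print(SAMPLE.hex(), decode_request(SAMPLE))
```

Nothing in the encoding hashes or wraps the passwords, so confidentiality has to come from the transport (Start TLS or SSL), as the RFC text quoted above requires.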
Jason Russler
2006-Jul-17 17:26 UTC
Re: [Fedora-directory-users] Disable TLS/SSL security check for password changing
Are you sure it's not the LDAP client that's requiring a secure connection? I'm pretty sure FDS will happily replace password entries without SSL/TLS. Since I've never done this with Samba I can't help any more than that.

Sævaldur Arnar Gunnarsson wrote:

> I'm trying to configure Fedora Directory Server as a back-end to Samba
> 3.x and I've succeeded in doing that with just one exception.
>
> There seems to be a security mechanism that prevents users from changing
> their passwords over non-SSL/TLS connections. (and gives the following
> error: "Operation requires a secure connection")
>
> I'm assuming this can be specified somewhere on the administrative
> console so instead of wasting days looking I thought this would be a
> good place to ask this question :)
>
> Bottom line, how do I disable the security check that demands TLS/SSL
> connection in order to change passwords ?