[Fedora-directory-users] Question on password changes
Richard Megginson
rmeggins at redhat.com
Tue Jan 24 20:04:30 UTC 2006
Bliss, Aaron wrote:
>I'm all set, in the fds on the consumer, I had to manually add the
>supplier as a referral as part of the replication link (even though the
>documentation says it will do this based upon replication link). Thanks
>again very much for such a great product.
>
This sounds like a bug. The supplier automatically sets the referral in
the consumer. You can confirm this by attempting to do an ldapmodify
against the consumer - you should get a referral back. If not, then
this is definitely a bug.
>Aaron
>
>-----Original Message-----
>From: fedora-directory-users-bounces at redhat.com
>[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Bliss, Aaron
>Sent: Tuesday, January 24, 2006 2:11 PM
>To: General discussion list for the Fedora Directory server project.
>Subject: RE: [Fedora-directory-users] Question on password changes
>
>Sorry, I meant to say that I don't see the MOD entry on the supplier's
>log file; I agree with you, it doesn't seem that the client is listening
>to the referral.
>
>Aaron
>
>-----Original Message-----
>From: fedora-directory-users-bounces at redhat.com
>[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard Megginson
>Sent: Tuesday, January 24, 2006 2:10 PM
>To: General discussion list for the Fedora Directory server project.
>Subject: Re: [Fedora-directory-users] Question on password changes
>
>Bliss, Aaron wrote:
>>I see the MOD request in the consumer, but do not see the MOD request
>>in the client;
>Where would you see the MOD request in the client? It just seems as
>though PAM is not following the referral and I'm not sure why. Perhaps
>there is some other PAM configuration required?
>>here are the relevant entries from /etc/ldap.conf and
>>/etc/openldap/ldap.conf:
>>
>>/etc/ldap.conf
>>host serverA serverB
>>base dc=myorg,dc=org
>>pam_lookup_policy yes
>>pam_check_host_attr yes
>>pam_password clear
>>ssl start_tls
>>
>>/etc/openldap/ldap.conf
>>BASE dc=myorg,dc=org
>>HOST serverA serverB
>>TLS_CACERT /etc/openldap/cacerts/cacert.pem
>>TLS_REQCERT allow
>>
>>Any ideas? I've confirmed this behaviour on redhat 3 and redhat 4
>>boxes, further this is the error that I get from redhat 4 boxes
>>
>>LDAP password information update failed: Can't contact LDAP server
>>passwd: Permission denied
>>
>>Thanks again for your help.
>>
>>Aaron
>>
>>-----Original Message-----
>>From: fedora-directory-users-bounces at redhat.com
>>[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard Megginson
>>Sent: Tuesday, January 24, 2006 1:21 PM
>>To: General discussion list for the Fedora Directory server project.
>>Subject: Re: [Fedora-directory-users] Question on password changes
>>
>>Bliss, Aaron wrote:
>>>I am not using the password extended operation to change passwords i.e.
>>>in /etc/ldap.conf pam_password exop is commented out; as such, what's
>>>the best way to begin to debug this?
>>I'm not sure. If I understand you correctly, it seems that the
>>consumer is correctly sending the referral back to the client in
>>response to the MOD request to change the password. Can you examine
>>the supplier access log to see if the client is following the referral?
>>You should see a MOD request in the supplier access log shortly after
>>the MOD to the consumer that resulted in the err=10. If not, this
>>means the client is not following the referral, which is either a bug
>>or a mis-configuration of the client.
>>>Also, what is the advantage of
>>>using the extended operation to change passwords? Thanks again.
>>The extended operation is meant to be used when you are not using a
>>simple userPassword (e.g. some SASL mechs, Kerberos).
>>>Aaron
>>>
>>>-----Original Message-----
>>>From: fedora-directory-users-bounces at redhat.com
>>>[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard Megginson
>>>Sent: Tuesday, January 24, 2006 11:13 AM
>>>To: General discussion list for the Fedora Directory server project.
>>>Subject: Re: [Fedora-directory-users] Question on password changes
>>>
>>>Bliss, Aaron wrote:
>>>>Thanks for getting back to me so quickly; I've seen the error messages
>>>>that you referenced below; I can then assume my only alternative
>>>>is to setup a multimaster environment? Thanks.
>>>Which error messages have you seen? Are you saying that the client is
>>>using the password modify extended operation? If so, then yes, you
>>>will have to use multi master. If not, then single master should be
>>>fine, and you'll need to debug the client to figure out why it's not
>>>following the referral to the supplier.
>>>
>>>BTW, I believe we have a bug - the consumer should send back a referral
>>>to the supplier when it gets the password modify extended operation.
>>>We need to add support for sending back referrals when certain extended
>>>operations that modify data are received.
>>>>Aaron
>>>>
>>>>-----Original Message-----
>>>>From: fedora-directory-users-bounces at redhat.com
>>>>[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard Megginson
>>>>Sent: Tuesday, January 24, 2006 10:35 AM
>>>>To: General discussion list for the Fedora Directory server project.
>>>>Subject: Re: [Fedora-directory-users] Question on password changes
>>>>
>>>>Bliss, Aaron wrote:
>>>>>I have a quick question on password changes; my current setup is the
>>>>>following: I have 2 directory servers, single master environment
>>>>>(supplier and consumer); I understand that all changes to the directory
>>>>>have to be made by the supplier and are then replicated to the
>>>>>consumer; when a client server binds to the consumer and a user
>>>>>attempts to change their password, they receive an unknown error
>>>>>response from the server, and changes are not made; simply configuring
>>>>>the client's ldap.conf file to bind first with the supplier resolved
>>>>>this issue, however I was wondering if it's possible to configure the
>>>>>consumer in such a way that he will refer the update to take place on
>>>>>the supplier instead of rejecting the change to the database?
>>>>Yes, that's what should be happening. When you send the modify
>>>>password request to the consumer, it should send back a referral to the
>>>>supplier. You can see this in the access log - a MOD request followed by a
>>>>response with err=10 (referral). If however the client is using the
>>>>password modify extended operation, I don't think that is referred to
>>>>the supplier. In this case, you will see EXT as the operation type in
>>>>the access log for the request.
>>>>>I would have thought that the
>>>>>consumer would simply refer changes automatically to the supplier, but
>>>>>that doesn't seem to be the case. Any thoughts?
>>>>Check the access logs, as above.
>>>>>I do know that I can
>>>>>configure both servers to be masters, but I was hoping to avoid this
>>>>>(I've read thru some of the directory server documentation citing
>>>>>errors and so forth in a multi-master environment) Thanks.
>>>>http://directory.fedora.redhat.com/wiki/Howto:ChainOnUpdate
>>>>
>>>>However, I don't think we chain the password change extended operation.
>>>>>Aaron
>>>>>
>>>>>www.preferredcare.org
>>>>>"An Outstanding Member Experience," Preferred Care HMO Plans -- J. D.
>>>>>Power and Associates
>>>>>
>>>>>Confidentiality Notice:
>>>>>The information contained in this electronic message is intended for
>>>>>the exclusive use of the individual or entity named above and may
>>>>>contain privileged or confidential information. If the reader of this
>>>>>message is not the intended recipient or the employee or agent
>>>>>responsible to deliver it to the intended recipient, you are hereby
>>>>>notified that dissemination, distribution or copying of this
>>>>>information is prohibited. If you have received this communication in
>>>>>error, please notify the sender immediately by telephone and destroy
>>>>>the copies you received.
>>>>>
>>>>>--
>>>>>Fedora-directory-users mailing list
>>>>>Fedora-directory-users at redhat.com
>>>>>https://www.redhat.com/mailman/listinfo/fedora-directory-users
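The access-log check Richard describes above (a MOD on the consumer answered with err=10, then the same MOD turning up in the supplier's log; EXT for the password modify extended operation, which the thread says is neither referred nor chained) can be scripted. This is an added example, not code from the thread or from the Fedora Directory Server project; the log lines are constructed in the 389/Fedora DS access log layout, and the 30-second matching window is an assumption.

```python
import re
from datetime import datetime, timedelta
# 389/Fedora DS access log: "[ts] conn=N op=M <REQUEST ...>" then "[ts] conn=N op=M RESULT err=E ..."
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<rest>.*)$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"  # RFC 3062 password modify extended operation

# Constructed sample logs (not from the thread): the consumer sees two MODs and one EXT.
CONSUMER_LOG = """\
[24/Jan/2006:14:10:03 -0500] conn=42 op=3 MOD dn="uid=aaron,ou=People,dc=myorg,dc=org"
[24/Jan/2006:14:10:03 -0500] conn=42 op=3 RESULT err=10 tag=103 nentries=0 etime=0
[24/Jan/2006:14:11:40 -0500] conn=43 op=2 MOD dn="uid=bob,ou=People,dc=myorg,dc=org"
[24/Jan/2006:14:11:40 -0500] conn=43 op=2 RESULT err=10 tag=103 nentries=0 etime=0
[24/Jan/2006:14:12:00 -0500] conn=44 op=1 EXT oid="1.3.6.1.4.1.4203.1.11.1" name="passwd_modify_extop"
[24/Jan/2006:14:12:00 -0500] conn=44 op=1 RESULT err=0 tag=120 nentries=0 etime=0
"""
SUPPLIER_LOG = """\
[24/Jan/2006:14:10:04 -0500] conn=7 op=1 MOD dn="uid=aaron,ou=People,dc=myorg,dc=org"
[24/Jan/2006:14:10:04 -0500] conn=7 op=1 RESULT err=0 tag=103 nentries=0 etime=0
"""

def parse_ops(log_text):
    """Pair every request line with its RESULT line via (conn, op); keeps log order."""
    ops = {}
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        key, rest = (m["conn"], m["op"]), m["rest"]
        if rest.startswith("RESULT "):
            if key in ops:  # result for a request we saw; record its LDAP result code
                ops[key]["err"] = int(re.search(r"err=(\d+)", rest).group(1))
            continue
        dn, oid = re.search(r'dn="([^"]*)"', rest), re.search(r'oid="([^"]*)"', rest)
        ops[key] = {"ts": datetime.strptime(m["ts"], TS_FMT), "kind": rest.split(" ", 1)[0],
                    "dn": dn and dn.group(1), "oid": oid and oid.group(1), "err": None}
    return list(ops.values())

def check_referrals(consumer_log, supplier_log, window=timedelta(seconds=30)):
    """One (dn, verdict) per consumer write: was a referral sent, and did the client follow it?"""
    supplier_mods = [o for o in parse_ops(supplier_log) if o["kind"] == "MOD"]
    findings = []
    for o in parse_ops(consumer_log):
        if o["kind"] == "MOD" and o["err"] == 10:  # err=10: consumer referred the write
            followed = any(s["dn"] == o["dn"] and o["ts"] <= s["ts"] <= o["ts"] + window
                           for s in supplier_mods)
            findings.append((o["dn"], "referral followed" if followed else "referral NOT followed"))
        elif o["kind"] == "MOD":  # consumer rejected the write outright instead of referring it
            findings.append((o["dn"], f"no referral: consumer answered err={o['err']}"))
        elif o["kind"] == "EXT" and o["oid"] == PASSWD_MODIFY_OID:
            findings.append((o["dn"], "password modify EXT hit consumer: not referred or chained"))
    return findings
```

Run it against the real consumer and supplier access logs to tell apart the three situations in the thread: a referral the client followed, a referral it ignored, and a password modify extended operation that never reached the supplier.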