[389-users] Password Policy not working fine

Rich Megginson rmeggins at redhat.com
Fri Dec 4 20:25:34 UTC 2009


Allan Gaston Hougham wrote:
> Hi Rich,
>  
> Sorry, I saw your answer now..
> With our settings on ldap.conf the error is:
>  
>  
> > > > > Changing password for user testsi.
> > > > > Enter login(LDAP) password:
> > > > > New UNIX password:
> > > > > Retype new UNIX password:
> > > > > LDAP password information update failed: Confidentiality required
> > > > > Operation requires a secure connection.
> > > > > passwd: Permission denied
>
>  
> What is the shortcut to resolve this problem?
>  
> 1 - We need to run this command: ldappasswd -x to disable SASL auth
>  
> 2 - We need to make these settings?
>  
> Need to configure the directory server and nss_ldap/pam_ldap
> (/etc/ldap.conf) to use TLS
>  
> It is not important to have a secure connection for authentication.
> We need our policies to work fine.
>  
> I think that we aren't using ldappasswd...
ldappasswd uses the password extended operation, just like pam_password 
exop.  In order to use this extended operation, you must use a secure 
connection, which means TLS/SSL or SASL with a negotiated security layer.

So you either need to configure your LDAP server and client to use TLS, 
or use something like ldapmodify to change the userPassword attribute 
directly (i.e. don't use the passwd command).
>  
> Thanks in advance!!
>  
> Allan
>  
> > Date: Fri, 4 Dec 2009 11:03:53 -0700
> > From: rmeggins at redhat.com
> > To: fedora-directory-users at redhat.com
> > Subject: Re: [389-users] Password Policy not working fine
> >
> > Allan Gaston Hougham wrote:
> > > Any suggestions??
> >
> > Did you not read my reply? See below
> > >
> > > Thanks!
> > >
> > > > Date: Thu, 3 Dec 2009 11:43:34 -0700
> > > > From: rmeggins at redhat.com
> > > > To: fedora-directory-users at redhat.com
> > > > Subject: Re: [389-users] Password Policy not working fine
> > > >
> > > > Allan Gaston Hougham wrote:
> > > > > I can't.. We have two errors:
> > > > >
> > > > > [root at dblvm32 ~]# passwd testsi
> > > > > Changing password for user testsi.
> > > > > Enter login(LDAP) password:
> > > > > New UNIX password:
> > > > > Retype new UNIX password:
> > > > > LDAP password information update failed: Confidentiality required
> > > > > Operation requires a secure connection.
> > > > > passwd: Permission denied
> > [begin rmeggins reply]
> > > > Need to configure the directory server and nss_ldap/pam_ldap
> > > > (/etc/ldap.conf) to use TLS
> > [end rmeggins reply]
> > > > >
> > > > > [root at dblvm32 ~]# ldappasswd testsi
> > > > > SASL/EXTERNAL authentication started
> > > > > ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
> > > > > additional info: SASL(-4): no mechanism available:
> > > > > [root at dblvm32 ~]#
> > [begin rmeggins reply]
> > > > ldappasswd -x to disable SASL auth
> > [end rmeggins reply]
> > > > >
> > > > >
> > > > > What happened?? Thanks!!
> > > > >
> > > > >
> > > > > Allan
> > > > >
> > > > >
> > > > > > Date: Thu, 3 Dec 2009 09:58:04 -0700
> > > > > > From: rmeggins at redhat.com
> > > > > > To: fedora-directory-users at redhat.com
> > > > > > Subject: Re: [389-users] Password Policy not working fine
> > > > > >
> > > > > > Allan Gaston Hougham wrote:
> > > > > > > Hi, thanks for you response,
> > > > > > >
> > > > > > > We have Fedora-ds 1.2.2 2009.237.2054
> > > > > > >
> > > > > > > Platform:
> > > > > > >
> > > > > > > > > Linux zblhp36 2.6.18-8.1.14.el5 #1 SMP Tue Sep 25 11:45:55 EDT 2007 x86_64 x86_64 x86_64 GNU/Linux
> > > > > > > > >
> > > > > > > > > At this time we can apply any policies, but "user must
> > > > > > > > > change password after reset" and changing the password after it
> > > > > > > > > expires are not working
> > > > > > > > >
> > > > > > > This is the error with this ldap.conf:
> > > > > > >
> > > > > > > [root at yblhp35 openldap]# cat ldap.conf
> > > > > > > #
> > > > > > > # LDAP Defaults
> > > > > > > #
> > > > > > > # See ldap.conf(5) for details
> > > > > > > # This file should be world readable but not world writable.
> > > > > > > #BASE dc=example, dc=com
> > > > > > > > > #URI ldap://ldap.example.com ldap://ldap-master.example.com:666
> > > > > > > #SIZELIMIT 12
> > > > > > > #TIMELIMIT 15
> > > > > > > #DEREF never
> > > > > > > #use_sasl on
> > > > > > > URI ldap://zblhp36.ml.com/
> > > > > > > BASE dc=ml,dc=com
> > > > > > > > > suffix "ou=Infraestructura,ou=Sistemas,ou=Tronador,ou=Argentina"
> > > > > > > suffix "ou=Arquitectura,ou=Sistemas,ou=Tronador,ou=Argentina"
> > > > > > > #TLS_CACERTDIR /etc/openldap/cacerts
> > > > > > > #TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt
> > > > > > > TLS_REQCERT allow
> > > > > > > bind_policy soft
> > > > > > > ssl no
> > > > > > > TLS_CACERTDIR /etc/openldap/cacerts
> > > > > > > pam_password md5
> > > > > > >
> > > > > > > ERROR:
> > > > > > >
> > > > > > > WARNING: Your password has expired.
> > > > > > > You must change your password now and login again!
> > > > > > > Changing password for user testsi.
> > > > > > > Enter login(LDAP) password:
> > > > > > > LDAP Password incorrect: try again
> > > > > > > Enter login(LDAP) password:
> > > > > > > New UNIX password:
> > > > > > > Retype new UNIX password:
> > > > > > > > > LDAP password information update failed: Server is unwilling to perform user is not allowed to change password
> > > > > > > passwd: Permission denied
> > > > > > >
> > > > > > >
> > > > > > > And this is the error with this ldap.conf:
> > > > > > >
> > > > > > >
> > > > > > > [ahougham at dblvm32 ~]$ cat /etc/ldap.conf
> > > > > > > #
> > > > > > > # See ldap.conf(5) for details
> > > > > > > # This file should be world readable but not world writable.
> > > > > > > #BASE dc=example, dc=com
> > > > > > > > > #URI ldap://ldap.example.com ldap://ldap-master.example.com:666
> > > > > > > #SIZELIMIT 12
> > > > > > > #TIMELIMIT 15
> > > > > > > #DEREF never
> > > > > > > #use_sasl on
> > > > > > > HOST 172.16.100.186 172.16.102.49
> > > > > > > URI ldaps://172.16.100.186 ldaps://172.16.102.49
> > > > > > > BASE dc=ml,dc=com
> > > > > > > > > suffix "ou=Infraestructura,ou=Sistemas,ou=Tronador,ou=Argentina"
> > > > > > > suffix "ou=Arquitectura,ou=Sistemas,ou=Tronador,ou=Argentina"
> > > > > > > #TLS_CACERTDIR /etc/openldap/cacerts/
> > > > > > > #TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt
> > > > > > > TLS_REQCERT allow
> > > > > > > bind_policy soft
> > > > > > > ssl no
> > > > > > > tls_cacertdir /etc/openldap/cacerts
> > > > > > > pam_password md5
> > > > > > > uri ldap://zblhp36.ml.com/
> > > > > > > base dc=ml,dc=com
> > > > > > > # Search the root DSE for the password policy (works
> > > > > > > # with Netscape Directory Server)
> > > > > > > pam_lookup_policy yes
> > > > > > > # Use the OpenLDAP password change
> > > > > > > # extended operation to update the password.
> > > > > > > pam_password exop
> > > > > > >
> > > > > > >
> > > > > > > WARNING: Your password has expired.
> > > > > > > You must change your password now and login again!
> > > > > > > Changing password for user testsi.
> > > > > > > Enter login(LDAP) password:
> > > > > > > New UNIX password:
> > > > > > > Retype new UNIX password:
> > > > > > > > > LDAP password information update failed: Confidentiality required
> > > > > > > Operation requires a secure connection.
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > Thanks in advance!!!
> > > > > > Does it work if you use the ldappasswd command line tool?
> > > > > > >
> > > > > > >
> > > > > > > Allan
> > > > > > >
> > > > > > >
> > > > > > > > Date: Mon, 30 Nov 2009 08:11:51 -0700
> > > > > > > > From: rmeggins at redhat.com
> > > > > > > > To: fedora-directory-users at redhat.com
> > > > > > > > Subject: Re: [389-users] Password Policy not working fine
> > > > > > > >
> > > > > > > > Allan Gaston Hougham wrote:
> > > > > > > > > Dears,
> > > > > > > > >
> > > > > > > > > > > I have a problem with my password policies. I enabled "Enable
> > > > > > > > > > > fine-grained password policy" and applied it, but it is not
> > > > > > > > > > > working fine.
> > > > > > > > > > > I followed the steps of Administration Guide pag 364 -
> > > > > > > > > > >
> > > > > > > > > > > *7.1.1.2. Configuring a Subtree/User Password Policy Using the Console*
> > > > > > > > > > >
> > > > > > > > > > > But it's not working; do I have to set anything more?
> > > > > > > > > > > Can you help me?
> > > > > > > > >
> > > > > > > > > > What is your platform? What version of directory server?
> > > > > > > > > > rpm -qi 389-ds-base (or fedora-ds-base)
> > > > > > > > >
> > > > > > > > > Thanks a lot in advance!
> > > > > > > > >
> > > > > > > > > Allan Hougham
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > --
> > > > > > > > > 389 users mailing list
> > > > > > > > > 389-users at redhat.com
> > > > > > > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users
>   
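Rich's point above, that `pam_password exop` only works over a TLS-protected connection, can be checked mechanically against /etc/ldap.conf before anyone runs passwd. The linter below is an added example, not code from the thread or from 389 DS: it parses the key names quoted in the thread (uri, ssl, TLS_REQCERT, pam_password), flags the combination that produces "Confidentiality required", and uses the second quoted ldap.conf as constructed input beside a corrected variant.

```python
"""Lint an nss_ldap/pam_ldap ldap.conf for the failure in this thread:
pam_password exop (the password modify extended operation) sent over a
connection without TLS.  Added example, not code from the thread."""

# Constructed from the second ldap.conf quoted above (relevant keys only).
# Note the two URI lines: the ldaps:// hosts and a plain ldap:// one.
THREAD_LDAP_CONF = """\
URI ldaps://172.16.100.186 ldaps://172.16.102.49
TLS_REQCERT allow
ssl no
pam_password exop
uri ldap://zblhp36.ml.com/
"""

# Corrected: StartTLS on the plain URI and a verified server certificate.
FIXED_LDAP_CONF = """\
uri ldap://zblhp36.ml.com/
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
TLS_REQCERT demand
pam_password exop
"""


def parse_ldap_conf(text):
    """Map lower-cased key -> values in file order; keys may repeat (URI/uri)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            conf.setdefault(key.lower(), []).append(value.strip())
    return conf


def check_password_change(conf):
    """Return findings (empty list means OK) for exop over plaintext."""
    findings = []
    uris = [u for line in conf.get("uri", []) for u in line.split()]
    plain = [u for u in uris if u.lower().startswith("ldap://")]
    ssl_mode = conf.get("ssl", ["no"])[-1].lower()          # last one wins
    exop = conf.get("pam_password", [""])[-1].lower() == "exop"
    if exop and plain and ssl_mode != "start_tls":
        findings.append("pam_password exop on plaintext %s: the server answers "
                        "'Confidentiality required'; set 'ssl start_tls' or use "
                        "only ldaps:// URIs" % ", ".join(plain))
    reqcert = conf.get("tls_reqcert", ["demand"])[-1].lower()
    if reqcert in ("never", "allow"):
        findings.append("TLS_REQCERT %s: server certificate not verified, so "
                        "TLS encrypts the password but does not authenticate "
                        "the directory" % reqcert)
    return findings
```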



