<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Verdana
}
--></style>
</head>
<body class='hmmessage'>
Hi Rich,<BR>
<BR>
Sorry, I saw you answer now..<BR>
With our settings on ldap.conf the error is:<BR>
<BR>
<BR>
> > > > Changing password for user testsi.<BR>> > > > Enter login(LDAP) password:<BR>> > > > New UNIX password:<BR>> > > > Retype new UNIX password:<BR>> > > > LDAP password information update failed: Confidentiality required<BR>> > > > Operation requires a secure connection.<BR>> > > > passwd: Permission denied<BR><BR>
<BR>
What is the shorcut for to resolve this problem?<BR>
<BR>
1 - We need run this command: ldappasswd -x to disable SASL auth<BR>
<BR>
<BR>
2- We need make this settings?<BR>
<BR>
Need to configure the directory server and nss_ldap/pam_ldap<BR>(/etc/ldap.conf) to use TLS<BR>
<BR> <BR>
Is not important have a secure conection in authentication<BR>
We need that ours policies working fine<BR>
<BR>
I think that we aren´t using ldappasswd...<BR>
<BR>
<BR>
<BR>Thanks in adavance!!<BR>
<BR>
<BR>
Allan<BR>
<BR>
<BR>
<BR>
<BR>
<BR>> Date: Fri, 4 Dec 2009 11:03:53 -0700<BR>> From: rmeggins@redhat.com<BR>> To: fedora-directory-users@redhat.com<BR>> Subject: Re: [389-users] Password Policy not working fine<BR>> <BR>> Allan Gaston Hougham wrote:<BR>> > Any sugesst??<BR>> <BR>> Did you not read my reply? See below<BR>> > <BR>> > Thanks!<BR>> > <BR>> > > Date: Thu, 3 Dec 2009 11:43:34 -0700<BR>> > > From: rmeggins@redhat.com<BR>> > > To: fedora-directory-users@redhat.com<BR>> > > Subject: Re: [389-users] Password Policy not working fine<BR>> > ><BR>> > > Allan Gaston Hougham wrote:<BR>> > > > I can´t .. We have two errors:<BR>> > > ><BR>> > > > [root@dblvm32 ~]# passwd testsi<BR>> > > > Changing password for user testsi.<BR>> > > > Enter login(LDAP) password:<BR>> > > > New UNIX password:<BR>> > > > Retype new UNIX password:<BR>> > > > LDAP password information update failed: Confidentiality required<BR>> > > > Operation requires a secure connection.<BR>> > > > passwd: Permission denied<BR>> [begin rmeggins reply]<BR>> > > Need to configure the directory server and nss_ldap/pam_ldap<BR>> > > (/etc/ldap.conf) to use TLS<BR>> [end rmeggins repl<BR>> > > ><BR>> > > > [root@dblvm32 ~]# ldappasswd testsi<BR>> > > > SASL/EXTERNAL authentication started<BR>> > > > ldap_sasl_interactive_bind_s: Unknown authentication method (-6)<BR>> > > > additional info: SASL(-4): no mechanism available:<BR>> > > > [root@dblvm32 ~]#<BR>> [begin rmeggins reply]<BR>> > > ldappasswd -x to disable SASL auth<BR>> [end rmeggins reply]<BR>> > > ><BR>> > > ><BR>> > > > What happend?? Thanks!!<BR>> > > ><BR>> > > ><BR>> > > > Allan<BR>> > > ><BR>> > > ><BR>> > > > > Date: Thu, 3 Dec 2009 09:58:04 -0700<BR>> > > > > From: rmeggins@redhat.com<BR>> > > > > To: fedora-directory-users@redhat.com<BR>> > > > > Subject: Re: [389-users] Password Policy not working fine<BR>> > > > ><BR>> > > > > Allan Gaston Hougham wrote:<BR>> > > > > > Hi, thanks for you response,<BR>> > > > > ><BR>> > > > > > We have Fedora-ds 1.2.2 2009.237.2054<BR>> > > > > ><BR>> > > > > > Platform:<BR>> > > > > ><BR>> > > > > > Linux zblhp36 2.6.18-8.1.14.el5 #1 SMP Tue Sep 25 11:45:55 EDT <BR>> > 2007<BR>> > > > > > x86_64 x86_64 x86_64 GNU/Linux<BR>> > > > > ><BR>> > > > > > In this time we can apply any policies, but is not working <BR>> > "user must<BR>> > > > > > change password after reset" and change password later that it <BR>> > exipire<BR>> > > > > ><BR>> > > > > > This is the error with this ldap.conf:<BR>> > > > > ><BR>> > > > > > [root@yblhp35 openldap]# cat ldap.conf<BR>> > > > > > #<BR>> > > > > > # LDAP Defaults<BR>> > > > > > #<BR>> > > > > > # See ldap.conf(5) for details<BR>> > > > > > # This file should be world readable but not world writable.<BR>> > > > > > #BASE dc=example, dc=com<BR>> > > > > > #URI ldap://ldap.example.com ldap://ldap-master.example.com:666<BR>> > > > > > #SIZELIMIT 12<BR>> > > > > > #TIMELIMIT 15<BR>> > > > > > #DEREF never<BR>> > > > > > #use_sasl on<BR>> > > > > > URI ldap://zblhp36.ml.com/<BR>> > > > > > BASE dc=ml,dc=com<BR>> > > > > > suffix "ou=Infraestructura,ou=Sistemas,ou=Tronador,ou=Argentina"<BR>> > > > > > suffix "ou=Arquitectura,ou=Sistemas,ou=Tronador,ou=Argentina"<BR>> > > > > > #TLS_CACERTDIR /etc/openldap/cacerts<BR>> > > > > > #TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt<BR>> > > > > > TLS_REQCERT allow<BR>> > > > > > bind_policy soft<BR>> > > > > > ssl no<BR>> > > > > > TLS_CACERTDIR /etc/openldap/cacerts<BR>> > > > > > pam_password md5<BR>> > > > > ><BR>> > > > > > ERROR:<BR>> > > > > ><BR>> > > > > > WARNING: Your password has expired.<BR>> > > > > > You must change your password now and login again!<BR>> > > > > > Changing password for user testsi.<BR>> > > > > > Enter login(LDAP) password:<BR>> > > > > > LDAP Password incorrect: try again<BR>> > > > > > Enter login(LDAP) password:<BR>> > > > > > New UNIX password:<BR>> > > > > > Retype new UNIX password:<BR>> > > > > > LDAP password information update failed: Server is unwilling to<BR>> > > > > > perform user is not allowed to change password<BR>> > > > > > passwd: Permission denied<BR>> > > > > ><BR>> > > > > ><BR>> > > > > > And this is the error with this ldap.conf:<BR>> > > > > ><BR>> > > > > ><BR>> > > > > > [ahougham@dblvm32 ~]$ cat /etc/ldap.conf<BR>> > > > > > #<BR>> > > > > > # See ldap.conf(5) for details<BR>> > > > > > # This file should be world readable but not world writable.<BR>> > > > > > #BASE dc=example, dc=com<BR>> > > > > > #URI ldap://ldap.example.com ldap://ldap-master.example.com:666<BR>> > > > > > #SIZELIMIT 12<BR>> > > > > > #TIMELIMIT 15<BR>> > > > > > #DEREF never<BR>> > > > > > #use_sasl on<BR>> > > > > > HOST 172.16.100.186 172.16.102.49<BR>> > > > > > URI ldaps://172.16.100.186 ldaps://172.16.102.49<BR>> > > > > > BASE dc=ml,dc=com<BR>> > > > > > suffix "ou=Infraestructura,ou=Sistemas,ou=Tronador,ou=Argentina"<BR>> > > > > > suffix "ou=Arquitectura,ou=Sistemas,ou=Tronador,ou=Argentina"<BR>> > > > > > #TLS_CACERTDIR /etc/openldap/cacerts/<BR>> > > > > > #TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt<BR>> > > > > > TLS_REQCERT allow<BR>> > > > > > bind_policy soft<BR>> > > > > > ssl no<BR>> > > > > > tls_cacertdir /etc/openldap/cacerts<BR>> > > > > > pam_password md5<BR>> > > > > > uri ldap://zblhp36.ml.com/<BR>> > > > > > base dc=ml,dc=com<BR>> > > > > > # Search the root DSE for the password policy (works<BR>> > > > > > # with Netscape Directory Server)<BR>> > > > > > pam_lookup_policy yes<BR>> > > > > > # Use the OpenLDAP password change<BR>> > > > > > # extended operation to update the password.<BR>> > > > > > pam_password exop<BR>> > > > > ><BR>> > > > > ><BR>> > > > > > WARNING: Your password has expired.<BR>> > > > > > You must change your password now and login again!<BR>> > > > > > Changing password for user testsi.<BR>> > > > > > Enter login(LDAP) password:<BR>> > > > > > New UNIX password:<BR>> > > > > > Retype new UNIX password:<BR>> > > > > > LDAP password information update failed: Confidentiality required<BR>> > > > > > Operation requires a secure connection.<BR>> > > > > ><BR>> > > > > ><BR>> > > > > ><BR>> > > > > > Thanks in advance!!!<BR>> > > > > Does it work if you use the ldappasswd command line tool?<BR>> > > > > ><BR>> > > > > ><BR>> > > > > > Allan<BR>> > > > > ><BR>> > > > > ><BR>> > > > > > > Date: Mon, 30 Nov 2009 08:11:51 -0700<BR>> > > > > > > From: rmeggins@redhat.com<BR>> > > > > > > To: fedora-directory-users@redhat.com<BR>> > > > > > > Subject: Re: [389-users] Password Policy not working fine<BR>> > > > > > ><BR>> > > > > > > Allan Gaston Hougham wrote:<BR>> > > > > > > > Dears,<BR>> > > > > > > ><BR>> > > > > > > > I have a problem with my passwords policies, I enabled "Enable<BR>> > > > > > > > fine-grained password policy", I apply this but is not <BR>> > working<BR>> > > > fine.<BR>> > > > > > > > I followed the steps of Administration Guide pag 364 -<BR>> > > > > > > ><BR>> > > > > > > > *7.1.1.2. Configuring a Subtree/User Password Policy Using the<BR>> > > > > > Console*<BR>> > > > > > > ><BR>> > > > > > > > But it´s not working, i have that setting any more?<BR>> > > > > > > > Can you help me?<BR>> > > > > > > ><BR>> > > > > > > What is your platform? What version of directory server? rpm -qi<BR>> > > > > > > 389-ds-base (or fedora-ds-base)<BR>> > > > > > > ><BR>> > > > > > > > Thanks a lot in advance!<BR>> > > > > > > ><BR>> > > > > > > > Allan Hougham<BR>> > > > > > > ><BR>> > > > > > > ><BR>> > > > > > > ><BR>> > > > > ><BR>> > > > <BR>> > ------------------------------------------------------------------------<BR>> > > > > > > > Internet Explorer 8 especial para MSN - ¡Gratis! <BR>> > Descargalo ahora<BR>> > > > > > > > haciendo clic aquí<BR>> > > > > > > ><BR>> > > > <http://www.ie8.msn.com/microsoft/internet-explorer-8/es-ar/ie8.aspx><BR>> > > > > > > ><BR>> > > > > ><BR>> > > > <BR>> > ------------------------------------------------------------------------<BR>> > > > > > > ><BR>> > > > > > > > --<BR>> > > > > > > > 389 users mailing list<BR>> > > > > > > > 389-users@redhat.com<BR>> > > > > > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users<BR>> > > > > > > ><BR>> > > > > > ><BR>> > > > > > ><BR>> > > > > ><BR>> > > > > ><BR>> > > > <BR>> > ------------------------------------------------------------------------<BR>> > > > > > ¿Te llegan demasiados emails? Organizate con Hotmail. ¡Creá <BR>> > carpetas<BR>> > > > > > para todos tus correos! <http://mail.live.com/><BR>> > > > > ><BR>> > > > <BR>> > ------------------------------------------------------------------------<BR>> > > > > ><BR>> > > > > > --<BR>> > > > > > 389 users mailing list<BR>> > > > > > 389-users@redhat.com<BR>> > > > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users<BR>> > > > > ><BR>> > > > ><BR>> > > > ><BR>> > > ><BR>> > > > <BR>> > ------------------------------------------------------------------------<BR>> > > > ¡Revisá de un vistazo si tenés correos nuevos! Ingresá a tu Hotmail<BR>> > > > desde tu Messenger. ¡Probalo ahora!<BR>> > > > <http://www.microsoft.com/latam/windows/windowslive/default.aspx><BR>> > > > <BR>> > ------------------------------------------------------------------------<BR>> > > ><BR>> > > > --<BR>> > > > 389 users mailing list<BR>> > > > 389-users@redhat.com<BR>> > > > https://www.redhat.com/mailman/listinfo/fedora-directory-users<BR>> > > ><BR>> > ><BR>> > > --<BR>> > > 389 users mailing list<BR>> > > 389-users@redhat.com<BR>> > > https://www.redhat.com/mailman/listinfo/fedora-directory-users<BR>> ><BR>> > ------------------------------------------------------------------------<BR>> > Internet Explorer 8 especial para MSN - ¡Gratis! Hacé clic aquí <BR>> > <http://www.ie8.msn.com/microsoft/internet-explorer-8/es-ar/ie8.aspx><BR>> > ------------------------------------------------------------------------<BR>> ><BR>> > --<BR>> > 389 users mailing list<BR>> > 389-users@redhat.com<BR>> > https://www.redhat.com/mailman/listinfo/fedora-directory-users<BR>> > <BR>> <BR>> --<BR>> 389 users mailing list<BR>> 389-users@redhat.com<BR>> https://www.redhat.com/mailman/listinfo/fedora-directory-users<BR> <br /><hr />¿Cansado de borrar spam de tu bandea de entrada? <a href='http://mail.live.com' target='_new'>¡Ganá tiempo con el nuevo filtro anti spam de Hotmail!</a></body>
</html>