<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Verdana
}
--></style>
</head>
<body class='hmmessage'>
You need to modify the file <BR>
<BR>
<PRE>[root@zblhp40 ~]# cat /etc/ldap.conf
#LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example, dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
URI ldap://1X.XX.XX.XX ldap://172.X.XX.XX
BASE dc=XX,dc=com
#TLS_CACERTDIR /etc/openldap/cacerts
TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt
TLS_REQCERT never
uri ldap://SERVER.COM/
base dc=ml,dc=com
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5</PRE>
<BR>
<BR>
<BR>
<BR>
Add in
<TABLE style="WIDTH: 320pt; BORDER-COLLAPSE: collapse" border=0 cellSpacing=0 cellPadding=0 width=426>
<COLGROUP>
<COL style="WIDTH: 320pt; mso-width-source: userset; mso-width-alt: 15579" width=426>
<TBODY>
<TR style="HEIGHT: 15.75pt" height=21>
<TD style="BORDER-BOTTOM: #ece9d8; BORDER-LEFT: #ece9d8; BACKGROUND-COLOR: transparent; WIDTH: 320pt; HEIGHT: 15.75pt; BORDER-TOP: #ece9d8; BORDER-RIGHT: #ece9d8" height=21 width=426><FONT size=2 face=Calibri> /etc/pam.d/system-auth :</FONT></TD></TR>
<TR style="HEIGHT: 18.75pt" height=25>
<TD style="BORDER-BOTTOM: #ece9d8; BORDER-LEFT: #ece9d8; BACKGROUND-COLOR: transparent; WIDTH: 320pt; HEIGHT: 18.75pt; BORDER-TOP: #ece9d8; BORDER-RIGHT: #ece9d8" class=xl63 height=25 width=426><FONT size=2 face=Calibri><STRONG>account<SPAN style="mso-spacerun: yes"> </SPAN>sufficient<SPAN style="mso-spacerun: yes"> </SPAN>pam_localuser.so </STRONG> << this on second line</FONT></TD></TR></TBODY></TABLE><BR> <BR>
Restart sshd service<BR>
<BR>
<BR>
Regards!<BR>
<BR>
Allan<BR>
<BR>
<BR>
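The two ldap.conf files quoted in this thread carry the settings a reviewer should look at first: <code>TLS_REQCERT never</code> and <code>ssl no</code> in the file above, and <code>TLS_CACERT</code> pointing at the <code>/etc/openldap/cacerts</code> directory in Paul's file below (that keyword takes a file; a directory belongs under <code>TLS_CACERTDIR</code>). The following linter is an added example, not code from the thread or from the 389 project; the host name is a placeholder and the directory check is injectable so it runs offline.

```python
"""Lint the TLS settings of a pam_ldap/nss_ldap style ldap.conf (added example, not
from the thread). Keywords match case-insensitively, as the quoted files mix URI/uri."""
import os

WEAK_REQCERT = {"never", "allow"}      # TLS_REQCERT values that skip server-cert verification
TLS_ON = {"on", "yes", "start_tls"}    # pam_ldap/nss_ldap 'ssl' values that turn TLS on

def parse(text):
    """Yield (line_no, keyword_lower, value) for each non-blank, non-comment line."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        yield no, parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")

def lint_ldap_conf(text, is_dir=os.path.isdir):
    """Return [(line_no, message)] for settings that disable or weaken TLS.
    is_dir is injectable so the check runs offline on constructed input."""
    entries = list(parse(text))
    tls_on = any(k == "ssl" and v.lower() in TLS_ON for _, k, v in entries)
    findings = []
    for no, key, val in entries:
        if key == "tls_reqcert" and val.lower() in WEAK_REQCERT:
            findings.append((no, f"TLS_REQCERT {val}: server certificate is not verified"))
        elif key == "ssl" and val.lower() in {"no", "off"}:
            findings.append((no, "ssl no: pam_ldap/nss_ldap binds without TLS"))
        elif key in {"tls_cacert", "tls_cacertfile"} and is_dir(val):
            findings.append((no, f"{key} {val} is a directory; this keyword wants a file, use TLS_CACERTDIR"))
        elif key == "uri" and not tls_on and any(u.lower().startswith("ldap://") for u in val.split()):
            findings.append((no, "ldap:// URI with no 'ssl start_tls' or 'ssl on' line"))
    return findings

# Constructed sample modelled on the weak settings quoted in the thread (placeholder host).
WEAK = """\
uri ldap://ldap.example.test/
base dc=example,dc=test
ssl no
TLS_CACERT /etc/openldap/cacerts
TLS_REQCERT never
"""
# The same client corrected: StartTLS on, the directory under the right keyword, strict checking.
HARDENED = WEAK.replace("ssl no", "ssl start_tls").replace(
    "TLS_CACERT ", "TLS_CACERTDIR ").replace("TLS_REQCERT never", "TLS_REQCERT demand")

if __name__ == "__main__":
    fake_is_dir = lambda p: p == "/etc/openldap/cacerts"   # stands in for os.path.isdir offline
    for no, msg in lint_ldap_conf(WEAK, fake_is_dir):
        print(f"line {no}: {msg}")
    print("hardened findings:", lint_ldap_conf(HARDENED, fake_is_dir))
```

Run against a real /etc/ldap.conf or /etc/openldap/ldap.conf, leave is_dir at its default so the directory check uses the local filesystem.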
<HR id=stopSpelling>
Date: Thu, 14 Jan 2010 13:35:23 -0600<BR>From: Paul.Fulda@ngc.com<BR>To: 389-users@lists.fedoraproject.org<BR>Subject: Re: [389-users] Help with setiting up Password Policy and SSL/TLS<BR><BR>
<STYLE>
.ExternalClass p.ecxMsoNormal, .ExternalClass li.ecxMsoNormal, .ExternalClass div.ecxMsoNormal
{margin-bottom:.0001pt;font-size:12.0pt;font-family:'Times New Roman','serif';color:black;}
.ExternalClass a:link, .ExternalClass span.ecxMsoHyperlink
{color:blue;text-decoration:underline;}
.ExternalClass a:visited, .ExternalClass span.ecxMsoHyperlinkFollowed
{color:purple;text-decoration:underline;}
.ExternalClass p
{margin-right:0in;margin-left:0in;font-size:12.0pt;font-family:'Times New Roman','serif';color:black;}
.ExternalClass pre
{margin-bottom:.0001pt;font-size:10.0pt;font-family:'Courier New';color:black;}
.ExternalClass span.ecxHTMLPreformattedChar
{font-family:Consolas;color:black;}
.ExternalClass span.ecxEmailStyle20
{font-family:'Calibri','sans-serif';color:#1F497D;}
.ExternalClass .ecxMsoChpDefault
{font-size:10.0pt;}
@page Section1
{size:8.5in 11.0in;}
.ExternalClass div.ecxSection1
{page:Section1;}
.ExternalClass ol
{margin-bottom:0in;}
.ExternalClass ul
{margin-bottom:0in;}
</STYLE>
<DIV class=ecxSection1>
<P class=ecxMsoNormal><SPAN style="FONT-FAMILY: 'Calibri','sans-serif'; COLOR: #1f497d; FONT-SIZE: 11pt">Do not remember where I read that the SSL/TLS is required. But if that is the case, I cannot get the Password Policy to work. For instance, prior to messing around with SSL, I set in the Password Policy to require the user to choose a new password after reset. I reset the users password in the Directory Server and when the user typed that password in on a client machine it did not prompt him to change his password. Also, none of the password complexity settings worked either. Could it be that PAM is overriding the Directory Server and if it is how do I bypass PAM?</SPAN></P>
<P class=ecxMsoNormal><SPAN style="FONT-FAMILY: 'Calibri','sans-serif'; COLOR: #1f497d; FONT-SIZE: 11pt"> </SPAN></P>
<DIV>
<DIV style="BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
<P class=ecxMsoNormal><B><SPAN style="FONT-FAMILY: 'Tahoma','sans-serif'; COLOR: windowtext; FONT-SIZE: 10pt">From:</SPAN></B><SPAN style="FONT-FAMILY: 'Tahoma','sans-serif'; COLOR: windowtext; FONT-SIZE: 10pt"> 389-users-bounces@lists.fedoraproject.org [mailto:389-users-bounces@lists.fedoraproject.org] <B>On Behalf Of </B>Nathan Kinder<BR><B>Sent:</B> Thursday, January 14, 2010 1:14 PM<BR><B>To:</B> General discussion list for the 389 Directory server project.<BR><B>Subject:</B> Re: [389-users] Help with setiting up Password Policy and SSL/TLS</SPAN></P></DIV></DIV>
<P class=ecxMsoNormal> </P>
<P class=ecxMsoNormal>On 01/14/2010 10:56 AM, Fulda, Paul R (IS) wrote: </P>
<SPAN style="FONT-FAMILY: 'Calibri','sans-serif'">Hi,</SPAN><BR>
<SPAN style="FONT-FAMILY: 'Calibri','sans-serif'">I am trying to configure the Password Policy for my users and read that you would not be able to use the Policy unless you set up SSL/TLS. </SPAN><BR>
<P class=ecxMsoNormal>Where did you read this? SSL/TLS is not required to use the password policy features.<BR><BR></P>
<SPAN style="FONT-FAMILY: 'Calibri','sans-serif'">I am</SPAN> <SPAN style="FONT-FAMILY: 'Calibri','sans-serif'">using 389 Server version 1.2.2. Also I am running the Server on Fedora 11 64 bit. All clients are also Fedora 11 64 bit.</SPAN><BR>
<SPAN style="FONT-FAMILY: 'Calibri','sans-serif'">I followed the instructions in setting up SSL here at </SPAN> <A><SPAN style="FONT-FAMILY: 'Calibri','sans-serif'">http://directory.fedoraproject.org/wiki/Howto:SSL</SPAN></A><BR>
<SPAN style="FONT-FAMILY: 'Calibri','sans-serif'">I ran the setupssl2.sh script and it completed with no errors. In the 389 Admin Console I could see the certificates for both the Admin Server</SPAN> <SPAN style="FONT-FAMILY: 'Calibri','sans-serif'">and DS Server</SPAN> <SPAN style="FONT-FAMILY: 'Calibri','sans-serif'">in the </SPAN><BR>
<SPAN style="FONT-FAMILY: 'Calibri','sans-serif'">Manage Certificates screens.</SPAN><BR>
<SPAN style="FONT-FAMILY: 'Calibri','sans-serif'">Also, I do not want to use SSL for the Admin Server or the Admin Console. I just want to be able to use it for user authentication so the Password Policy works.</SPAN><BR>
<SPAN style="FONT-FAMILY: 'Calibri','sans-serif'">Bottom line is that I cannot get</SPAN> <SPAN style="FONT-FAMILY: 'Calibri','sans-serif'">both features (Password Policies and SSL) working. Any help would be greatly appreciated.</SPAN><BR>
<SPAN style="FONT-FAMILY: 'Calibri','sans-serif'">Up to this point here are my questions:</SPAN><BR>
<SPAN style="FONT-FAMILY: 'Calibri','sans-serif'">1) </SPAN> <SPAN style="FONT-FAMILY: 'Calibri','sans-serif'"> In the Directory Server GUI from the 389 Admin Console what certificate do I use to populate</SPAN> <SPAN style="FONT-FAMILY: 'Calibri','sans-serif'">the Certificate field in the Encryption Tab?</SPAN><BR>
<P style="MARGIN-LEFT: 1in"><SPAN style="FONT-FAMILY: 'Calibri','sans-serif'">There are 3 choices it provides after running the sslsetup2.sh script which are CA Certificate, server-cert, and server-Cert.</SPAN></P>
<P class=ecxMsoNormal>The one named "Server-Cert" should be used for the Directory Server.<BR><BR></P>
<SPAN style="FONT-FAMILY: 'Calibri','sans-serif'">2) </SPAN> <SPAN style="FONT-FAMILY: 'Calibri','sans-serif'">In the Client Authentication Block in the same Encryption Tab as #1 above, I have selected</SPAN> <SPAN style="FONT-FAMILY: 'Calibri','sans-serif'">“Require client authentication”. Is this correct?</SPAN><BR>
<P style="MARGIN-LEFT: 1in"><SPAN style="FONT-FAMILY: 'Calibri','sans-serif'">Is this how you force the Directory Server to use</SPAN> <SPAN style="FONT-FAMILY: 'Calibri','sans-serif'">only port 636 for secure communications? If not, how do you do that?</SPAN></P>
<P class=ecxMsoNormal>No. Client authentication refers to using a client certificate to authenticate as opposed to a bind DN and password. You most likely don't want to do this. If you truly want to only use port 636, you can set nsslapd-listenport to "0", but all of your clients will be required to use LDAPS over port 636. You should be really sure that this is what you want.<BR><BR></P>
<SPAN style="FONT-FAMILY: 'Calibri','sans-serif'">3) </SPAN> <SPAN style="FONT-FAMILY: 'Calibri','sans-serif'">What are the differences between /etc/openldap/ldap.conf and /etc/ldap.conf? What are the</SPAN> <SPAN style="FONT-FAMILY: 'Calibri','sans-serif'">client</SPAN> <SPAN style="FONT-FAMILY: 'Calibri','sans-serif'">configurations</SPAN> <SPAN style="FONT-FAMILY: 'Calibri','sans-serif'">needed to make this work?</SPAN><BR>
<P class=ecxMsoNormal>/etc/openldap/ldap.conf is the OpenLDAP client config file. /etc/ldap.conf is the config file for nss_ldap and pam_ldap.<BR><BR></P>
<P style="MARGIN-LEFT: 1in"><SPAN style="FONT-FAMILY: 'Calibri','sans-serif'">The only ldap.conf file that</SPAN> <A><SPAN style="FONT-FAMILY: 'Calibri','sans-serif'">http://directory.fedoraproject.org/wiki/Howto:SSL</SPAN></A><SPAN style="FONT-FAMILY: 'Calibri','sans-serif'"> talks about</SPAN> <SPAN style="FONT-FAMILY: 'Calibri','sans-serif'">configuring is the /etc/openldap/ldap.conf file.</SPAN></P>
<P style="MARGIN-LEFT: 1in"><SPAN style="FONT-FAMILY: 'Calibri','sans-serif'">My /etc/openldap/ldap.conf file looks like this:</SPAN></P>
<P style="MARGIN-LEFT: 1in"><SPAN style="FONT-FAMILY: 'Calibri','sans-serif'">URI <A>ldap://hadmina.eidev.ngc.com/</A></SPAN></P>
<P style="MARGIN-LEFT: 1in"><SPAN style="FONT-FAMILY: 'Calibri','sans-serif'">BASE dc=eidev, dc=ngc, dc=com</SPAN></P>
<P style="MARGIN-LEFT: 1in"><SPAN style="FONT-FAMILY: 'Calibri','sans-serif'">TLS_CACERT /etc/openldap/cacerts</SPAN></P>
<P style="MARGIN-LEFT: 1in"><SPAN style="FONT-FAMILY: 'Calibri','sans-serif'">TLS_REQCERT allow</SPAN></P>
<SPAN style="FONT-FAMILY: 'Calibri','sans-serif'">4) </SPAN> <SPAN style="FONT-FAMILY: 'Calibri','sans-serif'">How do you get the certificate on the client machines? What I did was copy from the server the cacert.asc file that is located in /etc/dirsrv/slapd-hadmina</SPAN><BR>
<P style="MARGIN-LEFT: 1in"><SPAN style="FONT-FAMILY: 'Calibri','sans-serif'">to the client machine in /etc/openldap/cacerts directory. Is this correct?</SPAN></P>
<SPAN style="FONT-FAMILY: 'Calibri','sans-serif'">Thanks and I hope there is someone out there that can help me get this working!</SPAN><BR>
<SPAN style="FONT-FAMILY: 'Calibri','sans-serif'">Paul</SPAN><BR><PRE> </PRE><PRE> </PRE><PRE>--</PRE><PRE>389 users mailing list</PRE><PRE><A>389-users@lists.fedoraproject.org</A></PRE><PRE><A>https://admin.fedoraproject.org/mailman/listinfo/389-users</A></PRE>
<P class=ecxMsoNormal> </P></DIV>
</body>
</html>