[Fedora-directory-users] FreeRadius LDAP Extensions
by Roger Spencer
Has anyone had any luck getting the FreeRadius LDAP extensions into DS?
I've modified the RADIUS-LDAPv3.schema file that comes with FreeRadius
(as of version 1.0.5) to what seems to match the format DS is expecting
and placed it in the slapd config/schema directory as 75radius.ldif (see
attached). When I restart slapd, the file loads fine and I see it in
the schema. But when I try to add RadiusProfile to the Object class
section of a user account (using the advanced settings), I get "Unknown
error with naming attribute."
Any ideas?
# This is an LDAPv3 schema for RADIUS attributes.
# Tested on OpenLDAP 2.0.7
# Posted by Javier Fernandez-Sanguino Pena <jfernandez(a)sgi.es>
# LDAP v3 version by Jochen Friedrich <jochen(a)scram.de>
# Updates by Adrian Pavlykevych <pam(a)polynet.lviv.ua>
# RWS: Modified - added dn: schema, removed empty lines
##############
dn: cn=schema
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.1
NAME 'radiusArapFeatures'
DESC 'radiusArapFeatures'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
X-ORIGIN 'FreeRadius'
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.2
NAME 'radiusArapSecurity'
DESC 'radiusArapSecurity'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
X-ORIGIN 'FreeRadius'
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.3
NAME 'radiusArapZoneAccess'
DESC 'radiusArapZoneAccess'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
X-ORIGIN 'FreeRadius'
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.44
NAME 'radiusAuthType'
DESC 'radiusAuthType'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
X-ORIGIN 'FreeRadius'
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.4
NAME 'radiusCallbackId'
DESC 'radiusCallbackId'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
X-ORIGIN 'FreeRadius'
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.5
NAME 'radiusCallbackNumber'
DESC 'radiusCallbackNumber'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
X-ORIGIN 'FreeRadius'
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.6
NAME 'radiusCalledStationId'
DESC 'radiusCalledStationId'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
X-ORIGIN 'FreeRadius'
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.7
NAME 'radiusCallingStationId'
DESC 'radiusCallingStationId'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
X-ORIGIN 'FreeRadius'
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.8
NAME 'radiusClass'
DESC 'radiusClass'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
X-ORIGIN 'FreeRadius'
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.45
NAME 'radiusClientIPAddress'
DESC 'radiusClientIPAddress'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
X-ORIGIN 'FreeRadius'
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.9
NAME 'radiusFilterId'
DESC 'radiusFilterId'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
X-ORIGIN 'FreeRadius'
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.10
NAME 'radiusFramedAppleTalkLink'
DESC 'radiusFramedAppleTalkLink'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
X-ORIGIN 'FreeRadius'
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.11
NAME 'radiusFramedAppleTalkNetwork'
DESC 'radiusFramedAppleTalkNetwork'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
X-ORIGIN 'FreeRadius'
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.12
NAME 'radiusFramedAppleTalkZone'
DESC 'radiusFramedAppleTalkZone'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
X-ORIGIN 'FreeRadius'
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.13
NAME 'radiusFramedCompression'
DESC 'radiusFramedCompression'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
X-ORIGIN 'FreeRadius'
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.14
NAME 'radiusFramedIPAddress'
DESC 'radiusFramedIPAddress'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
X-ORIGIN 'FreeRadius'
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.15
NAME 'radiusFramedIPNetmask'
DESC 'radiusFramedIPNetmask'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
X-ORIGIN 'FreeRadius'
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.16
NAME 'radiusFramedIPXNetwork'
DESC 'radiusFramedIPXNetwork'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
X-ORIGIN 'FreeRadius'
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.17
NAME 'radiusFramedMTU'
DESC 'radiusFramedMTU'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
X-ORIGIN 'FreeRadius'
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.18
NAME 'radiusFramedProtocol'
DESC 'radiusFramedProtocol'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
X-ORIGIN 'FreeRadius'
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.19
NAME 'radiusFramedRoute'
DESC 'radiusFramedRoute'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
X-ORIGIN 'FreeRadius'
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.20
NAME 'radiusFramedRouting'
DESC 'radiusFramedRouting'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
X-ORIGIN 'FreeRadius'
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.46
NAME 'radiusGroupName'
DESC 'radiusGroupName'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
X-ORIGIN 'FreeRadius'
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.47
NAME 'radiusHint'
DESC 'radiusHint'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
X-ORIGIN 'FreeRadius'
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.48
NAME 'radiusHuntgroupName'
DESC 'radiusHuntgroupName'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
X-ORIGIN 'FreeRadius'
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.21
NAME 'radiusIdleTimeout'
DESC 'radiusIdleTimeout'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
X-ORIGIN 'FreeRadius'
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.22
NAME 'radiusLoginIPHost'
DESC 'radiusLoginIPHost'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
X-ORIGIN 'FreeRadius'
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.23
NAME 'radiusLoginLATGroup'
DESC 'radiusLoginLATGroup'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
X-ORIGIN 'FreeRadius'
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.24
NAME 'radiusLoginLATNode'
DESC 'radiusLoginLATNode'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
X-ORIGIN 'FreeRadius'
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.25
NAME 'radiusLoginLATPort'
DESC 'radiusLoginLATPort'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
X-ORIGIN 'FreeRadius'
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.26
NAME 'radiusLoginLATService'
DESC 'radiusLoginLATService'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
X-ORIGIN 'FreeRadius'
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.27
NAME 'radiusLoginService'
DESC 'radiusLoginService'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
X-ORIGIN 'FreeRadius'
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.28
NAME 'radiusLoginTCPPort'
DESC 'radiusLoginTCPPort'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
X-ORIGIN 'FreeRadius'
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.29
NAME 'radiusPasswordRetry'
DESC 'radiusPasswordRetry'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
X-ORIGIN 'FreeRadius'
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.30
NAME 'radiusPortLimit'
DESC 'radiusPortLimit'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
X-ORIGIN 'FreeRadius'
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.49
NAME 'radiusProfileDn'
DESC 'radiusProfileDn'
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
SINGLE-VALUE
X-ORIGIN 'FreeRadius'
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.31
NAME 'radiusPrompt'
DESC 'radiusPrompt'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
X-ORIGIN 'FreeRadius'
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.50
NAME 'radiusProxyToRealm'
DESC 'radiusProxyToRealm'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
X-ORIGIN 'FreeRadius'
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.51
NAME 'radiusReplicateToRealm'
DESC 'radiusReplicateToRealm'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
X-ORIGIN 'FreeRadius'
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.52
NAME 'radiusRealm'
DESC 'radiusRealm'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
X-ORIGIN 'FreeRadius'
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.32
NAME 'radiusServiceType'
DESC 'radiusServiceType'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
X-ORIGIN 'FreeRadius'
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.33
NAME 'radiusSessionTimeout'
DESC 'radiusSessionTimeout'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
X-ORIGIN 'FreeRadius'
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.34
NAME 'radiusTerminationAction'
DESC 'radiusTerminationAction'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
X-ORIGIN 'FreeRadius'
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.35
NAME 'radiusTunnelAssignmentId'
DESC 'radiusTunnelAssignmentId'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
X-ORIGIN 'FreeRadius'
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.36
NAME 'radiusTunnelMediumType'
DESC 'radiusTunnelMediumType'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
X-ORIGIN 'FreeRadius'
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.37
NAME 'radiusTunnelPassword'
DESC 'radiusTunnelPassword'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
X-ORIGIN 'FreeRadius'
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.38
NAME 'radiusTunnelPreference'
DESC 'radiusTunnelPreference'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
X-ORIGIN 'FreeRadius'
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.39
NAME 'radiusTunnelPrivateGroupId'
DESC 'radiusTunnelPrivateGroupId'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
X-ORIGIN 'FreeRadius'
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.40
NAME 'radiusTunnelServerEndpoint'
DESC 'radiusTunnelServerEndpoint'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
X-ORIGIN 'FreeRadius'
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.41
NAME 'radiusTunnelType'
DESC 'radiusTunnelType'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
X-ORIGIN 'FreeRadius'
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.42
NAME 'radiusVSA'
DESC 'radiusVSA'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
X-ORIGIN 'FreeRadius'
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.43
NAME 'radiusTunnelClientEndpoint'
DESC 'radiusTunnelClientEndpoint'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
X-ORIGIN 'FreeRadius'
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.53
NAME 'radiusSimultaneousUse'
DESC 'radiusSimultaneousUse'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE
X-ORIGIN 'FreeRadius'
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.54
NAME 'radiusLoginTime'
DESC 'radiusLoginTime'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
X-ORIGIN 'FreeRadius'
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.55
NAME 'radiusUserCategory'
DESC 'radiusUserCategory'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
X-ORIGIN 'FreeRadius'
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.56
NAME 'radiusStripUserName'
DESC 'radiusStripUserName'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE-VALUE
X-ORIGIN 'FreeRadius'
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.57
NAME 'dialupAccess'
DESC 'dialupAccess'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
X-ORIGIN 'FreeRadius'
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.58
NAME 'radiusExpiration'
DESC 'radiusExpiration'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
X-ORIGIN 'FreeRadius'
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.59
NAME 'radiusCheckItem'
DESC 'radiusCheckItem'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
X-ORIGIN 'FreeRadius'
)
attributeTypes:
( 1.3.6.1.4.1.3317.4.3.1.60
NAME 'radiusReplyItem'
DESC 'radiusReplyItem'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
X-ORIGIN 'FreeRadius'
)
objectclasses:
( 1.3.6.1.4.1.3317.4.3.2.1
NAME 'radiusprofile'
DESC ''
SUP top AUXILIARY
MUST cn
MAY ( radiusArapFeatures $ radiusArapSecurity $ radiusArapZoneAccess $
radiusAuthType $ radiusCallbackId $ radiusCallbackNumber $
radiusCalledStationId $ radiusCallingStationId $ radiusClass $
radiusClientIPAddress $ radiusFilterId $ radiusFramedAppleTalkLink $
radiusFramedAppleTalkNetwork $ radiusFramedAppleTalkZone $
radiusFramedCompression $ radiusFramedIPAddress $
radiusFramedIPNetmask $ radiusFramedIPXNetwork $
radiusFramedMTU $ radiusFramedProtocol $
radiusCheckItem $ radiusReplyItem $
radiusFramedRoute $ radiusFramedRouting $ radiusIdleTimeout $
radiusGroupName $ radiusHint $ radiusHuntgroupName $
radiusLoginIPHost $ radiusLoginLATGroup $ radiusLoginLATNode $
radiusLoginLATPort $ radiusLoginLATService $ radiusLoginService $
radiusLoginTCPPort $ radiusLoginTime $ radiusPasswordRetry $
radiusPortLimit $ radiusPrompt $ radiusProxyToRealm $
radiusRealm $ radiusReplicateToRealm $ radiusServiceType $
radiusSessionTimeout $ radiusStripUserName $
radiusTerminationAction $ radiusTunnelClientEndpoint $ radiusProfileDn $
radiusSimultaneousUse $ radiusTunnelAssignmentId $
radiusTunnelMediumType $ radiusTunnelPassword $ radiusTunnelPreference $
radiusTunnelPrivateGroupId $ radiusTunnelServerEndpoint $
radiusTunnelType $ radiusUserCategory $ radiusVSA $
radiusExpiration $ dialupAccess )
X-ORIGIN 'FreeRadius'
)
18 years, 3 months
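Before loading a converted schema file like the one above into a directory server, it is worth cross-checking it mechanically: that no OID is reused, that every EQUALITY rule fits its SYNTAX, and that every attribute an objectClass lists in MUST/MAY is actually defined somewhere. The script below is an added example for this thread, not code from FreeRADIUS or from Fedora/389 Directory Server. Its SAMPLE_LDIF is a constructed fragment modelled on the posted schema with three deliberate defects (a reused OID, a boolean attribute given an IA5 equality rule, and a MAY reference to an attribute nobody defined); the set of "core" attribute names it treats as pre-existing is an assumption for the example. One caveat it encodes: LDIF folding strips exactly one leading space from a continuation line, so a folded definition needs two leading spaces for the token separator to survive.

```python
"""Cross-check an LDAPv3 schema LDIF before loading it into a directory server.

Added example for this thread; not code from FreeRADIUS or from Fedora/389
Directory Server.  SAMPLE_LDIF is a constructed fragment modelled on the
schema posted above, with three deliberate defects so the checks have
something to report.
"""
import re

# LDAP syntax OID -> equality rules that are valid for it (subset we care about).
SYNTAX_RULES = {
    "1.3.6.1.4.1.1466.115.121.1.26": {"caseignoreia5match", "caseexactia5match"},  # IA5 String
    "1.3.6.1.4.1.1466.115.121.1.27": {"integermatch"},                              # INTEGER
    "1.3.6.1.4.1.1466.115.121.1.7":  {"booleanmatch"},                              # Boolean
    "1.3.6.1.4.1.1466.115.121.1.12": {"distinguishednamematch"},                    # DN
}
# Assumed to be provided by the server's core schema; referencing them is fine.
CORE_ATTRIBUTES = {"cn", "sn", "uid", "objectclass", "description"}

# Constructed sample.  Continuation lines carry TWO leading spaces: LDIF folding
# strips exactly one, so the second survives as the separator between tokens.
SAMPLE_LDIF = """\
dn: cn=schema
attributeTypes:
  ( 1.3.6.1.4.1.3317.4.3.1.44
  NAME 'radiusAuthType'
  EQUALITY caseIgnoreIA5Match
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
  SINGLE-VALUE
  X-ORIGIN 'FreeRadius' )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.53 NAME 'radiusSimultaneousUse'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'FreeRadius' )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.56 NAME 'radiusStripUserName'
  EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
attributeTypes: ( 1.3.6.1.4.1.3317.4.3.1.44 NAME 'radiusDuplicateOid'
  EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
objectClasses: ( 1.3.6.1.4.1.3317.4.3.2.1 NAME 'radiusprofile' DESC ''
  SUP top AUXILIARY MUST cn
  MAY ( radiusAuthType $ radiusSimultaneousUse $ radiusStripUserName $ radiusNoSuchAttr ) )
"""


def unfold_ldif(text):
    """Undo LDIF line folding and yield (attribute, value) pairs."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # continuation: drop only the fold marker
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    for line in lines:
        key, _, value = line.partition(":")
        yield key.strip().lower(), value.strip()


def parse_definition(value):
    """Pull the fields we check out of an RFC 4512 '( oid NAME ... )' definition."""
    m = re.match(r"\(\s*([\d.]+)", value)
    if not m:
        raise ValueError("definition does not start with '( <oid>': " + value[:40])
    names = re.search(r"\bNAME\s+(?:'([^']*)'|\(([^)]*)\))", value)
    if names is None:
        name_list = []
    elif names.group(1) is not None:
        name_list = [names.group(1)]
    else:
        name_list = names.group(2).replace("'", "").split()

    def keyword(kw):
        k = re.search(r"\b" + kw + r"\s+([\w.-]+)", value)
        return k.group(1) if k else None

    def listing(kw):
        k = re.search(r"\b" + kw + r"\s+(?:\(([^)]*)\)|([\w-]+))", value)
        if not k:
            return []
        body = k.group(1) if k.group(1) is not None else k.group(2)
        return [n.strip() for n in body.split("$") if n.strip()]

    return {"oid": m.group(1), "names": name_list, "syntax": keyword("SYNTAX"),
            "equality": keyword("EQUALITY"), "must": listing("MUST"), "may": listing("MAY")}


def check_schema(text, core_attributes=CORE_ATTRIBUTES):
    """Return a list of (severity, message) findings for one schema LDIF."""
    findings, attrs, classes, oid_owner = [], {}, {}, {}
    for key, value in unfold_ldif(text):
        if key not in ("attributetypes", "objectclasses"):
            continue
        d = parse_definition(value)
        label = d["names"][0] if d["names"] else d["oid"]
        if d["oid"] in oid_owner:
            findings.append(("error", f"OID {d['oid']} is used by both {oid_owner[d['oid']]} and {label}"))
        else:
            oid_owner[d["oid"]] = label
        table = attrs if key == "attributetypes" else classes
        for n in d["names"]:
            if n.lower() in table:
                findings.append(("error", f"NAME {n} is defined twice"))
            table[n.lower()] = d
        if key == "attributetypes" and d["equality"]:
            allowed = SYNTAX_RULES.get(d["syntax"])
            if allowed and d["equality"].lower() not in allowed:
                findings.append(("error", f"{label}: EQUALITY {d['equality']} is not valid for SYNTAX {d['syntax']}"))
    # Every attribute an objectClass names must exist in this file or in core schema.
    for name, d in classes.items():
        for ref in d["must"] + d["may"]:
            if ref.lower() not in attrs and ref.lower() not in core_attributes:
                findings.append(("error", f"objectClass {name} references undefined attribute {ref}"))
    return findings


if __name__ == "__main__":
    for severity, message in check_schema(SAMPLE_LDIF):
        print(f"{severity}: {message}")
```

Run it against a real schema file by passing the file's contents to `check_schema`; an empty list means the three checks passed, which says nothing about whether the server will accept the file, only that the common copy-and-paste mistakes are absent.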
[Fedora-directory-users] Problem with password warning from fds
by Bliss, Aaron
I know this has been talked about, but I'm still having a problem with this;
I'm not receiving a password warning from the directory server; in testing,
I have accounts set to expire after 9 days with a password warning set to 8
days; below are my client config files; I'm running fds 1.0.1. Any
thoughts? Thanks very much.
/etc/pam.d/system-auth
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so broken_shadow
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account required /lib/security/$ISA/pam_permit.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_ldap.so
#%PAM-1.0
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_mkhomedir.so skel=/etc/skel/ umask=0007
session required pam_stack.so service=system-auth
session required pam_loginuid.so
/etc/pam.d/sshd
#%PAM-1.0
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_mkhomedir.so skel=/etc/skel/ umask=0007
session required pam_stack.so service=system-auth
session required pam_loginuid.so
/etc/ldap.conf file has this entry
pam_lookup_policy yes
www.preferredcare.org
18 years, 3 months
[Fedora-directory-users] need help with ldap and sshd
by Aaron Bliss
Things seem to be working well with the directory server; however, I've run
into 2 problems.
1. I can't figure out how to configure sshd to authenticate to the ldap
server.
2. This may actually not be a problem at all when I address number 1;
however, ldap home directories are not being created despite having this
line in my /etc/pam.d/login file
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
I've only verified that number 2 is an issue over ssh; as such, it may not be
an actual issue at all.
Any thoughts? thanks again.
18 years, 3 months
[Fedora-directory-users] setup fails, cannot start server (slapd)
by Ulli Horlacher
After successfully building (with dsbuild) and installing FDS on a SLES 9
system, the startup script hangs.
I have run /opt/fedora-ds/setup/setup with default-answers to all
questions (besides the password ;-) ). The problems are:
Fedora Directory Server system tuning analysis version 04-APRIL-2005.
NOTICE : System is i686-unknown-linux2.6.5-7.201-smp (2 processors).
ERROR: We support kernel version 2.4.7 and higher.
Continue? (yes/no)
Looks like a string compare bug to me. I typed "yes".
Then, some questions later, I got the infinite loop:
[slapd-lanldap2]: starting up server ...
[slapd-lanldap2]: Attempting to obtain server status . . .
[slapd-lanldap2]: Attempting to obtain server status . . .
[slapd-lanldap2]: Attempting to obtain server status . . .
...
I terminated setup and reran it. Now I got:
In order to reconfigure your installation, the Configuration Directory
Administrator password is required. Here is your current information:
Configuration Directory:
Configuration Administrator ID:
At the prompt, please enter the password for the Configuration Administrator.
Fedora configuration directory server
administrator ID: admin
Password: xxxxxxxx
Could not connect to f8/LC_CTYPE
Press any key to continue.
What now?
I found no hint in http://directory.fedora.redhat.com/wiki/FAQ or
http://directory.fedora.redhat.com/wiki/Install_Guide
--
-- Ullrich Horlacher, BelWue Coordination ------- mailto:framstag@belwue.de --
Computing Centre Universitaet Stuttgart (RUS)
Allmandring 30, 70550 Stuttgart, Germany fax: +49 711 678 8363
-- saft://saft.belwue.de/framstag ----------------- http://www.belwue.de/ ----
18 years, 3 months
[Fedora-directory-users] Strange problem with replication
by Scott Boggs
I have a strange problem, which I hope someone can help me with. I have my
FDS configured to PassSync with AD which was working without issue, and I am
now getting this error:
NSMMReplicationPlugin - agmt="cn=Thursday1" (txad:636): Replication bind to cn=sync manager on consumer failed: 49 (80090308: LdapErr: DSID-0C09030F, comment: AcceptSecurityContext error, data 525, vece)
I am successful at getting the user information and password to sync, but it
is not reliable; I have to reinitialize a full resync a number of times
before it takes. I am also getting the following error:
NSMMReplicationPlugin - agmt="cn=Thursday1" (txad:636): Replica has no update vector. It has never been initialized error!
I am unsure why this is showing up now; I created a user on the FDS,
refreshed and even rebooted. Any words of wisdom from the FDS vets out
there would be much appreciated.
tks
18 years, 3 months
[Fedora-directory-users] Admin limit exceeded
by Greg Looney
While trying to set up admin users that are allowed to only change
certain fields for users, we keep getting "administrator limit
exceeded" when doing searches. The only user that is able to do those
searches is the "Directory Manager".
Any ideas?
Greg Looney
Ozarks Technical Community College
18 years, 3 months
[Fedora-directory-users] Account Expiration Warning
by Jim Summers
Hello List,
Having been troubled in the past with account expiration on an
iplanet5.1 server with linux clients, I wanted to get this working
during my evaluation / testing of FDS.
I have enabled the password policy on the FDS and set the ldap.conf
entries necessary to get this working. Upon doing this and then
logging in and out, new fields appear in the people container for that
account. Such as passwordexpirationtime, passwordretrycount, etc... All
is working, such as, a passwd change will update the necessary fields
for the correct length of time reset counts, etc...
When testing the password expiration warning I stumbled onto the issue,
that I do not get an actual "Your password will expire in XX days"
message. I do see where the field, passwordexpwarned is set to "1", but
I do not ever get an actual message.
The way I am testing is to set the policy to warn the user 3 days in
advance. Then I set the passwordexpirationtime to a date less than three
days away. Then attempt to log in. Login is ok, but no warning of the
impending doom about to strike the account.
If I actually set the expirationtime to a time less than the current,
then I can login until passwordusergracetime is GE the allowed number of
logins after the password expiration. At which time I get a message
that the password expired and it must be changed immediately, at which
time the connection immediately closes and the password cannot be changed!
No log entries in error, so I am not sure what I have overlooked?
Any advice or suggestions?
Also when doing an ldapsearch and binding as an admin user I cannot see
the entries for the passwordXXXXXXX fields. Is there a certain
ldapsearch switch to see those? Possibly an ACI missing on my part?
TIA
--
Jim Summers
School of Computer Science-University of Oklahoma
-------------------------------------------------
18 years, 3 months
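Both password-warning threads above (the one with the pam_ldap stack and this one) come down to the same mechanism: the server does not push "your password will expire in N days" as text. It attaches the LDAP Password Policy response control (draft-behera-ldap-password-policy, OID 1.3.6.1.4.1.42.2.27.8.5.1) to the BIND response, and only when the client asked for it in the request; the client then has to decode a small BER structure and turn it into a message. The code below is an added example written for this thread, not code from pam_ldap, OpenLDAP or Fedora/389 Directory Server. It encodes and decodes that control value with the tagging OpenLDAP's ppolicy overlay uses (warning as a constructed context tag [0], the timeBeforeExpiration/graceAuthNsRemaining choice as primitive [0]/[1] inside it, error as primitive [1]); the byte strings and the message wording are constructed here. Whether pam_ldap's pam_lookup_policy setting is the knob that requests the control is stated from memory of its ldap.conf comments, not verified against the source.

```python
"""Encode and decode the LDAP Password Policy response control value.

Added example for the two password-expiry-warning threads above; not code
from pam_ldap, OpenLDAP or Fedora/389 Directory Server.  Tagging follows what
OpenLDAP's ppolicy overlay emits; sample bytes are constructed in the test.
"""

PPOLICY_RESPONSE_OID = "1.3.6.1.4.1.42.2.27.8.5.1"

ERROR_NAMES = {
    0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
    3: "passwordModNotAllowed", 4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality", 6: "passwordTooShort",
    7: "passwordTooYoung", 8: "passwordInHistory",
}
ERROR_CODES = {name: code for code, name in ERROR_NAMES.items()}

TAG_SEQUENCE = 0x30   # outer SEQUENCE
TAG_WARNING = 0xA0    # [0] CHOICE, explicitly tagged (constructed)
TAG_TIME = 0x80       # [0] timeBeforeExpiration INTEGER, inside the warning
TAG_GRACE = 0x81      # [1] graceAuthNsRemaining INTEGER, inside the warning
TAG_ERROR = 0x81      # [1] ENUMERATED at top level (same byte, different context)


def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated TLV value")
    return tag, value, pos + length


def decode_ppolicy_response(data):
    """Return {'time_before_expiration', 'grace_authns_remaining', 'error'}."""
    tag, body, end = _read_tlv(data, 0)
    if tag != TAG_SEQUENCE or end != len(data):
        raise ValueError("not a single SEQUENCE")
    out = {"time_before_expiration": None, "grace_authns_remaining": None, "error": None}
    pos = 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag == TAG_WARNING:
            ctag, cval, cend = _read_tlv(value, 0)
            if cend != len(value):
                raise ValueError("garbage after warning choice")
            number = int.from_bytes(cval, "big", signed=True)
            if ctag == TAG_TIME:
                out["time_before_expiration"] = number      # seconds
            elif ctag == TAG_GRACE:
                out["grace_authns_remaining"] = number      # logins
            else:
                raise ValueError(f"unknown warning tag 0x{ctag:02x}")
        elif tag == TAG_ERROR:
            code = int.from_bytes(value, "big", signed=True)
            out["error"] = ERROR_NAMES.get(code, f"unknown({code})")
        else:
            raise ValueError(f"unexpected tag 0x{tag:02x}")
    return out


def _int_bytes(n):
    """Minimal two's-complement big-endian encoding of an INTEGER/ENUMERATED."""
    return n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True)


def _tlv(tag, content):
    if len(content) >= 128:
        raise ValueError("long-form lengths are never needed for this control")
    return bytes([tag, len(content)]) + content


def encode_ppolicy_response(time_before_expiration=None, grace_authns_remaining=None, error=None):
    """Build the control value a server would send (one warning kind at a time)."""
    body = b""
    if time_before_expiration is not None:
        body += _tlv(TAG_WARNING, _tlv(TAG_TIME, _int_bytes(time_before_expiration)))
    elif grace_authns_remaining is not None:
        body += _tlv(TAG_WARNING, _tlv(TAG_GRACE, _int_bytes(grace_authns_remaining)))
    if error is not None:
        body += _tlv(TAG_ERROR, _int_bytes(ERROR_CODES[error]))
    return _tlv(TAG_SEQUENCE, body)


def warning_message(decoded):
    """What a PAM module should tell the user, or None if there is nothing to say."""
    if decoded["grace_authns_remaining"] is not None:
        return f"Password expired; {decoded['grace_authns_remaining']} grace login(s) remaining"
    if decoded["error"] is not None:
        return f"Password policy error: {decoded['error']}"
    if decoded["time_before_expiration"] is not None:
        days = decoded["time_before_expiration"] // 86400
        return f"Your password will expire in {days} day(s)"
    return None


def find_control(response_controls):
    """Pick the ppolicy control out of (oid, criticality, value) tuples from a BIND response."""
    for oid, _criticality, value in response_controls:
        if oid == PPOLICY_RESPONSE_OID:
            return decode_ppolicy_response(value)
    return None
```

The practical check this gives you: capture the BIND response from the client host (or log the response controls in whatever client library you use) and feed the control value to `decode_ppolicy_response`. If the control is absent, the client never requested it and no PAM ordering will make the warning appear; if it is present with `time_before_expiration` set, the server side is doing its job and the problem is in the client's display path.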
[Fedora-directory-users] PassSync/WinSync
by Scott Boggs
I think I almost have my PassSync working for AD interaction.
However, I am getting the following error, which appears to be stopping the
population of user account information. The groups come across fine.
conn=0 op=7 SRCH base="cn=MCC ou=People dc=client dc=TestSvr, cn=userRoot, cn=ldbm database, cn=plugins, cn=config" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="dn"
[21/Dec/2005:14:37:57 -0600] conn=0 op=7 RESULT err=32 tag=101 nentries=0 etime=0
This is the only error I can find in the access log, the error log is
complaining about the "sn" attribute being missing for the Guest account but
that is it. My SSL seems to be working (that is I don't see any errors).
Can anyone help me over this last hurdle? Thanks in Advance.
18 years, 3 months
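The access log excerpt above shows the shape every Directory Server operation takes: a request line (BIND, SRCH, MOD, ...) and a later RESULT line that share the same conn= and op= values, with the error code only on the RESULT. When hunting for the cause of a sync failure, or of the "administrator limit exceeded" (err=11) reported in the earlier thread, it is the pairing that matters: err=32 (noSuchObject) on a scope=0 search means the base DN itself is missing, and err=49 on a BIND tells you which DN is failing to authenticate and how often. The script below is an added example for these threads, not code shipped with Fedora/389 Directory Server. It joins request and RESULT lines by (conn, op), reports every non-zero result with the request that produced it, counts failed binds per DN, and lists operations that never got a RESULT in the log window. SAMPLE_LOG is constructed for this example, modelled on the line format quoted above; the DNs, the timestamps and the error code table are assumptions for illustration (the code names are RFC 4511's).

```python
"""Correlate request and RESULT lines in a 389/Fedora Directory Server access log.

Added example for the PassSync and "Admin limit exceeded" threads above; not
code shipped with the Directory Server.  SAMPLE_LOG is constructed, modelled
on the line format quoted in the thread.
"""
import re
from collections import defaultdict

# Result codes (RFC 4511 names) that show up most in directory troubleshooting.
LDAP_ERRORS = {
    0: "success", 1: "operationsError", 11: "adminLimitExceeded",
    32: "noSuchObject", 49: "invalidCredentials", 50: "insufficientAccessRights",
    53: "unwillingToPerform", 65: "objectClassViolation", 68: "entryAlreadyExists",
}

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<kind>[A-Z]+)(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')   # key=value, value may be quoted

SAMPLE_LOG = """\
[21/Dec/2005:14:37:55 -0600] conn=0 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[21/Dec/2005:14:37:55 -0600] conn=0 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[21/Dec/2005:14:37:57 -0600] conn=0 op=7 SRCH base="cn=MCC,ou=People,dc=client,dc=TestSvr" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="dn"
[21/Dec/2005:14:37:57 -0600] conn=0 op=7 RESULT err=32 tag=101 nentries=0 etime=0
[21/Dec/2005:14:38:01 -0600] conn=1 op=0 BIND dn="cn=sync manager,cn=config" method=128 version=3
[21/Dec/2005:14:38:01 -0600] conn=1 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[21/Dec/2005:14:38:02 -0600] conn=2 op=0 BIND dn="cn=sync manager,cn=config" method=128 version=3
[21/Dec/2005:14:38:02 -0600] conn=2 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[21/Dec/2005:14:38:05 -0600] conn=3 op=0 BIND dn="uid=jdoe,ou=People,dc=example,dc=com" method=128 version=3
[21/Dec/2005:14:38:05 -0600] conn=3 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[21/Dec/2005:14:38:06 -0600] conn=3 op=1 SRCH base="ou=People,dc=example,dc=com" scope=2 filter="(uid=*)" attrs=ALL
[21/Dec/2005:14:38:09 -0600] conn=3 op=1 RESULT err=11 tag=101 nentries=0 etime=3
[21/Dec/2005:14:38:10 -0600] conn=3 op=2 SRCH base="ou=People,dc=example,dc=com" scope=2 filter="(uid=jdoe)" attrs=ALL
"""


def parse_fields(rest):
    """Turn ' base="..." scope=0 filter="..."' into a dict, unquoting values."""
    return {k: v[1:-1] if v.startswith('"') else v for k, v in KV_RE.findall(rest)}


def correlate(lines):
    """Return (failures, bind_failures_by_dn, unanswered_ops)."""
    pending, failures, bind_failures = {}, [], defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                       # connection open/close lines, noise
        key, fields = (m["conn"], m["op"]), parse_fields(m["rest"])
        if m["kind"] != "RESULT":
            pending[key] = {"kind": m["kind"], "fields": fields}
            continue
        request = pending.pop(key, None)   # the request this RESULT answers
        err = int(fields.get("err", "0"))
        if err == 0:
            continue
        if request and request["kind"] == "BIND":
            bind_failures[request["fields"].get("dn", "")] += 1
        failures.append({"ts": m["ts"], "conn": key[0], "op": key[1], "err": err,
                         "reason": LDAP_ERRORS.get(err, "unknown"), "request": request})
    return failures, dict(bind_failures), sorted(pending)


def describe(failure):
    """One-line human summary of a failed operation and what was asked for."""
    req = failure["request"]
    if req is None:
        what = "(request not in log window)"
    else:
        what = f'{req["kind"]} {req["fields"].get("dn") or req["fields"].get("base", "")}'.strip()
    return (f'{failure["ts"]} conn={failure["conn"]} op={failure["op"]} '
            f'err={failure["err"]} {failure["reason"]}: {what}')


if __name__ == "__main__":
    failures, bind_failures, unanswered = correlate(SAMPLE_LOG.splitlines())
    for f in failures:
        print(describe(f))
    print("failed binds per DN:", bind_failures)
    print("operations without a RESULT:", unanswered)
```

Run it over a real access log with `correlate(open(path).read().splitlines())`; the failed-bind count per DN is also a cheap brute-force indicator, and the unanswered-operations list points at searches that were still running (or were cut off by a connection close) when the log was captured.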
[Fedora-directory-users] REPLICA HAS NO UPDATE VECTOR ...
by HOCQUE Steve
Hi,
I'm trying to configure FDS 1.0.1 with Active Directory.
I configured the Sync Agreement and the 'Full Re-Synchronization' works
well.
When I want to make an update (Send and Receive Updates Now), the
message "Replica has no update vector. It has never been initialized" is
displayed.
What do I have to do to solve this issue?
Many thanks for your help.
Regards.
18 years, 3 months