> I didn't mean to imply that it's intentional or that it should be this
> way, just giving you a hand with the analysis. I have some changes
> around this area of password policy that aren't committed and might
> complicate a potential fix, I've filed a bug for you to keep track:
Ah, I see, thank you. You can see in the logs that an extop password
change doesn't see non-global policies, as you just see a high-level
message that an extop operation was performed and that's all.
I'm fairly new to FDS (one week maybe). Earlier I was using
OpenLDAP and now I want to migrate from OL to FDS. Everything looks
great (schema conversion and LDIF transfer) but I have one problem. The old
setup was constructed more or less so that the passwords weren't stored in
LDAP but in Kerberos, and in the 'userPassword' field in clear text was
Now when using FDS I can't find any configuration option that would
make it possible to use Kerberos for storing passwords and still use
FDS to authenticate users. Maybe SASL mappings are for that and you only
have to configure them right. Does anyone know how to do it?
Thanks in advance.
I'm quite new to Fedora DS. Recently I have been trying Fedora DS with
the Jamm schema; it worked fine for like half an hour, then whenever I try
to start Fedora DS I get a segmentation fault error as follows:
slapd-servername/./start-slapd: line 33: 2526 Segmentation fault
./ns-slapd -D /opt/fedora-ds/slapd-servername -i
/opt/fedora-ds/slapd-servername/logs/pid -w $STARTPIDFILE "$@"
I was wondering if anybody knows what's going on.
> Effective policy is determined by new_passwdPolicy() which considers
> initiated by the password change extop to be internal and local policy
I suspected as much - this should probably go in the password policy
section of the documentation as there are all sorts of recommendations
flying round the Web for setting pam_password to "exop" to allow
password changes to work properly. It does indeed work but as you say,
it bypasses all password policies (except global ones it seems).
I have a question on an LDAP search issue.
I want to disable full searches on the LDAP tree.
My LDAP Tree is:
c=US, o=Dept1, cn=John Smith
c=US, o=Dept1, cn=Ann Adams
I want to deny reading the full listing of the tree and only allow it when the
search condition matches only the required person.
In the example above I want nobody to be listed. But when the search
criterion is "c=US, o=Dept1, cn=Ann Adams" this entry must be listed. When a
search on "c=US" comes, nothing must be listed.
What is the correct Access Control Information for this request?
I just wanted to clarify this -
* If you use Windows passync, you have to enable the password complexity
policy on Windows
* This policy isn't customisable on Windows without writing a custom
* So to avoid password policy conflicts, you have to implement password
policies on FDS too and it really needs to be same as the Windows
default password policy.
NOPS Systems Architect
310 401 0407
> At this point probably single stepping through the code in the
> is the best/quickest route to figure out what's wrong. UTSL and all
I feared you might say that ... but, for amusement, I tried changing
passwords using ldapmodify and strangely, the subtree pwd policy *is*
enforced but if I do exactly the same pwd mod with ldappasswd, it isn't
enforced. Given that the pw policy is all done on the server side, any
ideas how on earth I could be seeing this?
I'm very new to Fedora DS and LDAP in general. I just downloaded LDAP a
couple of weeks ago and I have been playing around with it for some time.
I'm trying to create a directory server and have Postfix and Samba users
authenticate against it. I've been through tutorials on the net, especially
the Fedora DS wiki, but every howto looks at it from a migration scenario
whereas I'm trying to build this from scratch.
Anyway, I tried going through the tutorials but I get stuck when I try to add
a user with ldapmodify -a: I get an error "unknown object class
courierMailAlias". I tried searching for the objectclass on the net but to no
avail... can anybody please shed some light?
I think I have an idea about this now ... the problem seems to be the
exop password modify request. Subtree and user policies are ignored from:
* ldappasswd (which uses exop)
* PAM (when pam_password is set to "exop" in /etc/ldap.conf)
But are OK from:
* PAM (when pam_password is set to "clear" in /etc/ldap.conf)
So, the RFC 3062 password modification requests seem to bypass the
subtree and user policies. I see this behaviour in 1.0.2 and 1.0.4.
Now, am I right in thinking that I can use "clear" as long as I'm using
SSL to the LDAP server? What about setting local non-LDAP passwords with
this set to "clear": isn't that dangerous? I can't use "ssha" for
pam_password, as then password changes don't seem to work at all, which
is why I changed to "exop".